| Brian Vagnoni on 8 Feb 2008 14:27:41 -0800 |
|
This is for a USB stick, but it should be easy to make the necessary changes for your situation. Keep in mind that forensic analysis tool may still be able to glean data from your drive. This is a totally encrypted drive including boot and root partitions. Fedora Core 5 Encrypted Root Booting on a USB Stick - Boot in a FC5 session to be used as a source for the encrypted image - Create the partition to house the root partition (fdisk) - Randomize the contents of the new partition - dd if=/dev/urandom of=/dev/{target root device} - Encrypt the new partition with a passphrase using dm-crypt (not LUKS) - cryptsetup create -y --verify-passphrase {name} /dev/{target root device} - Create a new file system on /dev/{target root device} - mkfs.ext3 /dev/mapper/{name} - Create a mount point and mount the new encrypted device - mkdir /mnt/encroot - mount /dev/mapper/{name} /mnt/encroot - Copy the existing root partition to the new one - cp -ax / /mnt/encroot - Create an entry in /etc/cryptab for the new encrypted device on the new root partition - vi /mnt/encroot/etc/cryptab - add entry: {name} /dev/{target root device} cipher=aes - Edit the fstab in the new root to let it know where to find the loopbacked root - vi /mnt/encroot/etc/fstab - change "LABEL=/..." line to - "/dev/mapper/{name} / ext3 defaults 1 1" ** Now it gets fun ** - Need to edit the initrd that gets installed with Fedora Core - Run mkinitrd to load all the neccessary modules into intrd - We'll need ehci-hd, usb-storage, scsi_mod, & sd_mod to make the USB booting work - We'll need aes, dm-mod and dm-crypt for the encryption - mkinitrd --preload=ehci-hd --preload=usb-storage --preload=scsi_mod --preload=sd_mod --preload=aes --preload=dm-mod --preload=dm-crypt /boot/{initrdname}.img {kernel-no} - NOTE: to get the kernel number run uname -a it should be something like "2.6.15-1.2054_FC5" - Now we have a initial initrd to work with that contains all the modules we need. However, we need to add to it to query the user for their passphrase and decrypt the root before loading. - So, edit the init script within initrd*.img - Explode the initrd*.img to a temporary location, with Fedora Core, its a cpio image thats gziped - cd /wherever - mkdir initrd - cd initrd - gzip -cd /boot/{initrdname}.img | cpio -i - Edit the init script and add the step to cryptsetup the root partition and capture the passphrase - vi init - add the line "/sbin/cryptsetup create {name} /dev/{target root device} < /dev/console > /dev/console above the line "mkrootdev /dev/root" - Copy cryptsetup to the initrd/bin directory - cp /sbin/cryptsetup /wherever/initrd/bin/ - Now wrap the initrd backup to the boot partition - cd /wherever/initrd - find . | cpio -o -c | gzip -9 > /boot/{initrdname}.img - Finally, edit the grub boot loader to point it to the new initrd img - vi /boot/grub/grub.conf - add the following lines under the boot choices title Fedora Core Encrypted ({kernel-no}) rootnoverify (hd0,0) kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet initrd (hd0,0)/boot/{initrdname}.img - Thats it. - NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel. TODO: - Make Root Partition Read Only To simply install Fedora Core on a USB drive: - Check your BIOS to ensure your computer can boot off a USB - Ensure that your USB drive has an MBR on it. If it doesn't (which is likely) download and run the "HP USB Disk Storage Format Tool" (search for it on Google - its home keeps changing). This will install an MBR on the USB drive. - Remove your internal harddrive. If it is inserted, the installer won't ask to load the USB drivers. - Install Fedora Core using the 'linux expert' command line boot option - When it asks to load additional drivers, select the "usb-storage" driver - Install to the USB drive: /dev/sda - Make sure that grub is installed to the boot sector of the USB drive - When the installation reboots to the installed media, leave the CD in and select "rescue" - Skip that stage that asks to find your existing linux image - Go to the command line - Mount the / partition (/dev/sda2) on /mnt/system (or whatever mount point it gives you) and the /boot partition (/dev/sda1) on /mnt/system/boot - Use chroot to change the root to /mnt/system (or wherever you mounted your drives to) and cd to /boot. - Need to edit the initrd that gets installed with Fedora Core - Run mkinitrd to load all the neccessary modules into intrd - mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod /boot/{initrdname}.img {kernel-no} - NOTE: to get the kernel number run uname -a it should be something like "2.6.15-1.2054_FC5" - Finally, edit the grub boot loader to point it to the new initrd img - vi /boot/grub/grub.conf - add the following lines under the boot choices title Fedora Core Encrypted ({kernel-no}) rootnoverify (hd0,0) kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet initrd (hd0,0)/boot/{initrdname}.img - NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel. Sources: http://www.linuxforums.org/forum/lin...isk-drive.html, How to set up a Fedora Core 4 on a USB disk drive, "ROXOFF", 20 Dec 2005 www.linuxjounal.com/article/7743, Encrypt Your Root Filesystem, Mike Petullo, 01 Dec 2004 lukeross.name/blog/10, Fedora: encrypted root partition, Luke Ross, 20 Feb 2006 Brian Vagnoni PGP Digital Fingerprint F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|