Brian Vagnoni on 8 Feb 2008 14:27:41 -0800



Re: [PLUG] Simple Hard drive Encryption?


This is for a USB stick, but it should be easy to make the necessary changes for your situation. Keep in mind that forensic analysis tools may still be able to glean data from your drive. This is a totally encrypted drive including boot and root partitions.


Fedora Core 5 Encrypted Root Booting on a USB Stick
- Boot into an FC5 session to be used as a source for the encrypted image
- Create the partition to house the root partition (fdisk)
- Randomize the contents of the new partition

- dd if=/dev/urandom of=/dev/{target root device}
- Encrypt the new partition with a passphrase using dm-crypt (not LUKS)
- cryptsetup create -y --verify-passphrase {name} /dev/{target root device}
- Create a new file system on /dev/{target root device}
- mkfs.ext3 /dev/mapper/{name}
- Create a mount point and mount the new encrypted device
- mkdir /mnt/encroot
- mount /dev/mapper/{name} /mnt/encroot
- Copy the existing root partition to the new one
- cp -ax / /mnt/encroot
- Create an entry in /etc/crypttab for the new encrypted device on the new root partition
- vi /mnt/encroot/etc/crypttab
- add entry:
{name} /dev/{target root device} cipher=aes
- Edit the fstab in the new root to let it know where to find the loopbacked root
- vi /mnt/encroot/etc/fstab
- change "LABEL=/..." line to
- "/dev/mapper/{name} / ext3 defaults 1 1"

** Now it gets fun **

- Need to edit the initrd that gets installed with Fedora Core
- Run mkinitrd to load all the necessary modules into initrd
- We'll need ehci-hcd, usb-storage, scsi_mod, & sd_mod to make the USB booting work
- We'll need aes, dm-mod and dm-crypt for the encryption
- mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod --preload=aes --preload=dm-mod --preload=dm-crypt /boot/{initrdname}.img {kernel-no}

- NOTE: to get the kernel number run uname -a it should be something like "2.6.15-1.2054_FC5"

- Now we have an initial initrd to work with that contains all the modules we need. However, we need to add to it to query the user for their passphrase and decrypt the root before loading.
- So, edit the init script within initrd*.img
- Explode the initrd*.img to a temporary location; with Fedora Core, it's a cpio image that's gzipped
- cd /wherever
- mkdir initrd
- cd initrd
- gzip -cd /boot/{initrdname}.img | cpio -i
- Edit the init script and add the step to cryptsetup the root partition and capture the passphrase
- vi init
- add the line "/sbin/cryptsetup create {name} /dev/{target root device} < /dev/console > /dev/console" above the line "mkrootdev /dev/root"

- Copy cryptsetup to the initrd/bin directory
- cp /sbin/cryptsetup /wherever/initrd/bin/
- Now wrap the initrd back up into the boot partition
- cd /wherever/initrd
- find . | cpio -o -c | gzip -9 > /boot/{initrdname}.img

- Finally, edit the grub boot loader to point it to the new initrd img

- vi /boot/grub/grub.conf
- add the following lines under the boot choices
title Fedora Core Encrypted ({kernel-no})
rootnoverify (hd0,0)
kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet
initrd (hd0,0)/boot/{initrdname}.img

- That's it.

- NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.

TODO:

- Make Root Partition Read Only
To simply install Fedora Core on a USB drive:
- Check your BIOS to ensure your computer can boot off a USB

- Ensure that your USB drive has an MBR on it. If it doesn't (which is likely) download and run the "HP USB Disk Storage Format Tool" (search for it on Google - its home keeps changing). This will install an MBR on the USB drive.
- Remove your internal hard drive. If it is inserted, the installer won't ask to load the USB drivers.
- Install Fedora Core using the 'linux expert' command line boot option
- When it asks to load additional drivers, select the "usb-storage" driver
- Install to the USB drive: /dev/sda
- Make sure that grub is installed to the boot sector of the USB drive
- When the installation reboots to the installed media, leave the CD in and select "rescue"
- Skip that stage that asks to find your existing linux image
- Go to the command line
- Mount the / partition (/dev/sda2) on /mnt/system (or whatever mount point it gives you) and the /boot partition (/dev/sda1) on /mnt/system/boot
- Use chroot to change the root to /mnt/system (or wherever you mounted your drives to) and cd to /boot.
- Need to edit the initrd that gets installed with Fedora Core
- Run mkinitrd to load all the necessary modules into initrd
- mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod /boot/{initrdname}.img {kernel-no}

- NOTE: to get the kernel number run uname -a it should be something like "2.6.15-1.2054_FC5"

- Finally, edit the grub boot loader to point it to the new initrd img
- vi /boot/grub/grub.conf
- add the following lines under the boot choices

title Fedora Core Encrypted ({kernel-no})

rootnoverify (hd0,0)
kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet
initrd (hd0,0)/boot/{initrdname}.img

- NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.


Sources:

http://www.linuxforums.org/forum/lin...isk-drive.html, How to set up a Fedora Core 4 on a USB disk drive, "ROXOFF", 20 Dec 2005

www.linuxjounal.com/article/7743, Encrypt Your Root Filesystem, Mike Petullo, 01 Dec 2004

lukeross.name/blog/10, Fedora: encrypted root partition, Luke Ross, 20 Feb 2006

Brian Vagnoni



PGP Digital Fingerprint

F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
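As an added example (not code from the original post or from Fedora), a small POSIX shell script that automates the init-script edit and re-wrap step so it can be repeated after each kernel upgrade; the mapper name and device are passed as arguments in place of {name} and {target root device}, and the init script in demo is constructed, not a real FC5 initrd.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the "edit init, copy
# cryptsetup, re-wrap" step so it can be re-run after every kernel upgrade.
# Assumes the FC5 layout described above (gzip'd cpio initrd whose "init"
# contains "mkrootdev /dev/root"); {name}/{target root device} are arguments.
set -eu

# patch_init INIT_FILE MAPPER_NAME ROOT_DEV
# Inserts the cryptsetup line directly above "mkrootdev /dev/root".
# Idempotent: a second run leaves an already patched script alone.
patch_init() {
    init="$1"; name="$2"; dev="$3"
    if grep -q "cryptsetup create $name " "$init"; then
        echo "already patched: $init" >&2
        return 0
    fi
    grep -q '^mkrootdev /dev/root' "$init" || {
        echo "no 'mkrootdev /dev/root' anchor in $init" >&2
        return 1
    }
    awk -v n="$name" -v d="$dev" '
        /^mkrootdev \/dev\/root/ {
            print "/sbin/cryptsetup create " n " " d " < /dev/console > /dev/console"
        }
        { print }' "$init" > "$init.tmp"
    mv "$init.tmp" "$init"
}
# repack_initrd EXPLODED_DIR OUT_IMG: re-wrap exactly as the post does.
repack_initrd() {
    (cd "$1" && find . | cpio -o -c 2>/dev/null | gzip -9) > "$2"
}
# Dry run on a constructed, minimal init script (not a real FC5 initrd).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/initrd/bin"
    cat > "$work/initrd/init" <<'EOF'
#!/bin/nash
mount -t proc /proc /proc
insmod /lib/dm-crypt.ko
mkrootdev /dev/root
mount -o defaults --ro -t ext3 /dev/root /sysroot
EOF
    patch_init "$work/initrd/init" cryptroot /dev/sda2
    patch_init "$work/initrd/init" cryptroot /dev/sda2   # no-op second run
    if command -v cpio >/dev/null 2>&1; then
        repack_initrd "$work/initrd" "$work/initrd-enc.img"
    fi
    echo "$work"
}
```

On a real system you would also copy /sbin/cryptsetup into the exploded bin/ directory before calling repack_initrd, as the post does.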


From: Brian Vagnoni [mailto:bvagnoni@v-system.net]
To: Philadelphia Linux User's Group Discussion List [mailto:plug@lists.phillylinux.org]
Sent: Fri, 08 Feb 2008 17:17:35 -0500
Subject: Re: [PLUG] Simple Hard drive Encryption?

Are you trying to encrypt the OS as well as the boot partition, or just data?

Brian Vagnoni



PGP Digital Fingerprint

F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955


From: Sasha R [mailto:sashar@sas.upenn.edu]
To: Philadelphia Linux User's Group Discussion List [mailto:plug@lists.phillylinux.org]
Sent: Fri, 08 Feb 2008 17:03:09 -0500
Subject: Re: [PLUG] Simple Hard drive Encryption?

Thanks guys, although it looks like truecrypt doesn't like it that I've got this formatted in reiserfs, now computer doesn't recognize the drive at all and truecrypt refuses to work with it, ah well, I'll get it reformatted and try again when I have some free time.

Sasha

On Feb 8, 2008 4:42 PM, brent saner <brent.saner@gmail.com> wrote:

another vote for truecrypt.

specifically, i always go with AES256 or higher if possible whenever i
need to encrypt anything if you're looking for a wider, more vague answer.

Sasha R wrote:
| Hey guys,
|
| I was wondering if anyone could recommend an easy to use, free,
| linux based and preferably open source program to encrypt a
| hard drive to the point that a person with physical access to the
| external hard drive could not view the data and would have to
| reformat the drive to use it for anything.
|
| Thanks,
|
| Sasha
|
| ___________________________________________________________________________
| Philadelphia Linux Users Group         --        http://www.phillylinux.org
| Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
| General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


- --
Brent Saner
215.264.0112(cell)
215.362.7696(residence)

http://www.thenotebookarmy.org

Bill Gates is to hacking as Sid Vicious was to the Sex Pistols: no
talent, everyone hates him, and he's just in it for the fame and money.

GPG INFO:
pub   1024D/832D950A 2008-01-26
uid                  Brent Timothy Saner <brent.saner@gmail.com>
uid                  Brent Timothy Saner (ACE Technology Group,
www.acetechgroup.com) <sanerb@acetechgroup.com>
sub   4096g/1C18F61D 2008-01-26
(pgp.mit.edu)
FINGERPRINT:
91EC 3B91 17E3 84E8 662A
9911 F2ED 9987 832D 950A

