Encrypting your entire hard disk (almost)

Apr 25, 2011 • alan


I have a small netbook that I use when I travel, one of the original Asus EeePC’s, the 900.  It has a 9″ screen and a 16GB flash drive.  It runs Linux, and it’s just about right for accessing email, some light surfing, and doing small tasks like writing blog posts and messing with my checkbook.  And since it runs Linux, I can do a lot of nice network stuff with it, like SSH tunneling, VPN’s, and I can even make it act like a wireless access point.

However, the idea of leaving my little PC in a hotel room while I am out having fun leaves me a little uneasy.  I am not concerned with the hardware… it’s not worth much.  But I am concerned about my files, and the temporary files like browser cookies and cache.  I’d hate for someone to walk away with my EeePC and also gain access to

countless other things with it.

So this week, I decided to encrypt the main flash drive.  Before, the entire flash device was allocated as one device:

partition 1  –  16GB  –  the whole enhilada

Here’s how I made my conversion.

(0) What you will need:

  • a 1GB or larger USB stick (to boot off of)
  • an SD card or USB drive big enough to back up your root partition

(1) Boot the system using a “live USB stick” (you can create one in Ubuntu by going to “System / Administration / Startup Disk Creator”.  Open up a terminal and do “sudo -i” to become root.

ubuntu@ubuntu:~$ sudo -i
root@ubuntu:~$ cd /
root@ubuntu:/$

(2) Install some tools that you’ll need… they will be installed in the Live USB session in RAM, not on your computer.  We’ll install them on your computer later.

root@ubuntu:/$ apt-get install cryptsetup

(3) Insert an SD card and format it. I formatted the entire card.  Sometimes, you might want to make partitions on it and format one partition.

root@ubuntu:/$ mkfs.ext4 /dev/sdb
root@ubuntu:/$ mkdir /mnt/sd
root@ubuntu:/$ mount /dev/sdb /mnt/sd
root@ubuntu:/$

(4) Back up the main disk onto the SD card. The “numeric-owner” option causes the actual owner and group numbers to be stored in the tar file, rather than trying to match the owner/group names to the names from /etc/passwd and /etc/group (remember, we booted from a live USB stick).

root@ubuntu:/$ tar --one-file-system --numeric-owner -zcf /mnt/sd/all.tar.gz .
root@ubuntu:/$

(5) Re-partition the main disk. I chose 128MB for /boot.  The rest of the disk will be encrypted.  The new layout looks like this:

partition 1  –  128MB  –  /boot, must remain unencrypted

partition 2  –  15.8GB  –  everything else, encrypted

root@ubuntu:/$ fdisk -l

Disk /dev/sda: 16.1 GB, 16139354112 bytes
255 heads, 63 sectors/track, 1962 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0002d507

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        1          17      136521   83  Linux
/dev/sda2           18        1962    15623212+  83  Linux
root@ubuntu:/$

(6) Make new filesystems on the newly-partitioned disk.

root@ubuntu:/$ mkfs.ext4 /dev/sda1
root@ubuntu:/$ mkfs.ext4 /dev/sda2
root@ubuntu:/$

(7) Restore /boot to sda1. It will be restored into a “boot” subdirectory, because that’s the way it was on the original disk.  But since this is a stand-alone /boot partition, we need to move the files to that filesystem’s root.

root@ubuntu:/$ mkdir /mnt/sda1
root@ubuntu:/$ mount /dev/sda1 /mnt/sda1
root@ubuntu:/$ cd /mnt/sda1
root@ubuntu:/mnt/sda1$ tar --numeric-owner -zxf /mnt/sd/all.tar.gz ./boot
root@ubuntu:/mnt/sda1$ mv boot/* .
root@ubuntu:/mnt/sda1$ rmdir boot
root@ubuntu:/mnt/sda1$ cd /
root@ubuntu:/$ umount /mnt/sda1
root@ubuntu:/$

(8) Make an encrypted filesystem on sda2. We will need a label, so I will call it “cryptoroot”.  You can choose anything here.

root@ubuntu:/$ cryptsetup luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ********
Verify passphrase: ********
root@ubuntu:/$ cryptsetup luksOpen /dev/sda2 cryptoroot
root@ubuntu:/$ mkfs.ext4 /dev/mapper/cryptoroot
root@ubuntu:/$

(9) Restore the rest of the saved files to the encrypted filesystem that lives on sda2.  We can remove the extra files in /boot, since that will become the mount point for sda1.  We need to leave the empty /boot directory in place, though.

root@ubuntu:/$ mkdir /mnt/sda2
root@ubuntu:/$ mount /dev/mapper/cryptoroot /mnt/sda2
root@ubuntu:/$ cd /mnt/sda2
root@ubuntu:/mnt/sda2$ tar --numeric-owner -zxf /mnt/sd/all.tar.gz
root@ubuntu:/mnt/sda2$ rm -rf boot/*
root@ubuntu:/mnt/sda2$ cd /
root@ubuntu:/$

(10) Determine the UUID’s of the sda2 device and the encrypted filesystem that sits on top of sda2.

root@ubuntu:/$ blkid
/dev/sda1: UUID="285c9798-1067-4f7f-bab0-4743b68d9f04" TYPE="ext4"
/dev/sda2: UUID="ddd60502-87f0-43c5-aa28-c911c35f9278" TYPE="crypto_LUKS"   << [UUID-LUKS]
/dev/mapper/root: UUID="a613df67-3179-441c-8ce5-a286c16aa053" TYPE="ext4"   << [UUID-ROOT]
/dev/sdb: UUID="41745452-3f89-44f9-b547-aca5a5306162" TYPE="ext3"
root@ubuntu:/$

Notice that you’ll also see sda1 (/boot) and sdb (the SD card) as well as some others, like USB stick.  Below, I will refer to the actual UUID’s that we read here as [UUID-LUKS] and [UUID-ROOT].

(11) Do a “chroot” inside the target system. A chroot basically uses the kernel from the Live USB stick, but the filesystem from the main disk.  Notice that when you do this, the prompt changes to what you usually see when you boot that system.

root@ubuntu:/$ mount /dev/sda1       /mnt/sda2/boot
root@ubuntu:/$ mount --bind /proc    /mnt/sda2/proc
root@ubuntu:/$ mount --bind /dev     /mnt/sda2/dev
root@ubuntu:/$ mount --bind /dev/pts /mnt/sda2/dev/pts
root@ubuntu:/$ mount --bind /sys     /mnt/sda2/sys
root@ubuntu:/$ chroot /mnt/sda2
root@enigma:/$

(12) Install cryptsetup on the target.

root@enigma:/$ apt-get install cryptsetup
root@enigma:/$

(13) Change some of the config files on the encrypted drive’s /etc so it will know where to find the new root filesystem.

root@enigma:/$ cat /etc/crypttab
cryptoroot  UUID=[UUID-LUKS]  none  luks
root@enigma:/$ cat /etc/fstab
proc  /proc  proc  nodev,noexec,nosuid  0  0
# / was on /dev/sda1 during installation
# UUID=[OLD-UUID-OF-SDA1]  /  ext4  errors=remount-ro  0  1
UUID=[UUID-ROOT]  /  ext4  errors=remount-ro  0  1
/dev/sda1  /boot  ext4  defaults  0  0
# RAM disks
tmpfs   /tmp       tmpfs   defaults   0  0
tmpfs   /var/tmp   tmpfs   defaults   0  0
tmpfs   /var/log   tmpfs   defaults   0  0
tmpfs   /dev/shm   tmpfs   defaults   0  0
root@enigma:/$

(14) Rebuild the GRUB bootloader, since the files have moved from sda1:/boot to sda1:/ .

root@enigma:/$ update-grub
root@enigma:/$ grub-install /dev/sda
root@enigma:/$

(15) Update the initial RAM disk so it will know to prompt for the LUKS passphrase so it can mount the new encrypted root filesystem.

root@enigma:/$ update-initramfs -u -v
root@enigma:/$

(16) Reboot.

root@enigma:/$ exit
root@ubuntu:/$ umount /mnt/sda2/sys
root@ubuntu:/$ umount /mnt/sda2/dev/pts
root@ubuntu:/$ umount /mnt/sda2/dev
root@ubuntu:/$ umount /mnt/sda2/proc
root@ubuntu:/$ umount /mnt/sda2/boot
root@ubuntu:/$ umount /mnt/sda2
root@ubuntu:/$ reboot

When it has shut down the Live USB system, you can remove the USB stick and let it boot the system normally.  If all went well, you will be prompted for the LUKS passphrase a few seconds into the bootup process.