Tuesday, March 6, 2012

Decrypting the LVM-Cryptsetup - part 2


A few things have been done so far.
A disk has been partitioned to support a /boot filesystem (holding the kernel, initramfs image and bootloader configuration) and an LVM volume.
Before applying the LVM setup, we created an encrypted device /dev/mapper/crypt. Data written to that device is handled by the dm_crypt module, which writes it to the physical disk in encrypted form. On top of this layer the LVM setup was made, including the logical volumes and the filesystems/swap for the installation.


Well, personally I don't really like Ubuntu and its derivatives because they tend to be too macroscopic. Additionally it seems that they just use the Debian development resources to update their systems and don't develop/fix much on their own. But that is just my view.
Ubuntu did indeed take one really great step for the Linux community. They helped a lot of people get a Linux system up and running with a superb and easy installer. I would say that installing Ubuntu is easier than installing Windows.
Drawback: because the installer is so easy, it won't offer you every install option that would be possible. That's why we needed to take the detour through the command line and do some things manually. If you just want to install BackBox (or Ubuntu), throw in the DVD, boot and then click install. After some clicks and minutes you're done. But LVM (which should become the default in Ubuntu soon) and cryptsetup, since it's a transparent layer, will be honored by the installer.

The steps:
  • click on the install icon (you guessed it)
  • choose an installation language. I recommend choosing English (US) for all Linux installations.
  • skip the update during installation (the video shows something different, but who cares) and optionally choose 3rd party software. Please check the information at the top of the window: the network should be available (you will actually install software from the network), your system should not run on battery power (just to be sure) and you need at least 4.4GB of free disk space (BackBox 2.0.1)
  • next comes the interesting step - disk partitioning. Well, sure we need to do "Something else" than just click install entire system. Inside the advanced partitioning window, everything looks familiar. Just use /dev/sda1 as /boot with ext4 filesystem, /dev/mapper/cryptvg-rootlv as / (choose format here, otherwise the installer will complain about this) and /dev/mapper/cryptvg-homelv as /home (if you want to; format is optional). /dev/mapper/cryptvg-swaplv is already recognized as swap area.
  • now it's time to install. During the installation you will be asked which time zone you live in, which keyboard layout you want to have (doesn't matter which installation language you chose) and you should create a user. If you create the user with automatic login (which I don't recommend, especially when using an encrypted installation - be completely paranoid, not just a bit), you still have to remember the password. sudo (for administrative tasks) will ask for it, to confirm that you are you. A user account can be hacked remotely, but compromising the password (over the network) is not so easy if you follow the usual best practices for passwords (long and strong).
    You are offered the option to encrypt your home folder, but that is more for a non-encrypted installation or for the paranoid with people tracking them.
  • after the installation: Continue Testing!
Pretty easy and straightforward installation. Good for beginners - that's what Ubuntu is about. Everyone can install and use it (Xubuntu is not much different here).
As mentioned above, because it's easy it won't offer you many install options. You can choose to install it beside another operating system, install it over another operating system, install it on a blank disk, or do something else. Something else offers a bit more but needs some preparation.

The chroot

chroot (change root) is mainly used to separate applications from the rest of the system. The application runs in its own area of the system and has just the programs it needs for itself. Those programs can even come from a different operating system release. Read more about the basic functionality on Wikipedia.

In our case we need the chroot to emulate the system that will be running later. We sure need the root filesystem, and /boot is also needed because the initramfs needs to be updated to include lvm2 and the crypt modules at boot time.

The first step is self-explanatory - just mount the root filesystem of the machine on /mnt. You could create your own mount point for this if you want to, but /mnt is widely known as the standard mount point and available on every Linux/Unix system. Just stick to the basics.

After this we mount some virtual filesystems onto /mnt:

  • /proc is for process and kernel related information that must be known inside the chroot. I would say that it is the most interesting virtual filesystem; you can look up and do a lot of things inside. Look here.
  • /sys is the system filesystem, which holds the driver and device information about your running system.
  • /dev is the device filesystem, which holds all device nodes and is used to access them - like /dev/sda1 or /dev/cryptvg/rootlv

Now /boot is mounted. Since we mounted the relevant system filesystems on /mnt, this step could also be done after chrooting to /mnt. But I did it before, thinking that the steps are more straightforward this way.

chroot /mnt
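The mount sequence described above, written out as a small script. This is an added example, not code from the original post; the device names (/dev/cryptvg/rootlv for /, /dev/sda1 for /boot) are assumptions matching the earlier partitioning, and the mount types used for /proc, /sys and /dev are one common way to do it. With DRY_RUN=1 the script only prints the commands it would run, so the plan can be checked before executing it as root.

```shell
#!/bin/sh
# Added example (not from the original post): set up the chroot the way
# the text describes - mount the installed root filesystem on /mnt, then
# /proc, /sys and /dev inside it, then /boot - and tear it down again
# afterwards. Device names are assumptions matching the post.

ROOT_DEV="${ROOT_DEV:-/dev/cryptvg/rootlv}"
BOOT_DEV="${BOOT_DEV:-/dev/sda1}"
TARGET="${TARGET:-/mnt}"

# run CMD ARGS...: execute the command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mount everything in the order the text uses: root first (so the mount
# points below exist), then the virtual filesystems the chroot needs,
# then /boot, which the initramfs and grub updates will write to.
prepare_chroot() {
    run mount "$ROOT_DEV" "$TARGET"
    run mount -t proc proc "$TARGET/proc"     # process and kernel information
    run mount -t sysfs sys "$TARGET/sys"      # driver and device information
    run mount --bind /dev "$TARGET/dev"       # device nodes, e.g. /dev/sda1
    run mount "$BOOT_DEV" "$TARGET/boot"
}

# Unmount in reverse order; the root filesystem must come last.
teardown_chroot() {
    run umount "$TARGET/boot"
    run umount "$TARGET/dev"
    run umount "$TARGET/sys"
    run umount "$TARGET/proc"
    run umount "$TARGET"
}

# Print the mount plan without touching the system (for review).
chroot_plan() {
    ( DRY_RUN=1; prepare_chroot )
}

# Same for the teardown plan.
teardown_plan() {
    ( DRY_RUN=1; teardown_chroot )
}

case "${1:-}" in
    prepare)  prepare_chroot ;;        # afterwards: chroot "$TARGET"
    teardown) teardown_chroot ;;
    plan)     chroot_plan; teardown_plan ;;
esac
```

Usage: `sh prepare_chroot.sh plan` prints both plans; `sh prepare_chroot.sh prepare` as root does the mounts, after which `chroot /mnt` follows as in the text, and `sh prepare_chroot.sh teardown` cleans up when you are done. Unmounting in reverse order matters: /mnt cannot be unmounted while /mnt/boot, /mnt/dev, /mnt/sys or /mnt/proc are still mounted on top of it.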

Works as designed, we are now "inside" the newly installed system. All changes done inside the chroot will be persistent. And that's great. So we can install and update software and also change configuration files. Just what we need, because lvm2 and cryptsetup are not installed by default, and additionally there is no configuration for LUKS.

Note: Changes made to the desktop at this time won't be persistent because it still runs from the Live CD system. We just use it to ensure that the relevant configuration files are in place and correct, and that the needed packages are installed, set up and included in the initrd image.

Just 1 mile to go

Inside the chroot the grub default configuration has to be extended to make grub aware of our new cryptdevice. This can be done by manually editing GRUB_CMDLINE_LINUX_DEFAULT and adding the parameter cryptdevice=/dev/sda2:crypt. This way update-grub will automatically add it to the kernel line and grub is aware of the device.
The next part is a bit tricky - or at least it looks like it. Actually you just tell LUKS which device should be handled, how, and where to find the key.
So the file /etc/crypttab needs to be edited. There are 4 parameters:

  • target name: Defines the mapper target for the device, in our case crypt
  • source device: This should be the UUID of the device, using /dev/sda2 caused some problems in the past.
  • key file: This could be a path to a key file (like /etc/key) or a USB device which stores the key (this is out of scope). In our case we want to enter our overly long passphrase (I really recommend 20+ characters) every time at boot, so we say none.
  • options: If you choose something different or another encryption method you could add this here. We just enter luks.
The UUID can be inserted in several ways. The method I used is complicated but works. There is more than one way to skin a cat.

ls /dev/disk/by-uuid/$(ls -l /dev/disk/by-uuid | grep sda2 | cut -d" " -f8) >> /etc/crypttab

This cuts out the UUID for /dev/sda2 and appends it to /etc/crypttab. After this you have to edit /etc/crypttab to make it work.
A better way could be

ls -l /dev/disk/by-uuid | awk '/sda2/ { print "crypt\t\tUUID="$9"\tnone\tluks" }' >> /etc/crypttab

but this is up to you.
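Since both the grub parameter and the crypttab line are easy to get subtly wrong (a missing field, a /dev/sdX path instead of the UUID, the parameter added twice), here is a third way to skin the cat: generate both and check them before writing. This is an added example, not code from the original post; the file path /etc/default/grub (where GRUB_CMDLINE_LINUX_DEFAULT normally lives), the device /dev/sda2, the mapper name crypt, the UUID in the usage lines and the use of blkid from util-linux are assumptions or constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): build and check the
# cryptdevice kernel parameter and the four-field /etc/crypttab entry
# described in the text. Paths, device names and UUIDs are assumptions.

# crypttab_entry NAME UUID: the line the text describes, field by field:
# target name, source device by UUID, key file (none = ask at boot), options.
crypttab_entry() {
    printf '%s\tUUID=%s\tnone\tluks\n' "$1" "$2"
}

# crypttab_entry_ok LINE: reject a line that does not have exactly four
# fields, that names the source by a /dev/sdX path instead of UUID=
# (the text notes that /dev/sda2 caused problems), or that lacks the luks
# option. Returns 0 when the line looks right.
crypttab_entry_ok() {
    set -- $1                    # split the line into its fields
    [ "$#" -eq 4 ] || return 1
    case "$2" in UUID=*) ;; *) return 1 ;; esac
    case ",$4," in *,luks,*) ;; *) return 1 ;; esac
}

# grub_cmdline FILE: print the current value of GRUB_CMDLINE_LINUX_DEFAULT.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# add_cryptdevice FILE DEVICE NAME: append cryptdevice=DEVICE:NAME to
# GRUB_CMDLINE_LINUX_DEFAULT in FILE, once; running it twice is harmless.
add_cryptdevice() {
    file=$1
    param="cryptdevice=$2:$3"
    if grep -qF "$param" "$file"; then
        return 0                 # already configured, nothing to do
    fi
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
            sub(/"$/, " " p "\"")    # append inside the closing quote
            sub(/=" /, "=\"")        # no stray space when the value was empty
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Typical use inside the chroot, as root, followed by update-grub:
#   add_cryptdevice /etc/default/grub /dev/sda2 crypt
#   uuid=$(blkid -s UUID -o value /dev/sda2)   # util-linux; alternative to the ls/awk method
#   line=$(crypttab_entry crypt "$uuid")
#   crypttab_entry_ok "$line" && printf '%s\n' "$line" >> /etc/crypttab
```

The check in crypttab_entry_ok is deliberately strict about the UUID= form: a /dev/sda2 source may still work on the machine it was written on, but device names can change order between boots or when a USB disk is attached, and then the initramfs cannot find the LUKS container.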

And that's it - just update your newly installed system inside the chroot and don't forget to install lvm2 and cryptsetup:

apt-get update
apt-get upgrade
apt-get install lvm2 cryptsetup

Don't do a dist-upgrade; this should be run later when the machine comes up again.
The good thing about installing lvm2 and cryptsetup is that it will automatically update the initrd image for you. So the needed drivers and modules will be included in the initrd mini-root. Oh, and besides... since you are running in a chroot, the package database is also updated with the necessary information. Nice!


Well, installing an Ubuntu based system is really easy. And if you think it through a bit, it's not much harder with encryption and lvm2.
If you leave out cryptsetup you can install the system with LVM only - maybe using the home-only encryption offered by the installer. Or you can just partition your system like you always do (maybe /dev/sda1 for /boot and an extended partition for / on /dev/sda5) and just encrypt it without LVM.
If you understand what happened, it is also really easy to install BackBox next to another existing operating system. Keep in mind that the boot loader of any operating system might break the ability to boot into another one - but it must work for its own system.

Hope you enjoy this article, see you the next time.
