Tuesday, September 2, 2008

Encrypting the swap and home partitions in Ubuntu 8.04

A simple tutorial for encrypting the swap and home partitions in Ubuntu, keeping your data safe. It is in English, but it does not require much knowledge to understand.

Prerequisites

Install required packages:

# apt-get install lvm2 cryptsetup libpam-mount

Insert the needed modules (or just reboot). You should now have at least these modules loaded:

$ lsmod | egrep 'aes|dm_crypt'

aes_i586 33536 3

dm_crypt 15364 0

dm_mod 62660 3 dm_crypt,dm_mirror,dm_snapshot

The device-mapper should be active:

$ ls -l /dev/mapper/

total 0

crw-rw---- 1 root root 10, 63 2008-05-04 17:12 control

...with support for crypto:

# dmsetup targets | grep crypt

crypt v1.5.0

Furthermore, the kernel needs to support the hash and encryption algorithms:

$ cat /proc/crypto | grep name

name : sha256

name : cbc(aes)

name : aes

name : md5

Good. Now we're ready.

Part I: Setting up encrypted swap

Step 1: Disable your current swap partition.

# swapoff /dev/sda2

Step 2: Fill your swap with random data.

# dd if=/dev/urandom of=/dev/sda2 bs=1M

1954+0 records in

1953+0 records out

2048094208 bytes (2.0 GB) copied, 529.177 s, 3.9 MB/s

As you see, this might take some time depending on your swap size. So go grab a coffee.

Step 3: Configure encrypted swap.

Add this to your /etc/crypttab:

# cat /etc/crypttab

...

cryptoswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

Why /dev/urandom and not /dev/random? The latter blocks until it has gathered enough entropy to continue; urandom doesn't. So if you use random instead of urandom, you might have to wait during boot until enough entropy is collected. (It does help to type on your keyboard and move the mouse.) Use /dev/random if you're really paranoid. Read the last comments in this bugreport for details.

Next, change your swap entry in /etc/fstab to this:

# cat /etc/fstab

...

/dev/mapper/cryptoswap none swap sw 0 0

Every time we boot, swap will be encrypted with a different encryption key.

Step 4: Test it.

Reboot to test.

We now have an encrypted swap:

# cat /proc/swaps

Filename Type Size Used Priority

/dev/mapper/cryptoswap partition 2000084 0 -1



# cryptsetup status cryptoswap

/dev/mapper/cryptoswap is active:

cipher: aes-cbc-essiv:sha256

keysize: 256 bits

device: /dev/sda2

offset: 0 sectors

size: 4000185 sectors

mode: read/write

Good. Now we're safe, right?
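A check for the Part I configuration, added here as an example and not part of the original tutorial: it reads an fstab and a crypttab and reports swap entries that are not backed by a mapping with a per-boot random key and the swap option. The function name audit_swap, the device /dev/sda5 and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the Part I swap setup.
# audit_swap FSTAB CRYPTTAB prints one line per problem and returns 1 if any.
audit_swap() {
    fstab=$1; crypttab=$2; bad=0
    # Active swap entries are fstab lines whose third field is "swap".
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" {print $1}' "$fstab"); do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "plaintext swap: $dev"; bad=1; continue ;;
        esac
        # crypttab fields: <name> <source device> <key file> <options>
        key=$(awk -v n="$name" '$1 == n {print $3; exit}' "$crypttab")
        opts=$(awk -v n="$name" '$1 == n {print $4; exit}' "$crypttab")
        if [ -z "$key" ]; then
            echo "$name: no crypttab entry"; bad=1; continue
        fi
        case $key in
            /dev/urandom|/dev/random) ;;
            *) echo "$name: key '$key' is not regenerated at boot"; bad=1 ;;
        esac
        case ",$opts," in
            *,swap,*) ;;
            *) echo "$name: option 'swap' missing"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample files: the tutorial's entries, plus an fstab that still
# carries a leftover unencrypted swap line (/dev/sda5 is a made-up device).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/crypttab" <<'EOF'
cryptoswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
cryptohome /dev/vg_storage/lv_home none luks
EOF
cat > "$demo/fstab.good" <<'EOF'
/dev/mapper/cryptoswap none swap sw 0 0
EOF
cat > "$demo/fstab.bad" <<'EOF'
/dev/mapper/cryptoswap none swap sw 0 0
/dev/sda5 none swap sw 0 0
EOF
audit_swap "$demo/fstab.good" "$demo/crypttab" && echo "fstab.good: ok"
audit_swap "$demo/fstab.bad" "$demo/crypttab" || echo "fstab.bad: problems listed above"
```

On a real system, call audit_swap /etc/fstab /etc/crypttab after editing both files and before rebooting.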

Part II: Creating and setting up an encrypted home partition

Step 1: Setting up a home partition using LVM.

If you use a regular partition, you can easily skip this step.

# pvcreate /dev/sda3

Physical volume "/dev/sda3" successfully created

# vgcreate vg_storage /dev/sda3

Volume group "vg_storage" successfully created

# vgchange -a y vg_storage

0 logical volume(s) in volume group "vg_storage" now active

# lvcreate -L20G -nlv_home vg_storage

Logical volume "lv_home" created

For more details on how to use LVM, please check out the excellent LVM HOWTO.

Step 2: Fill your soon-to-be home partition with random data.

# dd if=/dev/urandom of=/dev/vg_storage/lv_home bs=1M

20481+0 records in

20480+0 records out

21474836480 bytes (21 GB) copied, 5554.23 s, 3.9 MB/s

This will take even longer than the swap partition. So go for lunch or something.

Step 3: Initialize the partition and set initial key.

Remember, if you use a weak password, you're screwed. If you forget the password, it's game over.

# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/vg_storage/lv_home



WARNING!

========

This will overwrite data on /dev/vg_storage/lv_home irrevocably.



Are you sure? (Type uppercase yes): YES

Enter LUKS passphrase:

Verify passphrase:

Command successful.

We use the cipher "aes-cbc-essiv", since the default is vulnerable to watermarking attacks.

Step 4: Create a device mapping.

# cryptsetup luksOpen /dev/vg_storage/lv_home cryptohome

Enter LUKS passphrase:

key slot 0 unlocked.

Command successful.

This will create a device mapping, as can be seen under:

$ ls -l /dev/mapper/

total 0

crw-rw---- 1 root root 10, 63 2008-05-04 18:46 control

brw-rw---- 1 root disk 254, 2 2008-05-04 20:53 cryptohome

brw-rw---- 1 root disk 254, 0 2008-05-04 18:52 cryptoswap

brw-rw---- 1 root disk 254, 1 2008-05-04 20:53 vg_storage-lv_home

Note that LVM also uses the device-mapper (that is why LVM volumes also are listed).

Or, you can use the command dmsetup ls to list the mapped devices:

$ dmsetup ls

cryptoswap (254, 0)

vg_storage-lv_home (254, 1)

cryptohome (254, 2)

Step 5: Create a filesystem.

We now have an encrypted partition. To use it, we need to create a filesystem on it:

# mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome

mke2fs 1.40.8 (13-Mar-2008)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

1310720 inodes, 5242623 blocks

52426 blocks (1.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=0

160 block groups

32768 blocks per group, 32768 fragments per group

8192 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000



Writing inode tables: done

Creating journal (32768 blocks): done

Writing superblocks and filesystem accounting information: done



This filesystem will be automatically checked every 28 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

Step 6: Testing!

We start by closing and reopening the encrypted partition before we mount it:

# cryptsetup luksClose cryptohome

# cryptsetup luksOpen /dev/vg_storage/lv_home cryptohome

Enter LUKS passphrase:

key slot 0 unlocked.

Command successful.

# mkdir -p /mnt/cryptohome

# mount /dev/mapper/cryptohome /mnt/cryptohome

# touch /mnt/cryptohome/testfile

# ls /mnt/cryptohome/

testfile

We can also confirm that it works by issuing the command:

# cryptsetup status cryptohome

/dev/mapper/cryptohome is active:

cipher: aes-cbc-essiv:sha256

keysize: 256 bits

device: /dev/mapper/vg_storage-lv_home

offset: 2056 sectors

size: 41940984 sectors

mode: read/write

Now would be a good time to move your current home to this partition.

Finally, we unmount:

# umount /mnt/cryptohome

# cryptsetup luksClose cryptohome

Step 7: Cryptohome mounted at boot or at login?

Now you have to make a choice. You can enable the partition at boot time, but then the boot sequence is interrupted to ask you for the LUKS password. If you want the partition automatically mounted when you log in, skip to the next section.

Instead of manually typing in the password, you can have the key stored externally, for instance on a USB stick. Read more about that here.

You want to enable mounting at boot time? Then update /etc/crypttab:

# cat /etc/crypttab

...

cryptohome /dev/vg_storage/lv_home none luks

And /etc/fstab:

# cat /etc/fstab

...

/dev/mapper/cryptohome /mnt/cryptohome ext3 relatime,errors=remount-ro 0 2

When you now reboot, the boot process is interrupted to ask you for the LUKS password. If you type it correctly, the home partition is mounted. When you now log in, you will have an encrypted home partition ready and waiting for you.

Part III: Automatically mount when logging in.

A more elegant solution would be to automatically mount the home partition at the same time you log in. This requires that you use the same password for login as for the encrypted partition. (Actually, that is not entirely true. You may have the password stored in a file somewhere. But in this howto, we assume you have the same password for both.)

Step 1: Remove home partition from /etc/fstab

If there is an entry for your (encrypted) home partition in /etc/fstab, remove it:

# cat /etc/fstab

...

/dev/mapper/cryptohome /mnt/cryptohome ext3 relatime,errors=remount-ro 0 2 # this gotta go

Step 2: Update /etc/crypttab

Make sure that you have a line in /etc/crypttab that reads as follows:

# cat /etc/crypttab

...

cryptohome /dev/vg_storage/lv_home noauto luks

Step 3: Install and configure pam_mount

# apt-get install libpam-mount

Then add the following entry to /etc/security/pam_mount.conf.xml. This file is heavily commented, and it may be useful to read the comments:

# cat /etc/security/pam_mount.conf.xml

...



Step 4: Configure PAM

Add the following to /etc/pam.d/common-auth:

# cat /etc/pam.d/common-auth

...

auth optional pam_mount.so use_first_pass

And to /etc/pam.d/common-session:

# cat /etc/pam.d/common-session

...

session optional pam_mount.so

Step 5: Test!

Log out and back in. You should now have an encrypted home:

$ df -h

...

/dev/mapper/_dev_mapper_vg_storage-lv_home

20G 296M 20G 2% /home

Congratulations, you now have an encrypted swap and home partition!

Source: Gulcpy