Update: an encrypted root file system option is now available at installation in Ubuntu 7.10. See Install Time Ubuntu Encryption for more information.
This last week I’ve been very interested in encryption. If you missed it you might be interested in my post on encrypting files or emails with GPG. In this tutorial I wanted to outline how to encrypt a local partition or a removable device (like a USB key). The steps used here will work for either type of device although you’ll need to replace your partition name and number for the examples provided here.
Attention: following this tutorial will wipe all data from the partition or device you write it to. You cannot encrypt your file system after-the-fact using this method. Be sure you have backups or don’t care about the data being lost if you follow these steps!!!
The first step in the tutorial is installing the cryptsetup utility, which is part of the cryptsetup package. You can search for this using your favorite package management utility or use this command:
sudo aptitude install cryptsetup
Now that we have the cryptsetup utility installed we’ll need to prepare the device for use. If you have a newly created device or partition you may be able to skip this step, but it also won’t hurt to redo this step anyway.
If you are unsure what the device is listed as, you can use either of these two commands:
sudo fdisk -l
(this will list your current partition table, both on local and removable media.)
dmesg
(this will show kernel messages pertaining to hardware. If you plug in a removable device and wait a few seconds, the last few lines will show which device name the kernel assigned to it.)
Once you know what device you want to apply this to you can run the following command on [your device] to create the partition you want to encrypt. I suppose you can also use a graphical utility like gparted, etc. Those tools are outside the scope of this tutorial.
sudo fdisk /dev/[your device]
(i.e. if your device showed up as /dev/sdb you would use: sudo fdisk /dev/sdb)
For removable media make a single primary partition using the entire space of the device (or alter for your needs if you know what you’re doing).
Once you have created the partition you’ll want to “w”rite the change in fdisk. Remember, if you don’t “w”rite the changes none will be applied.
To make sure that your kernel is up to date concerning the newly created / altered partition table you may need to force it to re-read the table (partprobe does this; for a removable device, unplugging and re-inserting it has the same effect). Check with sudo fdisk -l that the new partition (e.g. /dev/sdb1) is visible before going on.
Now we'll get to encrypting this new partition. There are different options you can use here, and I'll outline a few of them, but there really isn't one that is "the best". It depends on your level of security needs and the time you want to spend on it. If you want it done quickly and only need the old contents destroyed you can zero the device. If you are super paranoid and don't mind letting this take some time (hours or days on large disks!) you can fill it from /dev/random. Somewhere in the middle, /dev/urandom is probably fine. Anyone have suggestions on other methods?
We'll write data over the newly created partition before encrypting it. This does two things: it destroys whatever plaintext was on the device before, and (if the data written is random) it makes blocks that later hold ciphertext indistinguishable from blocks that were never used, so an attacker cannot tell how much of the volume is in use or find patterns at the block level. You can use one of the following four commands:
sudo dd if=/dev/zero of=/dev/[your device] bs=4K
(this is the fast option. Zeros destroy the old data, but they do not hide anything about the encrypted volume afterwards: every block still reads as zero until ciphertext is written over it, so the amount of data in use is visible. Fine if erasing the old contents is all you need.)
sudo badblocks -vfw /dev/[your device]
(this option writes four data patterns (0xaa, 0x55, 0xff, 0x00) across the whole device and reads each back to verify it. It is meant to check for bad blocks, but it also wipes any existing data. The positional argument after the device is the last block to test, not the block size; use -b to set a block size matching your device if the default of 1024 bytes is wrong for it. -f forces the test on a device the tool thinks may be in use, so be doubly sure you have the right one.)
sudo dd if=/dev/urandom of=/dev/[your device] bs=4K
(this method is considered pretty secure. /dev/urandom produces cryptographically strong pseudo-random data from the same pool as /dev/random but never blocks waiting for entropy, so it runs at disk speed. This is a very good option in most cases and the one to pick if you want the "unused space looks like ciphertext" property.)
sudo dd if=/dev/random of=/dev/[your device] bs=4K
(this is often described as the most secure, but it will take a very long time: on kernels of this era /dev/random blocks whenever the entropy estimate runs out, so you have to keep generating entropy on the machine. Launch some applications, do some heavy disc I/O, move the mouse erratically, etc. This may take DAYS! For filling a disk there is no practical security benefit over /dev/urandom, so only use this if you have the time and the patience.)
At this point the partition is ready to be encrypted. There are multiple encryption methods, with several options within each. This tutorial uses LUKS with my preferred cipher, key length and hash. You may change these if you know what you're doing. If not, omitting my options will use the compiled-in defaults (they vary by cryptsetup version and mode: ripemd160 is the default hash for plain dm-crypt, while LUKS in cryptsetup of this era defaults to sha1; cryptsetup --help prints the defaults for your build). This command will remind you that all data will be lost (although we already lost everything in Step 4) and ask you to confirm with an uppercase YES. This is also where you'll be prompted for the passphrase that unlocks the encryption.
sudo cryptsetup luksFormat /dev/[your device] -c aes -s 256 -h sha256
(again, everything past [your device] are my preferred options. One caveat: "-c aes" on its own selects aes-cbc-plain, which uses the sector number as the IV and is open to watermarking attacks, where an attacker who can get chosen files onto the disk can later recognise them through the encryption. Spelling the cipher out as -c aes-cbc-essiv:sha256 (or -c aes-xts-plain64 on current kernels) avoids this at no cost.)
If you see an error near this point similar to “Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/[your device] contains at least 258 sectors.” you’ll need to run this command:
sudo modprobe dm-crypt
You may want to have this module automatically loaded at boot time by appending this line to your /etc/modules file:
dm-crypt
Now that we’ve created the encryption basic layout on the partition we need to open the encrypted partition for use.
sudo cryptsetup luksOpen /dev/[your device] name
(name can be whatever you like. I use things like secure or vault or encrypt)
Now that we have the device open and added to the dm (dev mapper) system we can actually create a file system on it and use it. One last command and we’ve got ourselves an encrypted, usable filesystem.
sudo mke2fs -j /dev/mapper/name -L label
(where name was applied above and label is the filesystem label. I generally match the two. This also assumes an ext3 file system. If you know you want a different filesystem type I'm assuming you know the right command.)
If you’ve come this far your device is ready to use. A few additional points that you may be interested in.
First, if this is a local partition and filesystem, such as a /data folder, you may want it mounted automatically at boot time. You can add the new filesystem to your /etc/fstab file to be mounted at boot. Be sure to specify the /dev/mapper/[name] location and not the original partition location. The fstab line alone is not enough, though: nothing would create /dev/mapper/[name] before mount runs. Ubuntu's cryptsetup package reads /etc/crypttab at boot, and an entry there (the mapping name, the partition it lives on, "none" for no key file, and "luks") is what makes the boot process stop at this device and prompt you for the passphrase, halting the boot until one is provided, before the fstab entry is processed. An example of a line in the /etc/fstab is:
/dev/mapper/name /data ext3 defaults 0 0
Second, if you are using this on a removable drive such as a USB key, the Gnome Desktop (someone verify in KDE?) will recognise the LUKS header and prompt you for the passphrase graphically. A message such as "The storage device contains encrypted data. Enter a password to unlock" will appear. You will need the passphrase (as supplied in Step 5) to access this device again. The desktop also lets you "forget immediately", "remember password until you logout" or "remember forever" the passphrase provided. Those options are up to you and your usage; bear in mind that "remember forever" stores the passphrase in your GNOME keyring, so anyone who can unlock your keyring can unlock the device.
Third, if you are following this guide for use on a removable disk you may want to change ownership (chown) on the mounted path and set group id (sgid) on the directory so that your user has full permissions. Considering we ran everything with sudo the mounted path and ownership is probably set to the root user. You can use these two commands to set the permissions:
sudo chown -R user:user /media/[name]
(user:user should, of course, be replaced with your username and group on the system)
sudo chmod g+s /media/[name]
([name] is the mount point that the system auto-mounted the device on. It *should* match whatever you set the label to in step 7.)
There is also an option to create multiple keys to unlock the device. This is helpful if it is a multi-user system and you don’t want to use a shared passphrase. You would add a key to the encrypted device using:
sudo cryptsetup luksAddKey /dev/[your device]
This will prompt you for an existing passphrase and then the new one. The new passphrase has to be entered twice. LUKS has eight key slots, so up to eight different passphrases can unlock the same volume. If you want to remove a passphrase you can use the similar:
sudo cryptsetup luksDelKey /dev/[your device] [slot #]
(the slot number comes from luksDump, below. Newer versions of cryptsetup call this luksKillSlot, or you can use luksRemoveKey and supply the passphrase to remove instead of a slot number. Never delete the last remaining slot: with no key slots left the data is unrecoverable.)
To find out more information about your encrypted partition / device, and to see things such as assigned key slots, you can also use:
sudo cryptsetup status name
sudo cryptsetup luksDump /dev/[your device]
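The whole procedure above, wiping through the boot-time entries, as one script. This is an added example and not code from the original post; the device (/dev/sdb1 by default), the mapping name "vault" and the mount point /data are placeholder assumptions to change for your own system. It adds the checks the post leaves to the reader: it refuses anything that is not a block device, refuses a mounted device, spells out the cipher as aes-cbc-essiv:sha256 instead of aes-cbc-plain, and prints the /etc/crypttab line that has to accompany the /etc/fstab line for a boot-time mount. Nothing touches a disk unless the script is run as root with ENCRYPT_RUN=1 set.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the tutorial's steps in
# functions with safety checks. Assumed placeholder names: /dev/sdb1, "vault",
# /data. Sourcing this file only defines functions; main runs only when the
# caller sets ENCRYPT_RUN=1 and is root.
set -eu

# A typo such as /dev/sbd1 would make dd create a regular file and luksFormat
# happily "format" it; insist on a real block device.
require_block_device() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
}

# Wiping a device that is still mounted somewhere is how the wrong disk gets
# destroyed; look it up in /proc/mounts first.
refuse_if_mounted() {
    if awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null; then
        echo "$1 is mounted; unmount it first" >&2
        return 1
    fi
}

# Step 4: overwrite the partition. "random" (from /dev/urandom) makes unused
# space indistinguishable from ciphertext; "zero" only destroys old data.
# /dev/random is deliberately not offered: it adds nothing here and can take days.
wipe_device() {
    dev=$1; mode=${2:-random}
    case $mode in
        zero)   src=/dev/zero ;;
        random) src=/dev/urandom ;;
        *) echo "unknown wipe mode: $mode" >&2; return 1 ;;
    esac
    # dd runs until the device is full and then exits 1 with "No space left
    # on device"; that is the expected way for a whole-device wipe to finish.
    dd if="$src" of="$dev" bs=4M conv=fsync || true
}

# Steps 5-7: LUKS header (luksFormat asks for an uppercase YES and the
# passphrase), open the mapping, create an ext3 filesystem labelled like it.
# aes-cbc-essiv:sha256 rather than plain "aes": aes-cbc-plain uses predictable
# IVs and is open to watermarking attacks.
luks_setup() {
    dev=$1; name=$2; label=${3:-$2}
    cryptsetup luksFormat "$dev" -c aes-cbc-essiv:sha256 -s 256 -h sha256
    cryptsetup luksOpen "$dev" "$name"
    mke2fs -j -L "$label" "/dev/mapper/$name"
}

# Boot-time entries. fstab alone is not enough: nothing would create
# /dev/mapper/NAME before mount runs. /etc/crypttab is what makes the boot
# process prompt for the passphrase and set the mapping up first. Referencing
# the partition by its LUKS UUID survives the device being renumbered.
crypttab_entry() {   # $1 mapping name, $2 UUID from blkid
    printf '%s UUID=%s none luks\n' "$1" "$2"
}
fstab_entry() {      # $1 mapping name, $2 mount point, $3 fstype (default ext3)
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext3}"
}

main() {
    dev=${1:-/dev/sdb1}; name=${2:-vault}; mnt=${3:-/data}
    require_block_device "$dev"
    refuse_if_mounted "$dev"
    wipe_device "$dev" random
    luks_setup "$dev" "$name"
    uuid=$(blkid -s UUID -o value "$dev")   # UUID of the new LUKS header
    echo "Add to /etc/crypttab:"; crypttab_entry "$name" "$uuid"
    echo "Add to /etc/fstab:";    fstab_entry "$name" "$mnt"
    echo "Then: mkdir -p $mnt && mount $mnt"
}

# Only act when explicitly asked to, and only as root.
if [ "${ENCRYPT_RUN:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    main "$@"
fi
```

Run it as `sudo env ENCRYPT_RUN=1 sh encrypt-volume.sh /dev/sdb1 vault /data` after double-checking the device name with fdisk -l. The passphrase prompts come from cryptsetup itself; the script never stores a passphrase anywhere.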
I would like to expand this soon to include encrypting your entire root filesystem or other variations like bypassing the passphrase but storing the "key" on a USB drive or similar. This way it is similar to a hardware key needed to boot your machine. There are a lot of different ways this could go... until then, I think this has become long enough.