The Whole Disk

The Whole Disk

COVER STORY DM-Crypt/ LUKS Workshop: Encrypting hard disks with DM-Crypt and LUKS THE WHOLE DISK Encrypting a home directory is easy. Encrypting your whole hard disk – including the root filesystem – takes a little more effort. BY MICHAEL NERB ncrypting individual filesystems means you’ll need to roll up your shirt is no big deal; in fact, some dis- sleeves for some hands-on configuration. Etributions allow you to encrypt In this workshop, we will start by in- directories as part of the installation rou- stalling a standard Linux system and tine. But encrypting the home directory then progress to encrypting the existing on your laptop is a job half done. Dis- filesystems one at a time. We will finish honest finders can still draw conclusions off by deleting the unprotected partition from log and configuration files. If you’re and using the space for other tasks, such serious about providing security through as swapping out the /home directory to encryption, you need to protect the an encrypted partition of its own. whole hard disk against spying – some- Our goal is to encrypt the entire hard thing that no distribution can do out of disk (with the exception of the partition the box. table in the Master Boot Record). Be- Things start to become more complex cause it isn’t possible to encrypt the boot if you need to protect the root filesystem. partition, we will move /boot to an exter- Neither Suse nor Debian Linux give nal medium – a USB stick, in this case. users a tool to help encrypt the root file- To boot from the stick, we will need to system during the install (or later). That modify the BIOS and GRUB bootloader settings. The USB stick then creates an additional layer of security by serving as a kind of “key” that the thief will need to possess in order to gain access to the laptop. If this approach seems impracti- cal for your purposes, you can keep the boot partition on your hard disk. How- ever, /boot must be on an unen- crypted partition of its own. In this article, we’ll use DM- Crypt [1] for our filesystem en- www.photocase.com cryption. DM-Crypt has been the tool of choice for encrypt- ing filesystems since kernel 32 ISSUE 72 NOVEMBER 2006 DM-Crypt/ LUKS COVER STORY shown in column 2 of one partition and format the partition the table.) (mkfs.ext2 /dev/sda1). Then do: Set up the size and number of partitions to mount /dev/sda1 /mnt match your laptop’s hard cp -ax /boot/* /mnt disk and intended use – dual or multiple boot This copies the /boot directory to the configurations are possi- USB stick. If it does not already exist, ble. Do not create a user give the ln -s . boot command to create a at this phase of the in- symbolic link in the /mnt directory, to stallation; you can do so avoid a hitch with grub-install later on. later on the encrypted Now modify the GRUB bootloader system. configuration on the USB stick: /mnt/ After completing the grub/device.map states how GRUB maps installation, you should BIOS and Linux device names; you need Figure 1: Booting from a USB stick – every BIOS does its own have a working Linux an entry of (hd0) /dev/sda. thing. Our sample BIOS refers to removable drives and a system on /dev/hda4. If Change the entries for the BIOS device generic storage device. you have a kernel ver- names from (hd0,3) to (hd0,0) (this cor- sion older than 2.6.11 responds to /dev/sda1) in the /mnt/ 2.6.4. It uses the device mapper infra- (with Debian Sarge, for example), you grub/menu.lst configuration file: structure [2], and it encrypts block de- will need to update the kernel now. For vices transparently, relying on the ker- the following steps, you also need the title Suse Linux 9.3 (USB-Boot) nel’s Crypto API to do so. Linux Unified cryptsetup-luks configuration tool. kernel (hd0,0)/vmlinuz root=U Key Setup (LUKS) adds some enhance- The “Updates for Debian Sarge” box /dev/hda4 ments, which were discussed in a previ- describes how to update a Sarge system; initrd (hd0,0)/initrd ous issue of Linux Magazine [3]. The for Suse Linux, you just need to add LUKS design is implemented as the cryptsetup-luks. The LUKS homepage at Finally, run grub-install --root-direc- cryptsetup-luks [4] configuration tool. [4] has a prebuilt, statically linked ver- tory=/mnt /dev/sda to install GRUB on As an alternative to a fresh installa- sion that you can copy to /sbin/crypt- the Master Boot Record of your memory tion, you can modify an existing system, setup-luks. stick. If everything works, you can boot assuming you have enough free space on the laptop from the USB stick – to do so, the disk to create a new partition for the Booting from a USB-Stick set the BIOS boot order to boot the com- data you are encrypting. Linux typically detects USB sticks as puter from external boot media first. Don’t worry! After you finish encrypt- SCSI devices and addresses them as the ing, the disk patches and kernel updates SCSI hard disk /dev/sda (unless you Encrypting Partitions should not cause any problems, and have some other SCSI devices). Use fdisk For security reasons, either change to your backup and recovery tools should to create a partition table with at least single user mode, or close any unneces- work like they always did. Secure Data Erasure Preparation Whenever files are deleted by running uses /dev/urandom instead of /dev/zero. The equipment you need for this lab is a rm against the filenames, Linux simply Depending on how paranoid you are, suitable laptop, a USB stick with a ca- removes the inodes for the files from the you can do this between three and 35 pacity of about 64 Mbytes, and your fa- directory. The data stays on the disk and times [5] to be “fairly certain” that you vorite Linux distribution (kernel 2.6.11 can be reconstructed with a little effort. have removed the data. The shred and or newer) – we tested Suse Linux 9.3 / Reformatting with mkfs will not over- wipe [7] tools will help you do so. But 10.0 and Debian Sarge. Check the laptop write the partition. you should be aware that these tools as- BIOS to see if it supports booting from To permanently remove the data, you sume a few basic conditions that may not apply to RAID systems, journaling USB (Figure 1). Use a Live CD to ensure need to actively modify the magnetiza- filesystems (such as ReiserFS or Ext3), or that Linux supports your laptop; you tion of the sectors (in an appropriate way). The simplest way of doing this is certain hard disk drivers and firmware might like to take this opportunity to with a command such as dd if=/dev/zero components that buffer data and per- erase the laptop disk (see the “Secure of=/dev/hda. But just as a regular fall of form multiple write operations at a sin- data erasure” box). snow will not cover the outlines of the gle pass. For the initial install, divide the hard landscape, some residual magnetization To be absolutely safe, you would need to disk into four partitions, as shown in will remain after overwriting a file with destroy the hard disk and dispose of it column 1 of Table 1. This configuration null bytes. An attacker with the right kind somewhere where it will never be found. puts an unencrypted version of the of equipment might be able to recon- But you can save yourself all that trouble Linux system on /dev/hda4. (If you pre- struct the original data. by implementing the mechanisms de- fer not to boot from a USB stick, use the A more time consuming approach, but scribed in this article, and then just for- getting the passwords. alternative partitioning suggestion one that is ultimately far more secure, WWW.LINUX - MAGAZINE.COM ISSUE 72 NOVEMBER 2006 33 COVER STORY DM-Crypt/ LUKS Table 1: Partitioning knows the passphrases, the data stored on swap and /tmp is irretrievably lost, Boot from USB Stick Alternative: Boot from hard disk Content but this is intended. Swap contains – /dev/hda1 Boot partition /boot memory dumps and is reinitialized – /dev/hda2 Extended partition /dev/hda1 /dev/hda5 Encrypted swap partition whenever you boot your computer. /dev/hda2 /dev/hda6 Encrypted filesystem /tmp There are no benefits from keeping swap /dev/hda3 /dev/hda7 Encrypted root filesystem readable, and there are a number of se- /dev/hda4 /dev/hda8 Unencrypted root filesystem curity risks. Every distribution has its (to be deleted later) own approach to handling temporary files. As a rule, programs should not rely sary applications, stop all unnecessary with a filesystem, and mount the filesys- on data in /tmp surviving a reboot. services, and shutdown any user ses- tem. sions. Genuinely Temporary We will be using the Linux system we Warming Up It makes sense to recreate these filesys- just installed to encrypt the partitions on The swap partition and the /tmp direc- tems every time you boot. Debian makes the laptop step by step; the partitions in tory are useful candidates for our first this simple: just set the CRYPTDISKS_ question are /dev/hda1 through /dev/ experiments with cryptsetup-luks: these ENABLE=Yes parameter in /etc/defaults/ hda3. Partition /dev/hda4, which holds filesystems contain temporary data and cryptdisks (if it is not already set), and the root filesystem right now, will not be are no big loss if something goes awry.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us