Hello all, I posted the whole disk encryption instructions in the forum that has been briefly discussed on the list. I joined the list per Ned's post on the thread. http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42 I have a couple of questions about the process of creating a wiki. 1. How does the peer-review process work? 2. Is there a place to place an article being reviewed that can be modified while being reviewed but not necessarily available to the public? The reason that I ask the second question is because the posting in the forum is literally my first draft as I was going through the process. I have found a couple of modifications that need to be made. The changes that I know should be made are: 1. The optional step of adding exclude=mkinitrd to /etc/yum.conf should be "exclude=mkinitrd nash" 2. I switched up my disk device on some instructions to /dev/hda which should be /dev/sda for consistency. 3. I think that the last 2 steps of extending the encrypted partition to the entire disk could be clearer. Thanks. Chris _________________________________________________________________ Get thousands of games on your PC, your mobile phone, and the web with Windows?. http://clk.atdmt.com/MRT/go/108588800/direct/01/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080828/4c887378/attachment-0002.html>
Chris * wrote:> Hello all,Hello Chris!> I have a couple of questions about the process of creating a wiki. > > 1. How does the peer-review process work?You publish it on the wiki and we flame you after that >:) No, you can publish it here while we all look over it or you can begin editing on the wiki and people who are interested in it can review it while you write.> 2. Is there a place to place an article being reviewed that can be > modified while being reviewed but not necessarily available to the > public?You can edit it without it being linked from somewhere. But a search on the wiki will still find unlinked articles.> The reason that I ask the second question is because the posting in > the forum is literally my first draft as I was going through the > process. I have found a couple of modifications that need to be made. > The changes that I know should be made are: > > 1. The optional step of adding exclude=mkinitrd to /etc/yum.conf > should be "exclude=mkinitrd nash" 2. I switched up my disk device on > some instructions to /dev/hda which should be /dev/sda for > consistency. 3. I think that the last 2 steps of extending the > encrypted partition to the entire disk could be clearer.One question: How would your article differ from <http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem>? I haven't read your forum post, yet. Cheers, Ralph -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080828/27ffc7b7/attachment-0002.sig>
The proposed document is below. Hopefully is remains readable.
Chris
Whole (Most) Disk Encryption on CentOS 5
This document is in the process of being developed
Credit To Others
The primary source for this document was
http://www.tummy.com/Community/Articles/cryptoroot-f8/.
It was heavily used but adapted to CentOS5 and with some changes which
simplify and improve the process. Other sources that were used are
http://musialek.org/?p=3 and
http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html.
Summary
This document contains step by step instructions for encrypting the
entire disk including swap space with the exception of the /boot
partition on CentOS 5. It assumes that you are planning to encrypt your
disk from install and that your disk is /dev/sda. This document was
created with with CentOS 5.0 before any patches or updates were
applied. There are some optional components within this document that
are not technically necessary for encrypting the disk. Those components
can be ignored for testing, but they should be followed on any ?real?
systems.
Step One: Prepare the disk
The first step is to prepare the disk. The installer partitioning
software doesn't have the flexibility to be able to do this, so you
will need to switch to the shell and perform the setup manually.
Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command
prompt.
OPTIONAL ? Overwrite and randomize the entire
disk. Use shred or dd to overwrite the disk. The technical merits of
multiple overwrites of shred vs. using /dev/random with dd are beyond
the scope of this document. The default options of shred take a very,
very long time to run. The time to complete on any sizeable disk would
likely be measured in days. This note applies to all statements about
radomizing the disks or partitions in this document.
# shred -v /dev/sda
or
# dd if=/dev/urandom of=/dev/sda
Use fdisk to create the partitions for install. You will
need to create a /boot partition and an LVM partition at the end of the
disk. The gap in between the two partitions will become your encrypted
file-system. This document will refer to the boot partition as
/dev/sda1 and the install partition at the end of the disk as
/dev/sda3. The encrypted partition will become /dev/sda2.
The partition at the end of the disk should be smaller than the
empty space between /boot and your LVM partition so that there is room
for the meta-data associated with the encryption. The LVM partition
really only needs to be large enough to install the system. You will be
able to expand the system volumes if you like after you have a working,
encrypted system.
# fdisk /dev/sda
RedHat documentation recommends 100MB for the boot partition. Over
time, the /boot partition can fill up as a result of updated kernels if
it is not regularly cleaned. Using a larger /boot partition may be
beneficial. /dev/sda1 should be of type 83 (Linux) and should be
bootable. /dev/sda3 should have sufficient space to perform the
installation. The partition type of /dev/sda3 should be 8e (Linux LVM).
When done, it should look something like:
Device Boot Start End Blocks Id System
/dev/sda1 * 1 65 521955 83 Linux
/dev/sda3 20000 30401 83554065 8e Linux LVM
If you are not familiar with the fdisk commands, you can type ???
at the fdisk prompt to see a list of commands. Once you have the disk
partitioned correctly (view the partition table with the ?p? command
within fdisk), remember to write the partition table while exiting with
the ?w? command.
Return to the GUI to complete the installation. Press Ctrl-Alt-F6 to return to
the GUI.
Step Two: Installing the OS
The installation must be done using the graphical installer because
the text installer doesn't allow a custom installation to use LVM.
For the partitioning, select ?Custom?, and tell it to format sda1 as /boot, and
sda3 as an LVM physical partition.
Then use the ?LVM? button to create a volume group, and a logical
volumes within it for the / file-system. Create the swap partition
within LVM to ensure that your swap space is ultimately encrypted as
well. You can create /usr, /var, /tmp, and other volumes within LVM if
you choose. Note that you'll be able to resize the partitions later, so
they don't need to be the desired target space or proportion right now.
Complete the rest of the installation process as normal.
Step Three: Create the encrypted partition
Boot into the installed system and create /dev/sda2 using fdisk. It
needs to be the space between sda1 and sda3, and it should have a
partition type of 83 (Linux) (it does not need to be type 8e, Linux
LVM). Write the partition table and quit fdisk.
Once you have create the partition, use the partprobe command to read new
partition.
# partprobe
If you did not randomize the disk via shred or dd, you should
randomize the partition using dd. This may take a while depending on
the size of the partition.
# dd if=/dev/urandom of=/dev/sda2
You now need to set up encryption.
# cryptsetup --key-size 256 --verbose --verify-passphrase --cipher
aes-cbc-essiv:sha256 luksFormat /dev/sda2
Confirm that you want to destroy all data on the partition and then
provide a pass-phrase. You will need to remember the pass-phrase in
order to access your system.
Open the encrypted file-system to ensure that all is well with the encrypted
partition
# /sbin/cryptsetup luksOpen /dev/sda2 lvm
Enter the pass-phrase for the file-system. Close the file-system with
# /sbin/cryptsetup luksClose lvm
OPTIONAL - Additional pass-phrases can be
added at this point. This is especially useful in enterprise
environments where you would like to have an administrative pass-phrase
should a user forget the pass-phrase or you need to have access after a
user leaves.
# /sbin/cryptsetup luksAddKey /dev/sda2
Enter the existing pass-phrase twice, it will then ask you to
enter a new pass-phrase where you can add the second key. You can
verify that you now have 2 keys by using the luksOpen option with the
cryptsetup command using each password or by using the command
# /sbin/cryptsetup luksDump /dev/sda2
The output will look similar to
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d
MK salt: 2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46
e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d
MK iterations: 10
UUID: ca858575-a412-4d26-bde7-7dfdfd0f6a72
Key Slot 0: ENABLED
Iterations: 51953
Salt: 69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2
4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 52068
Salt: c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74
63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Step Four: Configure mkinitrd for encrypted system
Make a backup copy of /sbin/mkinitrd. Future updates of the
mkinitrd package will overwrite it, but the changes will allow future
kernel updates to properly build an initrd. Modify /sbin/mkinitrd per
the patch below. The patch modifies the MODULES line so that initrd has
the proper modules for encryption, adds cryptsetup to initrd, and
configures initrd to open the encrypted file-system.
>--- /sbin/mkinitrd.before.dm-crypt.20080811 2008-08-11
23:17:04.000000000 -0400
+++ /sbin/mkinitrd 2008-08-14 18:52:31.000000000 -0400
@@ -40,7 +40,7 @@
VERSION=5.1.19.6
PROBE="yes"
-MODULES=""
+MODULES="aes sha256 dm_crypt cbc"
PREMODS=""
DMDEVS=""
NET_LIST=""
@@ -1081,6 +1081,7 @@
fi
inst /sbin/nash "$MNTIMAGE/bin/nash"
inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
+inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
for MODULE in $MODULES; do
@@ -1264,6 +1265,10 @@
# things like RAID or LVM
emit "mkblkdevs"
+# Adding stuff for dm-cyrpted root partition
+emit "echo Decrypting root device"
+emit "cryptsetup luksOpen /dev/sda2 lvm"
+
emitdms
if [ -n "$raiddevices" ]; then
NOTE: If you choose to modify the /sbin/mkinitrd file
manually, the additions for ?cryptsetup luksOpen /dev/sda2 lvm? should
occur after the SECOND occurance of ?emit mkblkdevs?
OPTIONAL ? You can prevent the mkinitrd script from being updated via yum by
modifying /etc/yum.conf to include the line
exclude=mkinitrd nash
Step Five: Build new initrd
You now need to create the new initrd that will allow the system to
boot using the encrypted device. The method used here will allow the
presence of both the encrypted system and the unencrypted system on the
computer. This provides the opportunity to ensure that the encrypted
system is working properly and to boot into the unencrypted system
should any modifications be needed.
# mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5
Step Six: Copy the LVM to the encrypted partition
Make sure that any modifications to the system configurations such
as the modified mkinitrd or the modified yum.conf are done before
performing this step. Although those things can be duplicated on the
encrypted system, it is easier if they don't need to be repeated.
Reboot the system into single user mode.
Open the encrypted file-system
# /sbin/cryptsetup luksOpen /dev/sda2 lvm
Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted
sda2.
# dd if=/dev/sda3 of=/dev/mapper/lvm
When it's done, close the encrypted partition with:
# /sbin/cryptsetup luksClose lvm
Step Seven: Modify grub.conf to boot the encrypted system
Add the following lines to the end of /boot/grub/grub.conf. This can be done
while still in single user mode.
title CentOS Encrypted System (2.6.18-8.el5)
root (hd0,0)
kernel /vimlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-8.el5.crypt.img
NOTE: To make the encrypted system the default system, make the above lines the
first block listed in grub.conf
Step Eight: Extend encryption to the entire disk
NOTE: The /boot partition will not be encrypted, however the rest of the disk
will be.
Once the encrypted system is confirmed to be working correctly,
remove the unencrypted system. Randomize /dev/hda3 by using either
shred or dd. Once this step is performed, there is no turning back.
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system.
# shred -v /dev/sda3
or
# dd if=/dev/urandom of=/dev/sda3
Use the fdisk command to resize sda2 to fill the entire disk.
# fdisk /dev/sda
Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new
/dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the
defaults should be sufficient.
Write the changes to the partition table. Use partprobe to detect changes to the
partition table.
# partprobe
Step Nine: Resize the file-systems
First, resize the crypto device.
# cryptsetup resize lvm
Next, resize the physical volume in the volume group:
# pvresize ?-setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
In order to resize the LVM volumes to use the entire disk, a reboot is
required.
NOTE to testers This seems strange to me and seems to
defeat one of the primary strengths of using LVM, but I was unable to
extend the logical volumes beyond the original number of physical
extents until after a reboot. I will do some more with this to see if
it can be done without the reboot.
Extend the logical volumes of the system with lvextend. man lvextend for more
information on the command.
# lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
Resize each of the file-systems with:
# resize2fs /dev/VolGroup00/LogVol00
Replace VolGroup00 and LogVol00 with the correct volume group names and logical
volume names for each volume on the system.
Finishing Up
Have a beer.
Interesting and Related Information
NOTE to peer-reviewers: The idea of this section
was to have links to additional information such as why someone should
randomize the entire disk,additional information related to the whole
Gutmann method situation, NIST 800-88 publication, etc.
From: ixeous at hotmail.com
To: centos-docs at centos.org
Date: Thu, 28 Aug 2008 09:53:26 -0400
Subject: [CentOS-docs] potential wiki on encryption
Hello all,
I posted the whole disk encryption instructions in the forum that has been
briefly discussed on the list. I joined the list per Ned's post on the
thread.
http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42
I have a couple of questions about the process of creating a wiki.
1. How does the peer-review process work?
2. Is there a place to place an article being reviewed that can be modified
while being reviewed but not necessarily available to the public?
The reason that I ask the second question is because the posting in the forum is
literally my first draft as I was going through the process. I have found a
couple of modifications that need to be made. The changes that I know should be
made are:
1. The optional step of adding exclude=mkinitrd to /etc/yum.conf should be
"exclude=mkinitrd nash"
2. I switched up my disk device on some instructions to /dev/hda which should
be /dev/sda for consistency.
3. I think that the last 2 steps of extending the encrypted partition to the
entire disk could be clearer.
Thanks.
Chris
Get thousands of games on your PC, your mobile phone, and the web with Windows?.
Game with Windows
_________________________________________________________________
See what people are saying about Windows Live. Check out featured posts.
http://www.windowslive.com/connect?ocid=TXT_TAGLM_WL_connect2_082008
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos-docs/attachments/20080829/f998f7f9/attachment-0002.html>
This is a newer version of the proposed whole disk encryption HowTo. I have
added a section that attempts to combine the information in
http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem. All information has
not been incorporated, but I tried to keep the instructions for having non-root
partitions consistent with the steps and methods outlined earlier in the
document. I think that this does allow for additional encrypted partitions as
described in the TipsAndTricks document.
Here's the latest version.
Whole (Most) Disk Encryption on CentOS 5
This document is in the process of being developed
Credit To Others
The primary source for this document was
http://www.tummy.com/Community/Articles/cryptoroot-f8/.
It was heavily used but adapted to CentOS5 and with some changes which
simplify and improve the process. Other sources that were used are
http://musialek.org/?p=3 and
http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html.
Summary
This document contains step by step instructions for encrypting the
entire disk including swap space with the exception of the /boot
partition on CentOS 5. It assumes that you are planning to encrypt your
disk from install and that your disk is /dev/sda. This document was
created with with CentOS 5.0 before any patches or updates were
applied. There are some optional components within this document that
are not technically necessary for encrypting the disk. Those components
can be ignored for testing, but they should be followed on any ?real?
systems.
The end of the document contains optional configurations. This is
useful if you prefer to have additional partitions on the disk. The
step by step instructions will leave a disk with two partitions, /boot
(/dev/sda1) and an LVM (/dev/sda2) partition which contains all system
volumes. The optional section will contain the differences needed to
have an additional partition (/dev/sda3) which may be used as a data
store, NFS share, etc.
Step One: Prepare the disk
The first step is to prepare the disk. The installer partitioning
software doesn't have the flexibility to be able to do this, so you
will need to switch to the shell and perform the setup manually.
Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command
prompt.
OPTIONAL ? Overwrite and randomize the entire
disk. Use shred or dd to overwrite the disk. The technical merits of
multiple overwrites of shred vs. using /dev/random with dd are beyond
the scope of this document. The default options of shred take a very,
very long time to run. The time to complete on any sizeable disk would
likely be measured in days. This note applies to all statements about
radomizing the disks or partitions in this document.
# shred -v /dev/sda
or
# dd if=/dev/urandom of=/dev/sda
Use fdisk to create the partitions for install. You will
need to create a /boot partition and an LVM partition at the end of the
disk. The gap in between the two partitions will become your encrypted
file-system. This document will refer to the boot partition as
/dev/sda1 and the install partition at the end of the disk as
/dev/sda3. The encrypted partition will become /dev/sda2.
The partition at the end of the disk should be smaller than the
empty space between /boot and your LVM partition so that there is room
for the meta-data associated with the encryption. The LVM partition
really only needs to be large enough to install the system. You will be
able to expand the system volumes if you like after you have a working,
encrypted system.
# fdisk /dev/sda
RedHat documentation recommends 100MB for the boot partition. Over
time, the /boot partition can fill up as a result of updated kernels if
it is not regularly cleaned. Using a larger /boot partition may be
beneficial. /dev/sda1 should be of type 83 (Linux) and should be
bootable. /dev/sda3 should have sufficient space to perform the
installation. The partition type of /dev/sda3 should be 8e (Linux LVM).
When done, it should look something like:
Device Boot Start End Blocks Id System
/dev/sda1 * 1 65 521955 83 Linux
/dev/sda3 20000 30401 83554065 8e Linux LVM
If you are not familiar with the fdisk commands, you can type ???
at the fdisk prompt to see a list of commands. Once you have the disk
partitioned correctly (view the partition table with the ?p? command
within fdisk), remember to write the partition table while exiting with
the ?w? command.
Return to the GUI to complete the installation. Press Ctrl-Alt-F6 to return to
the GUI.
Step Two: Installing the OS
The installation must be done using the graphical installer because
the text installer doesn't allow a custom installation to use LVM.
For the partitioning, select ?Custom?, and tell it to format sda1 as /boot, and
sda3 as an LVM physical partition.
Then use the ?LVM? button to create a volume group, and a logical
volumes within it for the / file-system. Create the swap partition
within LVM to ensure that your swap space is ultimately encrypted as
well. You can create /usr, /var, /tmp, and other volumes within LVM if
you choose. Note that you'll be able to resize the partitions later, so
they don't need to be the desired target space or proportion right now.
Complete the rest of the installation process as normal.
Step Three: Create the encrypted partition
Boot into the installed system and create /dev/sda2 using fdisk. It
needs to be the space between sda1 and sda3, and it should have a
partition type of 83 (Linux) (it does not need to be type 8e, Linux
LVM). Write the partition table and quit fdisk.
Once you have create the partition, use the partprobe command to read new
partition.
# partprobe
If you did not randomize the disk via shred or dd, you should
randomize the partition using dd. This may take a while depending on
the size of the partition.
# dd if=/dev/urandom of=/dev/sda2
You now need to set up encryption.
# cryptsetup --key-size 256 --verbose --verify-passphrase --cipher
aes-cbc-essiv:sha256 luksFormat /dev/sda2
Confirm that you want to destroy all data on the partition and then
provide a pass-phrase. You will need to remember the pass-phrase in
order to access your system.
Open the encrypted file-system to ensure that all is well with the encrypted
partition
# /sbin/cryptsetup luksOpen /dev/sda2 lvm
Enter the pass-phrase for the file-system. Close the file-system with
# /sbin/cryptsetup luksClose lvm
OPTIONAL - Additional pass-phrases can be
added at this point. This is especially useful in enterprise
environments where you would like to have an administrative pass-phrase
should a user forget the pass-phrase or you need to have access after a
user leaves.
# /sbin/cryptsetup luksAddKey /dev/sda2
Enter the existing pass-phrase twice, it will then ask you to
enter a new pass-phrase where you can add the second key. You can
verify that you now have 2 keys by using the luksOpen option with the
cryptsetup command using each password or by using the command
# /sbin/cryptsetup luksDump /dev/sda2
The output will look similar to
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d
MK salt: 2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46
e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d
MK iterations: 10
UUID: ca858575-a412-4d26-bde7-7dfdfd0f6a72
Key Slot 0: ENABLED
Iterations: 51953
Salt: 69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2
4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 52068
Salt: c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74
63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Step Four: Configure mkinitrd for encrypted system
Make a backup copy of /sbin/mkinitrd. Future updates of the
mkinitrd package will overwrite it, but the changes will allow future
kernel updates to properly build an initrd. Modify /sbin/mkinitrd per
the patch below. The patch modifies the MODULES line so that initrd has
the proper modules for encryption, adds cryptsetup to initrd, and
configures initrd to open the encrypted file-system.
>--- /sbin/mkinitrd.before.dm-crypt.20080811 2008-08-11
23:17:04.000000000 -0400
+++ /sbin/mkinitrd 2008-08-14 18:52:31.000000000 -0400
@@ -40,7 +40,7 @@
VERSION=5.1.19.6
PROBE="yes"
-MODULES=""
+MODULES="aes sha256 dm_crypt cbc"
PREMODS=""
DMDEVS=""
NET_LIST=""
@@ -1081,6 +1081,7 @@
fi
inst /sbin/nash "$MNTIMAGE/bin/nash"
inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
+inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
for MODULE in $MODULES; do
@@ -1264,6 +1265,10 @@
# things like RAID or LVM
emit "mkblkdevs"
+# Adding stuff for dm-cyrpted root partition
+emit "echo Decrypting root device"
+emit "cryptsetup luksOpen /dev/sda2 lvm"
+
emitdms
if [ -n "$raiddevices" ]; then
NOTE: If you choose to modify the /sbin/mkinitrd file
manually, the additions for ?cryptsetup luksOpen /dev/sda2 lvm? should
occur after the SECOND occurance of ?emit mkblkdevs?
OPTIONAL ? You can prevent the mkinitrd script from being updated via yum by
modifying /etc/yum.conf to include the line
exclude=mkinitrd nash
Step Five: Build new initrd
You now need to create the new initrd that will allow the system to
boot using the encrypted device. The method used here will allow the
presence of both the encrypted system and the unencrypted system on the
computer. This provides the opportunity to ensure that the encrypted
system is working properly and to boot into the unencrypted system
should any modifications be needed.
# mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5
Step Six: Copy the LVM to the encrypted partition
Make sure that any modifications to the system configurations such
as the modified mkinitrd or the modified yum.conf are done before
performing this step. Although those things can be duplicated on the
encrypted system, it is easier if they don't need to be repeated.
Reboot the system into single user mode.
Open the encrypted file-system
# /sbin/cryptsetup luksOpen /dev/sda2 lvm
Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted
sda2.
# dd if=/dev/sda3 of=/dev/mapper/lvm
When it's done, close the encrypted partition with:
# /sbin/cryptsetup luksClose lvm
Step Seven: Modify grub.conf to boot the encrypted system
Add the following lines to the end of /boot/grub/grub.conf. This can be done
while still in single user mode.
title CentOS Encrypted System (2.6.18-8.el5)
root (hd0,0)
kernel /vimlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-8.el5.crypt.img
NOTE: To make the encrypted system the default system, make the above lines the
first block listed in grub.conf
Step Eight: Extend encryption to the entire disk
NOTE: The /boot partition will not be encrypted, however the rest of the disk
will be.
Once the encrypted system is confirmed to be working correctly,
remove the unencrypted system. Randomize /dev/hda3 by using either
shred or dd. Once this step is performed, there is no turning back.
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system.
# shred -v /dev/sda3
or
# dd if=/dev/urandom of=/dev/sda3
Use the fdisk command to resize sda2 to fill the entire disk.
# fdisk /dev/sda
Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new
/dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the
defaults should be sufficient.
Write the changes to the partition table. Use partprobe to detect changes to the
partition table.
# partprobe
Step Nine: Resize the file-systems
First, resize the crypto device.
# cryptsetup resize lvm
Next, resize the physical volume in the volume group:
# pvresize ?-setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
In order to resize the LVM volumes to use the entire disk, a reboot is
required.
NOTE to testers This seems strange to me and seems to
defeat one of the primary strengths of using LVM, but I was unable to
extend the logical volumes beyond the original number of physical
extents until after a reboot. I will do some more with this to see if
it can be done without the reboot.
Extend the logical volumes of the system with lvextend. man lvextend for more
information on the command.
# lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
Resize each of the file-systems with:
# resize2fs /dev/VolGroup00/LogVol00
Replace VolGroup00 and LogVol00 with the correct volume group names and logical
volume names for each volume on the system.
Optional Configurations
A: Encrypting Additional Partitions
A.1: Create the encrypted system
This step is optional. If the goal is to have the entire system
encrypted, follow steps 1-7 above. The only difference is that when
creating /dev/sda2 in fdisk, only make it as large as you want your
system volumes to use. If /dev/sda2 is larger than /dev/sda3 and you
wish to change the volume sizes for the system volumes, follow step 9
from above.
A.2: Create partition
Because /dev/sda3 as used for install only needed to be large enough
to perform the installation, the partition should now be enlarged to
the desired size.
Randomize /dev/hda3 by using either shred or dd. Once this step is performed,
there is no turning back.
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system.
# shred -v /dev/sda3
or
# dd if=/dev/urandom of=/dev/sda3
Use the fdisk command to resize sda3.
# fdisk /dev/sda
Within fdisk, delete /dev/sda3. Create a new /dev/sda3 that follows
/dev/sda2 and is of the desired size. If /dev/sda3 is intended to fill
the remainder of the disk, the defaults should be sufficient.
Write the changes to the partition table. Use partprobe to detect changes to the
partition table.
# partprobe
A.3: Create the file system
Create the new file system on /dev/sda3
# mkfs -t ext3 /dev/sda3
A.4: Encrypt the file system
This step is essentially the same as step 3 above. The difference
being the device encrypted and a different mapper device name should be
used.
# cryptsetup --key-size 256 --verbose --verify-passphrase --cipher
aes-cbc-essiv:sha256 luksFormat /dev/sda3
# /sbin/cryptsetup luksOpen /dev/sda3 myencryptedpartition
# /sbin/cryptsetup luksClose myencryptedpartition
OPTIONAL - Add additional pass-phrases. A
key file can be used to prevent the need for typing in a pass-phrase
every time the file-system is mounted.
# /sbin/cryptsetup luksAddKey /dev/sda3
or
# /sbin/cryptsetup luksAddKey /dev/sda3 /path/and/keyfile
A.5: Configure encrypted partitions to mount at boot
This step simplifies the use of an encrypted file system. It will allow
the encrypted file system to be treated as any non-encrypted system.
The file /etc/crypttab will automate the luksOpen commands that were
used earlier. The format of the /etc/crypttab is
mappingname devicename password_file_path options
Not all fields are needed. Most of the possible options for the
options field are ignored for LUKS volumes, because LUKS volumes have
all the necessary information about the cipher, key size, and hash in
the volume header. Also, if the password_file_path field is empty or
has the value ?none?, the system will prompt for the pass-phrase when
mounting the file system.
Create /etc/crypttab
myencryptedpartition /dev/sda3 /path/and/keyfile
or
myencryptedpartition /dev/sda3 none
It is usually a bad idea to store the pass-phrase in a plain text
file, however, an encrypted root partition does alleviate some of the
concern. Under no circumstances should a pass-phrase be stored on an
unencrypted partition such as /boot.
Modify /etc/fstab to add the line
/dev/mapper/myencryptedparition /myFileSystem ext3 defaults
1 2
The encrypted partition is now configured to mount at boot.
From: ixeous at hotmail.com
To: centos-docs at centos.org
Date: Thu, 28 Aug 2008 09:53:26 -0400
Subject: [CentOS-docs] potential wiki on encryption
Hello all,
I posted the whole disk encryption instructions in the forum that has been
briefly discussed on the list. I joined the list per Ned's post on the
thread.
http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42
I have a couple of questions about the process of creating a wiki.
1. How does the peer-review process work?
2. Is there a place to place an article being reviewed that can be modified
while being reviewed but not necessarily available to the public?
The reason that I ask the second question is because the posting in the forum is
literally my first draft as I was going through the process. I have found a
couple of modifications that need to be made. The changes that I know should be
made are:
1. The optional step of adding exclude=mkinitrd to /etc/yum.conf should be
"exclude=mkinitrd nash"
2. I switched up my disk device on some instructions to /dev/hda which should
be /dev/sda for consistency.
3. I think that the last 2 steps of extending the encrypted partition to the
entire disk could be clearer.
Thanks.
Chris
Get thousands of games on your PC, your mobile phone, and the web with Windows?.
Game with Windows
_________________________________________________________________
See how Windows Mobile brings your life together?at home, work, or on the go.
http://clk.atdmt.com/MRT/go/msnnkwxp1020093182mrt/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos-docs/attachments/20080904/3aa5f6b0/attachment-0004.html>