Here, I'm describing how to set up full disk encryption using dm-crypt combined with logical volumes with Arch Linux. Most people use encryption to avoid physical access to their data by people who aren't explicitly allowed. It makes quite much sense to set up encryption at a notebook in case it's getting lost or stolen - the finder/thief has the hardware but not your data! For this scenario, it is not necessary to have all copies of that data encrypted because you usually keep the copies on a safe place (i.e. if you are using a home server for backups). In the other case, if you explicitly don't want anybody to access your data at any time at any place you have to make sure that all copies of the data are either erased or stored encrypted. Also don't forget: A running system which uses full disk encryption is still vulnerable to network/Internet attacks!
There are two ways of setting up an encrypted disk using LVM:
1. Create the LVM and encrypt every volume separately
2. Set up LVM on top of an encrypted partition
The first method is described in the Arch Wiki
I'll explain the second way (which is even easier):
Step 0: Preparing the hard drive
At the start we have to talk about the hard disk. I know, it is mentioned very often but it's important: BACKUP your data before you execute any of the commands below!
After that we can start. To ensure that all sensible data is erased I'd suggest to overwrite the disk first. There are two options to erase data:
1. Overwrite with zeros
2. Overwrite with random data
In our case the second is the method of choice. This is because we are going to store data on the disk and in most cases the disk won't get full. The main point is here, that someone could see where your encrypted data ends because of the zeros at the end - an ideal starting point for an attack.
The command to overwrite the disk with random data is:
dd if=/dev/urandom of=/dev/HARDDRIVE
This can take quite long depending on the size of your disk. Then we can setup the partitions, where we have to mention that we need at least one boot partition (~150 MB) and a partition for the LVM.
The partitioning can be done with cfdisk. Don't forget to select "Write" before "Quit" and to mark the boot parition as "Bootable".
Now, we are going to set up the encryption and the LVM.
From now on, we call the partition where we want to have the encrypted LVM on /dev/sda2 and the boot partition /dev/sda1.
Step 1: Encryption
To encrypt /dev/sda2 we can use the following commands:
Load the encryption module:
Set up encryption (aes-xts-plain is just a suggestion):
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2
To explain what it does:
-c is for the chiper algorithm (which is lrw)
-y is for typing in passphrase a second time (as confirmation)
-s is the length of the key (whereas in our case (lrw) just 256 are used)
Now we have to access the encrypted volume:
cryptsetup luksOpen /dev/sda2 lvm
Of course, all the steps above work as well with different settings and a different chiper algorithm.
Step 2: LVM
First of all we have to initialize the physical volume (in our case the reference to the encrypted volume) and create a volume group:
lvm pvcreate /dev/mapper/lvm
lvm vgcreate vgroup /dev/mapper/lvm
You can adjust the following commands to your needs but be aware that you need at least a root and a swap partition. The command lvm lvcreate adds logical volumes to the volume group we just created:
Step 3: Installation and configuration of Arch Linux
IMPORTANT: If you changed your keyboard layout by using the "km"-command you have to follow the KEYMAP instructions below. If you are using standard us keyboard layout, you can ignore these instructions!
Start the Arch installer:
-> Prepare Hard Drive -> Set Filesystem Mountpoints
First, you have to choose the mountpoints of / (root) and /swap. The other mountpoints are not mandatory but we already set up partitions for /home, /tmp and /boot. It is important to understand that the boot partition has to be unencrypted, so we choose /dev/sda1 in our case. Then you can install Arch. There is an installation guide in the Arch Wiki.
After install we have to alter several configuration files:
Set USELVM="no" to USELVM="yes"
KEYMAP: Change the KEYMAP field to the same as you chose with command "km". You can find a list of available KEYMAPS at the Arch Wiki. The extension ".map.gz" should be removed.
Alter this line:
HOOKS="base udev autodetect pata scsi sata filesystems"
HOOKS="base udev autodetect pata scsi sata encrypt lvm2 filesystems"
It is important that encrypt is loaded BEFORE lvm2.
KEYMAP: Add keymap BEFORE encrypt:
HOOKS="base udev autodetect pata scsi sata keymap encrypt lvm2 filesystems"
Then, before installing grub you have to change the file /boot/grub/menu.lst at two points:
Add "cryptdevice=/dev/sda2:vgroup" between "root=..." and "ro" in the paragraphs "Arch Linux" and "Arch Linux Fallback"
Then install the bootloader to /dev/sda
- 6th June 2009: Added new screen shots, added the KEYMAP part (thanks to Jean's hint!) and altered the structure.
- 18th September 2012: Changed suggested cipher from aes-lrw to aes-xts (thanks to Stephen).
Verfasst von fensterplatz am Februar 27th, 2009
Abgelegt unter Allgemein, Linux, Technik | Kommentare (47)