niemueller.de::home niemueller.de
Open Software. Open Knowledge.




 

Fedora 7 (Test 3) with crypto root/swap on x86_64

Introduction

After I got my new Thinkpad T60 I was excited to try out the new Fedora 7, so I did. It works just fine, besides the still unstable iwlwifi driver. After playing around for a while I want to get productive. I have been to several fairs, trade shows and other events lately and there is more and more valuable and personal data on my laptop. So I thought I should encrypt my hard drive. I did so before already with a few external drives, but not with the overall system. Here is the procedure I used. It's still quite hacky these days but no rocket science any more...

All of this is based on the great work presented in [Michael Hampton's HOWTO] and the [mkinitrd patch by Andy Walls et al.].

I reproduce this here in the hope that it is useful for others. I shall not be held responsible though for any damage caused by following this document. I wrote this down after I did this so it may well be that it contains errors!

Prerequesites

  • Computer that supports suspend to disk. If it doesn't work without encryption it's not going to magically work with encryption!
  • Fedora 7 installation media
  • Additional disk space that can hold at least 4 GB, USB drive recommended
  • Additional USB stick to carry utilities for rescue mode
  • A bed
  • Enough coffee

Overview

These steps are necessary to get the desired setup working:
  1. Install Fedora 7
  2. Build and install new mkinitrd with crypto support
  3. Copy data from hard drive to spare drive
  4. Create crypto drives
  5. Copy data back from spare drive to crypto drive
  6. Create new initrd with crypto support
  7. Boot into new encrypted system

Caveats

  • There are smaller issues that I encountered working on the crypto machine. For some reason reboot is broken. The system is torn down but the final reset does not work and has to be done manually. Not a big deal though.
  • The file system has to be relabeled once after the encryption.
  • ksoftirqd sucked up 100% of one of my cores for a few minutes. This went away then. Have not yet found out about it.

Install Fedora

First do a plain install of Fedora 7 on your laptop. You can do this besides an pre-existing installation of an operating system that came with the machine. The GParted LiveCD? is very handy to squeeze down existing partitions, be it NTFS or whatever.

One important thing about the installation is to use the default layout, as I will assume this in this document. Also it seems that the software used here is not fully ready to work with other layouts as well as it does with the default layout. This basically consists of a 100 MB ext3 partition for /boot and another LVM partition which is again split in two pieces, one for swap (VolGroup00/LogVol01?) and one for the root file system (VolGroup00/LogVol00?).

I recommend to use the base installation. If you want to build your own mkinitrd packages you will need to install the software development tools. After installing do a full upgrade of the system to run the newest kernel. I have tested this with 2.6.21-1.3149.fc7, 2.6.21-1.3167.fc7 and 2.6.21-1.3194.fc7 (x86_64).

Installing new mkinitrd

Now it is time to create the new mkinitrd packages. At [RH Bug 124789] you can find the patches. I adapted the [patch for mkinitrd 6.0.9]. You can get the [src rpm] and the [mkinitrd x86_64 rpm], [libbdevid-python rpm] and [nash rpm] to avoid having to recompile them. Rebuild with the patch or install the supplied RPMs.

Preparing for creating the crypto drives

Unfortunately the rescue CD does not come with the tools needed to create and maintain crypto drives, also it does not have the needed kernel modules. So we are going to copy these to our (not encrypted!) USB stick. This may be a FAT filesystem so you don't need to reformat for this. The files needed are:
  • /bin
  • /sbin
  • /lib
In reality you by far do not need all of it, but this is the simplest method to get what you need. Just copy this to your stick (for example to /media/disk).

Creating the crypto drives

Now reboot into the rescue system from the installation media. Make sure that the USB stick is plugged in while you boot to get it enabled automatically. In the rescue system mount the stick for example via
mkdir /mnt/stick
mount /dev/sdb1 /mnt/stick
(assumed that the stick is at sdb1). Add /mnt/stick/bin and /mnt/stick/sbin to your path with export PATH=/mnt/stick/bin:/mnt/stick/sbin:$PATH (assumed that these are the directories where you copied the stuff before).

Mount the root device with
mkdir /mnt/disk1
mount /dev/VolGroup00/LogVol00 /mnt/disk1
Now we get to the spare hard drive. Assumed that it is at sdc do something like
mkdir /mnt/disk2
mount /dev/sdc1 /mnt/disk2
The original document by Michael suggests to create a temporary crypto drive. Since I assume that we just have a base installation this seems unecessary but of course you can do so if you like.

Then copy everything from the original disk to the spare disk with
cp -ax /mnt/disk1/* /mnt/disk2
. Now we unmount the original disk and shread everything and write random junk to the disk. This is needed to hide where encrypted data starts and where it ends to limit the amount of information an attacker has. Do this with
umount /mnt/disk1
shred -v /dev/VolGroup00/LogVol00
Depending on the size of the drive this will take a long time. A good idea is to do this overnight. This will erase all data so make sure

Now create the crypto drives. Do this with
cryptsetup -y -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/VolGroup00/LogVol00
# (enter passphrase twice for root device)
cryptsetup -y -c aes-cbc-essive:sha256 -s 256 luksFormat /dev/VolGroup00/LogVol01
# (enter passphrase twice for swap device, may be different from root device)
After this we create the file systems, mount the drive and copy back the data from the spare drive:
cryptsetup luksOpen /dev/VolGroup00/LogVol00 root
cryptsetup luksOpen /dev/VolGroup00/LogVol01 swap
mke2fs -j -L "/" /dev/mapper/root
mkswap /dev/mapper/swap
mount /dev/mapper/root /mnt/disk1
cp -ax /mnt/disk2/* /mnt/disk1
A SELinux relabeling is needed which can be forced for the next boot with touch /mnt/disk1/.autorelabel. This will cause the relabeling and one reboot after this is finished on the next boot.

Creating the new initrd

Now we need to create the new initial ramdisk with crypto support and prepare the drives. First we chroot to the crypto drive and do some modifications needed.
chroot /mnt/disk1
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount /dev/sda2 /boot
dmsetup mknodes
ln -s /dev/mapper/VolGroup00-LogVol01 /dev/VolGroup00/LogVol01
# change /dev/VolGroup00/LogVol00 to /dev/mapper/root and
# /dev/VolGroup00/LogVol01 to /dev/mapper/swap.
vi /etc/fstab
A small hack is needed to make mkinitrd to add LVM support. For this add the line
vg_list=VolGroup00
at line 1386 just after the lines containing
# FIXME -- this can really go poorly with clvm or duplicate vg names.
# nash should do lvm probing for us and write its own configs.
On newer versions of mkinitrd (so if you upgraded before creating the crypto device or if you use this on the final version of Fedora 7) this is at line 1412.

Then create the initrd with
/sbin/mkinitrd -v -f /boot/initrd-2.6.21-1.3149.fc7.img 2.6.21-1.3149.fc7
Change this accordingly for your kernel version.

Do not change your grub.conf. You might think that you have to change the root parameter to no longer mention the LVM device. This is wrong! Just leave grub.conf.

Boot into the encrypted system

Unmount all drives, remove the bootable rescue media and reboot. You will be asked twice for a password, the first is the password for the swap partition, the second for the root volume. If the machine wakes up from suspend to disk only the swap password is queried. The root device password is then stored in the (encrypted) RAM written to the swap.
    Home     Contents     Search     View other revisions     Recent changes    




Top 5 Pages
Wiki
WebLog
SquidGuard Webmin Module
Mensa WAP
Onager




Palm Software
UniMatrix UniMensa UniSorter
UniChat OHS Mobile Onager


My Bookshelf




Valid XHTML 1.1!

RSS Copyright © 2000-2009 by Tim Niemueller