
Encrypted Root openSuSE 10.3 howto

A PDF version of my encryption guides (with referenced links for convenience etc.), which you may find much easier to read, is available here.

Overview

This howto is for people using openSuSE 10.3. This can (I hope) be easily adapted for other Linux system users.

The final system

Once finished the user will have:

Will my system be fully secure?

When switched off or not logged in, then yes. However, you will still be vulnerable to viruses, trojans, rootkits, internet hackers etc. whilst the system is running, so you should still install all the usual software (virus checker etc.) and take all the usual precautions that you would for an unencrypted system.

Getting started

As it is likely that the system you are reading this on is the one you want to work on it's best to download all the required software now whilst the system is still working. Also print off a paper copy of this howto.

You will need a copy of openSuSE 10.3 on CD or DVD. That's all :-)

Checking the downloads

The openSuSE 10.3 CD and DVD images come with a media checking utility. Boot the system from the DVD or CD number 1 and select install from the first menu. Once the system is up (there will be a few more questions) there is a screen that you can use to check each CD/ DVD for errors (which often occur during download). If there are any don't install until you have a good copy.

Burn all the software and any personal files you want to keep to CD (or place on any other generic medium).

Make sure you have saved everything you want to keep; once the next step has been completed it will be very difficult to ever recover your data.

Wiping all data from the HDD

As everyone knows, data on a hard drive isn't deleted until it is overwritten.

Even if you have an encrypted file system now it may be possible to look past that at what used to be on the drive, so if there is anything currently on your system that you want kept secure it's time to overwrite the whole hard disk.

Boot openSuSE and from the first set of options select 'Rescue System'.

Once the system has loaded you will have to log in. The username is 'root' (as in the superuser account); there is no password.

Once in you will have to determine what the name of the HDD is. Normally it is called /dev/hda (IDE) or /dev/sda (SATA/SCSI). If you don't know, make sure all USB etc. drives are unplugged (to avoid confusing output) and run the following command:

Rescue:~# fdisk -l

A printout of the result will look something like this:

Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x31c492b4

Device		Boot	Start	End	Blocks		Id	System
/dev/sda1	*	1	9729	80026361	7	HPFS/NTFS

In the above example the name of the main hard disk is /dev/sda (/dev/sda1 is a Windows partition on the disk). You are now going to overwrite the entire hard disk with zeros. This form of data deletion won't beat the CIA but will defeat most data thieves, and besides you are going to be doing more to erase your data as you go through. Make sure you have performed a full backup before executing the next command:

Rescue:~# dd if=/dev/zero of=/dev/sda bs=4096

The option bs=4096 sets the block size for the overwrite. By setting this to an optimal size for your system you can speed up the erase, but if you don't know what you are doing then it's best to leave it at 4096; this size works for most modern systems.

The erase will probably take an hour or more for an 80 GB drive, and will destroy not only all data but the partition table too.
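Two checks worth wrapping around that dd command: confirm nothing on the target disk is mounted or in use as swap before the wipe, and confirm afterwards that only zeros remain. This is an added example, not part of the original howto; the function names and the sample /proc contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original howto: checks to run around the dd wipe.

# partitions_in_use DISK [MOUNTS_FILE] [SWAPS_FILE]
# Prints each device node on DISK (e.g. /dev/sda, /dev/sda1) that is mounted or
# active as swap. The file arguments default to the live /proc files; they are
# parameters so the check can be run on captured or constructed input.
# Limitation: device-mapper volumes stacked on DISK show up as /dev/mapper/*
# and are not matched here.
partitions_in_use() {
    disk=$1
    mounts=${2:-/proc/mounts}
    swaps=${3:-/proc/swaps}
    {
        awk '{ print $1 }' "$mounts"
        awk 'NR > 1 { print $1 }' "$swaps"    # line 1 of /proc/swaps is a header
    } | awk -v d="$disk" 'index($0, d) == 1' | sort -u
}

# safe_to_wipe DISK [MOUNTS_FILE] [SWAPS_FILE]
# Succeeds only when nothing on DISK is mounted or swapped on.
safe_to_wipe() {
    [ -z "$(partitions_in_use "$@")" ]
}

# is_zero_filled PATH [BYTES]
# Succeeds if PATH (or only its first BYTES bytes) contains nothing but 0x00.
# Every NUL byte is deleted and whatever is left over is counted.
is_zero_filled() {
    if [ -n "${2:-}" ]; then
        nonzero=$(head -c "$2" "$1" | tr -d '\000' | wc -c)
    else
        nonzero=$(tr -d '\000' < "$1" | wc -c)
    fi
    [ "$((nonzero))" -eq 0 ]
}

# Constructed sample input: /proc/mounts and /proc/swaps as they might look on
# a running system where partitions of /dev/sda are still in use.
write_sample_proc_files() {
    printf '%s\n' \
        'rootfs / rootfs rw 0 0' \
        '/dev/sda1 /mnt/windows ntfs ro 0 0' \
        '/dev/sdb1 /media/usb vfat rw 0 0' > "$1"
    printf '%s\n' \
        'Filename                Type            Size    Used    Priority' \
        '/dev/sda2               partition       2096472 0       -1' > "$2"
}

# Demonstration on the constructed data and on two small image files.
demo_wipe_checks() {
    tmp=$(mktemp -d) || return 1
    write_sample_proc_files "$tmp/mounts" "$tmp/swaps"
    if safe_to_wipe /dev/sda "$tmp/mounts" "$tmp/swaps"; then
        echo "/dev/sda: nothing in use, OK to wipe"
    else
        echo "/dev/sda: refusing to wipe, still in use:"
        partitions_in_use /dev/sda "$tmp/mounts" "$tmp/swaps"
    fi
    head -c 8192 /dev/zero > "$tmp/wiped.img"
    { head -c 4096 /dev/zero; printf 'leftover'; } > "$tmp/partial.img"
    for img in wiped.img partial.img; do
        if is_zero_filled "$tmp/$img"; then echo "$img: all zeros"
        else echo "$img: non-zero data remains"; fi
    done
    rm -rf "$tmp"
}

demo_wipe_checks
```

On the rescue system, call `safe_to_wipe /dev/sda` with no file arguments before the dd and `is_zero_filled /dev/sda` afterwards. The second call reads the whole disk, so pass a byte count for a quick spot check of the start of the drive.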

Installing openSuSE 10.3/ Linux

Boot the machine with the openSuSE DVD/ CDROM. Follow the default install until you get to the system configuration screen. This is the screen which will show you a summary of the system to be installed, such as software and partitioning.

Partitioning

First you change the partitioning. As the HDD is a large chunk of free space openSuSE will have determined optimal partition sizes. Sadly you want none of these, but before you delete them make a note of the swap partition size; you will want to remember it.

Once all the default partitions have been deleted you must first create a boot partition (so set the mount point to '/boot'). This should be 75MB as you may want to have more than one kernel and initrd.

Next you create the swap partition, size as remembered above, followed by what will eventually become the root partition. My partition is 8GB and Ext3, set the mount point to nothing.

The remaining space on the disk will be for documents. For now you will install Linux there (so set the mount point to '/') but you will move that to the new root partition later.

Install the root file system ('/') on one of them and leave the mount point of the other one blank. It doesn't matter at this time what file system you format this as it will be overwritten by Truecrypt, however whatever it is will be the final file system of the installation (as we will create a file system within the encrypted devices). On our example system my partition table now looks like this:

Device      Size   Type      Filesystem        What is it?
/dev/sda1   70GB   Extended  W95 Ext'd (LBA)   Extended Partition
/dev/sda5   75MB   Extended  Ext3              /boot
/dev/sda6   2GB    Extended  swap              swap
/dev/sda7   10GB   Extended  Ext3              Future root
/dev/sda8   58GB   Extended  Ext3              Root ('/')

Software

You should now add some additional packages during installation. Select the dropdown to change software, in the screen which appears click on 'Details' (near the bottom of the screen) and on the next screen which appears select 'Search' from the dropdown near the top.

Now search for and select the following packages:

Package          Why
kernel-source    Needed to build truecrypt module
kernel-syms      Needed to build truecrypt module
cryptconfig      Needed for encrypted root FS
cryptsetup       Needed for encrypted root FS
libgcrypt        Needed for encrypted root FS
libxcrypt        Needed for encrypted root FS
gcc              Needed to build truecrypt module
make             Needed to build truecrypt module
e2fsprogs        Needed for encrypted root FS
e2fsprogs-devel  Needed for encrypted root FS
kinternet        Added for convenience, otherwise it will ask to install later

Accept any packages added in support of the above and any licence agreements and return to the summary screen.

It is now ok to run the installation.

Update

Do not run update during installation as a new kernel is already out and this will make the install fail. Wait until the system is running.

Root password and user accounts

Whatever else you do during installation, make sure that when you set the root password (and you should) you don't use the password you will want to use for the encrypted filesystems.

At this time do not add any user accounts, and ignore the warning that this will only be an empty login server (or whatever that warning said).

Once the installation has finished log in as the root user.

Randomising the root partition

Once you are logged in as the root user on your new system you should start the process of moving root to its new encrypted partition.

However first run YaST, get the system hooked up to the internet, add an Online Update source and run an online update. This will install a new kernel and some security updates (in fact the longer after openSuSE 10.3 came out you read this the more updates there will be).

The newer kernels for openSuSE 10.3 implement (or seem to implement) the use of mkinitrd in a slightly different way to the default installation, and doing this update skips a chapter I would've had to otherwise write.

Once the update is complete reboot and log in again as root.

The first thing you are going to do is overwrite the soon to be root partition with random data. This will help to erase anything that you once had on the disk that wasn't removed earlier, and help hide the encrypted data that the root partition will soon contain.

As can be seen in the earlier example system the new root partition will be /dev/sda7 so you run the command (from a terminal or terminal emulator):

tin-man:~# dd if=/dev/urandom of=/dev/sda7 bs=4096

This will overwrite the whole of the new root with data from urandom, a device in the Linux system which generates random data by combining random number generators with information on disk timings and mouse movements. It runs pretty slowly and for a 10GB drive will take several hours to finish. By making the block size (bs=4096) larger you haven't made the process run faster (unlike with /dev/zero earlier), but you have reduced the overhead on the system as it writes to disk less often, and so you will be able to do other things whilst this runs.

If you want you can move ahead whilst this runs and do the next step, but as that (the next step) will only take a few minutes maybe you should just get a cup of tea.

Setting up the bootloader - Grub

Whilst the system is busy writing random data to the new root partition you can be setting up Grub (or enjoying that tea).

Using the file manager as root go to /boot/grub; inside the directory you will find a file called 'menu.lst'.

Open this with your favourite text editor and add a new entry (modified for your system); an example file can be found here.

Save the file and close the text editor.

Encrypting and formatting root

Once the random data has been written to the new root you need to create an encrypted file system. Run the following command:

tin-man:~# cryptsetup -v --key-size 256 luksFormat /dev/sda7

And follow the instructions. Remember to use a different password from your usual user account login.

Next you need to open the new partition, run:

tin-man:~# cryptsetup luksOpen /dev/sda7 root

And enter your password.

Finally you need to format the partition. I use Ext3 here, but you should use whatever the original root system was installed on (the default openSuSE 10.3 filesystem is Ext3).

tin-man:~# /sbin/mkfs.ext3 -j /dev/mapper/root

Making a crypttab file

When the system boots the encrypted file system software looks for a file listing encrypted systems and what they should be booted as. This file is called crypttab and is found in /etc, e.g.:

/etc/crypttab

See here for an example crypttab file; you will need to save this file as root, named 'crypttab' (no extension, read/write permissions), edit it to match your system and place it in /etc.

Moving the root Filesystem

Once the new root partition has been created you need to copy over the current root file system.

First mount the partition.

tin-man:~# mount /dev/mapper/root /mnt

If the directory /mnt does not exist make one using file manager.

Within /mnt make the directories 'media', 'proc', 'boot' and 'sys'. These are system directories that you don't need to copy over; they are set up as the system is running.

Now you copy the rest of the root partition:

tin-man:~# cd /
tin-man:/# find bin dev etc home lib* opt root sbin srv tmp usr var -depth -print0 | cpio -pmd --null /mnt

Mount options: fstab

The fstab, which is the file the running system uses to determine where and if to mount partitions, needs to be altered for the new encrypted root system.

Go to /mnt/etc (the /etc within the soon to be new root filesystem) and open the file 'fstab' with your favourite text editor.

Click here for an example fstab. For the new system you only need to alter one line: the line for the root filesystem.

The initial Ram Disk - Initrd

The Linux system uses an initial ram disk (initrd) to boot the system, containing any modules and software that the kernel will need prior to mounting the root directory. In order to mount an encrypted root filesystem a few tools must be added to the initrd.

With the introduction of openSuSE 10.3 the system will run almost out of the box with the standard kernel and software.

Run the following command:

tin-man:~# mkinitrd -d /dev/mapper/root

Which tells mkinitrd to make a new initrd based on the root system on /dev/mapper/root.

Once done you should be able to reboot the system.
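Before that reboot it is worth confirming that crypttab, the new fstab and the Grub entry all name the same mapped device, since a mismatch in any one of them stops the encrypted root from booting. The script below is an added example, not part of the original howto or its linked files; the function names, the sample file contents and the four-column crypttab layout (name, device, key file, options) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto: cross-check the three files that
# must agree before the first boot from the encrypted root.

# crypttab_device NAME CRYPTTAB: print the backing device of mapping NAME.
crypttab_device() {
    awk -v n="$1" '$1 !~ /^#/ && $1 == n { print $2 }' "$2"
}

# fstab_root_device FSTAB: print the device that fstab mounts on "/".
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1"
}

# grub_entry_root MENU_LST TITLE: print the root= kernel argument of the
# GRUB (legacy) entry whose title line is exactly TITLE.
grub_entry_root() {
    awk -v t="$2" '
        $1 == "title"  { sub(/^[ \t]*title[ \t]+/, ""); cur = $0; next }
        $1 == "kernel" && cur == t {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^root=/) print substr($i, 6)
        }' "$1"
}

# check_boot_chain NAME CRYPTTAB FSTAB MENU_LST TITLE
# Prints one line per mismatch; succeeds only if all three files agree that
# the root filesystem is /dev/mapper/NAME.
check_boot_chain() {
    want=/dev/mapper/$1
    rc=0
    dev=$(crypttab_device "$1" "$2")
    fsroot=$(fstab_root_device "$3")
    kroot=$(grub_entry_root "$4" "$5")
    [ -n "$dev" ]           || { echo "crypttab: no mapping named '$1'"; rc=1; }
    [ "$fsroot" = "$want" ] || { echo "fstab: / is on '$fsroot', expected $want"; rc=1; }
    [ "$kroot" = "$want" ]  || { echo "menu.lst: entry boots root='$kroot', expected $want"; rc=1; }
    return "$rc"
}

# Constructed sample files for the example system (/boot on /dev/sda5, LUKS
# root on /dev/sda7). fstab.stale is the mistake of leaving the old root line.
write_sample_configs() {
    printf '%s\n' 'root  /dev/sda7  none  luks' > "$1/crypttab"
    printf '%s\n' \
        '/dev/mapper/root  /      ext3  acl,user_xattr  1 1' \
        '/dev/sda5         /boot  ext3  acl,user_xattr  1 2' > "$1/fstab"
    printf '%s\n' \
        '/dev/sda8         /      ext3  acl,user_xattr  1 1' \
        '/dev/sda5         /boot  ext3  acl,user_xattr  1 2' > "$1/fstab.stale"
    printf '%s\n' \
        'default 0' \
        'title Encrypted openSUSE 10.3' \
        '    root (hd0,4)' \
        '    kernel /vmlinuz root=/dev/mapper/root splash=silent' \
        '    initrd /initrd' \
        'title openSUSE 10.3' \
        '    root (hd0,4)' \
        '    kernel /vmlinuz root=/dev/sda8 splash=silent' \
        '    initrd /initrd' > "$1/menu.lst"
}

# Run the check against the good and the stale fstab.
demo_boot_chain() {
    tmp=$(mktemp -d) || return 1
    write_sample_configs "$tmp"
    for f in fstab fstab.stale; do
        echo "== $f"
        check_boot_chain root "$tmp/crypttab" "$tmp/$f" "$tmp/menu.lst" \
            'Encrypted openSUSE 10.3' && echo "consistent"
    done
    rm -rf "$tmp"
}

demo_boot_chain
```

On the example system the call would be `check_boot_chain root /etc/crypttab /mnt/etc/fstab /boot/grub/menu.lst 'Encrypted openSUSE 10.3'`, run while the new root is still mounted on /mnt.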

The first boot, what to do if it doesn't work, and what to do when it does

When you reboot you should see the option to boot 'Encrypted openSUSE 10.3', if not you must go back in and edit the grub menu as described above.

Next you should see the usual openSuSE booting screen (with the option to press Escape for more information). After a few seconds (which will seem longer because you are waiting and watching) the screen will show the boot process, and the words

Enter Luks password: 

should appear.

They may however have appeared and be a few lines back, because on some systems the kernel will continue to discover hardware and report on it. Either way when the scrolling text stops just enter the password you made up earlier - no stars or text will appear - and press return, the system should then continue to boot.

If you are unable to type anything re-boot Linux via the normal way and check that your keyboard is supported by initrd during boot. USB keyboards commonly are not; you will therefore need to find a guide on the web to enable the keyboard. Commonly you can enable USB keyboard support in your initrd with the command (all as one line):

tin-man:~# mkinitrd --with=ehci-hcd --with=uhci-hcd -d /dev/mapper/root

Or add the modules to initrd using YaST and remake the initrd for /dev/mapper/root.

If you get error messages like 'no filesystem driver' or similar then initrd needs to be rebuilt; log back in and run mkinitrd and look for error messages, if it runs without incident try rebooting again.

Once you have booted you should run the command 'mkinitrd' (and just that word) to make sure that the new system is able to build its own initial ram disk (this will be needed every time a kernel update is installed).

Creating the /home directory

If your system has booted up successfully then you can proceed to create a '/home' directory.

You can use several options for this (for example use YaST to format an encrypted home partition), but I prefer Truecrypt.

Installing truecrypt

Unpack the contents of the truecrypt source code tar you downloaded (section 3.1) into your home directory (which for root will be /root). Make sure that the full file path to where you unpack the source code has no spaces in the name; otherwise the kernel module build will fail.

From a terminal or terminal emulator enter the 'Linux' directory within the unpacked source code directory and run:

tin-man:~# ./build.sh

Followed by:

tin-man:~# ./install.sh

In theory just running ./install.sh should work, but I have found that if there is already an existing built module in the directory the install script will just try and load that, which may be problematic as it will give no errors but could affect other running kernel modules.

After you have installed Truecrypt check module dependencies with the command below. Also run this before making a new initrd (command mkinitrd) to prevent errors regarding the module 'dm-truecrypt'.

tin-man:~# depmod -a

A note about Truecrypt and new kernel updates

You should keep the source files in your root home directory as you will need to rebuild Truecrypt after every kernel update. Because you have installed kernel-symbols the module should always load and allow you to mount /home, even with the different kernel; however you may have odd hardware errors (on mine WIFI drops out) due to module conflicts so you should always re-build Truecrypt (it takes seconds after all) and run 'depmod -a'.

Keeping it in the root partition ensures that it is always available, even if Truecrypt won't mount /home anymore.

Remove old items from grub

The original openSuSE entry can now be deleted from the grub menu. Make sure you also update the failsafe option to reflect the new root filesystem. You may want to reboot to check it's all working.

Creating the home directory

Now that the root system is installed and working it's time to delete the old root file system, which in our example is on /dev/sda8.

Run the command:

tin-man:~# truecrypt -c /dev/sda8

You will be asked what volume type you want; select 'normal'. When asked which filesystem you want, 'fat' or 'none', select 'none'. Follow the rest of the instructions to create an encrypted file system.

There is no need to randomise this partition first as truecrypt will fill it with random data. This will take an hour or more depending on system speed and partition size. Again go and make some tea.

Formatting the home directory

Mount the new partition with the command:

tin-man:~# truecrypt /dev/sda8

This should mount the partition as /dev/mapper/truecrypt0. To format it run the command:

tin-man:~# /sbin/mkfs.ext3 -j /dev/mapper/truecrypt0

Next un-mount the volume:

tin-man:~# truecrypt -d /dev/sda8

And run a test mount replacing the word 'yourpassword' with the password you used to create the truecrypt volume:

tin-man:~# truecrypt /dev/sda8 /home -p yourpassword

Setting up an auto-mount for /home

You now want to set the system up to mount this new truecrypt partition at boot. To do this edit the file /etc/init.d/boot.local as shown in the example here.

Reboot the system and check that the '/home' drive is mounted (the '/home' folder will go from being empty to containing a folder called 'lost+found'). Also keep an eye out to make sure that disk checking is run every so often.

Adding a user account

Now that the system has been created with an encrypted '/' (root) and '/home' you can add a user account. Do this using YaST.

If you have enabled the auto-mount option for the Truecrypt partition, and have your password in the boot.local file you can now set up the user account to log-in automatically. This is safe as the entire basic Linux system is secure (except for swap which is covered soon), and it means that you will only need to enter one password between boot and desktop!

That's the basic Linux system set-up, with the exception of the swap space, which you will deal with later.

Encrypting the system swap and hibernation space

The final part of this howto covers the system swap and hibernation space. There are several options here for system security, starting with the most basic and finishing with high level security options.

The higher security options, whilst providing a significant level of security, can carry with them a much higher maintenance requirement than the simple options.

Swap Space

Under Linux this is the swap partition.

Swap space is used when the computer runs out of physical memory (RAM); to free up physical memory, information is swapped out of RAM into the swap space.

Therefore, even though you have encrypted all of your personal files, folders and personal settings (and the Linux root) there is still the risk that sensitive data will leak out into the swap space.

Of course if you are confident that your system has so much RAM it will never use swap space, and you will never want to suspend Linux to disk then you can delete the Linux swap; for the rest of you, you have to look at either deleting or encrypting this data (see below).

Hibernation

When a system hibernates it saves the contents of RAM into a file on the hard disk. On Linux this is a RAM disk image stored on the swap partition.

As above there is a risk that sensitive data will be saved to the hard disk; in fact there is a greater risk, as you will be deliberately dumping the entire contents of RAM to the disk.

On very secure systems it's best to disable hibernation altogether. If you want this feature you have to look at encrypting this data too.

Simple steps - Wiping/ encrypting Swap

A basic step you can do is have the Linux system wipe the swap partition on reboot.

Skip these sections (wipe swap, simple encrypted swap) if you intend to use the advanced techniques discussed later.

This will add up to a minute to the shutdown time (with a 2GB swap, and about 30s with a 800MB swap) but will provide an extra level of security when combined with the delete pagefile below.

You are going to add a series of commands to the /etc/init.d/halt.local script which will be executed as root once the system is almost shut down.

Open the file with your favourite text editor and add the following lines (editing for your installation):

swapoff /dev/sda6
dd if=/dev/zero of=/dev/sda6 bs=4096
mkswap /dev/sda6
swapon /dev/sda6

You may want to try executing the 'dd' command from a terminal as root (after first making sure you have switched off swap) using different block sizes (the 'bs' option) to see what is the optimal setting for your system, and hence speed up the /dev/zero and shutdown processes. However even with the optimal setting you will still see a significant increase in the shutdown time.

Simple encrypted swap without hibernate or Windows pagefile share

I've included this for completeness, but it goes very much against the idea of this howto. If you need to have an encrypted swap there is an advanced example later of how to have an encrypted swap with pagefile partition sharing and encrypted hibernate.

First of all log into Windows and move the pagefile to another partition. Then log into Linux and run YaST. Open the partitioning tool and format the swap as an encrypted partition. You don't have to enter a password, and if you don't a new encryption key will be created each time you boot based on /dev/urandom.

That's it, an encrypted swap which even the system itself will be unable to access after reboot, which is why hibernate will no longer be available, and even if you enter a set password the Kernel will not be able to load the partition at boot, hence, again, no hibernate feature.

Encrypt the hibernate disk image

Part of the standard openSuSE 10.3 installation is the option to encrypt the hibernate RAM disk image. The image is still stored on the swap partition, and the partition is still unencrypted; however the image itself can't be read.

To enable this open /etc/suspend.conf with a text editor; scroll down and un-comment (remove the # at the start of the line) the following options:

An example suspend.conf file can be seen here.

When you now suspend to disk the system will ask you for a password, and then write it to the file specified in the RSA Key file option. As the root file system is encrypted this is very secure.

If you want to use the expert options (below) you should enable this feature.

Expert steps - Encrypted swap and Linux Hibernate

This section is for experts or the very paranoid who know how to carry out maintenance on their system if an error occurs during a system change, such as a new Kernel via online update.

It's not that this method causes any errors under the current openSuSE 10.3 system, but you will be regularly changing the format of a key system partition and this may cause a boot failure following future system updates. You should be comfortable dealing with such issues before enabling these options.

Warning

Please note: if your system regularly uses large chunks of the swap partition (for example if it is low on resources), or is likely to just prior to the hibernate process, then do not use this method as errors will occur when resuming and work can be lost. This method is particularly not recommended for systems with limited resources.

A swap space monitoring package (several are provided with openSuSE 10.3) will tell you what your usage is like.

Most systems however should have no problem.

Creating an encrypted swap system, compatible with hibernate

This method will change the state of the swap partition when booting, hibernating and shutting down.

When the system is running the swap partition will be encrypted with a random keyfile created from /dev/urandom.

When it is switched off the swap partition will be clean formatted and unencrypted; the only data that can be recovered from it will be fragments of encrypted data from the Windows and Linux systems.

When the system is hibernated (Linux only) it will be a freshly formatted swap partition with an encrypted RAM disk image on it.

Sadly because the swap/ resume partition presented to the Kernel at boot, and whilst running, is fundamentally different you may have to do some re-configuring of your system during certain updates. Ensure you are comfortable doing this before enabling this option.

Getting started

Configure the system to use the encrypted Linux hibernate image.

The following steps must be followed before rebooting the system.

Remove swap devices from /etc/fstab

Open fstab in a text editor as root and delete any line referring to a swap partition.

Edit /etc/init.d/boot.local

You are going to edit the local boot script (which contains your Truecrypt mount command) to create and mount an encrypted swap partition.

An example of this boot.local can be found here.

Edit /etc/init.d/halt.local

Next edit the local halt script to turn off swap, dismount the encrypted swap partition and format it as a standard swap partition.

An example halt.local can be found here.

Create a script for hibernating the computer

User scripts used during the hibernation of a computer are stored in the directory:

These are executed along with the system scripts in numerical order, based on the name of the script (which can be between 00 and 99, however most have been used). If you do not know what you are doing with power management just follow the exact instructions here (noting that they are for a default openSuSE 10.3 system). To create the script enter the directory:

And create a file called '04swapencryption'. An example showing the contents of this file can be found here. Make sure you edit the script to match your swap file partition, and make sure the name starts with '04' (as in 'zero four').

Filling the swap partition with random data

You have now ensured that no more un-encrypted data will ever be written to the swap partition so you should now ensure that any old data from the previous system on this computer is overwritten.

Run the following commands and then reboot. Once up, the system should be fully encrypted, with the exception of the Windows C: drive.

tin-man:~# swapoff /dev/sda6
tin-man:~# dd if=/dev/urandom of=/dev/sda6 bs=4096

As before this will take some time, but setting the block size to one suited to your system should make it possible to continue working until the command is finished. Of course with no swap the system may be slow.
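After the reboot, the running-state claim of this setup (swap only ever reached through an encrypted mapping) can be checked from /proc/swaps, fstab and the raw partition header. This is an added example, not part of the original howto or its linked scripts; the function names, the mapping name /dev/mapper/swap, the 4096-byte page size and the assumption that the mapping starts at or near the beginning of the partition are all illustrative.

```shell
#!/bin/sh
# Added example, not from the original howto: verify that swap is active only
# through a device-mapper (encrypted) mapping while the system is running.

# active_plain_swap [SWAPS_FILE]: print active swap areas that are NOT
# device-mapper devices. Assumption: the encrypted swap appears as
# /dev/mapper/* (or /dev/dm-* on newer kernels). This is a heuristic, since
# device-mapper is also used for unencrypted volumes.
active_plain_swap() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }' "${1:-/proc/swaps}"
}

# fstab_swap_entries [FSTAB]: print devices that fstab would enable as swap.
fstab_swap_entries() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "${1:-/etc/fstab}"
}

# has_plain_swap_header DEV: succeeds if DEV starts with a readable Linux swap
# header, i.e. the magic "SWAPSPACE2" in the last 10 bytes of the first page
# (4096-byte pages assumed).
has_plain_swap_header() {
    sig=$(dd if="$1" bs=1 skip=4086 count=10 2>/dev/null | tr -d '\000')
    [ "$sig" = "SWAPSPACE2" ]
}

# check_running_swap PARTITION [SWAPS_FILE] [FSTAB]
# Prints one line per finding; succeeds only if nothing is found.
check_running_swap() {
    rc=0
    for dev in $(active_plain_swap "${2:-/proc/swaps}"); do
        echo "unencrypted swap is active: $dev"; rc=1
    done
    for dev in $(fstab_swap_entries "${3:-/etc/fstab}"); do
        echo "fstab still enables swap on: $dev"; rc=1
    done
    if has_plain_swap_header "$1"; then
        echo "$1 carries a plaintext swap header while the system is running"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: good and bad /proc/swaps and fstab contents, plus
# two 8 KiB stand-ins for /dev/sda6 (random bytes, which is what ciphertext
# looks like, and a zeroed image with the swap magic at offset 4086).
write_swap_samples() {
    hdr='Filename  Type  Size  Used  Priority'
    printf '%s\n' "$hdr" '/dev/mapper/swap  partition  2096472  0  -1' > "$1/swaps.good"
    printf '%s\n' "$hdr" '/dev/sda6  partition  2096472  0  -1' > "$1/swaps.bad"
    printf '%s\n' '/dev/mapper/root / ext3 acl,user_xattr 1 1' > "$1/fstab.good"
    printf '%s\n' '/dev/mapper/root / ext3 acl,user_xattr 1 1' \
                  '/dev/sda6 swap swap defaults 0 0' > "$1/fstab.bad"
    head -c 8192 /dev/urandom > "$1/part.encrypted"
    head -c 8192 /dev/zero > "$1/part.plain"
    printf 'SWAPSPACE2' | dd of="$1/part.plain" bs=1 seek=4086 conv=notrunc 2>/dev/null
}

demo_swap_check() {
    tmp=$(mktemp -d) || return 1
    write_swap_samples "$tmp"
    echo "== expected state"
    check_running_swap "$tmp/part.encrypted" "$tmp/swaps.good" "$tmp/fstab.good" && echo "ok"
    echo "== misconfigured"
    check_running_swap "$tmp/part.plain" "$tmp/swaps.bad" "$tmp/fstab.bad" || true
    rm -rf "$tmp"
}

demo_swap_check
```

On the example system, run `check_running_swap /dev/sda6` as root with no file arguments. The header test applies only while the system is running, because the setup described above deliberately leaves a plain, freshly formatted swap partition when the machine is switched off.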

Bugs and issues to note

Now that you have done all that work I should mention a few of the bugs you may experience.

Resume fails or data is missing after hibernate

This can happen when using the advanced system described at the end of the howto. It happens because a large amount of data was still on the swap partition prior to the hibernate script wiping the partition. If this happens regularly you should either stop using this encryption technique, stop using hibernate, reduce the system overhead before hibernating (e.g. stop any unnecessary processes or do not use any particularly onerous packages) or install more RAM.

