Linux:System Encryption

As mentioned in a previous post (Linux:dm-crypt_Encrypted_Home_Directories), I use dm-crypt with a LUKS header and the pam-mount module to encrypt and mount the home directories on my laptop and server. While this works fantastically, it does have a potentially fatal flaw, which is that my operating system is readily available to a would-be attacker. For instance, if they were skilled enough (which I am not), they could modify any number of applications on my system to quietly dump or send my encryption key password the next time I mount my home directory, thus defeating my security. Further, my system is readily available to any Linux user with good mounting and chroot knowledge (which is probably most of us), and thus one could do all kinds of mischief on the unencrypted system partition of my computer.

I’m sure this is a bit tin-foil hatted of me. I have nothing to hide (though it’s not about that, it’s a matter of principle). Further, there is no one [that I know of] who would be that interested in me or my data. Despite that, this is a very cool thing that I am doing purely because it can be done (in slang I believe the term is "the cool factor").

A Preliminary Note

I would not recommend this be done for servers or multi-user laptops or desktops. This process requires that a password be typed or a key be available every time the system is booted, which requires physical presence. Since most servers are administered and used remotely over a network, a reboot would mean a service outage until someone was able to open a local terminal to type the password (to say nothing about having to share the password with multiple people).

Overview

Due to the scope of this post and that I don’t want to focus on documenting some other tasks that are more generic and less related to the actual encryption of the system, I will not be covering how to back up your system or to partition your drive. However, please see the following two notes.

During the installation process we will…​

  1. Set up encryption

  2. Modify the grub defaults so it properly sets up the loop device on boot

  3. Modify the Initramfs Configuration (this one is Arch Linux specific)

Setting Up Encryption

We’re going to assume here that the system partition will be installed on sda2. With that, let’s "format" that with luks/dm-crypt.

Warning
Again, back up your data if you haven’t already. This will irrevocably destroy any data on the partition [unless you are good with data recovery tools].

cryptsetup luksFormat /dev/sda2

So that our installation can continue, the loop device needs to be set up and a filesystem created:

# Open the encrypted container to the system map device (though you can name it whatever you want)
cryptsetup luksOpen /dev/sda2 system
# ...Type the password
# Create the filesystem here - I use btrfs
mkfs.your_choice /dev/mapper/system
# Mount the filesystem
mount /dev/mapper/system /mnt/ # Or wherever your distro's installation mount point is

Now that this is done, it’s time to re-install or copy from backups your system to the new encrypted container.

Modifying the Grub Defaults

Now that the system partition is set up and our system re-installation is complete, it’s time to configure Grub so it knows the system partition is encrypted. Without this step, you won’t get past the initramfs since an encrypted system partition without a password is effectively useless. Here I will again assume your system partition is on /dev/sda2.

Change…​

/etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
...

…​to …​

/etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:system quiet"
...

Modifying the Initramfs Configuration

This part is oriented towards Arch Linux. Modifying the initramfs generation configuration is something that varies from distribution to distribution. I run Arch, so Arch it is! (let me know though if you want to know how to do it on another distribution and I’ll figure it out and update the post).

This is actually very simple on Arch. Simply open /etc/mkinitcpio.conf and edit the HOOKS line. What matters here is that the encrypt hook occurs before the filesystems hook.

/etc/mkinitcpio.conf
...
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"
...

Once you’ve done that, save and close the config file and run

mkinitcpio -p linux
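
Before rebooting, the two edits above can be checked mechanically. The script below is an added example, not part of the original post: the function names are hypothetical, and the demo runs on constructed copies of the two config lines shown above rather than on the live files.

```shell
#!/bin/sh
# Pre-reboot check (added example; function names are hypothetical).

# Print the value of the last KEY=... line, minus quotes and parentheses.
conf_value() {  # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'()"
}

# Print the mapping name from cryptdevice=<device>:<name>, or fail.
check_grub() {  # $1 = path to /etc/default/grub (or a copy)
    for arg in $(conf_value GRUB_CMDLINE_LINUX_DEFAULT "$1"); do
        case $arg in
            cryptdevice=?*:?*)
                printf '%s\n' "${arg#cryptdevice=}" | cut -d: -f2
                return 0 ;;
        esac
    done
    echo "no cryptdevice=<device>:<name> on the kernel command line" >&2
    return 1
}

# Succeed only if encrypt is listed before filesystems in HOOKS.
check_hooks() {  # $1 = path to /etc/mkinitcpio.conf (or a copy)
    seen_encrypt=no
    for hook in $(conf_value HOOKS "$1"); do
        case $hook in
            encrypt) seen_encrypt=yes ;;
            filesystems)
                [ "$seen_encrypt" = yes ] && return 0
                echo "encrypt is missing or listed after filesystems" >&2
                return 1 ;;
        esac
    done
    echo "no filesystems hook in HOOKS" >&2
    return 1
}

# Constructed sample files mirroring the edits shown above.
demo() {
    d=$(mktemp -d) || return 1
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:system quiet"' > "$d/grub"
    echo 'HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"' > "$d/mkinitcpio.conf"
    check_grub "$d/grub" && check_hooks "$d/mkinitcpio.conf" && echo "config looks consistent"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On a real system, call check_grub /etc/default/grub and check_hooks /etc/mkinitcpio.conf. The check reads /etc/default/grub only; the setting takes effect once grub.cfg has been regenerated (on Arch, grub-mkconfig -o /boot/grub/grub.cfg), which this script does not verify.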

You should now be able to reboot your system and it will prompt you for a password immediately after grub. If you were successful, you should be brought to a screen that looks something like…​

A password is required to access the sda volume:

Enter passphrase for /dev/sda2:_
