With the generous assistance of Marc Schwartz, I finally figured out how
to encrypt /home on a Fedora Core 5 machine. In the interest of making
this procedure more available to people learning about cryptsetup, I
have written the following HOWTO. Any comments would be greatly
appreciated.
Encrypting /home with cryptsetup-luks on Fedora Core 5
Introduction
This HOWTO shows you how to take an existing, functional Fedora Core 5
system and encrypt (using dm-crypt and LUKS) the partition that gets
mounted on /home. Note that /home needs to be on its own partition, not
on the / partition. Also, in words similar to those from night-shade, I
have tested this with LVM2 devices containing nothing important. It
worked for me but you are advised to have current working backups if the
data matters to you. You have been warned.
Because we are dealing with the /home partition, these instructions will
also explain how to ensure that the /home partition is mounted during a
boot.
Step 0: Log on as root
Because you will need to unmount /home, you must log on as root rather
than su to root from an unprivileged user account.
Step 1: Backup /home
Presumably you would like to return to the same Home environment that
you started with before you encrypted your /home partition. Therefore,
you need to back up the contents of /home. (Be aware that these
instructions will not necessarily restore your Home environment EXACTLY as
it was before you encrypted /home. Please read all of these
instructions before proceeding, so that you are sure that this solution
will work for you.) In this HOWTO, we will assume there is only one
unprivileged user (jmaher) on the system, so only /home/jmaher needs to
be backed up. One way to back up this directory, hidden dot-files
included, is to use the following commands:
# mkdir /root/jmaher
# /bin/cp -a /home/jmaher/. /root/jmaher
The -a option is for archiving files and directories: it recurses and
preserves permissions, ownership, timestamps and symbolic links. The
trailing /. copies the contents of /home/jmaher, dot-files included; do
not use the glob /home/jmaher/.* for this, because it also matches the
. and .. entries.
Step 2: Remove the user whose Home directory we just backed up
We will be recreating the unprivileged user (jmaher) after we have
encrypted and re-mounted our /home directory, so we should clean things
up first and remove that account:
# userdel -r jmaher
The -r option removes the user, the user's files, and the user's
directory in /home.
Step 3: Get the correct cryptsetup version
You need the version of cryptsetup with LUKS support enabled. You can
determine whether the correct version of cryptsetup is installed using
the command:
# cryptsetup --help
You should see "cryptsetup-luks" displayed near the top of the output.
If you do not have cryptsetup, you can install it using yum (assuming
yum has been properly configured):
# yum -y install cryptsetup-luks
Step 4: Initialize a LUKS partition and set the initial key
This step establishes the mapping between physical partitions and
logical partitions.
In this HOWTO, our physical partition will actually be a logical
volume. By default, when installing Fedora Core 5, a volume group and
logical volumes within the volume group are created. The volume group
is called VolGroup00, and the logical volumes are called LogVol00,
LogVol01, etc., one for each of the partitions. However, in this HOWTO, our
volume group will be called vg0, and our logical volume that will
eventually get mounted to /home will be called home. So, the full path
of the physical partition that will be mounted on /home (when we are
done) is /dev/vg0/home. (Your device path will likely be different, but
you need to identify the device that is currently mounted to /home.)
With that said, let's use the following command to initialize a LUKS
partition and set the initial key using a passphrase (note, this will
wipe out all data on the /home partition):
# cryptsetup --verbose --verify-passphrase luksFormat /dev/vg0/home
WARNING!
========
This will overwrite data on /dev/vg0/home irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter your passphrase, and write it down somewhere!)
Verify passphrase: (repeat passphrase)
Step 5: Create a mapping between physical and logical partitions
# cryptsetup luksOpen /dev/vg0/home home
Enter LUKS passphrase:
#
If all is well, you now have a special file called /dev/mapper/home.
This is what you will mount on /home. Verify that the file was created:
# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 63 May 24 06:52 control
brw-rw---- 1 root disk 253, 4 May 24 10:54 home
brw-rw---- 1 root disk 253, 1 May 24 06:52 vg0-home
brw-rw---- 1 root disk 253, 0 May 24 10:53 vg0-root
brw-rw---- 1 root disk 253, 2 May 24 06:52 vg0-swap
Notice the other logical volumes (vg0-home, vg0-root, and vg0-swap) that
were created when Fedora Core 5 was installed. (Note, the names of
these volumes were changed by me during the installation. They were
originally VolGroup00-LogVol00, VolGroup00-LogVol01, etc.) The fact
that you are using logical volumes (like /dev/vg0/home) as physical
devices can be confusing. It may help to remember that when we refer to
physical devices we use devices located in the volume group directory
(example: /dev/vg0), and when we refer to logical devices we use devices
located in /dev/mapper (i.e., they have been mapped and are ready to
use). (Okay, yes, it's confusing that the physical devices in /dev/vg0
are also listed as logical devices in /dev/mapper. Try to ignore them.)
Step 6: Create a filesystem on the new logical partition
For this HOWTO, we make an ext3 file system on /dev/mapper/home using
the following commands:
# /sbin/mkfs.ext3 -j -m 1 /dev/mapper/home
(wait several minutes...)
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
36634624 inodes, 73258400 blocks
732584 blocks (1.00%) reserved for the super user
First data block=0
2236 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
#
(Note, the above output was borrowed from William Owen Smith's HOWTO:
"EncryptedDeviceUsingLUKS".)
Step 7: Mount the filesystem
Mount your new logical device /dev/mapper/home to /home.
# mount /dev/mapper/home /home
View the file system's disk usage to verify that it worked:
# df -h /dev/mapper/home
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/home 4.0G 80M 3.8G 3% /home
Step 8: Restore the user's Home directory
Re-create the unprivileged user:
# useradd -m jmaher
The -m option creates the user's home directory using the files and
directories in /etc/skel as a template.
Now we need to copy MOST of the user's backed-up files back to the
user's Home directory. I say MOST because I have found that copying all
of the files back to the user's Home directory will break the use of the
Home directory for that user. I have not investigated this, so someone
else may want to comment as to the reason for this. Basically, I found
it safe to copy all non-hidden files and directories back to
/home/jmaher using the following command:
# /bin/cp -r --preserve /root/jmaher/* /home/jmaher
The -r option allows recursion into subdirectories, and the
--preserve option preserves permissions and ownership of the files and
directories.
I would recommend selectively copying hidden files and directories for
those applications you find most important. For example, I really
wanted my Thunderbird, Firefox, and ssh settings to be restored, so I
used the following commands:
# /bin/cp -r --preserve /root/jmaher/.thunderbird /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.mozilla /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.ssh /home/jmaher
If you had previously modified .bashrc, .bash_profile, or .bash_logout,
then you may want to copy those files as well.
Don't reboot yet, but you should now be able to test your actions and
log on as the unprivileged user (jmaher) using the following command:
# su - jmaher
Step 9: Modify /etc/fstab
Some aspects of the boot sequence need to be changed, because the
physical volume (/dev/vg0/home) that gets mounted to /home is encrypted
and is no longer a recognizable file system as far as /bin/mount is
concerned. Of course, once cryptsetup has been used to open the device
(using the command cryptsetup luksOpen /dev/vg0/home home), /bin/mount
can see that the mapped device /dev/mapper/home has an ext3 file
system, and the device can be mounted. So here are the steps to do that.
Change the line in /etc/fstab that mounts the Home directory so that
(a) it refers to /dev/mapper/home rather than /dev/vg0/home; (b) the
fourth field indicates that the device should not be mounted when the
'mount -a' command is given, and that unprivileged users can mount the
device; (c) the fifth field no longer indicates that this device should
be backed up by the dump command; and (d) the sixth field no longer
indicates that fsck should check this device at boot time (the device
is not yet open when fsck runs).
In short, change the line that will look similar to this:
/dev/vg0/home /home ext3 defaults 1 2
and change it to this:
/dev/mapper/home /home ext3 noauto,user 0 0
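As an added example, not part of the original HOWTO, the following shell function performs the /etc/fstab edit described in this step with awk instead of by hand, so the rewrite is repeatable and can be reviewed before it is applied. It assumes the device names used in this HOWTO (/dev/vg0/home as the physical device, /dev/mapper/home as the mapping) and writes the rewritten table to standard output; the sample fstab in check_rewrite is constructed here for illustration, not taken from a real system.

```shell
#!/bin/sh
# Rewrite the /home entry of an fstab so that it names the dm-crypt
# mapping instead of the raw (now LUKS-formatted) device, is not mounted
# by "mount -a" (but may be mounted by an unprivileged user), and is
# skipped by dump and fsck. All other lines are printed unchanged.
# Usage: rewrite_home_fstab FSTAB_FILE PHYSICAL_DEV MAPPER_DEV
rewrite_home_fstab() {
    fstab=$1; phys=$2; mapper=$3
    awk -v phys="$phys" -v mapper="$mapper" '
        # comments and blank lines pass through untouched
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $1 == phys && $2 == "/home" {
            $1 = mapper          # mount the opened mapping, not the raw LV
            $4 = "noauto,user"   # leave it to the luksopen script / user
            $5 = 0               # no dump
            $6 = 0               # no fsck at boot (device is not open yet)
        }
        { print }
    ' "$fstab"
}

# Self-check against a constructed sample fstab (not from a real system):
# prints only the rewritten /home line.
check_rewrite() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample fstab' \
        '/dev/vg0/root  /      ext3  defaults  1 1' \
        '/dev/vg0/home  /home  ext3  defaults  1 2' \
        '/dev/vg0/swap  swap   swap  defaults  0 0' > "$tmp"
    rewrite_home_fstab "$tmp" /dev/vg0/home /dev/mapper/home | grep ' /home '
    rm -f "$tmp"
}

# Example run on the constructed sample:
check_rewrite
```

On a real system, run rewrite_home_fstab /etc/fstab /dev/vg0/home /dev/mapper/home into a new file, inspect it, and only then move it over /etc/fstab; the function never writes to its input. Note that awk rebuilds the edited line with single spaces between fields, which mount accepts.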
Step 10: Create and modify luksopen script
Copy the wonderful script called luksopen (created by embro and modified
by johnny) from
http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen, and paste it
into a new file called /sbin/luksopen. Make sure the new file is
executable, since rc.local will run it directly.
Modify the script as follows:
a. Change devArray variable from:
devArray=(/dev/hda7 /dev/hda10 /dev/hda11 /dev/hda13)
to:
devArray=(/dev/vg0/home)
(Remember, this is the physical device used for /home. Yours is
probably different.)
b. Delete the entire mapArray variable line
c. Change mntArray variable from:
mntArray=(/tmp /mnt/bergen /mnt/trondheim /mnt/oslo)
to:
mntArray=(/home)
d. Replace the line that reads:
map=${mapArray[$i]}
with:
# assign last directory name of device name to $map variable
map_elements=`echo ${devArray[$i]} | sed -e 's/^\///' -e 's/\// /g'`
for e in $map_elements ; do map=$e ; done
e. Add ' answer' (no quotes) to the following line:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "
so that it looks like this:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): " answer
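As an added example, not the luksopen script itself and not from the original post, the following shell functions reproduce the two pieces of logic that edits d and e touch: deriving the mapping name from the last component of the device path (so /dev/vg0/home opens as /dev/mapper/home), and the prompt loop that reads the answer into a variable with "N" as the default. The CRYPTSETUP and MOUNT variables are an assumption introduced here so the loop can be exercised without a real LUKS device; when they are unset the real cryptsetup and mount binaries are used.

```shell
#!/bin/sh
# Derive the dm-crypt mapping name from a device path the same way the
# modified luksopen does (strip the leading /, split on /, keep the last
# element). For plain paths this equals basename "$dev".
map_name_for() {
    printf '%s\n' "$1" | sed -e 's/^\///' -e 's/\// /g' | awk '{ print $NF }'
}

# Open one LUKS device and mount its mapping. CRYPTSETUP and MOUNT default
# to the real binaries; they are variables only so the logic can be run
# with stand-ins (assumption for this example, not part of luksopen).
luks_open_and_mount() {
    dev=$1; mnt=$2
    map=$(map_name_for "$dev")
    "${CRYPTSETUP:-cryptsetup}" luksOpen "$dev" "$map" || return 1
    "${MOUNT:-mount}" "/dev/mapper/$map" "$mnt"
}

# Walk the device list and the mount-point list in step, asking before
# each device (anything but y/Y skips it), and print the number mounted.
# Prompts and status go to stderr so stdout carries only the count.
# Arguments are space-separated lists of equal length, in matching order.
open_all() {
    devs=$1; mnts=$2
    count=0
    set -- $mnts                      # intentional word splitting
    for dev in $devs; do
        mnt=$1; shift
        printf 'Next device in list is "%s". Do you want to open and mount it? (y/N): ' "$dev" >&2
        read -r answer
        case $answer in
            y|Y) luks_open_and_mount "$dev" "$mnt" && count=$((count + 1)) ;;
            *)   echo "Skipping $dev" >&2 ;;
        esac
    done
    echo "$count"
}

# Boot-time use (the arrays from this HOWTO):
#   open_all "/dev/vg0/home" "/home"
```

The read here is POSIX (printf for the prompt, then read -r), which behaves like bash's read -p but also works under /bin/sh; the important part is that the reply lands in a named variable, which is what edit e achieves in luksopen.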
Step 11: Edit /etc/rc.d/rc.local and add the line "/sbin/luksopen" (no
quotes) to the end.
Step 12: REBOOT
What You Can Expect
The boot process will be essentially the same as before, except that the
partition /dev/vg0/home will not be mounted on /home automatically. All
other partitions will be mounted and the remainder of the boot process
will continue as it always has. Near the end of the boot process you
will be prompted with the following message:
Next device in list is /dev/vg0/home. Do you want to open and mount it? (y/N):
You need to type "y" <ENTER>, and you will then be prompted to enter
your passphrase. If you enter your passphrase correctly, the device
(/dev/vg0/home) you encrypted and mapped in Steps 4 and 5 above will be
mapped to /dev/mapper/home and mounted on /home. The boot process will
complete, and you can log on as your unprivileged user (jmaher).
(Written by John Maher, 24 May 2006)
---------------------------------------------------------------------
- http://www.saout.de/misc/dm-crypt/