The Linux Unified Key Setup

Configuring LUKS: Linux Unified Key Setup

According to Wikipedia, the Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux. LUKS defines the on-disk header and key-slot format; the encryption itself is done in the kernel by the device-mapper crypt target (dm-crypt) at the block-device level.


There are different front-end tools developed to encrypt Linux partitions, whether they’re plain partitions or Logical Volumes (LVs). In this tutorial, we’ll explore these tools and demonstrate how to configure disk encryption. I’ve created a 10GB disk (/dev/vdb) to use during this tutorial.

Installing the tools

Let’s start by installing the appropriate tools for configuring encryption:

The cryptsetup package provides the cryptsetup command, which we’ll use to configure encryption, while the parted package provides the parted command for configuring the partition.

Creating the partition

Running the lsblk command shows your current setup:

We could encrypt the whole block device /dev/vdb, but creating a partition offers more flexibility, since other partitions can be added later on.

Now we run the following commands to create a partition to encrypt:

When running lsblk again, we see that the /dev/vdb1 partition was added:

Formatting the volume with LUKS

The following command formats /dev/vdb1 as a LUKS container, destroying any data already on it. In order to proceed, you need to enter YES in capitals and provide the passphrase twice:

Then we open the encrypted volume, which creates a clear-text block device under /dev/mapper. I used mybackup as the mapping name, but it can be named anything:

Running lsblk once again, we see:

We can also see the mybackup encrypted volume’s mapping:

Creating a filesystem

Now that we can access the encrypted volume, we need to create a filesystem on it before we can store data. You can choose between different filesystem types, like xfs (the default on Red Hat Enterprise Linux 8), ext3, ext4, etc. For the sake of simplicity, we’ll use xfs:

Creating the mount point and directory

To write data on the encrypted filesystem, we need to mount it first. I chose /mnt/my_encrypted_backup to be the mount point for my data:

Then we run the mount command:

Here we get a Security-Enhanced Linux (SELinux) warning. We need to relabel the mount point’s SELinux security context:

Running the mount command once again shows that the warning is gone:

Running lsblk again produces the following output:

Retrieving LUKS details

We can now dump the LUKS header information: format version, data segments, key slots in use, etc.:
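As an added example (my code, not from the article), here is the whole procedure so far, from package installation to the header dump, as one shell script. The device comes from a TARGET_DEV environment variable rather than being hard-coded to /dev/vdb, so the destructive steps run only when you set it; the partition name "luks", the luks_summary helper and the luksDump sample it reads are my own additions. luks_summary reads cryptsetup luksDump output (the LUKS2 layout written by cryptsetup 2.x, with the older LUKS1 layout handled too) and reports the header version, the data cipher and the number of key slots in use, which is the first thing to check on a volume you did not create yourself.

```bash
#!/bin/bash
# Added example (not from the article): LUKS data volume on RHEL 8, following the
# steps above. Destructive steps run only when TARGET_DEV is set, e.g. /dev/vdb.
set -eu

MAPPING=mybackup                      # device-mapper name used in the article
MOUNTPOINT=/mnt/my_encrypted_backup   # mount point used in the article

# Summarise `cryptsetup luksDump` output read on stdin: header version, data cipher
# and number of key slots in use. Understands the LUKS2 layout (cryptsetup 2.x
# default) and the older LUKS1 layout.
luks_summary() {
    awk '
        /^Version:/                   { version = $2 }
        # LUKS2 sections: "Data segments:", "Keyslots:", "Tokens:", "Digests:"
        /^Data segments:/             { in_seg = 1; in_slots = 0 }
        /^Keyslots:/                  { in_seg = 0; in_slots = 1 }
        /^Tokens:/                    { in_slots = 0 }
        in_seg   && /^[ \t]+cipher:/  { cipher = $2 }
        in_slots && /^[ \t]+[0-9]+: / { nslots++ }
        # LUKS1 lines: "Cipher name: aes", "Cipher mode: xts-plain64", "Key Slot N: ENABLED"
        /^Cipher name:/               { cname = $3 }
        /^Cipher mode:/               { cmode = $3 }
        /^Key Slot [0-9]+: ENABLED/   { nslots++ }
        END {
            if (cipher == "" && cname != "") cipher = cname "-" cmode
            printf "version=%s cipher=%s keyslots=%d\n", version, cipher, nslots + 0
        }'
}

# Constructed LUKS2 header dump (not captured from a real device), used when the
# script is run without TARGET_DEV.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

setup_volume() {
    dev=$1
    part="${dev}1"
    dnf -y install cryptsetup parted
    lsblk "$dev"
    # One GPT partition over the whole disk (named "luks", my choice); keeping a
    # partition table leaves room to add partitions later.
    parted -s "$dev" mklabel gpt mkpart luks 1MiB 100%
    # luksFormat destroys everything on the partition; it asks for YES and a passphrase.
    cryptsetup luksFormat "$part"
    # Open the container: the clear-text block device appears as /dev/mapper/$MAPPING.
    cryptsetup open "$part" "$MAPPING"
    mkfs.xfs /dev/mapper/"$MAPPING"
    mkdir -p "$MOUNTPOINT"
    mount /dev/mapper/"$MAPPING" "$MOUNTPOINT"
    # A fresh XFS root inode carries no SELinux label; relabel it.
    restorecon -Rv "$MOUNTPOINT"
    lsblk "$dev"
    cryptsetup luksDump "$part" | luks_summary
}

if [ -n "${TARGET_DEV:-}" ]; then
    setup_volume "$TARGET_DEV"
else
    printf '%s\n' "$SAMPLE_DUMP" | luks_summary   # version=2 cipher=aes-xts-plain64 keyslots=2
fi
```

Run it as root with TARGET_DEV=/dev/vdb; without the variable it only parses the constructed sample. An extra key slot you did not add, or a cipher other than the one you formatted with, means somebody else has a way into the volume.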

Adding a key file and automounting

Mounting the LUKS-encrypted filesystem automatically has security implications: the key file lives on the root filesystem, so anyone who can read that filesystem (or who walks off with an unencrypted root disk) gets the key along with the data. For laptop users this is not a wise choice; if your device gets stolen, so is the data stored in the encrypted partition.

With that caveat in mind, here’s how to set up automatic mounting. First, create a directory, readable by root only, to store the key file:

Then add the key file to a free key slot using the cryptsetup utility (you’ll be prompted for an existing passphrase):

Next, we need to restore the SELinux context:

Previously, we opened the encrypted filesystem and mounted it manually. Now we need to see if we can do the same with automation. Since our filesystem is already mounted, we first need to unmount it with umount (and close the mapping):

Let’s try opening the encrypted partition via the command line using the file as a key:

Next, we need to configure /etc/crypttab and /etc/fstab to mount the disk on boot. We first need the UUID for /dev/vdb1 (not /dev/mapper/mybackup ), which can be retrieved as follows:

Now enter the following line in /etc/crypttab so we can automatically open our encrypted filesystem:

With this much done, we can now configure /etc/fstab . Append the following line to this file:

And, finally, we can test to see if automount works without rebooting the machine, using mount -a :

In this case, /mnt/my_encrypted_backup was successfully mounted. Now, reboot the system and make sure the automount works on reboot as well.
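The key-file and automount steps above, as an added shell script that is my code and not the article’s. The key-file directory /etc/luks-keys and the 512-byte key size are my choices; the article does not fix them. The script validates the UUID and the key-file permissions before it touches /etc/crypttab and /etc/fstab, because a malformed crypttab line or a world-readable key file is the kind of mistake that only shows up at the next reboot (or the next break-in).

```bash
#!/bin/bash
# Added example (not from the article): key-file unlock and boot-time mounting of
# the mybackup volume. Privileged steps run only when TARGET_PART is set, e.g. /dev/vdb1.
set -eu

MAPPING=mybackup
MOUNTPOINT=/mnt/my_encrypted_backup
KEYDIR=/etc/luks-keys                 # assumed location; the article does not fix one
KEYFILE=$KEYDIR/$MAPPING.key

# /etc/crypttab: <name> <device> <key file> <options>
crypttab_entry() {   # name uuid keyfile
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# /etc/fstab: <device> <mount point> <fs type> <options> <dump> <pass>
fstab_entry() {      # name mountpoint fstype
    printf '/dev/mapper/%s %s %s defaults 0 0\n' "$1" "$2" "$3"
}

# blkid must return a well-formed UUID; refuse to write garbage into crypttab.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Key material must be owned by root and mode 0400.
keyfile_secure() {
    [ "$(stat -c '%u:%a' "$1")" = "0:400" ]
}

setup_automount() {
    part=$1
    mkdir -p -m 0700 "$KEYDIR"
    ( umask 077; dd if=/dev/urandom of="$KEYFILE" bs=512 count=1 )   # 4096-bit key
    chmod 0400 "$KEYFILE"
    # Adds the key to a free slot; prompts for an existing passphrase.
    cryptsetup luksAddKey "$part" "$KEYFILE"
    restorecon -Rv "$KEYDIR"

    # Prove the key file works before relying on it at boot.
    umount "$MOUNTPOINT"
    cryptsetup close "$MAPPING"
    cryptsetup open --key-file "$KEYFILE" "$part" "$MAPPING"

    uuid=$(blkid -s UUID -o value "$part")   # UUID of the LUKS partition, not the mapping
    is_uuid "$uuid" || { echo "bad UUID for $part: '$uuid'" >&2; return 1; }
    keyfile_secure "$KEYFILE" || { echo "$KEYFILE is not root-owned 0400" >&2; return 1; }

    crypttab_entry "$MAPPING" "$uuid" "$KEYFILE" >> /etc/crypttab
    fstab_entry "$MAPPING" "$MOUNTPOINT" xfs >> /etc/fstab
    mount -a
    findmnt "$MOUNTPOINT"
}

if [ -n "${TARGET_PART:-}" ]; then
    setup_automount "$TARGET_PART"
else
    # Constructed UUID, just to show the two lines that would be appended.
    crypttab_entry "$MAPPING" 9a4b3a1c-0a61-4f5d-9c2e-8d6f0d3b2a11 "$KEYFILE"
    fstab_entry "$MAPPING" "$MOUNTPOINT" xfs
fi
```

Run it as root with TARGET_PART=/dev/vdb1; without the variable it only prints the two lines it would append. Note that mount -a exercises only the fstab entry, since the mapping is already open; the crypttab entry is read at boot by systemd’s cryptsetup generator, which is why the reboot test at the end of the article matters.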

Final thoughts

There are other options that can be passed to cryptsetup (cipher, key size, hash and PBKDF parameters, among others), and each involves a trade-off between speed and security. Explore the options and choose what’s best for your situation.


Ubuntu Documentation

Further support may be available from the official Ubuntu support community IRC channel #ubuntu on Libera (irc.libera.chat).
This page is an up-to-date guide to comprehensive LUKS encryption, including GRUB, covering 18.04 LTS and later releases.


It is focused on modifying the Ubuntu Desktop installer process in the minimum possible way to allow it to install with an encrypted /boot/ and root file-system. It requires 36 commands to be performed in a terminal, all of which are shown in this guide and most of which can be copied and pasted.
It is also a useful overview on the manual steps required for storage-at-rest encryption.

It is intended to replace the current (hopelessly out-of-date and inadequate) FullDiskEncryptionHowto page.

Almost Full Disk Encryption (FDE)

I’m (Tj) being deliberately pedantic in calling this almost Full Disk Encryption since the entire disk is never encrypted. What is encrypted are the operating system partition and the boot-loader second-stage file-system which includes the Linux kernel and initial RAM disk.

However, this is much better than the Ubuntu installer Encrypt Disk option, which only supports encrypting the operating system partition but leaves the boot-loader second-stage file-system unencrypted and therefore vulnerable to tampering with the GRUB configuration, the Linux kernel or, more likely, the initial RAM file-system (initrd.img).

In both cases the first-stage GRUB boot-loader files are not (and cannot be) encrypted or protected through cryptographic signatures in BIOS boot mode.

It is possible, in UEFI Secure Boot mode, to have every stage cryptographically signed, in which case any tampering can be detected and boot aborted. Unfortunately, Canonical (who control the building of the packaged signed GRUB UEFI boot-loader) did not include the encryption modules in their signed GRUB EFI images until the release of 19.04 Disco. See bug #1565950.

Illustrations (screen-captures) are taken from the Ubuntu 19.04 ‘Disco’ Desktop Installer. Other flavours have their own installers and themes and may not look identical.

Prerequisites

  • Desktop installer ISO image from http://releases.ubuntu.com/ copied to installation media (usually a USB Flash device but may be a DVD or the ISO file attached to a virtual machine hypervisor).
  • Empty installation media (no existing operating systems or data, or entire device can be over-written)

    Boot the Installer

    Even before starting the installer it is critical to select the correct boot mode. Ubuntu (and flavours like Kubuntu, Lubuntu, Xubuntu, etc.) uses hybrid bootable images that have two alternate boot-loaders:

    1. GRUB (GRand Unified Bootloader)
    2. Syslinux

    The ISO images can boot in several possible combinations of mode and partitioning:

    1. ISO-9660 El-Torito (the CD/DVD optical media boot mechanism — uses Syslinux)
    2. GPT + EFI-SP (GUID Partition Table and EFI System Partition — uses GRUB)
    3. MBR + EFI-SP (Master Boot Record and EFI System Partition — uses GRUB)
    4. GPT + PC (GUID Partition Table and BIOS boot — uses Syslinux)
    5. MBR + PC (Master Boot Record and BIOS boot — uses Syslinux)

    Boot Modes

    PCs have two boot modes: BIOS (Basic Input Output System) and UEFI (Unified Extensible Firmware Interface). BIOS was installed in IBM PCs and compatibles from the 1980s. UEFI mode has become prevalent since Microsoft adopted it for Windows 7 and later began requiring it on new PCs to meet the Windows Logo License Agreement requirements. Most PCs since 2010 have UEFI.

    Apple Macintosh/iMac devices have their own EFI (Extensible Firmware Interface) which is almost, but not quite, the same as UEFI but do not have a BIOS equivalent. This guide doesn’t (currently) address installation on Apple devices.

    BIOS is also known as Legacy or CSM (Compatibility Support Module) when part of UEFI.

    If the target system is BIOS-only you can disregard the rest of this section.

    Selecting UEFI boot mode

    In order to support UEFI Secure Boot, or to install alongside another operating system that uses UEFI boot mode (e.g. Windows 10), the system motherboard’s firmware boot-manager has to be told to start the Ubuntu installer in UEFI mode.

    Unfortunately there is no consistency between different PC manufacturers on how motherboard firmware boot-managers should indicate boot-mode so we, as users, have to figure it out from what clues we can see when the PC’s boot menu is displayed and lists boot devices.

    Let’s assume we’re using a USB Flash device. The boot menu may list that device twice (once for UEFI mode, and again for BIOS/CSM/Legacy mode). It may make it explicit that one is "UEFI" and the other not, or it may use some hard-to-spot code such as a single letter abbreviation (e.g. "U" vs "B").

    If we want to guarantee UEFI mode and avoid BIOS/CSM/Legacy mode then by entering firmware Setup at power-on we should be able to find an option to disable CSM/Legacy mode.

    After doing that we can be sure the installer will boot in UEFI mode.

    There is a quick way to confirm the installer has started in UEFI mode — it will be using GRUB, so see the following section First Boot Screen > GRUB (UEFI mode) for what it will look like.

    Detecting UEFI boot mode

    Once Linux has started it is possible to check: the presence of the efivarfs file-system (mounted at /sys/firmware/efi/efivars) means the system booted in UEFI mode:


    First Boot Screen

    The options displayed will look different depending on which boot-loader is used.

    GRUB (UEFI mode)

    Choose Try Ubuntu without installing from the GRUB boot-loader menu:

    Syslinux (BIOS mode)

    The display will briefly pause for selection of the input language:

    If you interrupt at this stage to choose a language Syslinux will display a menu where you can make various advanced changes to the boot options. At this point you should choose the Try Ubuntu without installing menu option.

    Welcome Options

    If the boot hasn’t been interrupted to choose a language the Welcome dialog with start-up options will be displayed. Choose Try Ubuntu.

    Live Desktop

    Once the Live Desktop environment has started we need to use a Terminal shell command-line to issue a series of commands to pre-prepare the target device before executing the Installer itself.

    On Ubuntu (Gnome) press the Show Applications button at lower-left corner

    In the subsequent text search field type «Term» until just the Terminal icon is shown

    Press the icon to launch Terminal.

    Instead of these steps you can just press Ctrl+Alt+T hot-key combination.

    Pre-Prepare Encrypted Partitions

    You might find maximising the Terminal window is helpful for working with the command-line.

    As much as is possible these manual steps will keep to the same installation layout and naming as the installer uses.

    For these commands you’ll need elevated privileges so switch to root user (the $ prefix indicates a regular user and # indicates root user):

    A couple of later commands rely on Bourne-Again Shell (bash) specific functionality, so always switch from the default shell to bash:

    If at any time you wish to check which shell is in use do:

    You will see something like one of these:

    Identify Installation Target Device

    Here the installation target device is sda but yours may vary, so examine the SIZE column to ensure you choose the correct target (in this example the target is a 9GiB virtual-machine disk image file).

    We’ll set an environment variable we can re-use in all future commands. Doing this will allow you to copy and paste these instructions directly into your terminal (note: do not copy and paste the "#" prefix). In this example I’m installing to /dev/sda:

    On systems with NVMe storage devices the naming scheme is /dev/nvme<controller>n<namespace>p<partition> (for example /dev/nvme0n1p1), so if there is only one device it is likely to be /dev/nvme0n1:

    Finally we’ll set an environment variable for the encrypted device-mapper naming that omits the leading path "/dev/" part:

    And we have to cope with NVME devices needing a ‘p’ for partition suffix:

    Partitioning

    We’ll now create a disk label and add four partitions. We’ll be creating a GPT (GUID Partition Table) so it is compatible with both UEFI and BIOS mode installations. We’ll also create partitions for both modes in addition to the partitions for the encrypted /boot/ and / (root) file-systems.

    We’ll be using the sgdisk tool. To understand its options please read man 8 sgdisk

    First check for any existing partitions on the device and if some are found consider if you wish to keep them or not. If you wish to keep them DO NOT USE the sgdisk --zap-all command detailed next. Instead, consider if you need to free up disk space by shrinking or deleting individual existing partitions.

    If you do need to manipulate the existing partitions use the Show Applications menu to search for GParted, which is the graphical partitioning tool (see the GParted manual for how to use it).

    If it is safe to delete everything on this device you should wipe out the existing partitioning metadata — DO NOT DO THIS if you are installing alongside existing partitions!

    Now we’ll create the partitions: a small bios_boot (2MB) partition for BIOS-mode GRUB’s core image, a 128MB EFI System Partition, a 768MB /boot/, and a final partition taking the remaining space for the operating system.

    sgdisk’s --new=<number>:<start>:<end> option takes start and end values that can be relative, and when either is zero (0) it adopts the lowest or highest possible value respectively.

    Partition 4 is not created. The reason is that the Ubuntu Installer would only create partitions 1 and 5; here we create those and, in addition, the two boot-loader alternatives.

    LUKS Encrypt

    The default LUKS (Linux Unified Key Setup) format (version) used by the cryptsetup tool has changed since the release of 18.04 Bionic. 18.04 used version 1 ("luks1") but more recent Ubuntu releases default to version 2 ("luks2"). GRUB at the time of writing only supports opening version 1, so we have to explicitly set luks1 in the commands we use or else GRUB will not be able to install to, or unlock, the encrypted device. (GRUB 2.06 later added partial LUKS2 support, limited to PBKDF2 key slots rather than the Argon2 default that cryptsetup uses, so luks1 remains the safe choice for /boot/.)

    In summary, the LUKS container for /boot/ must currently use LUKS version 1 whereas the container for the operating system’s root file-system can use the default LUKS version 2.


    For more information see the man-pages for 18.04 Bionic or 18.10 Cosmic onwards.

    First the /boot/ partition:

    Now the operating system partition:

    LUKS unlock

    Now open the encrypted devices:

    After the Ubuntu installation is finished we will be adding key-files to both of these devices so that you’ll only have to type the pass-phrase once for GRUB and thereafter the operating system will use embedded key-files to unlock without user intervention.

    Format File-systems

    IMPORTANT: this step must be done, otherwise the Installer’s partitioner will not let you write a file-system to this device-mapper node, since it has no partition table (Man-page for mkfs.ext4):

    Format the EFI-SP as FAT16 (Man-page for mkfs.vfat):

    LVM (Logical Volume Management)

    We’ll now create the operating system LVM Volume Group (VG) and a Logical Volume (LV) for the root file-system.

    LVM has a wonderful facility of being able to increase the size of an LV whilst it is active. To provide for this we will only allocate 80% of the free space in the VG to the LV initially. Later, if you need space for other file-systems, or snapshots, the installed system will be ready and able to support those requirements without struggling to free up space.

    I am also creating a 4GiB LV device for swap which, as well as being used to provide additional memory pages when free RAM space is low, is used to store a hibernation image of memory so the system can be completely powered off and can resume all applications where they left off. The size of the swap space to support hibernation should be equal to the amount of RAM the PC has now or is expected to have in the future.
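All of the pre-preparation steps, from the device variables (including the NVMe "p" suffix and the efivarfs check from the Detecting UEFI boot mode section) through partitioning, LUKS formatting, file-systems and LVM, as one added shell script. It is my code, not tj’s and not from the wiki. Sizes, partition numbers and names (LUKS_BOOT, ubuntu-vg, root, swap_1) follow the guide; the GPT type codes and the installer-style mapper name ${dm}5_crypt are my assumptions. Nothing is written to disk unless TARGET_DEV is set.

```bash
#!/bin/bash
# Added example (not from the wiki): pre-prepare the encrypted partitions from the
# live session. Destructive steps run only when TARGET_DEV is set (e.g. /dev/sda).
set -eu

# Partition node for a disk: /dev/sda + 1 -> /dev/sda1, but devices whose name ends
# in a digit (NVMe, MMC) need a "p" separator: /dev/nvme0n1 + 5 -> /dev/nvme0n1p5.
partition_node() {   # disk number
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# Device-mapper prefix in the installer's style: disk name without /dev/, with the
# same "p" rule, so the root container becomes sda5_crypt or nvme0n1p5_crypt (assumed).
dm_prefix() {        # disk
    partition_node "${1#/dev/}" ""
}

# "Detecting UEFI boot mode": efivarfs is only present after a UEFI boot.
booted_uefi() {
    [ -d /sys/firmware/efi/efivars ]
}

prepare_disk() {
    dev=$1
    dm=$(dm_prefix "$dev")
    boot_part=$(partition_node "$dev" 1)
    esp_part=$(partition_node "$dev" 3)
    root_part=$(partition_node "$dev" 5)

    lsblk -o NAME,SIZE,TYPE "$dev"
    sgdisk --zap-all "$dev"                      # ONLY on an empty device
    # Layout from the guide: 768MB /boot, 2MB bios_boot, 128MB EFI-SP, rest for the OS.
    # Partition 4 is skipped so the numbering matches the installer's (1 and 5).
    # GPT type codes are my assumptions: 8309 Linux LUKS, ef02 BIOS boot, ef00 ESP.
    sgdisk --new=1:0:+768M --typecode=1:8309 --change-name=1:/boot  "$dev"
    sgdisk --new=2:0:+2M   --typecode=2:ef02 --change-name=2:GRUB   "$dev"
    sgdisk --new=3:0:+128M --typecode=3:ef00 --change-name=3:EFI-SP "$dev"
    sgdisk --new=5:0:0     --typecode=5:8309 --change-name=5:rootfs "$dev"
    sgdisk --print "$dev"

    # /boot must be LUKS1 so GRUB can unlock it; root keeps the LUKS2 default.
    cryptsetup luksFormat --type=luks1 "$boot_part"
    cryptsetup luksFormat "$root_part"
    cryptsetup open "$boot_part" LUKS_BOOT
    cryptsetup open "$root_part" "${dm}5_crypt"

    # Pre-format so the installer's partitioner will offer the mapper node.
    mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
    mkfs.vfat -F 16 -n EFI-SP "$esp_part"

    # LVM: 4GiB swap (size it to RAM if you want hibernation) and 80% of the rest for root.
    pvcreate /dev/mapper/"${dm}5_crypt"
    vgcreate ubuntu-vg /dev/mapper/"${dm}5_crypt"
    lvcreate -L 4G -n swap_1 ubuntu-vg
    lvcreate -l 80%FREE -n root ubuntu-vg
    lsblk -o NAME,SIZE,TYPE "$dev"
}

if [ -n "${TARGET_DEV:-}" ]; then
    prepare_disk "$TARGET_DEV"
else
    printf 'boot=%s root=%s dm=%s5_crypt\n' \
        "$(partition_node /dev/nvme0n1 1)" "$(partition_node /dev/nvme0n1 5)" "$(dm_prefix /dev/nvme0n1)"
fi
```

Run it as root from the live session with TARGET_DEV=/dev/sda (or /dev/nvme0n1); without the variable it only prints the device names it would derive. The two luksFormat calls and the two open calls each prompt for a pass-phrase, so expect six prompts in total.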

    Install Ubuntu

    Now minimise the Terminal window and start the Installer:

    Choose the installation language and keyboard and then the software installation choices:

    In the Installation Type options choose Something Else:

    Manual Partitioning

    The manual partitioner will start:

    Select the root file-system device for formatting (/dev/mapper/ubuntu--vg-root), press the Change button, choose Use As Ext4 and Mount point /:

    Select the swap device (/dev/mapper/ubuntu--vg-swap_1), press the Change button, choose Use as swap area:

    Select the Boot file-system device for formatting (/dev/mapper/LUKS_BOOT), press the Change button, choose Use as Ext4 and Mount point /boot:

    Select the boot-loader device (/dev/sda in my example). The boot-loader device should always be a raw disk, not a partition or device-mapper node:

    Press the Install Now button to write the changes to the disk and press the Continue button:

    The installation process will continue in the background whilst you fill in the Where Are You? and Who Are You? forms:

    Enable Encrypted GRUB

    As soon as you have completed those forms switch to the Terminal to configure GRUB. These commands wait until the installer has created the GRUB directories and then add a drop-in file telling GRUB to use an encrypted file-system. The command will not return to the shell prompt until the target directory has been created by the installer. In most cases that will have been done before this command is executed, so it should return instantly:

    This has to be done before the installer reaches the Install Bootloader stage at the end of the installation process.
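The drop-in step as an added shell snippet (my code, not the wiki’s). It assumes the installer mounts the new system at /target and that the drop-in is read from /etc/default/grub.d/; the setting written is GRUB_ENABLE_CRYPTODISK=y, which makes grub-install embed the cryptodisk and luks modules in its core image. The timeout is my addition, so a failed installer does not leave the loop hanging forever.

```bash
#!/bin/bash
# Added example (not from the wiki): enable LUKS support in the target's GRUB.
# Runs only when TARGET_ROOT is set, e.g. TARGET_ROOT=/target during installation.
set -eu

# Block until the installer has created <root>/etc/default/grub.d, or give up
# after the given number of seconds.
wait_for_grub_dir() {   # root timeout_seconds
    n=0
    until [ -d "$1/etc/default/grub.d" ]; do
        n=$((n + 1))
        [ "$n" -le "$2" ] || return 1
        sleep 1
    done
}

# Drop-in read by GRUB's tooling: with this set, grub-install builds the cryptodisk
# and luks modules into the core image so GRUB can unlock /boot itself.
grub_cryptodisk_dropin() {  # root
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$1/etc/default/grub.d/local.cfg"
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1/etc/default/grub.d/local.cfg"
}

if [ -n "${TARGET_ROOT:-}" ]; then
    wait_for_grub_dir "$TARGET_ROOT" 600 || { echo "installer never created grub.d" >&2; exit 1; }
    grub_cryptodisk_dropin "$TARGET_ROOT"
fi
```

Run it as root with TARGET_ROOT=/target while the installer is still copying files, before it reaches the Install Bootloader stage.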

    If installation is successful choose the Continue Testing option:

    Post-Installation Steps

    Return to the Terminal and create a change-root environment to work in the newly installed OS (Man-pages for mount chroot):

    Within the chroot install and configure the cryptsetup-initramfs package. This may already be installed. Note: this package is not available in 18.04 Bionic because the files are included in the main cryptsetup package.

    This allows the encrypted volumes to be automatically unlocked at boot-time. The key-file and supporting scripts are added to the /boot/initrd.img-$VERSION files.

    This is safe because these files are themselves stored in the encrypted /boot/ which is unlocked by the GRUB boot-loader (which asks you to type the pass-phrase) which then loads the kernel and initrd.img into RAM before handing execution over to the kernel. (Man-page for initramfs.conf):

    Create a randomised key-file of 4096 bits (512 bytes), secure it, and add it to the LUKS volumes (Man-pages for dd chmod):

    Add the keys to the crypttab (Man-pages for crypttab blkid):

    Finally update the initramfs files to add the cryptsetup unlocking scripts and the key-file:
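The post-installation steps, from the cryptsetup-initramfs configuration through the key-file and crypttab to rebuilding the initramfs, as an added shell script that is my code and not the wiki’s; run it inside the chroot described above. The key-file location /etc/luks/boot_os.keyfile, the luks,discard options and the BOOT_PART, ROOT_PART and ROOT_DM variables are my assumptions. The helpers take a root-directory prefix so they can be exercised against a scratch directory before touching the real system.

```bash
#!/bin/bash
# Added example (not from the wiki): post-installation steps, to be run INSIDE the
# chroot of the newly installed system. Privileged steps run only when BOOT_PART,
# ROOT_PART and ROOT_DM are all set, e.g.
#   BOOT_PART=/dev/sda1 ROOT_PART=/dev/sda5 ROOT_DM=sda5_crypt
set -eu

KEYDIR=/etc/luks                   # assumed location
KEYFILE=$KEYDIR/boot_os.keyfile    # assumed name

# initramfs-tools configuration. KEYFILE_PATTERN tells cryptsetup-initramfs which key
# files to copy into the initrd; UMASK=0077 makes the generated initrd root-only, so
# the embedded key cannot be read by other users once /boot is mounted.
configure_initramfs_keyfile() {    # root
    mkdir -p "$1/etc/cryptsetup-initramfs" "$1/etc/initramfs-tools"
    printf 'KEYFILE_PATTERN=%s/*.keyfile\n' "$KEYDIR" >> "$1/etc/cryptsetup-initramfs/conf-hook"
    printf 'UMASK=0077\n' >> "$1/etc/initramfs-tools/initramfs.conf"
}

# 512-byte (4096-bit) random key; directory 0700, file 0400. Prints the key size.
make_keyfile() {                   # root
    mkdir -p -m 0700 "$1$KEYDIR"
    ( umask 077; dd if=/dev/urandom of="$1$KEYFILE" bs=512 count=1 2>/dev/null )
    chmod 0400 "$1$KEYFILE"
    wc -c < "$1$KEYFILE" | tr -d ' '
}

# crypttab line: "luks" selects the LUKS container type, "discard" passes TRIM through
# (a trade-off: it reveals which blocks of the container are unused).
crypttab_line() {                  # name uuid
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$KEYFILE"
}

post_install() {                   # boot_part root_part root_dm
    apt-get install -y cryptsetup-initramfs   # already part of cryptsetup on 18.04
    configure_initramfs_keyfile ""
    make_keyfile "" >/dev/null
    # Each luksAddKey prompts for an existing pass-phrase of that container.
    cryptsetup luksAddKey "$1" "$KEYFILE"
    cryptsetup luksAddKey "$2" "$KEYFILE"
    crypttab_line LUKS_BOOT "$(blkid -s UUID -o value "$1")" >> /etc/crypttab
    crypttab_line "$3"      "$(blkid -s UUID -o value "$2")" >> /etc/crypttab
    # Rebuild every installed initrd with the unlock scripts and the key file.
    update-initramfs -u -k all
}

if [ -n "${BOOT_PART:-}" ] && [ -n "${ROOT_PART:-}" ] && [ -n "${ROOT_DM:-}" ]; then
    post_install "$BOOT_PART" "$ROOT_PART" "$ROOT_DM"
fi
```

After update-initramfs, check that the new initrd under /boot is mode 0600 and owned by root; if it is world-readable, the UMASK setting did not take effect and the key inside it is exposed to every local user.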

    If everything has gone well the system is now ready to reboot.

    ReBoot

    Reboot the system, not forgetting to remove the installation media (otherwise it’ll boot again!).

    You should get a GRUB pass-phrase prompt:

    Full_Disk_Encryption_Howto_2019 (last edited by tj 2021-09-04 12:41:49)

    The material on this wiki is available under a free license, see Copyright / License for details