Computer Cleanup – Installing Linux Mint on a Partially Encrypted File-System

The reason I started this blog today is that yesterday I finished cleaning up my laptop. It all started because I wanted to organize my pictures (a new family member causes a lot of pictures to be taken), but I quickly realized my entire file-system was a mess…

Cleaning up my laptop had become a necessity, and I decided to repartition it for two reasons:

  1. I wanted to replace my Xubuntu install with Linux Mint, because I could and
  2. I wanted to move my partitioning scheme to LVM, because my disk space needs tend to change every once in a while.

Another thing I had been considering for a while was encryption; no need to explain why: (semi-)private data on a laptop could do with some protection. While I was at it, I decided to tackle this as well.

Setting Things Up

The Linux Mint installer I used was for Linux Mint 14 – Cinnamon. The Mint installer comes without (full) support for LVM/dm-crypt; however, lvm2 and cryptsetup are included on the DVD, so some manual tweaking was needed. I’ll describe the steps I used (from the live DVD).

Partitioning

My laptop still has Windows on it, and although I never use it, I want to keep it there just in case. The remaining hard-disk space was divided into three partitions (I decided not to encrypt the full disk, but only the sensitive parts). So, I decided on the following layout:

  • /dev/sda1 – 20G Windows
  • /dev/sda2 – 256M /boot
  • /dev/sda3 – extended partition (needed because of existing data)
    • /dev/sda5 – lvm – vg1 (unencrypted)
    • /dev/sda6 – lvm – vgc1 (encrypted)

I decided on a separate /boot partition because I had some trouble booting directly from LVM. Using an entire encrypted LVM volume allows one to enter a single pass-phrase (during boot) to unlock everything that needs unlocking. This includes swap, enabling use of normal hibernate/resume!

I backed up everything just in case, but did not delete my existing /home partition. I used gparted on the live DVD to set up the empty partitions, with no file-systems yet. After modifying my partitions I rebooted (just to be sure that the kernel recognized the new partitioning).

Encryption

Since I was encrypting an entire LVM physical volume (a raw partition), I am using dm-crypt/LUKS. Setting up encryption for an entire physical volume is easy. Linux Mint mostly uses Ubuntu packages, so the prerequisites are the cryptsetup and lvm2 packages. First, set up an encrypted partition:

sudo cryptsetup -s 256 luksFormat /dev/sda6

This calls cryptsetup with the default options and a 256-bit key. This is pretty secure for most situations. You will be asked for a pass-phrase; this pass-phrase is the weakest link in the encryption chain. If your encryption is going to be broken, it is because your pass-phrase was guessed. Be sure to select a strong pass-phrase and write it down somewhere, because if you forget it there is NO way to recover the data!

To map the unlocked partition to a device node, we use cryptsetup again:

sudo cryptsetup luksOpen /dev/sda6 cryptfs

This creates the mapper at /dev/mapper/cryptfs. Now we could put a file-system on it and mount the encrypted partition; however, I want to create an LVM physical volume instead.

LVM

Creating a physical volume and volume group on this encrypted partition is not much different from using a normal partition:

sudo pvcreate /dev/mapper/cryptfs
sudo vgcreate vgc1 /dev/mapper/cryptfs

Several parts of a Linux file-system could contain sensitive information. What you consider sensitive, however, could differ from what I consider sensitive. I decided to encrypt the following: /usr, /var, /tmp, /root, /home and swap.

The most obvious choice here is /home, with my private user files in it. Besides the “normal” users, the root user’s files are stored in /root. Temporary files containing information from (or parts of) files in these “home” directories could be stored in any of the other directories. Swap especially: don’t forget that the entire contents of memory get written to swap when you hibernate.

So, I decided to generate logical volumes for the following directories:

sudo lvcreate -L 3G -n usr vgc1
sudo lvcreate -L 3G -n var vgc1
sudo lvcreate -L 1G -n opt vgc1
sudo lvcreate -L 1G -n tmp vgc1
sudo lvcreate -L 1G -n hroot vgc1
sudo lvcreate -L 50G -n home vgc1
sudo lvcreate -L 4G -n swap vgc1

Diagram showing encrypted volume group

The sizes of the volumes of course are not fixed, but it is smart to leave some free space in your volume group, giving you the option to rearrange things if needed.
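As an added illustration (not part of the original post), a small shell script that totals a layout like the one above and only emits the lvcreate commands when a chosen share of the volume group stays free; the "name:size" spec format and the 80 GiB group size are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: plan the logical volumes before
# running lvcreate, so the total fits the volume group with room to spare.
# Spec format is this script's own: "name:size" pairs, size in M or G.

# Convert a size like 3G or 512M to MiB.
size_to_mib() {
    case "$1" in
        *G|*g) echo $(( ${1%?} * 1024 )) ;;
        *M|*m) echo "${1%?}" ;;
        *) echo "size_to_mib: unsupported size '$1'" >&2; return 1 ;;
    esac
}

# Sum the sizes of all "name:size" pairs given as arguments, in MiB.
lv_total_mib() {
    total=0
    for pair in "$@"; do
        mib=$(size_to_mib "${pair#*:}") || return 1
        total=$((total + mib))
    done
    echo "$total"
}

# Print the lvcreate commands for a volume group, refusing the plan unless
# at least RESERVE_PCT percent of the group stays free for later resizing.
# Usage: plan_lvs VG VG_SIZE_GIB RESERVE_PCT name:size ...
plan_lvs() {
    vg="$1"; vg_mib=$(( $2 * 1024 )); reserve_pct="$3"
    shift 3
    total=$(lv_total_mib "$@") || return 1
    free=$((vg_mib - total))
    if [ $((free * 100)) -lt $((vg_mib * reserve_pct)) ]; then
        echo "plan_lvs: ${total}M requested, only ${free}M of ${vg_mib}M would stay free (< ${reserve_pct}%)" >&2
        return 1
    fi
    for pair in "$@"; do
        echo "sudo lvcreate -L ${pair#*:} -n ${pair%%:*} $vg"
    done
}

# The post's layout on a hypothetical 80 GiB vgc1 (constructed figure, 10% reserve).
plan_lvs vgc1 80 10 usr:3G var:3G opt:1G tmp:1G hroot:1G home:50G swap:4G
```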

These logical volumes are in essence virtual partitions, now residing in /dev/mapper, just like the encrypted partition.

ls /dev/mapper
cryptfs vgc1 vgc1-usr vgc1-var vgc1-tmp vgc1-hroot vgc1-home vgc1-swap

We still need file-systems on these logical volumes:

sudo mkfs.ext4 /dev/mapper/vgc1-usr
...
sudo mkswap /dev/mapper/vgc1-swap

I used ext4 here, but you could use whatever you want!

Installing Linux Mint

Now, run the installer! When choosing the installation location, select the custom option. The installer should automatically recognize the (encrypted) logical volumes, so you can assign them their respective file-systems and mount points.

I found out (for my particular 64-bit install) that not specifying the option to format the file-systems caused the installer to hang, so be sure to select this option! Of course, do not format the partition with your existing data on it, but don’t select it as one of the partitions to be used by your fresh installation either.

Complete the rest of the installation as normal. At the end of the install, do not restart the computer; you are not done yet!

Post Installation Tweaking

If you were to reboot now, you would not be able to mount several parts of your file-system, most likely nothing that lives on LVM or is encrypted! Our new system does not yet include the lvm2 and cryptsetup packages. We can install these from the command line of the live DVD by chrooting into our fresh install.

First, download the needed packages. I found the easiest way to do this was to remove and reinstall them on the live DVD, which leaves the .deb files in the apt cache:

sudo apt-get remove libreadline5 watershed lvm2 cryptsetup
sudo apt-get install libreadline5 watershed lvm2 cryptsetup

Mount the new root, /dev, /sys, and /proc file-systems (grub needs these to update its configuration and find all of the new file-systems). I happened to put my unencrypted root partition on a separate volume group, vg1; your configuration may be different.

sudo mount /dev/mapper/vg1-root /mnt
sudo mount /dev/sda2 /mnt/boot    # the separate /boot partition, so grub writes its configuration there
sudo mount /dev/mapper/vgc1-tmp /mnt/tmp
sudo mount --bind /dev /mnt/dev
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc

Copy the needed packages to our new installation:

sudo cp /var/cache/apt/archives/*.deb /mnt/tmp

Now actually chroot and install the packages:

sudo chroot /mnt
cd /tmp    # where the .deb files were copied to
dpkg -i libreadline5_*.deb watershed_*.deb lvm2_*.deb cryptsetup_*.deb

Instead of unlocking our encrypted volume manually (using cryptsetup luksOpen), we can set things up so that we are asked for the pass-phrase during boot. We can use the crypttab for that, which is similar to fstab. We can edit it with nano, for instance:

nano /etc/crypttab

to include the following:

# <target name>    <source device>        <key file>    <options>
vgc1        /dev/sda6        none        luks,lvm=vgc1

This specifies our mapper at /dev/mapper/vgc1, backed by the actual partition /dev/sda6. We did not use a key file (so we will be prompted for a pass-phrase), and the volume is LUKS-encrypted and contains LVM. Note that the options field is a single comma-separated word; a space after the comma would split it into a fifth field.
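Since a typo here is only discovered after the reboot fails, here is an added check (not from the original post) that validates a crypttab from the live DVD: four fields, a luks option with no spaces, a key file that exists, and a warning when the source is a kernel device name like /dev/sda6 rather than a UUID.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a crypttab before
# rebooting, because a malformed entry means the encrypted volume group is
# never unlocked and nothing on it can be mounted.

# Validate one crypttab entry: target source keyfile options.
# Returns 0 when the entry looks usable, 1 otherwise; findings go to stderr.
check_crypttab_entry() {
    target="$1"; src="$2"; keyfile="$3"; options="$4"; bad=0
    if [ -z "$target" ] || [ -z "$src" ] || [ -z "$keyfile" ] || [ -z "$options" ]; then
        echo "crypttab: entry '$target' needs four fields" >&2
        return 1
    fi
    case "$src" in
        UUID=*|/dev/disk/by-uuid/*) ;;    # stable identifier, preferred
        /dev/*) echo "crypttab: '$target' uses $src; kernel names can change between boots, UUID=\$(blkid -s UUID -o value $src) is safer" >&2 ;;
        *) echo "crypttab: '$target' has unrecognised source '$src'" >&2; bad=1 ;;
    esac
    case ",$options," in
        *,luks,*) ;;    # without it the volume is treated as plain dm-crypt
        *) echo "crypttab: '$target' is missing the luks option" >&2; bad=1 ;;
    esac
    # The key file is either 'none' (prompt at boot) or an existing file.
    if [ "$keyfile" != none ] && [ ! -f "$keyfile" ]; then
        echo "crypttab: '$target' key file $keyfile does not exist" >&2; bad=1
    fi
    return $bad
}

# Check every non-comment line of a crypttab file; the return value is the
# number of bad entries, so 0 means the file passed.
check_crypttab() {
    count=0
    while read -r t s k o; do
        case "$t" in ''|\#*) continue ;; esac
        # "luks, lvm=vgc1" reads as five fields: flag whitespace in the options.
        case "$o" in
            *' '*|*'	'*) echo "crypttab: '$t' has whitespace inside the options field" >&2
                           count=$((count + 1)); continue ;;
        esac
        check_crypttab_entry "$t" "$s" "$k" "$o" || count=$((count + 1))
    done < "$1"
    return $count
}

# Usage from the live DVD, before rebooting:  check_crypttab /mnt/etc/crypttab
```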

Now let's update grub, so that during boot all the file-systems can be found and mounted:

grub-mkdevicemap
update-grub

and exit the chroot:

exit

Now you can use the live DVD to copy all your data to your new /home, after mounting it:

sudo mount /dev/mapper/vgc1-home /mnt/home

Joy!

Now you should be all set! Reboot, enter your pass-phrase and rejoice!
