Installing Slackware in an encrypted LVM
Introduction
When a laptop is lost or stolen (it may be a desktop computer, but this is more likely to happen to a computer that we carry around), at first we may resent the price of the machine itself (and the personal data on the machine if you do not back up frequently, which you really should, especially if you move your computer around a lot), until we realize that whoever is in possession of the computer now has access to all of our information: our photos, our documents, our media, all of our browser history and, to make things worse, possibly sensitive information such as our credit card details and the login information for the websites that we visit. If the lost computer belonged to a corporate user, things are even worse, as whoever took possession of the computer may have obtained sensitive information about the company or about its clients.
A common approach to protect this sensitive information is to create an encrypted area (or multiple encrypted areas) on the Hard Disk Drive (HDD) with a program like TrueCrypt, and to store the sensitive information in it. While this approach is good, it doesn't protect things such as the browser history or the virtual memory of the computer, in which information such as passwords and credit card numbers is stored. And of course, if we put the computer into hibernation, the entire content of the memory is dumped to the HDD, along with these passwords and other content that the computer was supposed to store only temporarily, and it may be retrieved by someone with the necessary expertise.
A different approach is to encrypt the entire system, not just an area with personal data. This offers several advantages over an encrypted area:
- If the system is lost, the computer is pretty much useless without the password at boot time; only a full format and a reinstall would make it useful again, but our information on it is forever lost (unless we use a really bad passphrase).
- The encryption is transparent: one password at the start serves to unlock both the system and the personal data. Other than that, the system performs the encryption and decryption operations transparently as it writes to and reads from the disk.
- The virtual memory is encrypted as well.
- This allows us to put the computer to hibernate; when the memory is dumped into the HDD, it gets encrypted.
This is the first of several posts. The goal is to create a secure system where we can store and manage our sensitive information and from which we can safely do online transactions. I intend to cover topics ranging from the installation of an encrypted system, to the maintenance of the system, to automated back-ups. I will cover both Slackware, for the truly paranoid who want to have tight control over the system and only trust downloading the source code and compiling programs themselves, and Ubuntu, for those who want a more user-friendly system. I may cover other distributions and/or operating systems, or encryption schemes, but this is only a start.
In this first guide, I will be covering the installation of a fully encrypted Slackware, for this is an old Linux distribution with a solid history of security and stability, and of course, because I like it and use it on a frequent basis.
Requirements
We need the Slackware CDs or the DVD, although you can use another installation medium. For this guide I used the DVD, although on netbooks I usually use a small flash memory and have the installation files on an NFS (network file system).
Of course, we need an empty area in the HDD. If we are going to perform a full install, around 8GB should be enough and give us some flexibility to install additional programs that we may need and space to store our private documents, but the more the better.
Creating partitions
First of all we are going to insert the Slackware DVD and restart the computer. If you are doing this on a netbook or on a computer without an optical disk reader, you may boot it from a flash memory and use a network file system as the software source. At first we will be greeted and then asked whether to start with the default kernel (hugesmp.s) or choose a different one. We will press Enter and go with the default kernel, unless we are doing this on a very old machine.
ISOLINUX 3.84 2009-12-18 ETD Copyright (C) 1994-2009 H. Peter Anvin et al
Welcome to Slackware version 13.1 (Linux kernel 2.6.33.4)!
If you need to pass extra parameters to the kernel, enter them at the prompt
below after the name of the kernel to boot (huge.s etc). NOTE: If your machine
is not at least a Pentium-Pro, you *must* boot and install with the huge.s
kernel, not the hugesmp.s kernel! For older machines, use "huge.s" at the
boot prompt.
In a pinch, you can boot your system from here with a command like:
boot: hugesmp.s root=/dev/sda1 rdinit= ro
In the example above, /dev/sda1 is the / Linux partition.
This prompt is just for entering extra parameters. If you don't need to enter
any parameters, hit ENTER to boot the default kernel "hugesmp.s" or press [F2]
for a listing of more kernel choices.
boot: _
Slackware will start loading and will eventually ask us to choose a keyboard layout. I will press Enter and continue, as I'm fine with the US keyboard, but if you need a different keyboard layout, press 1 and choose one that suits you.
<OPTION TO LOAD SUPPORT FOR NON-US KEYBOARD>
If you are not using a US keyboard, you may now load a different
keyboard map. To select a different keyboard map, please enter 1
now. To continue using the US map, just hit enter.
Enter 1 to select a keyboard map: _
And finally we will get to a login screen, where we will simply type root and hit Enter.
Welcome to the Slackware Linux installation disk! (version 13.1)
###### IMPORTANT! READ THE INFORMATION BELOW CAREFULLY. ######
- You will need one or more partitions of type 'Linux' prepared. It is also
recommended that you create a swap partition (type 'Linux swap' prior
to installation. For more information, run 'setup' and read the help file.
- If you're having problems that you think might be related to low memory (this
is possible on machines with 64 or less megabytes of system memory), you can
try activating a swap partition before you run setup. After making a swap
partition (type 82) with cfdisk or fdisk, activate it like this:
mkswap /dev/<partition> ; swapon /dev/<partition>
- Once you have prepared the disk partitions for Linux, type 'setup' to begin
the installation process.
- If you do not have a color monitor, type: TERM=vt100
before you start 'setup'.
You may now login as 'root'.
slackware login: _
Once logged in we will prepare the system. Usually, we just create a partition for Linux and one for swap. I recommend also creating one for /home, as this makes it easier to reinstall the system without affecting the personal user information and settings. However, as this is not a common installation, we are going to distribute the HDD differently. We will start by creating two partitions: a small unencrypted one where we are going to store the Linux kernel and from which we will boot the system, and a second one where we are going to store our encrypted LVM. In the end the HDD will be like this:
We start by typing fdisk -l to see the hard disk drives in our computer and their partitions. In my case I can see that my disk is labeled sda, and that it doesn't have a valid partition table because it's an empty disk. I can also see that there are no other units available in the computer; therefore, when I run cfdisk in the next step, I don't need to specify the HDD to use, as it will use sda.
root@slackware:/# fdisk -l
Disk /dev/sda: 9663 MB, 9663676416 bytes
255 heads, 63 sectors/track, 1174 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/sda doesn't contain a valid partition table
root@slackware:/# _
Now we will type cfdisk and press Enter. This will show us the cfdisk interface. As the HDD is empty, the empty space is selected by default; if we are doing this on a computer that already has another operating system on it, we just need to select the desired free space with the up and down arrow keys. Then we can move between the different options with the left and right arrow keys.
cfdisk (util-linux-ng 2.17.2)
Disk Drive: /dev/sda
Size: 9662676416 bytes, 9663 MB
Heads: 255 Sectors per Track: 63 Cylinders: 1174
Name Flags Part Type FS Type [Label] Size (MB)
------------------------------------------------------------------------------
Pri/Log Free Space 9656.48
[ Help ] [ New ] [ Print ] [ Quit ] [ Units ]
[ Write ]
Create new partition from free space_
We select [ New ] and press Enter, then we select [ Primary ] and press Enter, then we type the size of the partition. In this case I am going to select 100MB for this area.
cfdisk (util-linux-ng 2.17.2)
Disk Drive: /dev/sda
Size: 9662676416 bytes, 9663 MB
Heads: 255 Sectors per Track: 63 Cylinders: 1174
Name Flags Part Type FS Type [Label] Size (MB)
------------------------------------------------------------------------------
Pri/Log Free Space 9656.48
Size (in MB): 100_
Once we type the number we press Enter and select [ Beginning ], and the partition will appear with its type marked as Linux. Once here we can go to the option that says [ Bootable ], as this is going to be the area of the disk from which we boot, and press Enter. And we are done creating the first partition.
cfdisk (util-linux-ng 2.17.2)
Disk Drive: /dev/sda
Size: 9662676416 bytes, 9663 MB
Heads: 255 Sectors per Track: 63 Cylinders: 1174
Name Flags Part Type FS Type [Label] Size (MB)
------------------------------------------------------------------------------
sda1 Boot Primary Linux 98.71
Pri/Log Free Space 9557.78
[ Bootable ] [ Delete ] [ Help ] [ Maximize ] [ Print ]
[ Quit ] [ Type ] [ Units ] [ Write ]
Toggle bootable flag of the current partition_
After this we are going to create the second partition. We need to select the empty area below and repeat the same steps, only this time we are going to use the rest of the empty space. Once this is done it will look like this:
cfdisk (util-linux-ng 2.17.2)
Disk Drive: /dev/sda
Size: 9662676416 bytes, 9663 MB
Heads: 255 Sectors per Track: 63 Cylinders: 1174
Name Flags Part Type FS Type [Label] Size (MB)
------------------------------------------------------------------------------
sda1 Boot Primary Linux 98.71
sda2 Primary Linux 9557.78
[ Bootable ] [ Delete ] [ Help ] [ Maximize ] [ Print ]
[ Quit ] [ Type ] [ Units ] [ Write ]
Write partition table to disk (this might destroy data)_
Now we go to [ Write ], type "yes" and press Enter. The partition table is created. Take note of the names of the units though, as we will be using sda1 and sda2 during the process. If you need to check them at any time, just type fdisk -l from the prompt and it will give you the list of partitions. Finally, we select [ Exit ] to get back to the prompt.
Disk has been changed.
WARNING: If you have created or modified any
DOS 6.x partitions, please see the cfdisk manual
page for additional information.
root@slackware:/# _
Preparing the encrypted LVM
We are going to encrypt sda2. But first, and this is entirely optional, if you feel like your computer is likely to be searched by, I don't know, the FBI, you can fill the entire partition destined to be encrypted with random data before using it. This is because encrypted data looks like random data, so if you perform the procedure in this post on a new (and therefore empty) HDD, it will be easy to determine which area holds encrypted data, as the rest of the HDD will be empty. We can fill this partition beforehand with randomly generated data, but be aware that this may take a really long time; I am talking about hours here. For this we use the command dd. Just remember to use the right partition here, because if you do this to any other partition it will destroy its contents:
dd if=/dev/urandom of=/dev/sda2
Once this is done, if you choose to do it, we are going to format the partition to be encrypted. To do this we will use:
cryptsetup -s 256 -y luksFormat /dev/sda2
You will be warned that this command will completely destroy any data you have in that partition. After you confirm that this is really what you want to do, you will be asked twice for your passphrase. This accepts more than just letters and numbers, but be careful with what you use, because if you don't have the right keyboard layout and use symbols, you may end up with a passphrase that is different from what you thought you wrote. In addition to this, if you forget your passphrase, you will lose your data, all of it, and there will be nothing that you can do about it. It is for this reason that I recommend that you constantly back up your data. If this is your mobile laptop and you have a desktop at home, I strongly suggest routinely synchronizing the contents of this laptop with those of your desktop.
The default cypher is 'AES', with a key whose strength is 128 bits. You can modify the strength of the cypher with -s and a multiple of 8. In this case I am using a key with a strength of 256 bits. The -y parameter asks you for confirmation of your passphrase. Of course, the longer the key, the harder it is to crack the encryption, but every read and write operation will cost more processor cycles.
Once this is done, we are going to open our newly created encrypted partition and use it as a mapped device. We will call this slackcrypt (you can call it anything that you want), so it will appear as /dev/mapper/slackcrypt:
cryptsetup luksOpen /dev/sda2 slackcrypt
This will ask for the passphrase we previously entered. With our encrypted partition open and available as a mapped device, we are going to create a Physical Volume (PV) on /dev/mapper/slackcrypt:
pvcreate /dev/mapper/slackcrypt
Then we create a Volume Group (VG) called cryptvg (this can be named anything that you want as well).
vgcreate cryptvg /dev/mapper/slackcrypt
Now we proceed to create three Logical Volumes (LVs): one for the system (root), one for the personal data (home) and one for the virtual memory (swap). The sum of the logical volumes must be under the total size of the volume group. If you need to check how much space you have available in the volume group at any time, you can do so with:
vgdisplay -v cryptvg | more
To exit from that, press q. We can define the size of the logical volume by using -L, a number and optionally a suffix. By default the number is taken as megabytes, but you can use the suffixes K (kilo), M (mega), G (giga), T (tera), P (peta) or H (hexa), although the last three suffixes are too big at the time of writing this article. Additionally we can use -l (lowercase L) to give the size in logical extents: %VG would be a percentage of the volume group size, and %FREE would be a percentage of the remaining free space in the volume group. For this example I am going to use 7GB for the system, 500MB for the virtual memory, and the rest of the space for the personal data.
lvcreate -L 7G -n root cryptvg
lvcreate -L 500M -n swap cryptvg
lvcreate -l 100%FREE -n home cryptvg
Now we are going to have the system detect the logical volumes and to create device nodes for them:
vgscan --mknodes
As a result you will get 'Found volume group "cryptvg" using metadata type lvm2'. Then we proceed to activate all the volumes. This will make the logical volumes known to the kernel, so we can format the swap volume and use these logical volumes during the install procedure:
vgchange -ay
This will return '3 logical volume(s) in volume group "cryptvg" now active'. And now we will run mkswap so that the setup program will identify the swap LV as a valid swap partition. We do this with:
mkswap /dev/cryptvg/swap
And we are done preparing the system for the installation of Slackware.
Installation
You can now type setup, hit Enter, and follow the instructions to perform a normal Slackware installation. When you are setting up the swap, it will automatically detect /dev/cryptvg/swap as the swap area; just accept the setting. When you are asked about the partitions, select /dev/cryptvg/root for the root partition, /dev/cryptvg/home for the /home partition and /dev/sda1 for /boot, which will be the only unencrypted part of this Slackware install. In this part of the setup you will see several more devices such as /dev/mapper/*. Do not touch any of these or you may lose the logical volumes, or the volume group, or the encrypted area.
Once all packages have been installed, we will eventually get to the dialog of liloconfig. Choose expert, then select Begin, and when asked where to install lilo choose MBR (Master Boot Record) and /dev/sda. Then choose to add a Linux partition and you will see the different areas in the HDD; type /dev/cryptvg/root, then choose Install. This will attempt to install lilo, but you may see an error message stating that the installation of lilo failed. If you get it, just ignore it, because we will have to add an initrd image to '/etc/lilo.conf' and rerun lilo once the installation is done and we are back at the command prompt.
Fixing lilo
When the installation is finished, the disk will be ejected (if it's a disk that you have been using to install Slackware) and we will be told to hit ctrl+alt+delete to reboot. But first, we are going to fix lilo, so don't reboot just yet. The setup program has done all the preparations already, such as remounting /sys and /proc in /mnt and generating LVM device nodes in /mnt. Let's become root in the newly installed system with chroot:
chroot /mnt
Here we are going to create an initrd image with LVM and CRYPT support. The image will be named initrd.gz. As we formatted the root as ext4 (or at least I did that; you can change this to the file system that you used during the installation process) and since we are running Slackware 13.1's default kernel '2.6.33.4-smp', the command is:
mkinitrd -c -k 2.6.33.4-smp -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sda2 -L
This command will create a folder called initrd-tree inside /boot, where you can add modules or change the keyboard layout of the passphrase prompt if you need to. If you do change this, you will need to rerun mkinitrd. The resulting initrd image will be saved in '/boot/initrd.gz' by default. Now we are going to open the file /etc/lilo.conf and tell lilo about our new initrd, as well as to load the generic kernel instead of the huge one. The huge one is meant to boot from the CD/DVD on a wide variety of systems, but we don't really need it, and it is bigger than what lilo can handle. To edit the file we can use nano, vi or vim. In this example I use nano, but personally I prefer to use vim.
nano /etc/lilo.conf
At the bottom, you will see the Linux area. Edit it so it looks like this:
image = /boot/vmlinuz-generic-smp-2.6.33.4-smp
initrd = /boot/initrd.gz
root = /dev/cryptvg/root
label = Slackware
read-only
Now save your changes with ctrl+o and exit with ctrl+x. And run lilo:
lilo
It will give you a few warnings, one concerning '/proc/partitions'. Ignore this and, when lilo is done, reboot with ctrl+alt+delete. After you reboot, the system will ask you for your passphrase. After entering the passphrase, the system will boot into Slackware. You will work as usual, and when you shut down or put the machine into hibernation, everything, including your swap, will be encrypted on your disk.
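To check that claim on the running system, the following script (an added example, not part of the original guide) reads /proc/mounts and /proc/swaps and lists every filesystem or swap partition, other than /boot, that sits outside the cryptvg volume group. It assumes the volumes show up as /dev/cryptvg/* or /dev/mapper/cryptvg-*; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). VG name "cryptvg" and the
# unencrypted /boot follow the guide; the device-path forms are assumptions.
VG=cryptvg

# True if device path $1 is a logical volume of $VG (either naming form).
on_crypt_vg() {
    case "$1" in
        /dev/"$VG"/*|/dev/mapper/"$VG"-*) return 0 ;;
    esac
    return 1
}

# stdin: /proc/mounts text. Prints "device mountpoint" for each disk-backed
# filesystem outside $VG, skipping /boot, which is unencrypted by design.
unencrypted_mounts() {
    while read -r dev mnt rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac  # skip proc, sysfs, tmpfs
        if [ "$mnt" != /boot ] && ! on_crypt_vg "$dev"; then
            echo "$dev $mnt"
        fi
    done
}

# stdin: /proc/swaps text. Prints every swap partition outside $VG.
unencrypted_swaps() {
    while read -r dev type rest; do
        if [ "$type" = partition ] && ! on_crypt_vg "$dev"; then
            echo "$dev"
        fi
    done
}

# $1: mounts file, $2: swaps file. Returns 0 only if nothing is on plain disk.
audit() {
    leaks=$(unencrypted_mounts < "$1"; unencrypted_swaps < "$2")
    [ -z "$leaks" ] && return 0
    echo "NOT ENCRYPTED:"; echo "$leaks"
    return 1
}

# Constructed sample: a system whose swap was left on a plain partition.
sample_mounts() {
cat <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
/dev/mapper/cryptvg-root / ext4 rw 0 0
/dev/sda1 /boot ext4 rw 0 0
/dev/cryptvg/home /home ext4 rw 0 0
EOF
}
sample_swaps() {
cat <<'EOF'
Filename Type Size Used Priority
/dev/sda3 partition 511996 0 -1
EOF
}

# On an installed system, run instead: audit /proc/mounts /proc/swaps
d=$(mktemp -d); sample_mounts > "$d/m"; sample_swaps > "$d/s"
audit "$d/m" "$d/s" || echo "sample system fails the audit"
rm -rf "$d"
```

On the layout built in this guide the audit prints nothing and returns 0; a swap partition that was set up outside the volume group is the usual thing it catches.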
Final notes
Back up often; I cannot possibly emphasize this enough. If for some unfortunate reason your HDD fails, if you lose or forget your passphrase, or who knows what else may happen, no one is going to be able to recover the information contained in your encrypted system. Ultimately this is the whole point of doing this, so that no other person can access your sensitive information, but that will include anyone who could repair or give maintenance to the computer.
And that will be all for now. I would like to expand this even more to cover the entire installation process with images, but unfortunately there is no time. There will be updates, though, whenever new versions of Slackware arrive.
The raw commands
cfdisk
dd if=/dev/urandom of=/dev/sda2
cryptsetup -s 256 -y luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 slackcrypt
pvcreate /dev/mapper/slackcrypt
vgcreate cryptvg /dev/mapper/slackcrypt
lvcreate -L 7G -n root cryptvg
lvcreate -L 500M -n swap cryptvg
lvcreate -l 100%FREE -n home cryptvg
vgscan --mknodes
vgchange -ay
mkswap /dev/cryptvg/swap
setup
chroot /mnt
mkinitrd -c -k 2.6.33.4-smp -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sda2 -L
nano /etc/lilo.conf
Edit the Linux entry of lilo to make it look like this:
image = /boot/vmlinuz-generic-smp-2.6.33.4-smp
initrd = /boot/initrd.gz
root = /dev/cryptvg/root
label = Slackware
read-only
lilo