How to: get the whole system encrypted


Re: How to: get the whole system encrypted

Postby kristhor on Mon Feb 01, 2010 1:26 pm

Well, the "simple" user, as you call it, might have his system on a laptop or even mobile on a USB hard drive, and even though it doesn't have stuff on it that's relevant to national security he might have some personal stuff or just doesn't like the idea of someone going through his system out of curiosity or malicious reasons. And he might lose his disk or laptop, and even if he gets it back there can be no way of knowing if anyone has tinkered with it in the meantime. Maybe it's a little super-paranoid to have the whole system encrypted, probably enough to just have your home or parts of it, but the whole thing makes some people sleep better at night..... besides, it's fun :)
kristhor (Level 2, Posts: 91, Joined: Fri Apr 17, 2009 9:40 pm)


Re: How to: get the whole system encrypted

Postby kristhor on Mon Feb 01, 2010 1:31 pm

gtech wrote: I followed the guide word for word from a USB drive with Helena live boot. I start up the computer and there is just a cursor blinking on the upper left of the screen. Any ideas on why it isn't booting?
I have an extended partition with 10GB root, 12GB not used, and 124 GB home partition, all three are encrypted.

Strangely, every time I try to umount /dev/root/ at the end it says the drive is busy. Each time I just restarted anyway.



When that happens, go back into the chroot and unmount /proc, /sys and /dev/pts before exiting;
then you're able to unmount root.
kristhor (Level 2, Posts: 91, Joined: Fri Apr 17, 2009 9:40 pm)

Re: How to: get the whole system encrypted

Postby linuxviolin on Tue Feb 02, 2010 8:31 pm

kristhor wrote: besides, it's fun :)

Ok, maybe... everyone amused as he can/wants :lol:

But I maintain my point of view. I don't think the personal stuff of a normal user is so important and secret that the system must be encrypted... But this is just my opinion! :D
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
linuxviolin (Level 8, Posts: 2055, Joined: Tue Feb 27, 2007 6:55 pm, Location: France)

Re: How to: get the whole system encrypted

Postby twistx on Mon Feb 08, 2010 10:04 pm

Why not? That's what you should be asking yourself. Why compile a custom kernel when genkernel can do it for you? Why build a computer when you can buy one from Dell? Why run linux at all when windows is the more popular and widely used OS? You're certainly entitled to your opinion though.
twistx (Level 1, Posts: 3, Joined: Tue Jan 05, 2010 5:01 pm)

Re: How to: get the whole system encrypted

Postby Brock on Thu Apr 29, 2010 12:51 pm

Last night I had to do a hard reboot on an HP laptop set up exactly like the tutorial. Works great, I've used it for several installs of Linux Mint, currently LM8 Fluxbox, and have never had so much as a hiccup.

On restart the "croot" and "cswap" mounted fine, but on login, the hdd accessed for a bit then restarted the login (never getting past that).

From a terminal on the live CD, I can open "chome" with cryptsetup, but when I go to mount it I get a "mount: wrong fs type, bad option, bad superblock on /dev/mapper/chome, missing codepage or helper program, or other error"

Specifically:
mint@mint mnt $ sudo cryptsetup luksOpen /dev/sda4 chome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

mint@mint mnt $ sudo mkdir home

mint@mint mnt $ sudo mount -t ext3 /dev/mapper/chome /mnt/home
mount: wrong fs type, bad option, bad superblock on /dev/mapper/chome,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so


Am I trying to mount that volume correctly? If so, does that indicate a disk problem? Is there any way to fix that and save what I can from that volume?

I have looked at fstab, crypttab, the pam_mount config xml on "croot" and all the rest and verified they still match the tutorial.

Edit to add: Looks like I do have disk errors. Syslog:
Apr 29 16:55:18 mint kernel: [ 8191.456102] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:18 mint kernel: [ 8191.456109] ata1.00: BMDMA stat 0x25
Apr 29 16:55:18 mint kernel: [ 8191.456119] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:18 mint kernel: [ 8191.456121]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:18 mint kernel: [ 8191.456125] ata1.00: status: { DRDY ERR }
Apr 29 16:55:18 mint kernel: [ 8191.456129] ata1.00: error: { UNC }
Apr 29 16:55:18 mint kernel: [ 8191.472422] ata1.00: configured for UDMA/100
Apr 29 16:55:18 mint kernel: [ 8191.472443] ata1: EH complete
Apr 29 16:55:20 mint kernel: [ 8194.061416] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:20 mint kernel: [ 8194.061423] ata1.00: BMDMA stat 0x25
Apr 29 16:55:20 mint kernel: [ 8194.061433] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:20 mint kernel: [ 8194.061435]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:20 mint kernel: [ 8194.061439] ata1.00: status: { DRDY ERR }
Apr 29 16:55:20 mint kernel: [ 8194.061443] ata1.00: error: { UNC }
Apr 29 16:55:20 mint kernel: [ 8194.078095] ata1.00: configured for UDMA/100
Apr 29 16:55:20 mint kernel: [ 8194.078117] ata1: EH complete
Apr 29 16:55:23 mint kernel: [ 8196.861069] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:23 mint kernel: [ 8196.861076] ata1.00: BMDMA stat 0x25
Apr 29 16:55:23 mint kernel: [ 8196.861086] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:23 mint kernel: [ 8196.861088]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:23 mint kernel: [ 8196.861092] ata1.00: status: { DRDY ERR }
Apr 29 16:55:23 mint kernel: [ 8196.861096] ata1.00: error: { UNC }
Apr 29 16:55:23 mint kernel: [ 8196.879909] ata1.00: configured for UDMA/100
Apr 29 16:55:23 mint kernel: [ 8196.879931] ata1: EH complete
Apr 29 16:55:26 mint kernel: [ 8199.464602] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:26 mint kernel: [ 8199.464609] ata1.00: BMDMA stat 0x25
Apr 29 16:55:26 mint kernel: [ 8199.464619] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:26 mint kernel: [ 8199.464621]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:26 mint kernel: [ 8199.464625] ata1.00: status: { DRDY ERR }
Apr 29 16:55:26 mint kernel: [ 8199.464629] ata1.00: error: { UNC }
Apr 29 16:55:26 mint kernel: [ 8199.488407] ata1.00: configured for UDMA/100
Apr 29 16:55:26 mint kernel: [ 8199.488427] ata1: EH complete
Apr 29 16:55:28 mint kernel: [ 8202.077700] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:28 mint kernel: [ 8202.077707] ata1.00: BMDMA stat 0x25
Apr 29 16:55:28 mint kernel: [ 8202.077718] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:28 mint kernel: [ 8202.077720]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:28 mint kernel: [ 8202.077724] ata1.00: status: { DRDY ERR }
Apr 29 16:55:28 mint kernel: [ 8202.077728] ata1.00: error: { UNC }
Apr 29 16:55:28 mint kernel: [ 8202.092389] ata1.00: configured for UDMA/100
Apr 29 16:55:28 mint kernel: [ 8202.092408] ata1: EH complete
Apr 29 16:55:31 mint kernel: [ 8204.879434] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:31 mint kernel: [ 8204.879441] ata1.00: BMDMA stat 0x25
Apr 29 16:55:31 mint kernel: [ 8204.879451] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:31 mint kernel: [ 8204.879453]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:31 mint kernel: [ 8204.879458] ata1.00: status: { DRDY ERR }
Apr 29 16:55:31 mint kernel: [ 8204.879461] ata1.00: error: { UNC }
Apr 29 16:55:31 mint kernel: [ 8204.900415] ata1.00: configured for UDMA/100
Apr 29 16:55:31 mint kernel: [ 8204.900456] sd 0:0:0:0: [sda] Unhandled sense code
Apr 29 16:55:31 mint kernel: [ 8204.900460] sd 0:0:0:0: [sda] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Apr 29 16:55:31 mint kernel: [ 8204.900465] sd 0:0:0:0: [sda] Sense Key : Medium Error [current] [descriptor]
Apr 29 16:55:31 mint kernel: [ 8204.900471] Descriptor sense data with sense descriptors (in hex):
Apr 29 16:55:31 mint kernel: [ 8204.900474]         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
Apr 29 16:55:31 mint kernel: [ 8204.900494]         07 a6 99 e5
Apr 29 16:55:31 mint kernel: [ 8204.900501] sd 0:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
Apr 29 16:55:31 mint kernel: [ 8204.900509] end_request: I/O error, dev sda, sector 128358885
Apr 29 16:55:31 mint kernel: [ 8204.900553] ata1: EH complete
Apr 29 16:55:31 mint kernel: [ 8204.901905] JBD: Failed to read block at offset 29825
Apr 29 16:55:31 mint kernel: [ 8204.901914] JBD: recovery failed
Apr 29 16:55:31 mint kernel: [ 8204.901917] EXT3-fs: error loading journal.


Now what?

Edit 2:

Easy fix, actually. Boot to live CD, plug in USB external HDD (mounted to /media/disk) and make a backup copy of the partition.

mint@mint media $ sudo dd if=/dev/sda4 of=/media/disk/chome.img


Open the encrypted volume:

mint@mint media $ sudo cryptsetup luksOpen /dev/sda4 chome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.


Check and repair the file system:

mint@mint media $ sudo e2fsck -C0 -f -y /dev/mapper/chome


fsck checks and repairs the corrupt superblock. Reboot to the HDD, and voilà! Back to normal.
Brock (Level 1, Posts: 3, Joined: Fri Mar 05, 2010 4:47 pm)
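The recovery Brock walks through above, as an added shell example that is not code from the thread: it pulls the unreadable sector numbers out of a kernel log capture (the three sample log lines embedded in the script are copied from Brock's post), checks whether a reported sector falls inside the partition being rescued, and then runs the image / luksOpen / e2fsck sequence in the order he used, taking the raw `dd` copy before `e2fsck -y` rewrites any metadata. The device `/dev/sda4`, mapper name `chome`, image path and mount point are caller-supplied parameters; `conv=noerror,sync` on `dd` and the read-only first mount are additions of mine, not steps from the post. With DRY_RUN=1 the script prints the commands instead of running them; a real run needs root and the real devices.

```shell
#!/bin/sh
# Added example, not code from the thread. Recovers a LUKS-encrypted ext3
# partition that fails to mount after unrecoverable read errors, in the
# order Brock used: raw image first, then luksOpen, then e2fsck on the
# mapped device. Device names, image path and mount point are parameters
# chosen by the caller; the defaults in the usage block are assumptions.

# Three kernel log lines from Brock's post, embedded here as sample input.
sample_log() {
    cat <<'EOF'
Apr 29 16:55:31 mint kernel: [ 8204.900501] sd 0:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
Apr 29 16:55:31 mint kernel: [ 8204.900509] end_request: I/O error, dev sda, sector 128358885
Apr 29 16:55:31 mint kernel: [ 8204.901917] EXT3-fs: error loading journal.
EOF
}

# Print "<disk> <sector>" for every unreadable sector the kernel reported,
# deduplicated. One or two hits are a fsck job; a long list means the drive
# is failing and the image taken next may be the last full read you get.
# $1 = path to a syslog/dmesg capture
bad_sectors() {
    sed -n 's|.*I/O error, dev \([a-z0-9]*\), sector \([0-9]*\).*|\1 \2|p' "$1" | sort -u
}

# Kernel sector numbers are absolute, 512-byte units. Subtracting the
# partition's start sector (from `fdisk -l` or /sys/block/sda/sda4/start)
# gives the offset inside the partition, so you know whether the bad spot
# is in the volume you are rescuing at all. Returns 1 and prints nothing
# if the sector lies before the partition start.
# $1 = absolute sector, $2 = partition start sector
sector_in_partition() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        return 1
    fi
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# $1 = raw partition (e.g. /dev/sda4), $2 = mapper name (e.g. chome),
# $3 = image file on a *different* disk, $4 = mount point
recover_luks_home() {
    dev=$1; name=$2; img=$3; mnt=$4
    # 1. Raw backup before any repair: e2fsck -y rewrites metadata, and a
    #    drive throwing UNC errors may not give a second chance.
    #    conv=noerror,sync keeps going past unreadable sectors (zero-filling
    #    that block); GNU ddrescue does this job better if it is installed.
    run dd if="$dev" of="$img" bs=64K conv=noerror,sync
    # 2. Unlock the container; cryptsetup prompts for the passphrase.
    run cryptsetup luksOpen "$dev" "$name"
    # 3. Repair the file system on the mapped device, never on $dev itself,
    #    which holds only ciphertext.
    run e2fsck -C0 -f -y "/dev/mapper/$name"
    # 4. Mount read-only first to confirm the repair took before copying
    #    anything off.
    run mkdir -p "$mnt"
    run mount -o ro -t ext3 "/dev/mapper/$name" "$mnt"
}

# Usage (only runs when RECOVER_DEV is set, so sourcing this file is harmless):
#   DRY_RUN=1 RECOVER_DEV=/dev/sda4 sh recover.sh
if [ -n "${RECOVER_DEV:-}" ]; then
    recover_luks_home "$RECOVER_DEV" chome /media/disk/chome.img /mnt/home
fi
```

Running `bad_sectors` over a saved syslog before touching the disk is the cheap check: Brock's log shows a single sector, 128358885, and it is the journal read that fails, which is exactly the case e2fsck can fix once the rest of the volume is imaged.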

Re: How to: get the whole system encrypted

Postby na5m on Sun Jul 11, 2010 9:20 pm

Great tutorial. I substituted aes-xts-plain for the older cbc mode and
I used the aes_x86_64 module, as I'm running 64-bit Isadora. I chose sha512 for
password hash and also for key creation. I put everything under / (except for /boot, of course)
and I have no swap. Suspend to ram works fine. I don't use suspend to disk as this is my desktop
machine connected to a UPS. I feel that my data is pretty secure now (not that I have anything
interesting hidden :mrgreen: ).

Cheers to the OP.

EDIT:
Having played with the information in this thread for a few days, I discovered that:

1) (for Isadora x64, anyway) you only need to mount /proc in the chroot environment to achieve a successful update-initramfs pass. BTW, you should umount /proc before you leave the chroot environment.

2) (for Isadora x64, anyway) you don't need to apt-get anything. It's already on the liveDVD.

3) (for Isadora x64, anyway) you don't need to modprobe anything. See below 4).

4) (for Isadora x64, anyway) you don't need to put anything in /etc/initramfs-tools/modules. The modules' functionality gets automagically loaded into the running kernel. See above 3).

5) Mint ROCKS!
na5m (Level 1, Posts: 2, Joined: Sun Mar 25, 2007 7:53 pm, Location: California)

Re: How to: get the whole system encrypted

Postby macias on Tue Dec 28, 2010 4:29 am

Thank you for the great howto! I will try it out with LMDE.

The auto-mount on login link is dead, I found some others:

https://we.riseup.net/debian/automatica ... ypted-home
http://gentoo-blog.de/ubuntu/encrypted- ... uto-logon/
macias (Level 1, Posts: 30, Joined: Tue Dec 21, 2010 12:06 pm)

Re: How to: get the whole system encrypted

Postby willie42 on Tue Dec 28, 2010 4:53 am

Great how-to....... very detailed and very well stated.
Comptia A+ Certified Technician
Comptia Network + Certified Technician
You can not have Success without Failures.
willie42 (Level 7, Posts: 1977, Joined: Tue Jun 22, 2010 7:52 pm, Location: Oak Ridge, TN USA)

Re: How to: get the whole system encrypted

Postby phaed on Sun May 08, 2011 2:52 pm

Thanks for this.
Last edited by phaed on Mon Oct 21, 2013 11:18 am, edited 1 time in total.
phaed (Level 1, Posts: 5, Joined: Wed Feb 25, 2009 10:57 pm)

Re: How to: get the whole system encrypted

Postby turqoisehex on Tue Aug 09, 2011 3:07 am

Finally! A full disk encryption technique that works! All the others I had used complex LVM setups and would never work. Thank you for sharing this!
turqoisehex (Level 1, Posts: 45, Joined: Tue Aug 03, 2010 9:33 pm)

Re: How to: get the whole system encrypted

Postby Paddy Landau on Sun May 27, 2012 9:38 am

sharney wrote: This works great, however, if you have a laptop and you want to use hibernate to disk, you can't because the swap partition is encrypted with a random key. However, I found another howto at http://www.c3l.de/linux/howto-completly ... y-eft.html which helped me figure out how to fix this. Basically you make the swap partition like you do the other partitions, with a passphrase, but there are a few wrinkles ...

@sharney, thank you for that great description.

Thanks to you, I have managed to modify the process to work with Ubuntu!
Paddy Landau (Level 1, Posts: 1, Joined: Fri May 25, 2012 9:05 am)

Re: How to: get the whole system encrypted

Postby sisteczko on Mon Dec 02, 2013 6:54 am

This recipe ceased to work on Mint 16 Petra; there's no file /etc/acpi/hibernate.sh and I failed to find something similar.

Skipping the step involving hibernate.sh leads to a system without swap that never asks for the password at boot time.

I use fairly vanilla Mint 16 Petra Cinnamon.
sisteczko (Level 1, Posts: 5, Joined: Tue Oct 23, 2012 2:52 am)
