Updated on 25 Nov 2008: Made some more minor corrections.
Hi!
This is my first howto ever! First of all I would like to say that all the work has been done by others and all the credit goes to them. This howto is just a little summary for those who get confused...or are too lazy. Please check the links at the end of the post. The intro is mine, but almost all the steps of the howto are based on them.
I hope many people will find it useful. I think that if you install Ubuntu with the alternate CD, it gives you the possibility of encrypting the root filesystem. But if you use the desktop CD (the LiveCD, like Mint's) you don't have this option, and you can only encrypt a folder in your /home after installation. Fedora also lets you encrypt the whole system during installation...but we want to install Mint, don't we?
Some people think encryption is not necessary for the average user, but that's not true. If you lose your laptop, or if anyone steals it, the personal information on it (yes, last picnic pics included) can be used against you. Sometimes we don't realise that we don't protect some personal information at all. Think of it: how many times do you let your browser store your passwords so you don't have to remember them? Is the one for accessing your bank's webpage included? If someone uses your browser and "accidentally" gets to one of these webpages...dangerous, huh? Well, maybe I'm getting paranoid...
Anyway, encryption is not the holy grail...especially while the computer is running: once the disk has been unlocked, anyone using the machine sees the data in the clear. Encryption protects your data when the computer is off. If anyone gets physical access to it, it is possible to take the hard drive and connect it to another computer, but if the cipher is good and the password is strong enough, it will take years to decrypt it.
OK, here is the recipe...I don't want to scare you. It has been tested on Felicia RC1, but it should work in older releases. It will also work if you are dual-booting, and also if you have your Windows partition encrypted with Truecrypt (the Truecrypt bootloader can chainload partitions).
1 - First of all, make a backup of your data. Then boot your Mint LiveCD. Make sure you have an Internet connection; we need to install a package. Once at the desktop, type in a terminal (press Alt+F2 and type "xterm"):
Code:
sudo apt-get install cryptsetup
2 - OK, now you should fill your hard disk with random data. This will destroy your partition scheme and all your data on the disk. To do this, type:
Code:
dd if=/dev/urandom of=/dev/sda
If that takes too long, a zero fill is faster, but it does not disguise which blocks of the disk hold encrypted data afterwards:
Code:
dd if=/dev/zero of=/dev/sda
If you like your current partition scheme, just make room for /boot (if you don't have it yet) and run the dd commands above on each partition separately (e.g. of=/dev/sda3), so you don't need to repartition. The partition scheme used in this howto is:
Code:
/dev/sda1 /boot
/dev/sda2 swap
/dev/sda3 /
/dev/sda4 /home
3 - Now we need to load some modules for the crypto...things to work:
Code:
sudo modprobe dm-crypt
sudo modprobe aes-i586
4 - Create a LUKS container on each partition you want encrypted. You will be asked for the passphrase twice (that is what -y does). The generic command is:
Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdXX
(Note: current cryptsetup releases default to aes-xts-plain64 and pick a key size for you; the -c and -s options here reproduce the cipher this 2008 howto was written with and can be dropped on a recent system.)
In our example, for / and /home:
Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4
5 - Now we have two encrypted containers, one in /dev/sda3 and one in /dev/sda4. Once finished, we must open them in order to format them. In our example:
Code:
sudo cryptsetup luksOpen /dev/sda3 croot
Code:
sudo cryptsetup luksOpen /dev/sda4 chome
6 - Format them (the -j option adds a journal, so these are ext3 filesystems, which is how we mount them later):
Code:
mkfs.ext2 -j /dev/mapper/croot
mkfs.ext2 -j /dev/mapper/chome
7 - Install as normal. When the installer asks you for partitioning, select "Manual". In our example we should set the mountpoints like this:
Code:
/dev/mapper/croot /
/dev/mapper/chome /home
/dev/sda1 /boot
Do nothing with /dev/sda2, /dev/sda3, /dev/sda4. If you have Windows partitions or others like /usr, /var, ... mount them as normal (if you want /usr, /var, ... to be encrypted, proceed as for / and /home).
Note for Truecrypt users: If you have your Windows system partition encrypted with Truecrypt, remember to install grub to /boot. To do this, click "Advanced" on the last step of the installer and type /dev/sdXX (your /boot partition) in the "Install grub to..." field. In our example, we would type /dev/sda1.
Click "Install", and let it be.
8 - Once the installation has finished, tell the installer that you want to keep using the LiveCD. We need to work some more.
Go back to the terminal and create a temporary mountpoint:
Code:
cd /mnt
sudo mkdir root
Mount the new root filesystem and its /boot partition there:
Code:
sudo mount -t ext3 /dev/mapper/croot /mnt/root
sudo mount -t ext2 /dev/sda1 /mnt/root/boot
Now chroot into the new system:
Code:
sudo chroot /mnt/root
and mount the virtual filesystems inside it (apt and update-initramfs need them):
Code:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
9 - Update your apt and install cryptsetup and initramfs-tools:
Code:
apt-get update
apt-get install cryptsetup initramfs-tools
10 - Edit /etc/crypttab (nano /etc/crypttab) so that the encrypted devices are set up at boot. It should contain:
Code:
# the next line sets up the swap partition at boot and ciphers it with a random key
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
croot /dev/sda3 none luks
chome /dev/sda4 none luks
Then edit /etc/fstab (nano /etc/fstab). Remove the swap line added by the installer. The lines added by the installer for croot and chome didn't work for me; I think it's because of using UUIDs, so don't use them either. Add this instead:
Code:
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
Finally, add the crypto modules to /etc/initramfs-tools/modules (nano /etc/initramfs-tools/modules) so that they are available before the root filesystem is unlocked:
Code:
dm_mod
dm_crypt
sha256_generic
aes-i586
11 - Update your initramfs:
Code:
update-initramfs -k all -c
12 - Exit the chroot environment (CTRL+D) and umount /boot and /:
Code:
umount /mnt/root/boot
umount /mnt/root
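A mistake in /etc/crypttab or /etc/fstab at this point means a system that will not boot, so it is worth checking the two files against each other before leaving the chroot. The following script is an added example and not part of the original howto: it checks that every crypttab line has exactly four fields (an inline "# comment" on the swap line, for instance, adds extra words that the boot scripts may read as options), that every /dev/mapper/NAME mounted in fstab has a crypttab entry named NAME, and that fstab does not try to mount a raw partition that crypttab uses as a source. The sample files it writes are constructed for the demonstration; point check_crypt_config at /etc/crypttab and /etc/fstab inside the chroot to check the real ones.

```shell
#!/bin/sh
# Pre-reboot sanity check for /etc/crypttab and /etc/fstab.
# Added example for this howto, not part of the original post.
#
# check_crypt_config CRYPTTAB FSTAB
#   exit status 0 when the two files agree, 1 otherwise (problems go to stderr)

check_crypt_config() {
    crypttab="$1"
    fstab="$2"
    status=0

    # 1. Every non-comment crypttab line must have exactly four fields
    #    (name, source device, key file, options). A trailing "# comment"
    #    adds extra words, which the boot scripts may read as options.
    bad=$(awk '!/^[ \t]*#/ && NF > 0 && NF != 4 { print NR ": " $0 }' "$crypttab")
    if [ -n "$bad" ]; then
        echo "crypttab: lines without exactly four fields:" >&2
        echo "$bad" >&2
        status=1
    fi

    # 2. Every /dev/mapper/NAME mounted in fstab needs a crypttab entry NAME,
    #    otherwise the device does not exist when fstab is processed.
    for name in $(awk '!/^[ \t]*#/ && $1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        if ! awk -v n="$name" '!/^[ \t]*#/ && $1 == n { f = 1 } END { exit !f }' "$crypttab"; then
            echo "fstab: /dev/mapper/$name has no crypttab entry" >&2
            status=1
        fi
    done

    # 3. fstab must not mount a raw partition that crypttab uses as a source:
    #    the ciphertext device carries no filesystem, so the mount would fail.
    for src in $(awk '!/^[ \t]*#/ && NF == 4 { print $2 }' "$crypttab"); do
        if awk -v s="$src" '!/^[ \t]*#/ && $1 == s { f = 1 } END { exit !f }' "$fstab"; then
            echo "fstab: $src is mounted directly but is an encrypted source in crypttab" >&2
            status=1
        fi
    done

    return $status
}

# write_samples DIR: write constructed example files (not taken from any real
# system) into DIR: a correct pair following this howto, and a broken pair.
write_samples() {
    dir="$1"
    cat > "$dir/crypttab.good" <<'EOF'
# swap is re-keyed from /dev/urandom on every boot
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
croot /dev/sda3 none luks
chome /dev/sda4 none luks
EOF
    cat > "$dir/fstab.good" <<'EOF'
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
/dev/sda1 /boot ext2 relatime 0 2
EOF
    # Broken pair: inline comment adds fields, chome entry missing,
    # and fstab mounts the ciphertext partition /dev/sda3 directly.
    cat > "$dir/crypttab.bad" <<'EOF'
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap # random key
croot /dev/sda3 none luks
EOF
    cat > "$dir/fstab.bad" <<'EOF'
/dev/mapper/cswap none swap sw 0 0
/dev/sda3 / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
EOF
}

# Stand-alone demonstration on the constructed samples: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_crypt_config "$tmp/crypttab.good" "$tmp/fstab.good" && echo "good pair: OK"
    check_crypt_config "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "bad pair: problems found (expected)"
    rm -rf "$tmp"
fi
```

The checks are deliberately conservative: they only read the two files and never touch devices, so they can be run inside the chroot as root without side effects, and a non-zero exit is the cue to fix the files before the reboot rather than after it.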
Extra (get your /home partition mounted automatically when you log in): (Credits to http://blog.gnist.org/article.php?story ... HomeUbuntu)
14 - Remove the entry for chome from /etc/fstab.
15 - Change the chome entry in /etc/crypttab to:
Code:
chome /dev/sda4 noauto luks
16 - Install pam_mount:
Code:
sudo apt-get install libpam-mount
17 - Update the config files as follows:
nano /etc/security/pam_mount.conf.xml (add it at the end of the file, before </pam_mount>)
Note: Don't forget to replace yourusername with...your username.
Code:
<volume user="yourusername" fstype="crypt" path="/dev/sda4" mountpoint="/home" />
nano /etc/pam.d/common-auth (add the line at the end of the file)
Code:
auth optional pam_mount.so use_first_pass
nano /etc/pam.d/common-session (add the line at the end of the file)
Code:
session optional pam_mount.so
18 - Finally, change your user's password to match the one you put on your /home encrypted partition (use_first_pass makes pam_mount unlock the partition with your login password, so the two must be the same):
Code:
sudo passwd <yourusername>
If it does not work for any of you, or you have questions, etc., just tell me. And I'm sure this howto is full of mistakes, so tell me.
This Howto is based on information from:
http://blog.gnist.org/article.php?story ... HomeUbuntu
http://www.hacktimes.com/?q=node/48/print
https://help.ubuntu.com/community/Encry ... ystemHowto
https://help.ubuntu.com/community/Encry ... emLVMHowto
http://wiki.archlinux.org/index.php/LUKS_Encrypted_Root
https://help.ubuntu.com/community/Encry ... OnIntrepid