Debian Installation :: Full Disk Encryption (LUKS) LVM
Oct 21, 2015
I would like to configure my Debian Jessie system in this way.
Two partitions:
1) /boot on /dev/sda1
2) everything else on /dev/sda2
I want to encrypt the second partition with LUKS. And then install over it a LVM volume. Inside the LVM volume i will create the / (root), /var, /opt and /home virtual partitions. In this way, i'll get asked only once for the password to decrypt all partitions. Because if i don't use LVM, then i'll get asked for the password for each encrypted partition.
I can follow and understand almost everything of this HOW-TO for Archlinux: [URL] ....
Only two passages are unclear to me:
1) Configuring mkinitcpio
I don't understand what i should do here in order to complete this. What should i do in Debian to configure "mkinitcpio"? what is the equivalent thing to do here?
I thought that the kernel would automatically recompile itself with all installed modules on the Debian system, once cryptosetup/LUKS or LVM2 get installed.
2) Configuring the boot loader
I don't understand what should i write in /etc/default/grub. Will GRUB automatically load the LUKS and LVM2 modules? Also, I don't think that i could boot the system in this way:
I'm trying to install a luks enabled grub for full system encryption. What modules are required by grub to load a normal ubuntu linux system and what is the type to use?
With all the talk about disk encryption for Apple devices, I wanted to ask about how full disk encryption compares between debian linux and mac OS X. Is the code for debian linux fully available for people to inspect for flaws or backdoors? Apparently although part of the encryption code is available for OS X the full code for Filevault 2 is not public. What are the advantages and disadvantages of each method of encryption for each operating system?
I managed to get a cheap refurbed netbook recently (Samsung N150) and I'm wanting to put Ubuntu on it. As it's also likely to be used when travelling and have things like chat logs, photos, and other such things I'd like to do full disk encryption. Also I've been pointed towards 10.4 as apparently the 10.10 netbook desktop isn't to everyone's taste.
So I tried using unetbootin to make a bootable 10.4.1 i386 Alternate usb stick, which hit the problem of no cd drive. I found an item to add to the boot (cdrom-detect/try-usb=true) which got it a little further, but at a copying stage it threw an error saying it couldn't copy off the disc.
Finally I tried making a unetbootin of the mini iso (does mini even support full disk encryption?) but that seems to hang after selecting a mirror.
EDIT: Well it seems I was just impatient on the mini ISO and after a few minutes it's gone onto time-zone, though of course this could get rather tiresome without a local mirror, especially given this may go through more than one iteration.
I've been wanting to do this for a while and after upgrading some of my pc components I decided I would finally try to dual boot with full disk encryption on both windows 7 and Ubuntu 9.10. I managed to encrypt the windows drive with truecrypt and that worked. I installed Ubuntu 9.10 using the alternate cd and everything but /boot is in an encrypted LVM. Each OS is on a separate SATA drive the windows is on sda1 and ubuntu /boot is sdb1.
To setup the dual boot I started out following the tutorial [url] but its for XP and versions of ubuntu that use grub not grub 2. I ran dd as posted and saved the files it produced from truecrypt. I then ran into some problems with grub reinstallation so I simply reinstalled Ubuntu 9.10 from scratch again. This put grub 2 on the computer. I've managed to get it to add a Windows 7 option.
However, when the option is selected truecrypt comes up and says that the bootloader is corrupted and that I need to use the repair CD I burned before I encrypted the drive. My question is does anyone have any experience dual booting using Truecrypt on Windows 7 and LUKS/dm-crypt on Ubuntu 9.10 with grub 2? And how would I get the boot menu to work? I'd rather not reinstall but if I have to I have images from right before I encrypted so it wouldn't be the end of the world.
To structure the layout of my partitions. I'm installing Windows 7, Backtrack 4 R2 and Ubuntu 10.10 Desktop on my laptop. I've got a 500 GB HDD named sda.
I've already installed Windows 7. It's my opinion that it's easiest to begin with Windows.
The partitions look like this right now:
The Windows installation is unencrypted and I want it to stay that way. It's only there in case my laptop gets stolen, I've installed various nasty things there.
The Backtrack 4 installation will also be given 100 GB space, I want it to be encrypted. The Ubuntu installation should get the rest of all the remaining space and preferably be encrypted but it's not 100% necessary.
How I should partition this? There's a limit on 4 primary partitions? How do I circumvent this? There should be one dedicated GRUB partition which will point to each of the installations own boot loaders?
The only reason why I don't use Linux (even though I prefer Linux over Windows, and can do everything faster and more efficiently) is because each time I try to learn about dm-crypt I give up.
Can someone point me in the right direction for full OTFE on Linux (like TrueCrypt)?
I do know about cold boot attacks. But I ran across a couple of posts/websites that had me wonder if it is possible, without the passphrase, to just remove the encryption?
I have a bunch of pictures that I thought I had backed up but as it turns out I didn't, the problem is I formatted the drive they were on.
It is a 1TB hard drive, and it was running Ubuntu 10.10 using full disk encryption from the alternate install CD. After formatting, I installed Ubuntu Server 10.10, also using full disk encryption.
I know the encryption key for both installs (and the keys in fact are the same).
I have turned off the machine, and have stopped writing to the disk. I am hoping because it is a 1TB drive, and I have only written over it with 2GB of data, that there is a chance I can recover the data.
Is there a way to install ubuntu 10.04 or 10.10 with full disk encryption? I read how to do it in the 8.0 version, was wondering if it is still possible?
this isn't really a security question, per se, so feel free to move. It is related to full disk LVM encryption though. Full disk didn't work for me with grub2 after running dd to a remote server, so I downgraded to grub1. No biggie. However, I have neither grub or grub2 as selected in Synaptic.Let's say I forget which I have installed. How would I determine what version of grub is installed at the moment. I'm assuming it's somehow installed on in the mbr but not on the OS. I didn't mean to do anything funky. Is that the normal setup? I'm deploying these systems to users and want to be able to troubleshoot issues in the future (hopefully that will not be needed!) grub --version does not work because it is not installed.
I am investigating full disk encryption and have made a DD copy of the hard drive which has been encrypted, this DD file is stored on my computer for analysis.
First question is - Anyone know how i can access data in this DD file even though its been encrypted?
Second question - Is there a DD command where i can image the systems memory? I ask this because when a system is turned on, to get past the pre-boot authentication stage you need a password. From what i understand, this password will be passed in to ram when power is applied to the system. Making a copy of the memory will also copy the password?
I'm trying to upgrade my Win8/Wheezy 64-bit machine to Jessie 8.1 by installing from the amd64-bit netinstall iso image on a USB flash drive. I had done the previous, Wheezy, install on a disk partition that was whole-partition LUKS/LVM drive, with separate logical partitions for swap, root, and home.
Before doing the upgrade, I booted to the BIOS to ensure that my UEFI system had the correct, CSM and Legacy modes enabled in it, so that installer would boot using the non-efi BIOS mode.
Step one of the upgrade was to boot the netinstall and enter the rescue mode so that I could manually do the cryptsetup/LVM business. When I returned to the installer, I mounted the now-recognized logical partitions normally, choosing to format only the swap and / partitions.
During the entire process, I had to go into rescue mode one more time to manually mount the unencrypted /boot partition, along with my /home partition. I copied a backup of my old /etc/crypttab from the latter, and after returning to the installer, finished the install. That finish included installing grub on my hard drive's main boot partition.
Everything seemed to finish with no problems. However, when I try to boot the debian bootloader, I get tossed to grub rescue with the message that '/grub/x86_64-efi/normal.mod' doesn't exist. At this point I returned to the installer, mounted the /boot partition, and saw that there grub-install didn't create that an x86_64-efi directory at all. Instead, it had created an i386 directory. The exact name escapes me at the moment.
I *think* that my install was clean other than the last bit that was related to installing the bootloader. How to reinstall the bootloader in such a way as to make all of this work.
first i make one partiton ten format it add mount point and fire luksopen command and create secert file and enter this in crypttab but when i rebbot it showes scert file not found and partion remain unlocked
Is it better to install LUKS to raw disk (/dev/sdb) or disk partition (/dev/sdb1)? What are best LUKS options?
"cryptsetup benchmark" output Code: Select allPBKDF2-sha1 1310720 iterations per second PBKDF2-sha256 862315 iterations per second PBKDF2-sha512 590414 iterations per second
[Code] ....
Is slow hash better or how to choose it? It is clear that aes-xts is best choise. Is 265 bit key good?
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
I've got some old drives using pre-LUKS loopback encryption, and I'm having problems mounting them on OpenSUSE 11.3. What I expected to work, based on past experiences with other distributions, is something along the lines of:
mount -t ext3 /dev/sdc11 tmp -o loop=/dev/loop1,encryption=AES256. When I try this I'm asked for the password, but then get the message "ioctl: LOOP_SET_STATUS: Invalid argument". Anyone have a clue what could be going wrong, or how I can best access these drives from OpenSUSE?
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be: HP dv6-3040us Pavillion laptop AMD Phenon II 4GB DDR3
I have set up a Linux software RAID5 on three hard drives and want to encrypt it with cryptsetup/LUKS. My tests showed that the encryption leads to a massive performance decrease that I cannot explain. The RAID5 is able to write 187 MB/s [1] without encryption. With encryption on top of it, write speed is down to about 40 MB/s.
The RAID has a chunk size of 512K and a write intent bitmap. I used -c aes-xts-plain -s 512 --align-payload=2048 as the parameters for cryptsetup luksFormat, so the payload should be aligned to 2048 blocks of 512 bytes (i.e., 1MB). cryptsetup luksDump shows a payload offset of 4096. So I think the alignment is correct and fits to the RAID chunk size.
The CPU is not the bottleneck, as it has hardware support for AES (aesni_intel). If I write on another drive (an SSD with LVM) that is also encrypted, I do have a write speed of 150 MB/s. top shows that the CPU usage is indeed very low, only the RAID5 xor takes 14%.
I also tried putting a filesystem (ext4) directly on the unencrypted RAID so see if the layering is problem. The filesystem decreases the performance a little bit as expected, but by far not that much (write speed varying, but > 100 MB/s).
Summary: Disks + RAID5: good Disks + RAID5 + ext4: good Disks + RAID5 + encryption: bad SSD + encryption + LVM + ext4: good
The read performance is not affected by the encryption, it is 207 MB/s without and 205 MB/s with encryption (also showing that CPU power is not the problem). What can I do to improve the write performance of the encrypted RAID?
[1] All speed measurements were done with several runs of dd if=/dev/zero of=DEV bs=100M count=100 (i.e., writing 10G in blocks of 100M).
Edit: If this helps: I'm using Ubuntu 11.04 64bit with Linux 2.6.38. Edit2: The performance stays approximately the same if I pass a block size of 4KB, 1MB or 10MB to dd.
I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
I know how to mount it manually. I've seen a howto on how to mount it automatically by loging in with the user, you type your username and password and it mounts your encrypted partition. But that's not what I want. My idea is to call cryptsetup and mount on boot, AND ask me for passphrase like when its loading the system, then if I don't type the right password it shouldn't mount /home, even though i type the correct USER password later when the system is loaded(and then I'd have an empty /home since my home partition wasn't mounted due to wrong passphrase).
This is what I tried: I added the commands to rc.local and I don't even feel like it was executed, no passphrase was asked. As a test if commands there were being executed, I tried simple commands lile mkdir /test and it worked. So commands there are executed, yet, no passphrase was asked to me, I looked on dmesg for crypt and found nothing, I pressed alt+ctrl+F1 desiring to find a passprhase-ask and again, nothing.
I have a single PC that has two hard disks in it. One is 250GB running Debian linux; the other 1TB running windows. I was switching between the two by going to the BIOS and changing the order of the hard disks to boot from. Both lived happily together in peaceful co-existance. Until....
Lately, I haven't been using Linux, so I decided to convert the 250GB to windows. So I put in the windows install CD, and it all started working fine, but when it came down to setting up a partition, Windows only recognized 130GB (out of the 250GB). I got confused so I decided to re-install linux. Linux recognizes the full 250GB; it recognized that there is a second hard disk running a different OS so the grub gave the option to boot from windows. So after a couple of reboots from both drives I decided to go ahead and install windows on the 250GB. Well again, windows only recognized 130GB, but this time, windows showed me another hard disk again with 130GB capacity. Apparently I stupid enough to proceed so now both hard disks - the 250GB and the 1TB - have capacity of 130GB each. And this is where I'm stuck.
I have tried fdisk, I have tried debug, but for some reason, windows can only recognize 130GB out of the entire disks; linux on the other hand recognizes the full capacity. I also used the seagate disk diagnostic tool (seatools for MS DOS) and it found no errors on either hard disk.
How can I reclaim the full capacity under windows?
Root LUKS to be broken by apt-get update? This did happen to me on 3 different laptops, both on previous install (from Debian 8.0), and also on clean installs (Debian 8.1), repeatedly.
When I reboot, grub starts, but then it cannot find the root file system (I end up with the emergency console).
Code: Select allLoading Linux 3.16.0-4-amd64 ... Loading initial ramdisk ... Loading, please wait... [many seconds waiting] ALERT! /dev/mapper/sda2_crypt does not exists. modprobe: modprobe ehci-orion not found in modules.dep
This is the most simple, clean, conservative install ever, no closed driver.
But LUKS on the root file system:
Code: Select allone ext4 partition on /boot one ext4 partition on / (trough LUKS, all defaults)
There is no LVM.
All the 3 laptops killed at different time, when updating. Clean install is fine until the first update.
Booting on the rescue system allows me to see everything.
Code: Select all$ update-grub Generating grub configuration file ... Found background image: /usr/share/images/desktop-base/desktop-grub.png Found linux image: /boot/vmlinuz-3.16.0-4-amd64 Found initrd image: /boot/initrd.img-3.16.0-4-amd64 No volume groups found
So, my issues since upgrading to Jessie seem to compound. When I fix one issue, two more arise. Right now, I have a full system disk. How it got so full. So I started poking around. I ran
Code: Select all find / -type f -size +50M -exec ls -lh {} ; | awk '{ print $NF ": " $5 }'
Found a few files I could delete, and did, but I also found Code: Select all/var/log/syslog.1: 33G /var/log/messages: 33G /var/log/user.log: 33G
What I find strange is that they're all exactly 33G each. So that accounts for the missing 99GB I deleted them, however only recovered 27Gb. Whats weird is when I type df -h I get
What are the tmpfs's and how can I reclaim that space, and what is /dev/dm-0 and why is that taking up so much space?
I have 2 LVGs vgdisplay -v
Code: Select allroot@SETV-007-WOWZA:~# vgdisplay -v DEGRADED MODE. Incomplete RAID LVs will be processed. Finding all volume groups Finding volume group "WOWZASERVER"
[Code] ....
After deleting the log files, I was able to regain access to my GDM session. But I still cant find out what /dev/dm-0 is, and where all the 75 GB is being taken up.
I just noticed, however, even though I can access the drive A-OK via browser, terminal, and web services (Our wowza) when I enter gParted I get this error for sda, my primary OS drive!
Code: Select all Libparted Bug Found!
Error informing the kernel about modifications to partition /dev/sda2 -- Invalid argument. This means Linux won't know about any changes you made to /dev/sda2 until you reboot -- so you shouldn't mount it or use it in any way before rebooting
Now that I'm in gParted I see 3 partitions: [URL] ....
It reports now, that I have used ALL of my disk space.
Post Log delete, and fresh reboot, this is what Code: Select alldf -h outputs
Is it possible to encrypt the entire drive and not be prompted for the passphrase?
I have a request for a demo of our application and I am looking to create a virtual for VMware's player but need to make sure that the vmdk file cannot be mounted and files pulled from it to protect us from reverse engineering of the application.
I am trying to upgrade to 9.10 but it fails because the disk is full. I am running a Dell Mini with 16GB SSD...so there isn't a lot of free space to begin with. Added to that, I have some hefty applications (rosegarden, audacity, skype, etc) which I kind of need. Am I better off just sticking to 9.04? Are there any good ways to clean up the system and get rid of stuff that might be sticking around? I did apt-get clean and it didn't clean enough.
