Hi,
Is there a howto on setting up an encrypted disk so that it can only be booted from a USB stick -> encrypting the disks and changing into the system with chroot?
Or is there a better way?
Thx
There are a few pages about encrypting root on the wiki (search for instance for "luks"), so take a look. It seems to me that the easiest way would be to have the boot partition unencrypted on the disk and boot from that; if you set up initcpio correctly, it should ask for a password. It doesn't matter that that partition is not encrypted, since it only holds the kernel and initcpio, which do not contain any personal data.
If you really want to encrypt the *whole* disk, you should be able to make a boot partition on a usb stick, boot from it, with "root=/dev/sda1", so that after loading the kernel and running hooks from initcpio, it just mounts the correct root partition (encrypted).
The problem with this setup is that a sophisticated attacker could tamper with the kernel and/or initramfs archive and obtain passphrases for your partition(s).
I am looking for something like this - for Arch
http://gentoo-wiki.com/SECURITY_System_ … _with_LUKS
I know how to encrypt the root, home and swap devices, but look at my text above.
This is the HOWTO that I used to encrypt my installation:
http://wiki.archlinux.org/index.php/LUKS_Encrypted_Root
When I set up my partitions, I actually gave ~20 GB to the partition I used for /boot. After installation (and a couple of boots to make sure everything was working) I copied all of /boot to a flash drive, and updated /etc/fstab and /boot/grub/menu.lst to reflect this. After another couple of boots from the flash drive to make sure everything worked, I installed Windows over the 20 GB boot partition I had. This means that if I boot the computer without the flash drive in, it goes to Windows, and if I boot it with the flash drive in, it boots to Linux. The whole thing is pretty simple; you don't have to do anything special to put /boot onto a flash drive.
barebones: nice! Actually it's better than what I was thinking of; I meant to also install grub onto the USB stick, so that one would boot from USB directly. I can see only one advantage to my approach, and that is that an attacker would at first sight just see your Windows and a partition with random data (but of course, with a LUKS signature at the beginning).
During the installation:
I put in my USB stick and mount it. Then I encrypt my root and home devices (swap of course too), and I don't set up a boot partition or anything like that on the hard drive - I only install grub on my USB stick - and READY, or?
I would probably recommend doing it like barebones, since it's done in separate steps, so you can more easily fix it if something goes wrong.
But: during the install, you do need to have a boot partition, and have your USB stick mounted as that boot partition (so that the kernel and initcpio get installed to the USB stick). Wherever you put grub, you should make sure that the entries in grub/menu.lst point to the right places (i.e. root (<usbstick>), and the 'root=' parameter on the kernel line points to your (encrypted) root partition). Also make sure that in your /etc/fstab, the partition which gets mounted as /boot is your USB stick.
bender02: I forgot to mention it, but I did install grub on the flash drive as well. To give you a little bit more coherent summary of what I did, here's a list:
-Install base system according to the wiki, with an overly large /boot so that I could put Windows on there later
-cfdisk on the flash drive to make a bootable vfat partition. I chose vfat because it doesn't have any sort of journal, and therefore there's no chance of any secure info hanging out where you don't want it to be
-copy the hard drive's /boot partition to the flash disk
-run grub-install pointing at the flash disk
-update /etc/fstab and /boot/grub/menu.lst (the latter on the flash drive)
-update the BIOS to boot from the flash drive first
-make sure everything is working
-wipe the hard drive's /boot and install Windows on it
Installing Windows will overwrite the version of grub that was installed by Arch's installer with Windows' boot loader. With this setup, if the laptop tries to boot off the hard drive, it gets Windows' bootloader. If the flash drive is plugged in, then the laptop tries to boot from there first and gets grub. I usually umount the flash drive pretty quickly after I log on, but make sure it is mounted if you run pacman (just in case you get a kernel update or something that writes to /boot).
I've been thinking about adding this stuff to the wiki, but I haven't had time lately. I can post my configs and stuff later when I'm actually on the laptop, if you want them.
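Two checks a practitioner would want for the setup described in this thread, written as an added example that is not part of any post here: the fstab/menu.lst consistency bender02 asks for, plus a SHA-256 manifest of the kernel and initcpio image on the stick so that the tampering concern raised earlier (a modified kernel or initramfs capturing the passphrase) can at least be detected before the next boot. The device names, GRUB disk numbering, file names and config text are constructed assumptions, and the checks run against that embedded sample text.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a "/boot on USB, encrypted root" install.
# Assumptions (constructed): the flash drive is /dev/sdb1 and is GRUB's (hd1,0), the LUKS
# container is /dev/sda1, the encrypt hook maps it to /dev/mapper/root, GRUB legacy menu.lst.
USB_DEV=/dev/sdb1
CRYPT_ROOT=/dev/sda1
MAPPED_ROOT=/dev/mapper/root

# Constructed /etc/fstab: the /boot entry must be the flash drive.
SAMPLE_FSTAB="$MAPPED_ROOT / ext3 defaults 0 1
$USB_DEV /boot vfat defaults,noauto 0 0"

# Constructed menu.lst on the stick: GRUB loads kernel + initcpio image from the stick,
# the kernel line hands the LUKS device to the encrypt hook and uses the mapped root.
SAMPLE_MENU="title  Arch Linux (encrypted root, /boot on USB)
root   (hd1,0)
kernel /vmlinuz26 root=$MAPPED_ROOT cryptdevice=$CRYPT_ROOT:root ro
initrd /kernel26.img"

# Check 1: the fstab line whose mountpoint (field 2) is /boot names the USB device (field 1).
check_fstab_boot() {
    printf '%s\n' "$1" | awk -v dev="$USB_DEV" \
        '$2 == "/boot" { found = 1; if ($1 != dev) bad = 1 }
         END { exit (found && !bad) ? 0 : 1 }'
}

# Check 2: the kernel line points root= at the mapped device and cryptdevice= at the container.
check_menu_kernel() {
    line=$(printf '%s\n' "$1" | grep '^kernel ') || return 1
    printf '%s\n' "$line" | grep -Eq "root=$MAPPED_ROOT( |\$)" &&
        printf '%s\n' "$line" | grep -q "cryptdevice=$CRYPT_ROOT:"
}

# Check 3 (the tampering concern above): record SHA-256 sums of the kernel and initcpio image
# on the stick right after a known-good install, and verify them before trusting a boot.
# $1 = boot directory, $2 = absolute path of the manifest file (keep it off the stick).
record_boot_manifest() {
    ( cd "$1" && sha256sum vmlinuz26 kernel26.img > "$2" )
}
verify_boot_manifest() {
    ( cd "$1" && sha256sum -c --status "$2" )
}

# Demonstration against the constructed configs (one line per check).
check_fstab_boot "$SAMPLE_FSTAB" && echo "fstab: /boot comes from $USB_DEV" || echo "fstab: wrong /boot device"
check_menu_kernel "$SAMPLE_MENU" && echo "menu.lst: kernel line ok" || echo "menu.lst: kernel line wrong"
```

The manifest only detects changes made while the stick was out of your hands; it does not stop them, so keep the manifest (or a copy) somewhere the stick cannot be used to alter it.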
Does it work if I make it like this:
-create root and home ONLY
-mount usbstick
- cfdisk
- install basesystem (root)
- install grub on the usb device
??
If the first is working, is it possible to do this with a CD instead of a USB stick? How can I make my own boot CD? With all keys (LUKS)?
I would think that your method would work, although I haven't tried it.
As far as the CD goes, I would imagine that if you set up the install with the flash drive for /boot, you could then burn the contents of the flash drive to a CD, ensuring that the CD is bootable. The only reason that I wouldn't recommend this is that you would have to re-burn the CD every time you upgrade your kernel, since it resides in /boot.
This is off topic, but I was wondering how using drive encryption affected performance of the drive. How much does performance suffer from using a totally encrypted system?
This is off topic, but I was wondering how using drive encryption affected performance of the drive. How much does performance suffer from using a totally encrypted system?
I have my partitions and swap encrypted (via one of the Arch wiki HOWTOs) and I can't say there's much loss in performance. Sometimes Opera (why Opera, I have no clue...) hangs for several seconds, making it a little annoying, but besides that I've found no other significant performance change.
Then again, I just use a laptop for day-to-day activity. I don't run a server or anything.
I use encrypted partitions (not the root partition, but /home and "data"). I think encryption mostly affects just the CPU (since it has to encrypt on write and decrypt on read). Practically, when you copy a big file, you see CPU usage go up a bit. For normal usage, I don't see any difference in performance.
Opera... it started to crash on me lately... so it might be just opera...
When I first got this laptop, I installed Arch with no encryption because I didn't have time to play around, and I figured I would have a really hard time with the encryption stuff (which I didn't, by the way). When I finally went on break, I dd'd random data onto the drive and installed the encrypted system I mentioned above. I've seen zero noticeable impact on performance, even when downloading large files via BitTorrent.
This is off topic, but I was wondering how using drive encryption affected performance of the drive. How much does performance suffer from using a totally encrypted system?
It depends on your computer and disk usage. I remember that I had some slowdowns on my AMD Athlon 3200+, but there is no noticeable performance loss on my Q6600. If you have a CPU with more than 1 core, I don't think there'll be any problem.
Last edited by scorpyn (2008-02-10 22:33:42)
Has anyone dabbled with the new version of TrueCrypt for Linux? The key changes seem to be a setup GUI for Linux and support for whole-drive encryption, the latter being the most interesting...
Has anyone dabbled with the new version of TrueCrypt for Linux? The key changes seem to be a setup GUI for Linux and support for whole-drive encryption, the latter being the most interesting...
And the lack of a way to use it in text mode :-(
Zygfryd Homonto
And the lack of a way to use it in text mode :-(
Can't TrueCrypt be run via the command line? I did not know about this.
zyghom wrote: And the lack of a way to use it in text mode :-(
Can't TrueCrypt be run via the command line? I did not know about this.
Without X it is not working ANYMORE
Zygfryd Homonto