
#1 2010-05-30 13:10:25

undermind
Member
Registered: 2010-05-30
Posts: 4

/boot partition on USB disc for encryption scheme

Hello archers!

I have recently embarked on a project to create a fully encrypted hard drive with the boot routine entirely on a USB pen, as described in this guide
http://linuxreviews.org/howtos/security … ex.html.en

Now, seeing as Loop-AES is not supported in Arch, it would mean I'd have to rebuild util-linux amongst other things, and it would be a hassle to maintain. I have taken a look at the dm-crypt + LUKS approach on the wiki, and I was wondering if it was possible to move the /boot partition to the USB pen along with a keyfile and the necessary routines to make it boot? And if I can, could anyone give me some pointers as to how?


#2 2010-05-31 01:35:05

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: /boot partition on USB disc for encryption scheme

As I have done exactly that - yes.
(well, with CF cards and not USB pen, but since the controller is USB it's technically the same)

First, prepare the USB stick.
- zero it: 'dd if=/dev/zero of=/dev/sdX (<- careful here!) bs=4M'
- put a partition on it; I used cfdisk, normal Linux type 83, and marked it bootable (not really necessary, but hey ;)
- put a filesystem on it; I used plain Ext2 minus all the fancy new stuff (no journal, no 256-byte inodes, no resize_inode, no dir_index, no reserved blocks...)
- make it bootable; I used Grub and had a hard time until I finally got to the normal Grub menu, but I don't remember why ... sorry ^.^

On the topic of Grub, you need a menu.lst:

# okay, KMS (radeon.modeset=1) is a bit off-topic... :p
title  Arch Linux
root   (hd0,0)
kernel /vmlinuz26 cryptkey=/dev/disk/by-uuid/<UUID-of-Ext2fs-On-UsbPen>:ext2:cryptvg.key cryptdevice=/dev/disk/by-uuid/<UUID-of-Encrypted-RootDisk>:vg root=/dev/mapper/vg-root ro radeon.modeset=1
initrd /kernel26.img

That's already full-featured, as my setup uses a keyfile instead of a passphrase, and it's an LVM-on-LUKS setup.
Scrap the "cryptkey=..." if you want to input a passphrase on boot.
You really want to use the UUID scheme and for that, 'blkid' is your friend.

Next up is the initramfs, so edit /etc/mkinitcpio.conf.
I tend to keep it minimal (my CF card is not exactly huge - 8 MB ;-) so only the really required modules and hooks:
-> MODULES="intel-agp radeon ehci-hcd usb-storage ext2 sd_mod ahci jfs"
The first two because I want early KMS, the next two to recognize the USB reader, ext2 to read the keyfile, sd_mod is mandatory and you'd have to modify the last two for your setup - type of IDE/SATA controller and root filesystem
-> CRYPTO_MODULES="aes-i586 xts"
Pretty straightforward - you can simply omit the line, the image will just get a bit larger
-> HOOKS="base consolefont udev encrypt lvm2"
Simple again - you always want "base+udev", it's LUKS encrypted and in there lies the LVM stuff; "consolefont" just in case, so you have the same keyboard layout as in /etc/rc.conf right from the start.
-> COMPRESSION="lzma"
8 MB CF card, remember?  >.<

Now rebuild the image: 'mkinitcpio -p kernel26' (or specify its location directly with -g)

Last but not least put the /boot stuff (minimum: System.map26, vmlinuz, kernel26.img and the grub/ dir) on the stick and have fun rebooting! :-p

You also might want to read the relevant wiki article a few times more, just in case.
And one final note: I didn't do this with a fresh install, but converted an existing Arch setup to LUKS+LVM after getting a new machine, so I can't say how this would work together with the current installer.

Last edited by byte (2010-05-31 01:43:46)
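The steps in the post above (a GRUB legacy menu.lst with cryptkey=/cryptdevice= pointing at UUIDs, and a mkinitcpio.conf whose MODULES/HOOKS must be able to find the USB stick, read the ext2 keyfile, unlock LUKS and then activate LVM) are easy to get subtly wrong, and the failure only shows up at the next reboot. The following pre-flight checker is an added example, not code from the thread or from Arch; it assumes the file shapes the post uses (a `kernel` line referencing /dev/disk/by-uuid/, and `MODULES="..."`/`HOOKS="..."` lines) and takes paths as arguments so it can be run against copies or, as in the demo, against constructed files with placeholder UUIDs.

```sh
#!/bin/sh
# Added pre-flight checks for the USB-/boot + keyfile layout described in the post.
# Not code from the thread; assumes GRUB legacy menu.lst syntax and a
# mkinitcpio.conf with MODULES="..." and HOOKS="..." lines.

# build_kernel_line USB_UUID LUKS_UUID KEYFILE VGNAME
# Prints the GRUB 'kernel' line for a keyfile-on-ext2-USB, LVM-on-LUKS root.
build_kernel_line() {
    printf 'kernel /vmlinuz26 cryptkey=/dev/disk/by-uuid/%s:ext2:%s cryptdevice=/dev/disk/by-uuid/%s:%s root=/dev/mapper/%s-root ro\n' \
        "$1" "$3" "$2" "$4" "$4"
}

# hook_index NAME LIST: 1-based position of NAME in the space-separated LIST, 0 if absent.
hook_index() {
    i=0
    for x in $2; do
        i=$((i + 1))
        [ "$x" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_mkinitcpio_conf PATH
# 0 when the modules and hooks needed to read the keyfile from the stick and
# unlock LVM-on-LUKS are present and ordered sensibly; otherwise reports to
# stderr and returns 1.
check_mkinitcpio_conf() {
    modules=$(sed -n 's/^MODULES="\(.*\)"/\1/p' "$1")
    hooks=$(sed -n 's/^HOOKS="\(.*\)"/\1/p' "$1")
    rc=0
    # usb-storage + sd_mod expose the stick, ext2 lets the encrypt hook read the keyfile
    for m in usb-storage sd_mod ext2; do
        case " $modules " in
            *" $m "*) ;;
            *) echo "MODULES lacks $m" >&2; rc=1 ;;
        esac
    done
    for h in base udev encrypt lvm2; do
        [ "$(hook_index "$h" "$hooks")" -gt 0 ] || { echo "HOOKS lacks $h" >&2; rc=1; }
    done
    # udev must run before encrypt (it populates /dev/disk/by-uuid), and encrypt
    # before lvm2 (the volume group lives inside the LUKS container).
    u=$(hook_index udev "$hooks"); e=$(hook_index encrypt "$hooks"); l=$(hook_index lvm2 "$hooks")
    if [ "$u" -gt 0 ] && [ "$e" -gt 0 ] && [ "$u" -gt "$e" ]; then
        echo "HOOKS: udev must precede encrypt" >&2; rc=1
    fi
    if [ "$e" -gt 0 ] && [ "$l" -gt 0 ] && [ "$e" -gt "$l" ]; then
        echo "HOOKS: encrypt must precede lvm2" >&2; rc=1
    fi
    return $rc
}

# check_uuid_refs MENU_LST BY_UUID_DIR
# Every UUID referenced via /dev/disk/by-uuid/ in MENU_LST must exist as an
# entry under BY_UUID_DIR (normally /dev/disk/by-uuid; passed in so the check
# can also run against a constructed directory).
check_uuid_refs() {
    rc=0
    for u in $(tr ' ' '\n' < "$1" | sed -n 's|.*by-uuid/\([^:]*\).*|\1|p'); do
        [ -e "$2/$u" ] || { echo "no device with UUID $u" >&2; rc=1; }
    done
    return $rc
}

# demo: runs both checks on constructed files (placeholder UUIDs, not real devices).
demo() {
    d=$(mktemp -d)
    mkdir "$d/by-uuid"
    : > "$d/by-uuid/1111-USB"
    : > "$d/by-uuid/2222-LUKS"
    build_kernel_line 1111-USB 2222-LUKS cryptvg.key vg > "$d/menu.lst"
    printf 'MODULES="ehci-hcd usb-storage ext2 sd_mod ahci jfs"\nHOOKS="base consolefont udev encrypt lvm2"\n' > "$d/mkinitcpio.conf"
    r=0
    if check_mkinitcpio_conf "$d/mkinitcpio.conf" && check_uuid_refs "$d/menu.lst" "$d/by-uuid"; then
        echo "pre-flight OK"
    else
        echo "pre-flight FAILED" >&2; r=1
    fi
    rm -rf "$d"
    return $r
}

demo
```

On a real system the second argument of check_uuid_refs would be /dev/disk/by-uuid, so a UUID copied wrongly from blkid is caught before the reboot rather than at the "unable to find device" prompt; the hook-order checks encode the dependency the post describes (udev before encrypt, encrypt before lvm2).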




#3 2010-05-31 15:59:46

undermind
Member
Registered: 2010-05-30
Posts: 4

Re: /boot partition on USB disc for encryption scheme

Thanks for the advice! I'll definitely try it this weekend when I reinstall my system with encryption on my laptop. That way the thieves will get a nice 6 pound paperweight :P

