Ubuntu 15.10 full-disk encryption howto

The following howto has been partly stolen from somewhere else. I adapted it to my situation. The main setup is the same: the whole installation (swap + root fs + home) resides in a single encrypted container, so that at boot only one passphrase has to be entered and the hibernation image is encrypted as well. Only the bootloader and the kernel in /boot are unencrypted.

Partition table (MBR):

/dev/sda1: 280 MB primary partition, /boot
/dev/sda2: extended partition containing
/dev/sda5: 800 GB logical partition, type 83 (Linux), used for the LUKS container

Create a single LUKS container spanning the whole logical partition (luksFormat overwrites whatever is on it):

cryptsetup luksFormat /dev/sda5
cryptsetup luksOpen /dev/sda5 CryptDisk

With “cryptsetup status” you can check the cipher, key size etc. that were chosen:

cryptsetup status /dev/mapper/CryptDisk

Create an LVM physical volume and a volume group on the opened LUKS container:

pvcreate /dev/mapper/CryptDisk
vgcreate lvm-vg /dev/mapper/CryptDisk

17 GB swap volume (for hibernation with 16 GB of memory the swap has to be at least as large as the RAM):

lvcreate -n swap -L 17g lvm-vg

A 35 GB root volume should be enough:

lvcreate -n root -L 35g lvm-vg

The rest goes to /home:

lvcreate -n home -l +100%FREE lvm-vg

Create the filesystems and the swap area. Note that the volume group name lvm-vg shows up under /dev/mapper with the hyphen doubled (lvm--vg), because device-mapper escapes hyphens in VG and LV names. The label is set with -L (a lower-case -l would expect a bad-blocks file):

mkfs.ext4 -L root /dev/mapper/lvm--vg-root
mkfs.ext4 -L home /dev/mapper/lvm--vg-home
mkswap /dev/mapper/lvm--vg-swap
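The steps above as one script, added here as an example and not part of the original howto. It assumes the same layout (MBR disk /dev/sda, LUKS on /dev/sda5, mapping name CryptDisk, volume group lvm-vg, 16 GB of RAM); the dm_path helper encodes the device-mapper naming rule that turns lvm-vg into lvm--vg, and the setup refuses to touch a partition that is mounted or already carries a LUKS header, because luksFormat would otherwise silently destroy it. Nothing is written unless the script is invoked with the argument "run".

```shell
#!/bin/sh
# Added example for the LUKS + LVM layout of the howto (not the page's own script).
# Assumptions: MBR disk /dev/sda, data partition /dev/sda5, VG "lvm-vg", 16 GB RAM.
set -eu

LUKS_PART=${LUKS_PART:-/dev/sda5}
CRYPT_NAME=${CRYPT_NAME:-CryptDisk}
VG=${VG:-lvm-vg}
SWAP_SIZE=${SWAP_SIZE:-17g}   # RAM + 1 GB so that the hibernation image fits
ROOT_SIZE=${ROOT_SIZE:-35g}

# Device-mapper escapes every '-' in a VG or LV name as '--' and joins the two
# with a single '-'; that is why the VG "lvm-vg" appears as /dev/mapper/lvm--vg-root.
dm_path() {
  vg=$(printf '%s' "$1" | sed 's/-/--/g')
  lv=$(printf '%s' "$2" | sed 's/-/--/g')
  printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Safety check before luksFormat: refuse a partition that is mounted or that already
# holds a LUKS header, since luksFormat overwrites the old header without asking twice.
refuse_if_in_use() {
  dev=$1
  if findmnt -rn -S "$dev" >/dev/null 2>&1; then
    echo "$dev is mounted, refusing to format it" >&2
    return 1
  fi
  if cryptsetup isLuks "$dev" 2>/dev/null; then
    echo "$dev already holds a LUKS header, refusing to format it" >&2
    return 1
  fi
}

# The complete sequence from the howto: LUKS container, PV, VG, three LVs, filesystems.
setup_crypt_lvm() {
  refuse_if_in_use "$LUKS_PART"
  cryptsetup luksFormat "$LUKS_PART"
  cryptsetup luksOpen "$LUKS_PART" "$CRYPT_NAME"
  pvcreate "/dev/mapper/$CRYPT_NAME"
  vgcreate "$VG" "/dev/mapper/$CRYPT_NAME"
  lvcreate -n swap -L "$SWAP_SIZE" "$VG"
  lvcreate -n root -L "$ROOT_SIZE" "$VG"
  lvcreate -n home -l +100%FREE "$VG"
  mkfs.ext4 -L root "$(dm_path "$VG" root)"
  mkfs.ext4 -L home "$(dm_path "$VG" home)"
  mkswap "$(dm_path "$VG" swap)"
  # Record the cipher and key size actually in use for the setup notes.
  cryptsetup status "/dev/mapper/$CRYPT_NAME"
}

# Only act when explicitly asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
  setup_crypt_lvm
fi
```

Run it from the live system as root with `sh setup.sh run`; the device paths it prints via dm_path are the ones to enter in the installer's partitioning dialog.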

Install with the graphical installer, choose “other” as the installation method and assign the proper mount points to the partitions and logical volumes:

  • /boot to /dev/sda1
  • / to /dev/mapper/lvm--vg-root
  • /home to /dev/mapper/lvm--vg-home
  • swap for /dev/mapper/lvm--vg-swap
  • Install the bootloader on /dev/sda

After the GUI installer has finished, select “continue testing”: the installed system still has to be configured so that at startup it knows how to unlock the encrypted disk.

During my installation the installer left the target system mounted under /target, so we can still use it (otherwise mount the root volume there yourself first):

mount /dev/sda1 /target/boot
mount /dev/mapper/lvm--vg-home /target/home
mount --bind /dev /target/dev

The next steps are in the chroot environment:

chroot /target
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

/etc/crypttab has to point to the encrypted LUKS container (not to one of the logical volumes inside it); the UUID can be obtained with blkid:

$ blkid /dev/sda5
/dev/sda5: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS" PARTUUID="12345678-12"
$ cat /etc/crypttab
CryptDisk UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=lvm-vg

Create the file /etc/initramfs-tools/conf.d/cryptroot; the UUID has to be the same one as in /etc/crypttab, i.e. that of the LUKS container:

CRYPTROOT=target=CryptDisk,source=/dev/disk/by-uuid/8b80b3a7-6a33-4db3-87ce-7f126545c74af

The initramfs has to be regenerated after that step:

update-initramfs -k all -c

The setting GRUB_CMDLINE_LINUX in /etc/default/grub must contain the UUID of the encrypted partition as well:

GRUB_CMDLINE_LINUX="cryptopts=target=CryptDisk,source=/dev/disk/by-uuid/8b80b3a7-6a33-4db3-87ce-7f126545c74af,lvm=lvm-vg"

As the last action in the chroot environment run update-grub so that the new kernel command line ends up in /boot/grub/grub.cfg:

update-grub

Then exit the chroot environment and reboot into the new encrypted system.
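The three files edited in the chroot (/etc/crypttab, /etc/initramfs-tools/conf.d/cryptroot and GRUB_CMDLINE_LINUX in /etc/default/grub) all have to carry the same container UUID, and a typo in any of them only shows up as an unbootable system. The following script, an added example rather than anything from the original howto, reads the UUID once with blkid, writes all three places from it and then checks that they agree. The mapping name CryptDisk and the volume group lvm-vg are taken from the howto; the PREFIX argument is an assumption that lets the functions operate on /target or on a scratch directory instead of the live root.

```shell
#!/bin/sh
# Added example (not from the original howto): generate and cross-check the crypttab,
# initramfs cryptroot and GRUB settings for the LUKS container from a single UUID.
# Assumptions: mapping name CryptDisk, VG lvm-vg; "prefix" is the chroot/target root.
set -eu

CRYPT_NAME=${CRYPT_NAME:-CryptDisk}
VG=${VG:-lvm-vg}

# Read the UUID with blkid and refuse anything that is not a LUKS container: pointing
# crypttab at an LV or at /boot by mistake is only noticed at the next boot.
luks_uuid() {
  dev=$1
  if [ "$(blkid -s TYPE -o value "$dev")" != "crypto_LUKS" ]; then
    echo "$dev is not a crypto_LUKS device" >&2
    return 1
  fi
  blkid -s UUID -o value "$dev"
}

# Write all three configuration places from one UUID.
write_crypt_config() {
  uuid=$1
  prefix=${2:-}
  mkdir -p "$prefix/etc/initramfs-tools/conf.d" "$prefix/etc/default"
  printf '%s UUID=%s none luks,retry=1,lvm=%s\n' "$CRYPT_NAME" "$uuid" "$VG" \
    > "$prefix/etc/crypttab"
  printf 'CRYPTROOT=target=%s,source=/dev/disk/by-uuid/%s\n' "$CRYPT_NAME" "$uuid" \
    > "$prefix/etc/initramfs-tools/conf.d/cryptroot"
  # Replace an existing GRUB_CMDLINE_LINUX line, keeping every other setting in the file.
  grub="$prefix/etc/default/grub"
  if [ -f "$grub" ]; then
    grep -v '^GRUB_CMDLINE_LINUX=' "$grub" > "$grub.tmp" || :
  else
    : > "$grub.tmp"
  fi
  printf 'GRUB_CMDLINE_LINUX="cryptopts=target=%s,source=/dev/disk/by-uuid/%s,lvm=%s"\n' \
    "$CRYPT_NAME" "$uuid" "$VG" >> "$grub.tmp"
  mv "$grub.tmp" "$grub"
}

# Extract the UUID each file refers to and compare them; returns 1 on any mismatch.
check_crypt_config() {
  prefix=${1:-}
  a=$(sed -n 's/^[^ ]* UUID=\([^ ]*\) .*/\1/p' "$prefix/etc/crypttab")
  b=$(sed -n 's|.*source=/dev/disk/by-uuid/\([^, ]*\).*|\1|p' "$prefix/etc/initramfs-tools/conf.d/cryptroot")
  c=$(sed -n 's|^GRUB_CMDLINE_LINUX=.*by-uuid/\([^,"]*\).*|\1|p' "$prefix/etc/default/grub")
  if [ -n "$a" ] && [ "$a" = "$b" ] && [ "$b" = "$c" ]; then
    echo "ok: crypttab, cryptroot and grub all refer to $a"
    return 0
  fi
  echo "mismatch: crypttab=$a cryptroot=$b grub=$c" >&2
  return 1
}

# Typical use inside the chroot: write_crypt_config "$(luks_uuid /dev/sda5)" && check_crypt_config
```

Inside the chroot, `write_crypt_config "$(luks_uuid /dev/sda5)"` followed by `check_crypt_config` replaces the three manual edits; `update-initramfs -k all -c` and `update-grub` still have to be run afterwards, since the files alone change nothing until the initramfs and grub.cfg are regenerated.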

Check /boot for tampering

With the described setup the /boot partition is unencrypted (it holds the kernel and the initramfs that the bootloader loads). It is a good idea to be at least able to detect changes to it. The German computer magazine c't published a tool in 2012 called chkboot to do exactly this: create checksums for everything in /boot and detect changes at the next boot.

There is an updated version available on GitHub. After cloning it, it can simply be installed with

make install-systemd

Make sure to edit /etc/default/chkboot.conf and adjust the variables
BOOTDISK and BOOTPART. In our example the default setting already matches:

$ grep -e "BOOTDISK\|BOOTPART" /etc/default/chkboot.conf
BOOTDISK=/dev/sda
BOOTPART=/dev/sda1

By default the change notification is shown on the text console only. To have the check run after logging into the desktop environment as well, add chkboot-desktopalert to your desktop startup programs. Keep in mind that this is detection, not prevention: by the time the check runs, the (possibly modified) kernel and initramfs from /boot have already been executed.
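To show what a tool like chkboot actually does, here is a minimal version of the idea as an added example; it is not chkboot's code and does not replace it. boot_snapshot records SHA-256 sums of every file under the boot directory plus the first 446 bytes of the disk (the MBR boot code, where a bootkit would install itself), and boot_verify compares the current state against that record and prints what was added, removed or modified. The defaults BOOTDIR=/boot and BOOTDISK=/dev/sda follow the howto; the database path /var/lib/boot-sums is an assumption, and it matters that it lies on the encrypted root rather than on /boot itself.

```shell
#!/bin/sh
# Added example of the chkboot idea (not chkboot's own code): checksum /boot and the
# MBR boot code, store the sums on the encrypted root, compare at the next boot.
# Assumptions: BOOTDIR=/boot, BOOTDISK=/dev/sda, database at /var/lib/boot-sums.
set -eu

BOOTDIR=${BOOTDIR:-/boot}
BOOTDISK=${BOOTDISK:-/dev/sda}
DB=${DB:-/var/lib/boot-sums}

# Hash only the 446 bytes of boot code; the partition table after it may change
# legitimately and is not what a bootkit needs to overwrite.
mbr_sum() {
  dd if="$1" bs=446 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# One line per file ("<sha256>  ./path", sorted for stable diffs) plus one for the MBR.
boot_sums() {
  dir=$1
  disk=$2
  (cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done)
  printf '%s  MBR:%s\n' "$(mbr_sum "$disk")" "$disk"
}

# Record the current state. Run this after every kernel, initramfs or GRUB update.
boot_snapshot() {
  db=${3:-$DB}
  boot_sums "${1:-$BOOTDIR}" "${2:-$BOOTDISK}" > "$db"
  chmod 600 "$db"
}

# Returns 0 when nothing changed, 1 when something did, 2 when there is no snapshot.
# A missing snapshot is itself suspicious: an attacker controlling the initramfs could
# simply delete the database, so treat return code 2 like an alarm, not like a first run.
boot_verify() {
  db=${3:-$DB}
  if [ ! -f "$db" ]; then
    echo "no snapshot at $db" >&2
    return 2
  fi
  if changes=$(boot_sums "${1:-$BOOTDIR}" "${2:-$BOOTDISK}" | diff "$db" -); then
    echo "boot unchanged since last snapshot"
    return 0
  fi
  echo "BOOT CHANGED since last snapshot:"
  printf '%s\n' "$changes"
  return 1
}

# Typical use: boot_snapshot after an update, boot_verify from a systemd unit at boot.
```

Because the snapshot has to be refreshed after each kernel or GRUB update, a practical deployment runs boot_verify early at boot (and again on desktop login, as chkboot does) and boot_snapshot from an apt hook after update-initramfs and update-grub have run.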