Linux - Software
This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Currently I'm using Ubuntu 9.04, and when I installed it I got a question asking if I wanted to encrypt the disk contents. I answered no. Now I think it is a good idea to have such a possibility. So is it possible to have the same encryption on a running system? I mean, to make the system as if I had answered 'yes' to that question.
Thanks.
It's not a trivial exercise, and if you've not much effort invested in your system then the best course of action is to start over with a fresh install. If you want to go ahead and encrypt your drive keeping your existing install then just say so and I'll outline the steps.
If this system is a server, then reconsider. A server is normally permanently turned on, and most compromises occur over the network, so an encrypted disk won't offer much in the way of protection.
The only time an encrypted drive offers protection is when the machine is turned off and is physically stolen. So a laptop is a good candidate for an encrypted drive.
This assumes you want to encrypt everything on the drive. If you want encrypted containers that are only temporarily mounted for short periods of time then the above doesn't apply, and you should be able to get going with your existing system.
Thank you for answering. First, it's a server and it's important to encrypt data in my case.
Now I'm considering what you said and what to choose. If I could find a fast way to restore the existing system after installation then I would go with a fresh install. Currently I have made a lot of configs and scripts in the system, so writing them from scratch would be very painful. If it is possible to save something and restore it after the install, then OK. If not, I would choose to encrypt the existing installation.
So if you will help me I will be greatly thankful for your effort.
If there are multiple disk partitions on the system, you'll need to partition the backup drive into multiple partitions. If the backup drive needs partitioning, it will need formatting. The great thing about rsyncing entire disk partitions is this defragments the file system.
Once you have a full backup (rsync verifies files, preserves file attributes, copies links, and basically makes the system identical to what it was, if you use rsync -avH), you can reinstall the system using the installation media. Boot up the new system, and restore the old system to the new system. The drive encryption info is embedded in the drive itself. If you ever want to change the password, you have to do the whole process again. Or worse, if you ever forget the password, there is no way but guessing to get it back.
I can understand encrypting data, but binaries? A better way to go might be with an encrypted loop device. Because, if the whole drive is encrypted, whenever the system is running, none of the files are encrypted. Disk encryption is only an effective deterrent if the machine is turned off and someone gains physical access to it while it's off.
When the machine is running, encryption is useless. Let's say you want to encrypt /etc/, but not the entire '/' directory. You'd make a sparse file like so:
Code:
dd if=/dev/urandom of=/etc.file bs=1M count=2000
That shouldn't take too long. Once the sparse file is made, load some modules:
Code:
modprobe loop
modprobe cryptoloop
modprobe aes
Set up the loop device:
Code:
losetup -e aes /dev/loop1 /etc.file
password:
I'd pick at least a 20 character password. You can make good passwords, like I'll make an easy one to remember, but hard to guess: MarSh3333MarShmall0wS.
So now the loop device is set up with the sparse file. Format the loop device:
Code:
mkfs.ext3 /dev/loop1
Make a mount directory:
Code:
mkdir /etchold
Mount the drive:
Code:
mount -o loop,encryption=aes /etc.file /etchold
password:
Use the same password for mounting as for losetup.
/etchold is the encrypted loop device mount point.
Make links to loop in /etc/rc.d/rc.1, rc.2, rc.3, rc.5, placed fairly early in the sequences for those runlevels. You'll figure it out. The same procedure applies to any directory, not only /etc.
Just before we start, we can use `dpkg -l > pkgs.txt` to create a list of all installed packages and you can copy that with /etc to another hard drive. Then after you've reinstalled you can install all the packages from the list and copy the config files back into place.
OK, here we go:
First of all you will need a spare drive to back up to and a Live CD; the current Ubuntu one will be perfect. Boot your machine up using the live CD, and make a directory to work from, let's say /mnt/os.
Now, mount the partitions on your hard drive under /mnt/os in the same fashion as they would be mounted if the system was booted from disk, so mount your root partition to /mnt/os; if you have a /boot partition, mount that to /mnt/os/boot, and the same with any other partitions you might have, for example /home or /usr.
Make another directory, for example /mnt/backup, and mount your spare drive to that, then cd into /mnt/os and tar it all up to a file in /mnt/backup:
Code:
# cd /mnt/os
# tar czf /mnt/backup/server-20100102.tar.gz .
Once that is completed, unmount everything.
Now, time to nuke the drive. Even if we formatted at this point and created encrypted partitions, a determined individual/organisation may be able to recover what was on the drive prior to the encrypted partitions.
This will take several hours, but should do the job nicely. If you want it done quicker then you can use a utility that uses poorer quality randomisation.
Now you can create a new partition layout using cfdisk or fdisk, and set the types correctly: 0x82 for swap and 0x83 for file system partitions. You _will_ need a separate /boot partition, and that can't be encrypted, otherwise the system won't be able to boot.
Mount the new filesystems as you did earlier to /mnt/os, so assuming you have the above partitions:
Code:
# mount /dev/mapper/root /mnt/os
# mount /dev/mapper/home /mnt/os/home
# mount /dev/sda1 /mnt/os/boot
Next step is to untar your files over the new layout:
Code:
# cd /mnt/os
# tar xzf /mnt/backup/server-20100102.tar.gz
We now need to make some final config changes, and for some stuff we need to chroot into the install.
Code:
# for d in dev proc sys; do mount --bind /$d /mnt/os/$d; done
# chroot /mnt/os
Change /etc/fstab to suit the new devices, for example /dev/sda2 to /dev/mapper/root. Also, if you didn't previously have a /boot partition you will need to alter /boot/grub/menu.lst and set the paths correctly.
Once that is done you need to install grub back to the mbr and update the initramfs image:
Code:
# update-initramfs -u
# grub
> root (hd0,0)
> setup (hd0)
> quit/exit // I can never remember which one it is.
Exit the chroot environment, unmount all the partitions and reboot, removing the CD. If all has gone to plan, your system should boot up from the hard drive, and everything is done and dusted.
Do not blindly follow this step by step. It isn't complete; it is intended to give you the order and what needs doing to accomplish this. Read the information at the links I've provided and think about what you're doing. If a command doesn't do exactly what you thought, don't panic; think carefully about the error message. Have a look on Google, or post the error here.
Also, a lot of the Ubuntu how-tos talk about creating hooks and editing configuration for initramfs-tools; I'm not sure this is necessary in the current version. My laptop is encrypted and has the default configuration, nothing specifically mentions encryption in /etc/initramfs-tools, so it looks like an encrypted root is supported "out-of-the-box".
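The backup step in the walkthrough above (tar up /mnt/os before nuking the drive), as an added example that is not the poster's own commands: it archives a tree with numeric ownership, then restores the archive into a scratch directory and compares file modes, checksums and symlink targets against the source, so a bad archive is caught while the original disk still exists. It assumes only POSIX tools plus tar's --numeric-owner and -p options; source and archive paths are arguments, and the tree built in the --demo section is constructed here.

```shell
#!/bin/sh
# Added example (not the poster's own commands): archive a mounted tree the
# way the backup step above intends, then prove the archive restores to an
# identical tree before the disk is wiped. All paths are arguments; the
# sample tree in the --demo section is constructed here.

# Print a sorted manifest of DIR: mode, CRC and size of every regular file,
# and the target of every symlink. Two identical trees give identical output.
tree_manifest() {
    ( cd "$1" || exit 1
      find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          printf 'f %s %s %s\n' "$f" "$(ls -ld "$f" | cut -c1-10)" "$(cksum < "$f")"
      done
      find . -type l -print | LC_ALL=C sort | while IFS= read -r l; do
          printf 'l %s -> %s\n' "$l" "$(readlink "$l")"
      done )
}

# Create ARCHIVE (absolute path) from SRC. --numeric-owner stores uid/gid as
# numbers, so a restore from a live CD with a different /etc/passwd is
# faithful; the trailing "." is the source operand the tar line above needs.
backup_tree() {
    src=$1; archive=$2
    tar -C "$src" --numeric-owner -czf "$archive" .
}

# Extract ARCHIVE into a scratch directory (-p restores modes regardless of
# umask) and compare its manifest with SRC. Returns 0 when identical,
# 1 otherwise, printing both manifests on stderr.
verify_backup() {
    src=$1; archive=$2
    scratch=$(mktemp -d) || return 1
    if ! tar -C "$scratch" --numeric-owner -xzpf "$archive"; then
        rm -rf "$scratch"; return 1
    fi
    want=$(tree_manifest "$src"); got=$(tree_manifest "$scratch")
    rm -rf "$scratch"
    [ "$want" = "$got" ] && return 0
    printf 'backup does not match source\nsource:\n%s\nrestored:\n%s\n' "$want" "$got" >&2
    return 1
}

# Demo on a constructed tree: sh backup.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/os/etc" "$demo/os/home/user" "$demo/backup"
    printf 'server\n' > "$demo/os/etc/hostname"
    printf 'umask 077\n' > "$demo/os/home/user/.profile"
    chmod 600 "$demo/os/home/user/.profile"
    ln -s ../../etc/hostname "$demo/os/home/user/hostname"
    backup_tree "$demo/os" "$demo/backup/server.tar.gz"
    verify_backup "$demo/os" "$demo/backup/server.tar.gz" && echo "backup verified"
    rm -rf "$demo"
fi
```

On the real system you would run it from the live CD as root, with /mnt/os and an absolute archive path under /mnt/backup as the two arguments; verify_backup needs scratch space on the backup drive (or a TMPDIR there) roughly the size of the tree, and a non-zero result means the drive is not yet safe to wipe.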
Thank you for this mega tutorial. It's a little bit too difficult for me. Anyway, I need functionality like you said: only against physical intervention. If I need to encrypt only some files then I would use ccrypt. Therefore you gave me a very good idea: I don't need to encrypt binaries; basically I need to encrypt one partition, /home. Is it possible? I can freely move all files from this partition now, and I can even delete it, but later I need it to act like it was encrypted originally from the Ubuntu installation.
WOW. Great posts, great help. Yes, it might be too complicated for me, but I think it is still possible. Thank you both very much for your effort and the time spent writing these posts. It's a great help.
Just encrypting /home is much more straightforward. You can either follow AwesomeMachine's tutorial, or follow this tutorial: https://help.ubuntu.com/community/En...lesystemHowto3 Stick with the Ubuntu 6.06 bits; they still apply. The 5.10 parts of the howto are not relevant.
Either method is fine; however, using LUKS containers is a more modern method.
You should really consider encrypting the swap partition too.
Edit:
With it being a server, your requirements might dictate that you need to keep the logs encrypted too, in which case you'll need to encrypt /var.
A little more help needed. All my existing partitions in fstab are identified with UUIDs and there are no mount points with /dev/sda or /dev/hda. All partitions are mounted as /dev/mapper. So the link for Ubuntu 6.04 is not good for me, I think...
Sounds like you may be using LVM; the UUID for /home will change.
Can you post the output of `sudo lvs`, `mount` and `cat /etc/fstab`? If you are using LVM then things will change a little, but most of the tutorial is still relevant.
`mount`
Code:
/dev/mapper/as9723-root on / type ext3 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
lrm on /lib/modules/2.6.28-17-server/volatile type tmpfs (rw,mode=755)
/dev/sda5 on /boot type ext2 (rw,relatime)
/dev/mapper/as9723-home on /home type ext3 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw)
`cat /etc/fstab`
Code:
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/mapper/as9723-root during installation
UUID=93784424-6768-41f8-89aa-0eed93cbecbc / ext3 relatime,errors=remount-ro 0 1
# /boot was on /dev/sda5 during installation
UUID=4fb0b05b-2862-443e-922a-731b1f68dd97 /boot ext2 relatime 0 2
# /home was on /dev/mapper/as9723-home during installation
UUID=f0c9163f-f28b-4fcd-b549-61d79b954403 /home ext3 relatime 0 2
# swap was on /dev/mapper/as9723-swap_1 during installation
UUID=a4e69841-e676-4068-b18e-c53c9be076e5 none swap sw 0 0
OK, encrypting /home is going to be quite straightforward.
Back up /home, then follow the tutorial but use /dev/mapper/as9723-home as the device to create the container on. Once you have formatted the encrypted container you will need to update the UUID in /etc/fstab.
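For that last step, and for the same fstab edit in the full-disk walkthrough above, an added example that is not code from the thread: POSIX sh functions that read and rewrite the UUID= token for one mount point while leaving the rest of /etc/fstab untouched, and that check every UUID the file names against /dev/disk/by-uuid before rebooting, since a UUID that nothing resolves means a boot that hangs waiting for /home. The sample fstab is constructed from the one posted above; the replacement UUID in the demo is a placeholder, and on the real system it comes from blkid on the opened container.

```shell
#!/bin/sh
# Added example (not the thread's own code): after /home is moved into an
# encrypted container, the filesystem inside it gets a new UUID, and the
# UUID= line in /etc/fstab must be changed before the next boot. These
# helpers do that edit without disturbing the rest of the file, and check
# every UUID the file names against /dev/disk/by-uuid before rebooting.
# The sample fstab written by write_sample_fstab is constructed here,
# modelled on the one posted in the thread.

# Print the UUID recorded for MOUNTPOINT in FSTAB (nothing if none).
fstab_uuid_for() {
    awk -v mp="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }       # comments and blank lines
        $2 == mp && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }
    ' "$2"
}

# Rewrite the UUID for MOUNTPOINT in FSTAB to NEWUUID. Only the UUID= token of
# the matching line changes; comments and spacing elsewhere stay byte-for-byte
# the same. The file is written via a temporary and renamed into place, so an
# interrupted run cannot leave a truncated fstab (an unbootable system).
fstab_set_uuid() {
    mp=$1; new=$2; fstab=$3
    tmp=$(mktemp "$fstab.XXXXXX") || return 1
    awk -v mp="$mp" -v new="$new" '
        /^[[:space:]]*#/ || NF < 2 { print; next }
        $2 == mp && $1 ~ /^UUID=/ { sub(/UUID=[^[:space:]]+/, "UUID=" new) }
        { print }
    ' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Check that every UUID named in FSTAB exists under BYUUID (default
# /dev/disk/by-uuid, the directory udev fills from what the kernel can see).
# Returns 0 if all resolve, 1 otherwise, naming each miss on stderr.
fstab_check_uuids() {
    fstab=$1; byuuid=${2:-/dev/disk/by-uuid}; rc=0
    for u in $(awk '/^[[:space:]]*#/ || NF < 2 { next }
                    $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }' "$fstab"); do
        if [ ! -e "$byuuid/$u" ]; then
            echo "fstab names UUID=$u but $byuuid has no such device" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample fstab (values as posted in the thread) written to FILE.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# /etc/fstab: static file system information.
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/mapper/as9723-root during installation
UUID=93784424-6768-41f8-89aa-0eed93cbecbc / ext3 relatime,errors=remount-ro 0 1
# /boot was on /dev/sda5 during installation
UUID=4fb0b05b-2862-443e-922a-731b1f68dd97 /boot ext2 relatime 0 2
# /home was on /dev/mapper/as9723-home during installation
UUID=f0c9163f-f28b-4fcd-b549-61d79b954403 /home ext3 relatime 0 2
# swap was on /dev/mapper/as9723-swap_1 during installation
UUID=a4e69841-e676-4068-b18e-c53c9be076e5 none swap sw 0 0
EOF
}

# Demo: sh fstab-uuid.sh --demo NEWUUID   (NEWUUID from blkid on the container)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_fstab "$f"
    echo "old /home UUID: $(fstab_uuid_for /home "$f")"
    fstab_set_uuid /home "${2:-00000000-0000-0000-0000-000000000000}" "$f"
    echo "new /home UUID: $(fstab_uuid_for /home "$f")"
    fstab_check_uuids "$f" || echo "fix the misses above before rebooting"
    rm -f "$f"
fi
```

On the real system the call is `fstab_set_uuid /home "$(blkid -s UUID -o value /dev/mapper/NAME)" /etc/fstab` with NAME being whatever the container was opened as, followed by `fstab_check_uuids /etc/fstab` while the container is still open; the check deliberately looks at the kernel's view rather than at fstab alone, which is the mistake that turns a typo into an unbootable box.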