Dear all,

Currently I'm using Ubuntu 9.04 and when I installed it I got a question if I want to encrypt disk contents. I answered no. Now I think it is good idea to have such possibility. So is it possible to have the same encryption on running system ? I mean to make system such as I had answered 'yes' to that question.
Thanks.

It's not a trivial exercise, and if you've not much effort invested in your system then the best course of action is to start over with a fresh install. If you want to go ahead and encrypt your drive keeping your existing install then just say so and I'll outline the steps.

If this system is a server, then reconsider. A server is normally permanently turned on, and most compromises occur over the network, so an encrypted disk won't offer much in the way of protection.

The only time an encrypted drive offers protection is when the machine is turned off and is physically stolen. So a laptop is a good candidate for an encrypted drive.

This, assumes you want to encrypt everything on the drive. If you want encrypted containers that are only temporarily mounted for short periods of time then the above doesn't apply, and you should be able to get going with your existing system.

Hello,

Thank you for answering. First, its server and its important to encrypt data in my case.
Now I'm considering about what you said and what to choose. If I would find fast way to restore existing system after installation then I would go with fresh install. Currently I have made a lot of configs and scripts in the system, so writing them from scratch would be so painful. If it is possible to save something and after install restore than ok. If not, I would choose encrypt existing installation.
So if you will help me I will be greatly thankful for your effort.

OK. Backup the existing system using rsync:

rsync -avH --exclude=<mount_point_of_backup drive> <mount_point_of_backup_drive>/

If there are multiple disk partitions on the system, you'll need to partition the backup drive into multiple partitions. If the backup drive needs partitioning, it will need formatting. The great thing about rsyncing entire disk partitions is this defragments the file system.

After you have a full backup, and rsync verifies files, preserves file attributes, copies links, and basically makes the system identical to what it was, if you use rsync -avH.

Then you can reinstall the system using the installation media. Boot up the new system, and restore the old system to the new system. The drive encryption info in embedded in the drive itself. If you ever want to change the password, you have do the whole process again. Or worse, if you ever forget the password, there is now way but guessing to get it back.

I can understand encrypting data, but binaries? A better way to go might be with an encrypted loop device. Because, if the whole drive in encrypted, whenever the system is running, none of the files are encrypted. Disk encryption is only an effective deterrent is the machine is turned off, and someone gains physical access to it while it's off.

When the machine is running, encryption is useless. Lets say you want to encrypt /etc/, but not the entire '/' directory. You'd make a sparse file like so:

dd if=/dev/urandom of=/etc.file bs=1M count=2000

That shouldn't take too long. Once the sparse file is made, load some modules:

modprobe loop
modprobe cryptoloop
modprobe aes

setup the loop device:

losetup -e aes /dev/loop1 /etc.file
password:

I'd pick at least a 20 character password. You can make good passwords, like I'll make an easy one to remember, but hard to guess: MarSh3333MarShmall0wS.

So now the loop device is setup with the sparse file. Format the loop device:

mkfs.ext3 /dev/loop1

Make a mount directory:
mkdir /etchold

Mount the drive:
mount -o loop,encryption=aes /etcfile /etchold
password:
Use the same password for mounting as for losetup.

/etchold is the encrypted loop device mount point.

Copy over /etc
rsync -avH /etc/* /etchold/
mv /etc /etc1
mv /etchold /etc

Write an /etc/init.d/ script, called loop:

#!/bin/bash
case "$1" in
start)

modprobe loop
modprobe cryptoloop
modprobe aes

losetup -e aes /dev/loop1 /etcfile
mount -o loop,encryption=aes /etcfile /etc
;;

stop)

losetup -d /dev/loop1
;;

*)
echo "usage: /etc/init.d/loop {start|stop}"

exit 1
;;

esac

exit 0

esac

Make links to loop in /etc/rc.d/rc.1, rc.2, rc.3, rc.5, place fairly early in the sequences for those runlevels. You'll figure it out. The same procedure applies to any directory, not only /etc

2 members found this post helpful.

bah, Wish I'd seen your post 1/2 an hour earlier.

Anyhow, while I've done it, here it is:

Hello,

Just before we start, we can use `dpkg -l > pkgs.txt` to create a list of all installed packages and you can copy that with /etc to another hard drive. Then after you've reinstalled you can install all the packages from the list and copy the config files back into place.

OK, here we go:

First of all you will need a spare drive to backup to and a Live CD, the current Ubuntu one will be perfect. Boot your machine up using the live cd, and make a directory to work from, lets say /mnt/os.

Now, mount the paritions on your hardrive under /mnt/os in the same fasion as they would be mounted if the system was booted from disk, so mount your root partition to /mnt/os, if you have a /boot partition, mount that /mnt/os/boot, and the same with any other partitions you might have, for example /home or /usr.

Make another directory, for example /mnt/backup and mount your spare drive to that, then cd into /mnt/os and tar it all up to a file in /mnt/backup:

Once that is completed, unmount everything.

Now, time to nuke the drive, even if we formatted at this point and created encrypted partitions, a determined individual/organisation may be able to recover what was on the drive prior to the encrypted drives.

This will take several hours, but should do the job nicely. If you want it done quicker then you can use a utility that does uses poorer quality randomisation.

Now you can create a new partition layout using cfdisk or fdisk, set the types correctly, 0x82 for swap and 0x83 for file system partitions. You _will_ need a separate /boot partition and that can't be encrypted otherwise the system won't be able to boot.

Follow sections 6 and 7 on the encryption page of the Arch Linux wiki: http://wiki.archlinux.org/index.php/...S_for_dm-crypt

Now create filesystems on the open containers:

Mount the new filesystems as you did earlier to /mnt/os, so assuming you have the above paritions:

Next step is to untar your files over the new layout:

We now need to make some final config changes, and for some stuff we need to chroot into the install.

Change /etc/fstab to suit the new devices for example /dev/sda2 to /dev/mapper/root. Also, if you didn't previously have a /boot partition you will need to alter /boot/grub/menu.lst and set the paths correctly:

From:
To:

Also, we need a new file: /etc/cryptsetup

Once that is done you need to install grub back to the mbr and update the initramfs image:

exit the chroot environment, unmount all the partitions and reboot, removing the cd. If all has gone to plan, your system should boot up from the hard drive, and everything is done and dusted.

Useful Links/Further reading:

https://help.ubuntu.com/community/EncryptedFilesystems
https://help.ubuntu.com/community/En...ilesystemHowto
https://help.ubuntu.com/community/En...stemOnIntrepid
http://wiki.archlinux.org/index.php/...S_for_dm-crypt


Disclaimer:

Do not blindly follow this step by step. It isn't complete, it is intended to give you the order and what needs doing to accomplish this. Read the information at the links I've provided and think about what your doing. If a command doesn't do exactly what you thought, don't panic, think carefully about the error message. Have a look on google, or post the error here.

Also, a lot of the ubuntu how tos talk about creating hooks and editing configuration for initramfs-tools, I'm not sure this is necessary in the current version. My laptop is encrypted and has the default configuration, nothing specifically mentions encryption in /etc/initramfs-tools, so it looks like and encrypted root is support "out-of-the-box".

1 members found this post helpful.

Hi,

Thank you for this mega tutorial. Its a little bit too difficult for me. Anyway I need functionality like you said - only from physical intervention. If I need to encrypt only some file then I would use ccrypt. Therefore you gave me a very good idea - I don't need to encrypt binaries, basically I need to encrypt one partition /home. Is it possible ? I can freely move all files from this partition now and I can even delete it, but later I need it to act like it was encrypted originally from Ubuntu installation.

WOW. Great posts, great help. Yes it might be too complicated for me, but I think it is still possible. Thank you both very much for your effort and spent time writing these posts. Its great help.

Just encrypting /home is much more straightforward. You can either follow AwesomeMachine's tutorial, or follow this tutorial: https://help.ubuntu.com/community/En...lesystemHowto3 Stick with the Ubuntu 6.06 bits, they still apply, the 5.10 parts of the howto are not relevant.

Either method is fine, however using luks containers is a more modern method.

You should really consider encrypting the swap partition too.

Edit:

With a it being a server, your requirements might dictate that you need to keep the logs encrypted too, in which case you'll need to encrypt /var

1 members found this post helpful.

Thanks again for your effort ! I'm very glad that I'm able to find a lot of help and support in these forums.
Now I'm gone to encrypt

Hello,

Little more help needed. All my existing partitions in fstab is identified with UUID and there are no mountpoints with /dev/sda or /dev/hda. All partitions mounted as /dev/mapper. So the link for Ubuntu 6.04 is not good for me I think.....

Sounds like you may be using LVM, the UUID for /home will change

can you post the output of `sudo lvs`, `mount` and `cat /etc/fstab`. If you are using LVM then things will change a little, but most of the tutorial is still relevant.

Hello,

Yes, I use LVM. Here is my outputs:

'sudo lvs'
'mount'
'cat /etc/fstab'

Ok, encrypting /home is going to be quite straight forward.

Backup /home, then follow the tutorial but use /dev/mapper/as9723-home as the device to create the container on. Once you have formatted the encrypted container you will need to update the UUID in /etc/fstab.

You can find out the new UUID by running:

I hope the same goes for swap ?

Yes you can do the same with swap.

Just make sure that in the boot process lvm is setup before the luks containers.