LinuxQuestions.org
Old 11-21-2016, 05:08 PM   #1
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Rep: Reputation: 33
Encrypting the whole system after the installation and using an external device


Hi!

I'm running a dual boot machine with Win7 and Arch Linux.

Arch linux is separated into 4 partitions.
1) SWAP
2) /
3) HOME
4) BOOT

The thing is that they are not encrypted, and now I am really thinking of encrypting them. I read on the net that the only thing I can do now (as it is already installed) is to encrypt only the home with the ecryptfs method. I don't want to use that method but the LUKS one.

On the other hand, I have my Linux configured and I don't want to format and redo all the configuration from the beginning.

So I came here to discuss the following idea. What if I transfer my whole system (root, boot, home) to a portable HDD, then boot from a live USB and create the new LUKS partitions for boot, root and home, and when finished transfer all the data back from the portable HDD to the local HDD?

Is something like this going to work or not ?
If yes, could you please provide me with some additional tutorials or some hints from your own experience ?


Thank you.
 
Old 11-21-2016, 06:32 PM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,140

Rep: Reputation: 4123
Yes it will work, but bootloader considerations are paramount.
Why haven't you perused the Arch wiki ? - on this subject (as most) it is one of the best resources on the web.
 
Old 11-22-2016, 08:34 AM   #3
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

Rep: Reputation: 101
Transferring the data to an external drive, reformatting the internal drive according to your needs, dumping the data back from the external system to the internal and then configuring the bootloader will do the trick (I have done it in the past with other distributions). Remember to sanitize your external drive after you do this, in order to prevent forensic analysts from retrieving information from it.
 
1 members found this post helpful.
Old 11-22-2016, 10:39 AM   #4
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Quote:
Why haven't you perused the Arch wiki ?
I don't think that there is such a thread on the Arch wiki. As I remember, they only discuss doing it from the start, before installing the main system. That's why I'm asking here for ideas/hints/tutorials.

Quote:
I have done it in the past with other distributions
Are you able to give some more info? For example, how did you transfer the whole system to the external drive? With something like this (cp -rf * /mnt/usbDisk)?

It's the first time I'm dealing with something like this and I would like a better description.

Thank you again for your answers.
 
Old 11-22-2016, 10:44 AM   #5
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
I have used cp -a several times to move my Gentoo to a new hard drive.
 
Old 11-23-2016, 08:49 AM   #6
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

Rep: Reputation: 101
Forewarning: If you are not familiar with your bootloader's configuration mechanisms or with creating initrds from your kernel, it is just easier to make a backup of your /home and the most valuable configuration files and just reinstall.

@netpumber, there are many options. I just boot up the workstations using System Rescue CD, mount the computer under /mnt/custom and an external device under /mnt/backup and copy everything over using rsync.

Tar, partimage or fsarchive should also do the trick.

Once everything is copied to the external device, you can unmount /mnt/custom, reformat the internal workstation drive as you wish, mount its filesystems again and transfer the stuff back.

Code:
; Formatting the internal device - example.

; $partition_non_boot is the partition that is going to
; contain /home, / and swap within a LVM volume.
; $boot_partition is the partition designated to keep
; /boot. 

; Overwrite previous contents with pseudorandom data.
; It can take a looooong time.
# dd if=/dev/urandom of=$internal_drive
; Create new partition table.
# parted $internal_drive
; Give luks format to each partition.
; Remember that you need the boot partition to be unencrypted.
# cryptsetup luksFormat $partition_non_boot
; Establish LVM
; lvcreate needs -L (size) and -n (name); $root_size, $home_size and
; $swap_size are placeholders for the sizes of the logical volumes.
# cryptsetup luksOpen $partition_non_boot criticallvm
# pvcreate /dev/mapper/criticallvm
# vgcreate criticalgroup /dev/mapper/criticallvm
# lvcreate -L $root_size -n rootlv criticalgroup
# lvcreate -L $home_size -n homelv criticalgroup
# lvcreate -L $swap_size -n swaplv criticalgroup
; You can then format every device using mkfs.
# mkfs.ext4 $boot_partition
# mkfs.ext4 /dev/criticalgroup/rootlv
# mkfs.ext4 /dev/criticalgroup/homelv
# mkswap /dev/criticalgroup/swaplv
Once you are done, you can mount everything under /mnt/custom and rsync the contents from the external drive into the internal drive. Once everything has been transferred over, you need to chroot into your Arch installation and fix the bootloader and probably some things in /etc/fstab and /etc/crypttab.

Code:
; Chroot the proper way, should do the trick in most systems
# mount --bind /dev /mnt/custom/dev
# mount --bind /sys /mnt/custom/sys
# mount --bind /run /mnt/custom/run
# mount --bind /proc /mnt/custom/proc
# chroot /mnt/custom
How you fix the bootloader depends on what your bootloader is. You also need to generate a new initrd for your kernel.

Last edited by BlackRider; 11-23-2016 at 09:05 AM.
 
Old 11-24-2016, 09:53 AM   #7
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Thank you very much. Your answer is very descriptive. When I find some time I'll try to expand it with bootloader and kernel information and discuss them.

Thank you once more.
 
Old 11-25-2016, 07:24 PM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
I would use rsync to move the files around. You don't need to copy
Code:
/tmp, /proc, /dev, /sys, /var/run, /var/tmp, /run
When you dump the files back after encryption, just make those directories.
 
Old 12-11-2016, 02:40 PM   #9
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 423

Original Poster
Rep: Reputation: 33
Hello again. Here is a revision of the steps. Could you please read it and fix any misconceptions if there are any or suggest something different?

1) Back up the whole system into external drive from the existing OS.
Code:
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} / /mnt/usbDisk/oldSys
2) Unmount /mnt/usbDisk
Code:
# umount /mnt/usbDisk
3) Boot from a live USB

4) Delete all the existing linux partitions and overwrite the merged partition (sda4) with random data
[info] /dev/sda1,2,3 are the partitions for the windows.

Code:
dd if=/dev/urandom of=/dev/sda4
5) Create a new partition table, a boot partition and an LVM one with cfdisk
a) /dev/sda5 - 512M - bootable - Partition type: Linux (83)
b) /dev/sda6 - 230G - no bootable - Partition type: Linux (83)

6) Load the kernel module for dm_crypt
Code:
# modprobe dm_crypt
7) Encrypt the whole partition NOT the bootable one

Code:
# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/sda6
-c specifies the algorithm (here AES with XTS)
-s specifies the length of the encryption key (XTS uses two keys, therefore the key size here is 256)
-h specifies the hashing algorithm
-i specifies the number of milliseconds to spend with PBKDF2 passphrase processing (our hashing algorithm is stronger than sha1, thus this number should be higher than the default 1000)
-y asks for the passphrase two times (as confirmation)

8) Check if everything went ok with encrypting. This should return data about encryption type etc.
Code:
# cryptsetup luksDump /dev/sda6
9) Mount the encrypted disk /dev/mapper/lvm-crypt
Code:
# cryptsetup luksOpen /dev/sda6 lvm-crypt
10) Setting up LVM in the /dev/mapper/lvm-crypt
Code:
# lvm pvcreate /dev/mapper/lvm-crypt
# lvm vgcreate lvmpool /dev/mapper/lvm-crypt
11) Create all logical volumes needed
Code:
# lvm lvcreate -L 100GB -n root lvmpool
# lvm lvcreate -L 4GB -n swap lvmpool
# lvm lvcreate -l 100%FREE -n home lvmpool
12) Format all the partitions
Code:
# mkfs.ext4 /dev/sda5 # boot partition
# mkfs.ext4 /dev/mapper/lvm-crypt/root
# mkfs.ext4 /dev/mapper/lvm-crypt/home
# mkswap /dev/mapper/lvm-crypt/swap
13) Mount back the external Disk with the backup file system
Code:
# mount /dev/sdb1 /media/usbDisk
14) Mount all LVMs and transfer the old system. ( I have doubts for this step. What is your opinion ? )
Code:
# mount /dev/mapper/lvm-crypt/root /mnt  # / partition
# mkdir /mnt/home
# mount /dev/mapper/lvm-crypt/home /mnt/home # home partition
# mkdir /mnt/boot
# mount /dev/sda5 /mnt/boot # boot partition
Code:
# rsync -axX /media/usbDisk/oldSys/ /mnt
Also create the folders I didn't get

Code:
mkdir /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/run /mnt/mnt /mnt/media /mnt/lost+found
15) Edit bootloader ( I have doubts for this step. What is your opinion ? )
Code:
vim /mnt/boot/grub/grub.cfg
here is my current grub.cfg http://pastebin.com/hkACD6Z8
and change the line 15
Code:
linux   /vmlinuz-linux root=UUID=27ae6f98-7203-480e-abb1-097e606d9e01 rw  quiet
to
Code:
linux   /vmlinuz-linux cryptdevice=UUID=<u-u-i-d>:<n-a-m-e> root=/dev/mapper/lvm-crypt/root rw quiet
To get the <u-u-i-d> and <n-a-m-e> I will use lsblk -f.
If I get such a result for example :
Code:
    └─sda6                                        crypto_LUKS       e99fc375-b62d-4f45-8fd0-baf2370309d3   
      └─luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 LVM2_member       KNPfie-1mhh-eRZs-okZ0-CycS-kBsC-08Osxf 
        ├─lvmpool-root                            ext4              0020cff6-d95a-4afd-921d-5c7faac83a4c   /
        └─lvmpool-home                            ext4              b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd   /home
The <u-u-i-d> is e99fc375-b62d-4f45-8fd0-baf2370309d3
and the <n-a-m-e> is luks-e99fc375-b62d-4f45-8fd0-baf2370309d3

so the above line becomes :

Code:
linux   /vmlinuz-linux cryptdevice=UUID=e99fc375-b62d-4f45-8fd0-baf2370309d3:luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 root=/dev/mapper/lvm-crypt/root rw quiet
16) Create a new fstab file
Code:
# genfstab -U -p /mnt > /mnt/etc/fstab
17) Create a new mkinitcpio.conf
Code:
# chroot /mnt
Add the appropriate hooks to the /etc/mkinitcpio.conf

Code:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"
Code:
mkinitcpio -p linux
Finally remove the /etc/machine-id so that a new one is created.

20) Reboot

Unmount all and reboot
 
Old 12-12-2016, 01:41 PM   #10
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

Rep: Reputation: 101
Most of it looks fine.

1) I would not back up from a running operating system, there is always the risk of inconsistency. It is better to back up from a live system.

4) Seems fine, you can use the bs=1M with dd for improved speed.

14) It does not look like your way of mounting the LVMs would work. You can check the correct paths of your lvm volumes using lvscan.

15) I have disavowed grub so I don't know how that works in Arch. I am also not familiar with 17) because it looks like it is Arch specific.
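
The path check suggested for step 14, carried through to the kernel line of step 15, as an added example that is not part of any post in this thread. The function names are hypothetical and the lvscan output is a constructed sample; the volume group name (lvmpool), the mapping name (lvm-crypt) and the UUID are the ones shown in post #9.

```shell
#!/bin/sh
# Constructed sample of `lvscan` output for the volume group from step 11.
SAMPLE_LVSCAN="  ACTIVE            '/dev/lvmpool/root' [100.00 GiB] inherit
  ACTIVE            '/dev/lvmpool/swap' [4.00 GiB] inherit
  ACTIVE            '/dev/lvmpool/home' [126.00 GiB] inherit"

# Print the /dev/<vg>/<lv> paths found in lvscan output read from stdin.
lv_paths() {
    sed -n "s/^[[:space:]]*[A-Za-z]*[[:space:]]*'\([^']*\)'.*/\1/p"
}

# device-mapper joins VG and LV with one hyphen and doubles any hyphen that
# is part of either name, so VG "my-vg" + LV "root" becomes "my--vg-root".
dm_escape() { printf '%s' "$1" | sed 's/-/--/g'; }

# Map /dev/<vg>/<lv> to its /dev/mapper/<vg>-<lv> equivalent.
mapper_path() {
    rest=${1#/dev/}
    printf '/dev/mapper/%s-%s\n' \
        "$(dm_escape "${rest%%/*}")" "$(dm_escape "${rest#*/}")"
}

# Accept only the UUID form printed by `lsblk -f` for the LUKS partition.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Kernel parameters for the mkinitcpio "encrypt" hook:
#   cryptdevice=UUID=<UUID of the LUKS partition>:<mapping name> root=<root LV>
# usage: kernel_params LUKS_UUID MAPPING_NAME ROOT_LV_PATH
kernel_params() {
    is_uuid "$1" || { echo "not a UUID: $1" >&2; return 1; }
    case $2 in ''|*/*) echo "bad mapping name: $2" >&2; return 1 ;; esac
    printf 'cryptdevice=UUID=%s:%s root=%s\n' "$1" "$2" "$(mapper_path "$3")"
}

# Demo with the names from post #9 (the UUID is the one in its lsblk sample).
printf '%s\n' "$SAMPLE_LVSCAN" | lv_paths | while read -r lv; do
    printf '%s -> %s\n' "$lv" "$(mapper_path "$lv")"
done
kernel_params e99fc375-b62d-4f45-8fd0-baf2370309d3 lvm-crypt /dev/lvmpool/root
```

On the real system, pipe the live `lvscan` output into `lv_paths` instead of the sample; either path form printed for a volume can be passed to mkfs, mount and `root=`.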
 
  

