Disk encryption in Ubuntu
Installation from scratch
- Everything is done from the menus with the alternate CD
Reinstallation without upgrade, keeping the encrypted volumes
- Or from the desktop CD, to recover volumes that are in use, for example /home
sudo apt-get install lvm2 cryptsetup
vgchange -ay
cryptsetup luksOpen /dev/vg0/lv0 cryptroot
cryptsetup luksOpen /dev/vg0/lv1 crypthome
cryptsetup luksOpen /dev/vg0/lv2 cryptswap
- Install, formatting cryptroot but not crypthome
- Before rebooting, chroot into the new root, bind-mounting the system filesystems, and install what is needed
sudo mount /dev/mapper/cryptroot /mnt/root
mount -o bind /dev /mnt/root/dev
...
chroot /mnt/root
sudo apt-get install lvm2 cryptsetup
...
Converting a plain installation into an encrypted one
- Make a tar of everything
- Keep /boot unencrypted
- Configure LVM
- Configure cryptsetup on top of LVM
- Create cryptroot, with this name
- Create crypthome, with this name
- Create cryptswap, with this name
- Edit /etc/fstab
- Reinstall grub2
- Create the crypttab so that at boot you are asked to open all the devices:
sudoedit /etc/crypttab
# <target name> <source device> <key file> <options>
cryptroot /dev/mapper/vg0-lv0 none luks
crypthome /dev/mapper/vg0-lv1 none luks
cryptswap /dev/mapper/vg0-lv2 none luks
- Add the specification of how to mount cryptroot as a kernel parameter
sudoedit /etc/default/grub
GRUB_CMDLINE_LINUX="splash cryptopts=source=/dev/mapper/vg0-lv0,target=cryptroot"
- In practice, the format is
cryptopts=source=DEVICE_CONTAINING_THE_ENCRYPTED_VOLUME,target=NAME_OF_THE_ENCRYPTED_VOLUME_AS_IN_CRYPTTAB
- Update grub and the initrd:
sudo update-grub
sudo update-initramfs -u -k all
- For the formats, see System encryption on Debian Etch
I am currently using everything in my message... posting from a computer with everything except /boot encrypted.
The swap partition is set up with a random key. I am pretty sure the luks and swap options probably don't work together, but the swap by itself works fine.
As for initramfs-tools, to autoconfigure it also needs the partitions to be mounted. On the other hand, you can pass all the options on the kernel command line in grub.
root=/dev/mapper/zeuslvm-root cryptopts="target=cryptroot,source=/dev/sda4,lvm=zeuslvm-root"
then this is used instead of whatever the mkinitramfs script found, so could be used the first time you boot before mkinitramfs can run correctly.
The lvm option tells the initramfs script to test the partition created by the cryptmap for lvm, and if so configure it... the root= option then uses the lvm partition found. If you didn't have lvm, you could just use something like (I haven't tested this, but it should work)
root=/dev/mapper/cryptroot cryptopts="target=cryptroot,source=/dev/sda4"
As for the installer, what I did is created a 2G swap partition, and installed debian (basic) into the swap partition. I then created the crypt partition and set up lvm and everything, and then used debootstrap to install. After it was installed and booting, I turned the swap partition back into a swap partition.
- If the root is not mounted at boot, open cryptroot with
vgchange -ay
cryptsetup luksOpen /dev/vg0/lv0 cryptroot
cryptsetup luksOpen /dev/vg0/lv1 crypthome
cryptsetup luksOpen /dev/vg0/lv2 cryptswap
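The cryptopts target has to be a name that exists in crypttab, so a check before rebooting catches a typo that would leave the root unopened. The script below is an added example, not part of the original page: the function names are hypothetical, it assumes the one-line GRUB_CMDLINE_LINUX format shown above, and it also compares the source device, which is an extra consistency check chosen here.

```shell
#!/bin/sh
# Added example: verify that cryptopts in the grub defaults agrees with crypttab.

# Print one cryptopts sub-option (source or target) from a grub defaults file.
cryptopt_value() {  # $1 = grub defaults file, $2 = sub-option name
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr ' ' '\n' | sed -n 's/^cryptopts=//p' | tr ',' '\n' |
        sed -n "s/^$2=//p" | head -n 1
}

# Print the source device that crypttab lists for a target name.
crypttab_source() {  # $1 = crypttab file, $2 = target name
    awk -v t="$2" '$1 == t { print $2; exit }' "$1"
}

# Return 0 when the cryptopts target exists in crypttab with the same source;
# otherwise print the reason and return 1.
check_cryptopts() {  # $1 = grub defaults file, $2 = crypttab file
    src=$(cryptopt_value "$1" source)
    tgt=$(cryptopt_value "$1" target)
    if [ -z "$src" ] || [ -z "$tgt" ]; then
        echo "cryptopts lacks source= or target= in $1"; return 1
    fi
    tab_src=$(crypttab_source "$2" "$tgt")
    if [ -z "$tab_src" ]; then
        echo "target $tgt is not listed in $2"; return 1
    fi
    if [ "$tab_src" != "$src" ]; then
        echo "source mismatch for $tgt: grub=$src crypttab=$tab_src"; return 1
    fi
    echo "ok: $tgt <- $src"
}

# Constructed sample input that mirrors the two files shown on this page.
demo=$(mktemp -d)
printf '%s\n' 'GRUB_CMDLINE_LINUX="splash cryptopts=source=/dev/mapper/vg0-lv0,target=cryptroot"' > "$demo/grub"
printf '%s\n' '# <target name> <source device> <key file> <options>' \
    'cryptroot /dev/mapper/vg0-lv0 none luks' \
    'crypthome /dev/mapper/vg0-lv1 none luks' \
    'cryptswap /dev/mapper/vg0-lv2 none luks' > "$demo/crypttab"
check_cryptopts "$demo/grub" "$demo/crypttab"
rm -r "$demo"
```

On an installed system the same check is check_cryptopts /etc/default/grub /etc/crypttab, run before update-grub and update-initramfs.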