BY MICHAEL NERB
Encrypting individual filesystems is no big deal; in fact, some distributions allow you to encrypt directories as part of the installation routine. But encrypting the home directory on your laptop is a job half done. Dishonest finders can still draw conclusions from log and configuration files. If you’re serious about providing security through encryption, you need to protect the whole hard disk against spying – something that no distribution can do out of the box.

Things start to become more complex if you need to protect the root filesystem. Neither Suse nor Debian Linux give users a tool to help encrypt the root filesystem during the install (or later). That means you’ll need to roll up your shirt sleeves for some hands-on configuration.

In this workshop, we will start by installing a standard Linux system and then progress to encrypting the existing filesystems one at a time. We will finish off by deleting the unprotected partition and using the space for other tasks, such as swapping out the /home directory to an encrypted partition of its own.

Our goal is to encrypt the entire hard disk (with the exception of the partition table in the Master Boot Record). Because it isn’t possible to encrypt the boot partition, we will move /boot to an external medium – a USB stick, in this case. To boot from the stick, we will need to modify the BIOS and GRUB bootloader settings. The USB stick then creates an additional layer of security by serving as a kind of “key” that the thief will need to possess in order to gain access to the laptop. If this approach seems impractical for your purposes, you can keep the boot partition on your hard disk. However, /boot must be on an unencrypted partition of its own.

In this article, we’ll use DM-Crypt [1] for our filesystem en-
[Figure: layer diagram showing the application layer (mountpoint: /tmp), the filesystem layer (Ext 2), and the kernel layer]

The newly encrypted root filesystem is now mounted below

Now use chroot to work with the encrypted system. Start by setting up the missing mountpoints, and mount the memory stick as /boot.
Depending on the integration status of cryptsetup for your distribution, there are different approaches to doing this.

Debian Ramdisk

Debian Sarge has some fairly useful support here. Add the aes-i586 and sha256 modules to /etc/mkinitrd/modules (each in a separate line); add the following line to the existing /etc/crypttab file:

    dm-root /dev/hda3 none luks,cipher=aes-cbc-essiv:sha256

In a similar way, change the root filesystem in /etc/fstab to point to /dev/mapper/dm-root:

    /dev/mapper/dm-root / ext3 defaults 0 1

Then run yaird -o /boot/initrd to create a working initrd on the memory stick. yaird (yet another initrd) replaces the standard mkinitrd tool, which can’t handle encrypted root filesystems in the Debian version.

Suse Ramdisk

For Suse Linux, you'll need to add the required kernel modules dm-mod, dm-crypt, aes-i586, sha256, and ext3, using the INITRD_MODULES parameter in the /etc/sysconfig/kernel file. (The module names must be separated by blanks.)

More changes are required to the /sbin/mkinitrd program: you might like to create a backup copy before you continue. In the mkinitrd_kernel function, look for the lines that copy /sbin/insmod to the ramdisk; depending on your Suse version, they may look slightly different. For Suse Linux 10.1 the lines look like:

    if ! cp_bin $initrd_insmod $tmp_mnt/sbin/insmod 2>/dev/null ; then
        error 5 "no static insmod"
    fi

Add the following two lines immediately below this:

    cp_bin /sbin/cryptsetup-luks $tmp_mnt/sbin/ 2>/dev/null \
        || error 5 "no static cryptsetup-luks"

In the udev_discover_root function, add the following as the first command:

    | echo "Setting up LUKS device $rootdev. Provide pass phrase now."
    | /sbin/cryptsetup-luks luksOpen /dev/hda3 dm-root

Then you just need to change the entry for the root filesystem to /dev/mapper/dm-root (for the ext3 filesystem) in /etc/fstab. Finally, run the /sbin/mkinitrd -o /boot/initrd command to create a new initial RAM disk on the memory stick.

The Tension Mounts

Before rebooting, modify the /boot/grub/menu.lst file on your memory stick. Change the root kernel parameter in the menu entry that launches the Linux system to point to the virtual block device, /dev/mapper/dm-root. You also need to modify the initrd entry (/boot/initrd). A typical entry will look like this:

    title Suse Linux 10.0 (USB-Boot, Encrypted Root)
    kernel (hd0,0)/vmlinuz root=/dev/mapper/dm-root
    initrd (hd0,0)/initrd

Reboot the laptop. Make sure you have set USB as the default boot device in the BIOS boot order. cryptsetup-luks will now prompt you for the passphrase for the root filesystem, and assuming that you provide the correct password, boot to the login screen. Calling mount removes any trace of doubt (Figure 3). If this does not work, try booting without the memory stick: you still have the unencrypted Linux system on the hard

INFO
[1] DM-Crypt: http://www.saout.de/misc/dm-crypt
[2] Device Mapper Resource Page: http://sources.redhat.com/dm/
[3] “Secret Messages: Hard disk encryption with DM-Crypt, LUKS, and cryptsetup,” by Clemens Fruhwirth and Markus Schuster, Linux Magazine 12/05, pg. 65.
[4] Linux Unified Key Setup (LUKS): http://luks.endorphin.org/dm-crypt
[5] Peter Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory”: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
[6] Suspend 2: http://www.suspend2.net
[7] Wipe – Secure File Deletion: http://wipe.sourceforge.net
[8] Luksopen script on the DM-Crypt Wiki: http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen
[9] Shell script cryptfs: http://www.linux-magazine.com/Magazine/Downloads/72/DM-Crypt
[10] Clemens Fruhwirth: “New Methods in Hard Disk Encryption,” http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf

Security 101

Encrypting your laptop hard disk is just one layer in an all-encompassing security policy – and it is no replacement for a security policy, as it only protects the data while the computer is switched off. If you lose your laptop after entering the correct pass phrases and with a user session running on the Linux system, an attacker would have the same access as to a completely unprotected machine. This warning also applies to threats from the Internet, assuming the laptop has an Internet connection. Malware has unrestricted access to your data once it gains access to the system.

In other words, this workshop cannot give you absolute security; but following these rules will keep your laptop as secure as possible:

• Store the laptop and memory stick separately.
• Configure a power-on password and a supervisor password in your laptop’s BIOS; only allow a USB stick as the boot medium.
• Use robust passwords, and change them at regular intervals.
• Do not work with root privileges if you can avoid doing so.
• Use a restrictive (personal) firewall configuration.
• Use at least one virus scanner with current virus signatures.
• Set up a password-protected screensaver, and let the screensaver enable automatically.
• Check your logfiles for suspicious entries at regular intervals.
• Check for and install security patches and updates for any software you use.
• Back up your data at regular intervals; keep the backups in a safe place.
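
The entries edited in the Debian Ramdisk and The Tension Mounts sections (/etc/crypttab, /etc/fstab, and menu.lst) have to name the same /dev/mapper device before the reboot. The following pre-reboot check is an added example, not part of the original article; the function names are hypothetical, and the files are passed as paths so that copies can be checked:

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for crypttab, fstab and menu.lst.
# Function names are hypothetical; paths are passed in so copies can be tested.

# Mapping name of the first LUKS entry in a crypttab-style file.
crypttab_luks_name() {
    awk 'NF && $1 !~ /^#/ && index("," $4 ",", ",luks,") { print $1; exit }' "$1"
}

# Device mounted on / in an fstab-style file.
fstab_root_device() {
    awk 'NF && $1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Value of root= on the first kernel line of a GRUB menu.lst.
grub_root_param() {
    awk '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^root=/) { print substr($i, 6); exit }
    }' "$1"
}

# Succeeds only if all three files agree on /dev/mapper/<name> and an
# initrd line is present; otherwise names the file that is out of step.
check_encrypted_root() {
    name=$(crypttab_luks_name "$1")
    [ -n "$name" ] || { echo "crypttab: no luks entry"; return 1; }
    want="/dev/mapper/$name"
    [ "$(fstab_root_device "$2")" = "$want" ] ||
        { echo "fstab: / is not on $want"; return 1; }
    [ "$(grub_root_param "$3")" = "$want" ] ||
        { echo "menu.lst: root= is not $want"; return 1; }
    awk '$1 == "initrd" { found = 1 } END { exit !found }' "$3" ||
        { echo "menu.lst: no initrd line"; return 1; }
    echo "ok: root filesystem is $want"
}

# Demo on constructed copies holding the entries shown in the article.
demo_dir=$(mktemp -d)
echo 'dm-root /dev/hda3 none luks,cipher=aes-cbc-essiv:sha256' > "$demo_dir/crypttab"
echo '/dev/mapper/dm-root / ext3 defaults 0 1' > "$demo_dir/fstab"
printf '%s\n' 'title Suse Linux 10.0 (USB-Boot, Encrypted Root)' \
    'kernel (hd0,0)/vmlinuz root=/dev/mapper/dm-root' \
    'initrd (hd0,0)/initrd' > "$demo_dir/menu.lst"
check_encrypted_root "$demo_dir/crypttab" "$demo_dir/fstab" "$demo_dir/menu.lst"
rm -rf "$demo_dir"
```

On a real system, run it inside the chroot against /etc/crypttab, /etc/fstab, and /boot/grub/menu.lst after creating the new initrd.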