A paranoid's dream, or Once again about encryption

    In light of recent events and the increased activity of state anti-piracy agencies, I think many people have wondered how to protect themselves or their server in case unexpected “guests” show up. My task was to protect a home media server from such intrusions; after a couple of days of googling and reading manuals and howtos, I managed to implement it. I will say right away that there are many articles on encryption, but they are mostly about encrypting only individual partitions, or they are outdated or contain many errors.


    1. All drives must be securely encrypted
    2. The drive must show no partition layout at all, as if it were a new (or wiped) drive
    3. The OS must live on encrypted partitions
    4. It must be possible to add disk space by adding new drives
    5. The system must boot without entering the encryption key


    First, a brief explanation of how it all works: the bootloader and the key file are stored on a small (<50 MB) partition of a flash drive; when the machine is switched on, the bootloader unlocks the encrypted drive, loads the kernel, attaches the virtual partitions (LVM), and the system then boots normally.
    Ubuntu Server 9.10 was chosen as the operating system, but the same can be done on any UNIX-like system. I'll note right away that the installer can encrypt the system at installation time, but that cannot satisfy points 1 and 2 from the list above, so we will do it by hand.
    We will need:
    1. An Ubuntu Server 9.10 image
    2. A LiveCD distribution. I took a regular Ubuntu Desktop CD, since it can work with encrypted partitions out of the box.
    3. A flash drive that will be used to boot the system
    4. Basic knowledge of *nix systems
    5. Steady hands

    STEP 1. Preparing a flash drive and hard drive

    A) Partitioning the flash drive and creating the key
    Connect the flash drive to the computer whose drive will be encrypted and boot from the LiveCD. Our task is to create 2 partitions on the flash drive: the first takes almost all the space and is formatted as FAT16, FAT32 or NTFS (your choice); the second, 50 MB at the end of the flash drive, is formatted as ext2. This layout is not accidental: thanks to the first partition the flash drive stays fully usable in any OS, and Windows will not see the second partition at all, which is a plus if the flash drive falls into the wrong hands. I used the GParted GUI utility (it is on the LiveCD) to create the partitions, but nothing stops you from using fdisk. After creating the partitions, mount them:
    sudo su
    mkdir /mnt/flash /mnt/boot
    mount /dev/sdb1 /mnt/flash
    mount /dev/sdb2 /mnt/boot

    Now create the key file with which the drive will be encrypted, and make a duplicate of it (just in case):
    dd if=/dev/random of=/mnt/boot/mykey bs=1 count=256
    cp /mnt/boot/mykey /mnt/flash/

    B) Preparing the drive for encryption
    First, we need to fill the drive with completely random data. This is done so that it is impossible to tell in which sectors your data lies and how much space it occupies; roughly speaking, the whole drive opened in a hex editor should look uniformly filled with incoherent garbage regardless of how much information you store. There are 2 standard ways to do this; both are slow, so be patient.
    The first way. Random data is taken from the pseudo-random number generator and written to the drive in 2 MB blocks. The generation rate on a Core Quad Q6600 was only 6 MB/s, so the 80 GB test drive took 4 hours to fill.
    sudo dd if=/dev/urandom of=/dev/sda bs=2M

    I did not personally check the second method, since I found it after the drive was already prepared. It uses the bad-block test program with a random write pattern. I cannot say anything about the speed of this method or the "quality" of its random data.
    sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda
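    As an added check that is not part of the original article: the script below estimates the Shannon entropy of sample blocks read from a device, so you can confirm that the wipe really left uniform random data before encrypting (an unwiped or zero-filled region shows up as low entropy). The zero-filled and /dev/urandom sample files it builds are constructed stand-ins for an unwiped and a wiped drive; the function names and the 7.9 bits/byte threshold are my own. On the real disk you would run looks_wiped /dev/sda as root.

```shell
#!/bin/sh
# Added example, not from the original article: estimate the byte entropy of
# samples read from a device to verify the random-data wipe.

# entropy_bits_per_byte FILE [BLOCKS] [SKIP_BLOCKS]
# Reads BLOCKS 4 KiB blocks starting SKIP_BLOCKS blocks into FILE and prints
# the Shannon entropy of the byte distribution (8.000 = perfectly uniform).
# Prints 0.000 and returns 1 if nothing could be read at that offset.
entropy_bits_per_byte() {
    dd if="$1" bs=4096 count="${2:-64}" skip="${3:-0}" 2>/dev/null |
    od -An -v -tu1 |
    awk '{ for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
         END { if (n == 0) { print "0.000"; exit 1 }
               h = 0
               for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
               printf "%.3f\n", h }'
}

# looks_wiped FILE [SKIP_BLOCKS...]
# Returns 0 when every sampled region has entropy >= 7.9 bits/byte.
# Default sample offsets: 0, 4 MiB and 256 MiB into the device.
looks_wiped() {
    f="$1"; shift
    [ $# -gt 0 ] || set -- 0 1024 65536
    for off in "$@"; do
        h=$(entropy_bits_per_byte "$f" 64 "$off")
        awk -v h="$h" 'BEGIN { exit (h >= 7.9) ? 0 : 1 }' || return 1
    done
    return 0
}

# Constructed samples: 256 KiB of zeros (unwiped) and 256 KiB from /dev/urandom (wiped).
ZERO_SAMPLE=$(mktemp); dd if=/dev/zero    of="$ZERO_SAMPLE" bs=4096 count=64 2>/dev/null
RAND_SAMPLE=$(mktemp); dd if=/dev/urandom of="$RAND_SAMPLE" bs=4096 count=64 2>/dev/null

echo "zeros:   $(entropy_bits_per_byte "$ZERO_SAMPLE") bits/byte"
echo "urandom: $(entropy_bits_per_byte "$RAND_SAMPLE") bits/byte"
```

    A region of all zeros gives exactly 0 bits/byte, real random data comes out just under 8; anything noticeably lower at some offset means that part of the disk was not overwritten.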

    Now that the disk surface is filled, it's time to encrypt it. For this we use LUKS.
    sudo cryptsetup -h=sha256 -c=aes-cbc-essiv:sha256 -s=256 luksFormat /dev/sda /mnt/boot/mykey

    You will be warned about data destruction; to confirm you must type YES (in capital letters). Now we open the encrypted disk:
    sudo cryptsetup -d=/mnt/boot/mykey luksOpen /dev/sda drivespace

    Enter the password and we get a new block device, /dev/mapper/drivespace, which can be used like a regular drive.
    C) Creating virtual partitions (LVM)
    You could create regular partitions and format them, but that would not let us grow the partitions later (you would have to add new ones), so we use LVM. In short, it lets you add new drives to the pool at any time and extend the logical partitions onto the added free space. My LiveCD booted without the necessary packages, so we first install them, then create a physical volume from our decrypted drive and divide it into logical volumes.
    sudo su
    apt-get install lvm2
    pvcreate /dev/mapper/drivespace
    vgcreate vg /dev/mapper/drivespace
    lvcreate -L1G -nswap vg
    lvcreate -L3G -nroot vg
    lvcreate -l 100%FREE -ndata vg

    Now we have 3 more block devices: /dev/mapper/vg-swap, /dev/mapper/vg-root and /dev/mapper/vg-data. We format them with the required filesystems.
    sudo su
    mkswap /dev/mapper/vg-swap
    mkfs.ext4 /dev/mapper/vg-root
    mkfs.xfs /dev/mapper/vg-data

    Done! Our drive is ready for the OS to be moved onto it. To prepare the system we will need the UUIDs of the drive and partitions, so we save them to a file on the flash drive:
    ls -l /dev/disk/by-uuid >/mnt/flash/uuid.txt

    STEP 2. Preparing the operating system

    A) System Installation
    Install the OS either on a separate drive or on a second computer (virtual machine). Connect the flash drive before installation. It is better to do a minimal installation; choose the settings for your needs. The only important point: specify right away that /boot goes on the second partition of the flash drive (so as not to move it later) and make sure the GRUB bootloader is installed on the flash drive.
    B) Installing additional packages, changing settings
    After the installation is complete, we need to add packages for encryption and LVM support and fix some configs. Install the packages (with the Internet connected):
    sudo apt-get -y install cryptsetup lvm2
    Edit the GRUB config. Ubuntu uses GRUB2, so we edit /boot/grub/grub.cfg. Find the menuentry "Ubuntu, Linux 2.6.31-14-server" and just below it change
    linux   /vmlinuz-2.6.31-14-server root=UUID=9a651089-88fa-46d6-b547-38d3e10d4e67 ro   quiet splash

    to
    linux   /vmlinuz-2.6.31-14-server root=/dev/mapper/vg-root ro   quiet splash

    Edit /etc/fstab:
    proc            /proc           proc    defaults        0       0
    UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5       /boot           ext2    defaults        0       2
    /dev/mapper/vg-root       /               ext4    errors=remount-ro 0       1
    /dev/mapper/vg-data      /home           xfs     defaults        0       1
    /dev/mapper/vg-swap       none            swap    sw              0       0

    For /boot we specify the device as the UUID of the second partition of the flash drive (take it from the file on the flash drive or look it up again in the system); this is needed so that the system always mounts the correct partition regardless of how many flash drives or disks are connected.
    Edit /etc/crypttab:
    drivespace   UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b       /boot/mykey      luks,cipher=aes-cbc-essiv:sha256

    Here we specify the UUID of our encrypted drive (look it up in the file on the flash drive).
    C) Changing the initrd
    Prepare the initrd to work with encryption and LVM. In the file /etc/initramfs-tools/modules add:
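    As an added example that is not part of the original article: a small script that reads the uuid.txt saved in step 1 (the output of ls -l /dev/disk/by-uuid) and prints the fstab and crypttab lines for a given device name, so the UUIDs are never retyped by hand. The uuid.txt content below is constructed using the article's own UUIDs; the device names (sda for the encrypted disk, sdb2 for the /boot partition) and the function names are assumptions, and on a LiveCD the disk may well appear under a different name, which is exactly why the UUID and not the device name goes into the config files.

```shell
#!/bin/sh
# Added example, not from the original article: derive fstab / crypttab lines
# from the uuid.txt produced by "ls -l /dev/disk/by-uuid > /mnt/flash/uuid.txt".

# Constructed sample of uuid.txt (UUIDs taken from the article, device names assumed).
SAMPLE_UUID_TXT=$(mktemp)
cat >"$SAMPLE_UUID_TXT" <<'EOF'
total 0
lrwxrwxrwx 1 root root 10 2009-11-20 12:00 1A2B-3C4D -> ../../sdb1
lrwxrwxrwx 1 root root 10 2009-11-20 12:00 eb7f5e37-b957-43dd-8af6-3c8983670df5 -> ../../sdb2
lrwxrwxrwx 1 root root  9 2009-11-20 12:00 090d14c1-e3c8-48e7-b123-6d9b8b2e502b -> ../../sda
EOF

# uuid_of FILE DEVNAME: print the UUID whose symlink points at ../../DEVNAME;
# return 1 (printing nothing) when the device is not listed.
uuid_of() {
    awk -v dev="../../$2" '
        $(NF-1) == "->" && $NF == dev { print $(NF-2); found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# crypttab_line FILE DEVNAME MAPNAME KEYFILE: the /etc/crypttab entry for the LUKS disk.
crypttab_line() {
    uuid=$(uuid_of "$1" "$2") || return 1
    printf '%s\tUUID=%s\t%s\tluks,cipher=aes-cbc-essiv:sha256\n' "$3" "$uuid" "$4"
}

# fstab_boot_line FILE DEVNAME: the /etc/fstab entry for /boot on the flash drive.
fstab_boot_line() {
    uuid=$(uuid_of "$1" "$2") || return 1
    printf 'UUID=%s\t/boot\text2\tdefaults\t0\t2\n' "$uuid"
}

# On the real file this would be: crypttab_line /mnt/flash/uuid.txt sda drivespace /boot/mykey
crypttab_line "$SAMPLE_UUID_TXT" sda drivespace /boot/mykey
fstab_boot_line "$SAMPLE_UUID_TXT" sdb2
```

    Both functions fail loudly (non-zero exit, no output) when the device is not in the file, so a typo in the device name cannot silently produce an empty UUID= entry.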

    Create the file /etc/initramfs-tools/hooks/cryptokeys with the following script:
    #!/bin/sh
    PREREQ=""
    prereqs() {
            echo "$PREREQ"
    }
    case $1 in
    prereqs)
            prereqs
            exit 0
            ;;
    esac
    if [ ! -x /sbin/cryptsetup ]; then
            exit 0
    fi
    . /usr/share/initramfs-tools/hook-functions
    mkdir ${DESTDIR}/etc/console
    cp /boot/mykey ${DESTDIR}/etc/console
    copy_exec /sbin/cryptsetup /sbin

    It copies our key file into an unusual place inside the initrd image, so the flash drive does not have to be mounted again at boot. Create the file /etc/initramfs-tools/scripts/local-top/cryptokeys with the script:
    #!/bin/sh
    PREREQ=""
    prereqs() {
            echo "$PREREQ"
    }
    case $1 in
    # get pre-requisites
    prereqs)
            prereqs
            exit 0
            ;;
    esac
    modprobe -b dm_crypt
    modprobe -b aes_generic
    modprobe -b sha256
    while ! /sbin/cryptsetup -d=/etc/console/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace; do
           echo "Try again..."
    done

    It is executed during the initrd boot process, loads the necessary kernel modules, and tries to open our encrypted drive with UUID 090d14c1-e3c8-48e7-b123-6d9b8b2e502b (the loop is for the case of a passphrase instead of a key file). Put your own encrypted drive's UUID here.
    Now we execute:
    sudo chmod +x /etc/initramfs-tools/hooks/cryptokeys
    sudo chmod +x /etc/initramfs-tools/scripts/local-top/cryptokeys
    sudo update-initramfs -u -k all

    D) Packing the system for transfer
    Mount the root filesystem partition in a separate folder and pack it onto the first partition of the flash drive:
    mkdir /mnt/root && mount /dev/sda1 /mnt/root && cd /mnt/root
    tar cfjv /mnt/flash/systembackup.tar.bz2 .  # DO NOT MISS THE DOT AT THE END OF THE LINE

    Now you can transfer the system.

    STEP 3. System Transfer

    Everything is simple: connect the flash drive with the backup, boot from the LiveCD, open the encrypted drive, install the LVM support package, mount the virtual root partition (you may have to run vgscan and vgmknodes first so that the system sees the volumes), mount the flash drive and unpack the system archive.
    sudo su
    mkdir /mnt/flash 
    mount /dev/sdb1 /mnt/flash
    cryptsetup -d=/mnt/flash/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace
    apt-get install lvm2
    #vgscan && vgchange -a y && vgmknodes vg  # Run this if the system did not see the logical volumes
    mkdir /mnt/root
    mount /dev/mapper/vg-root /mnt/root
    mkdir /mnt/root/home
    mount /dev/mapper/vg-data /mnt/root/home
    cp /mnt/flash/systembackup.tar.bz2 /mnt/root && cd /mnt/root  # copy the archive onto the disk to speed up unpacking
    tar xfvj systembackup.tar.bz2

    Well, that's all: reboot the computer and boot from the flash drive. If everything was done correctly, after a few seconds you will see the message Key slot 0 unlocked, meaning your drive has been decrypted and attached, after which the normal system boot proceeds.

    Notes, Sources

    In the case of a home computer, such a system reliably protects your personal information and does not let anyone use the computer without your knowledge (without the flash drive). In the case of a server in an organization, if inspectors come, you pull out the flash drive and hit reset, and for the experts you have a non-working / new computer. For a server at a hosting provider I would complicate the scheme and store the key somewhere on the network: if the server is disconnected and taken away, it will not boot without Internet access (and you need to revoke access to the key quickly so that it does not boot at all).

    If everything worked for you the first time, you can safely delete all files from the first partition of the flash drive.

    Be sure to make a copy of your key so as not to lose access to your data. It is also a good idea to add a second key in the form of a passphrase (how to do this can be found in the LUKS / cryptsetup documentation). Fault-tolerant storage based on RAID 1, 5 or 6 will also not be superfluous when storing valuable information.

    When setting up this entire system, I first modeled it on a virtual machine and only then transferred it to a real computer. I would also very much like to hear the opinion of lawyers (preferably from Ukraine) on the provability of guilt in distributing pirated content if the experts cannot get to the information (which is impossible without the key) but find that the drive is encrypted.

    LUKS Wikipedia
    EncryptedFilesystemHowto5 - the most useful of the articles I found; almost everything was done following it.
    UPD Corrected the drive encryption command. Thanks ITpower
