-
Notifications
You must be signed in to change notification settings - Fork 3
Encryption
see also:
* moving most OUT from here to there- [general](https://github.com/artmg/lubuild/blob/master/help/configure/Disks-and-layout.md)
- [disk](https://github.com/artmg/lubuild/blob/master/help/configure/Disks-and-layout.md)
- [about](https://github.com/artmg/lubuild/blob/master/help/configure/Disks-and-layout.md)
_Move to one of the above, once split out - maybe **Layouts**?_
Encrypted Home folders can have issues, such as swap or hibernate or system temp files being outside the encryption, or even sometimes bugs with the setup. As an alternative Full Disk Encryption with LVM requires a key to unlock the 'whole' disk at boot, then everything in there is encrypted and protected. Note that 'whole' disk has exceptions: 1) the Boot partition which must remain unencrypted to allow boot up, 2) any dual boot partitions such as Windows, and 3) optionally data partitions for sharing between dual boot OSes
The "ubiquity" installer's option for Full Disk Encryption means full disk, and cannot cater for additional un-encrypted volumes such as dual booting. Therefore you probably still want to "do something else" during install.
Boot partition: you will need a (Logical) encrypted Boot partition of between at least 100 MB and maybe as much as 200 MB to start. Choose 'something else' create it as Ext4 and set it to mount as /boot.
LVM partition: now create a (Logical) partition to hold your system apps and data as "Physical Volume for Encryption", enter the encryption key twice, and you will see it created under /dev/mapper as /sdxn_crypt
credit - http://www.hecticgeek.com/2012/10/how-to-setup-encrypted-ubuntu-installation/
Note that by default the label is blank, so if you auto mount the volume in another system it will base the mount folder name on the full UUID. If you want to change the label to something friendlier, use the command-line util e2label /dev/name NewLabel
see also the section "LVM on LUKS" in the article https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system which has way more detail than you should need for a while.
if the installer fails with "Unsafe swap space detected" then try
sudo swapoff -a
before restarting the installer
If you want swap or home 'partitions' under this LVM volume you should use pvcreate for the LVM physical volume, vgcreate for the volumne group inside it, and lvcreate for the logical volumes within.
e.g.
# help - https://help.ubuntu.com/community/SettingUpLVM-WithoutACleanInstall
Encrypted Home Folders is more secure than no encryption at all, and has a place where multiple users share a single device (where sharing a boot decyption password is less convenient)
# credit - http://askubuntu.com/a/53244 # # is home drive encrypted? # sudo ls -lA /home/username/ # # should include entries like # lrwxrwxrwx 1 username username 56 2011-05-08 18:12 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop # lrwxrwxrwx 1 username username 38 2011-05-08 18:12 .ecryptfs -> /home/.ecryptfs/username/.ecryptfs # lrwxrwxrwx 1 username username 37 2011-05-08 18:12 .Private -> /home/.ecryptfs/username/.Private # lrwxrwxrwx 1 username username 52 2011-05-08 18:12 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
Your home folder encryption key is different from your login passphrase. You can keep it for future reference
# enter your passphrase and SECURELY store the key it generates ecryptfs-unwrap-passphrase
Alternatively, if you later want to access an encrypted home folder later (e.g. you access the storage media from another device or distro) you can recover the passphrase by locating the folder and file named below:
# enter your login passphrase to see your encryption passphrase ecryptfs-unwrap-passphrase /path/to/the/file/.ecryptfs/wrapped-passphrase # credit - http://askubuntu.com/questions/238047/ # paste that encryption passphrase after running the following command # and note the SECOND signature output by it sudo ecryptfs-add-passphrase --fnek # now mount the home folder sudo mount -t ecryptfs /path/to/the/folder/.Private /path/to/mount/into/ # help - https://help.ubuntu.com/community/EncryptedPrivateDirectory#Live_CD_method_of_opening_a_encrypted_home_directory
== Encrypted Swap
Follow instructions to set up Encrypted Swap in https://github.com/artmg/lubuild/blob/master/help/configure/Disks-and-layout.md#encrypted-swap
- Create a new user account and choose to encrypt the home folder
- Use a strong passphrase as the user logon password, as this is the key who's entropy determines the strength of the encryption against brute force
With previous versions it was much harder - here are some notes for posterity
uses pam_mount to authenticate the user and use their password to mount the cryptoloop device
http://blog.felipe-alfaro.com/2006/08/19/encrypted-home-on-ubuntu-using-cryptoloop/
using pam_mount to encrpyt at a block file with LUKS or alternatively file by file with ecryptfs (the way the ubuntu encrypts user homes) - http://www.mayrhofer.eu.org/encrypted-home-dirs - EncFS may be a file-level alternative
Background on Ubuntu Encryption - mentions some of the folders that may contain sensitive data outside of the home folder - https://help.ubuntu.com/community/EncryptedFilesystemHowto
Forensic Distro 'Kali' has on option where the entire persistence partition is encrypted (using a LUKS nuke key): http://www.offensive-security.com/kali-linux/kali-encrypted-usb-persistence/
Here's an example from an old Ubuntu release, which states the way the user got this working fine in later 11.04 release https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/563907
Q? Can the new user have a mount passphrase without needing a user login password?
G?: ecryptfs FAQ
G?: persistent casper ecryptfs encrypted home
G?: Subject: [Bug 545570] Re: Oops when mounting ecryptfs on
persistent live usb system - msg#64799
!!!!!!!!!
https://bugs.launchpad.net/ecryptfs/+bug/1021376
"mount: Operation not permitted" on every login or after ecryptfs-mount-private on persistent USB
!!!!!!!!!!
http://web.archiveorange.com/archive/v/PqQ0RHxJfbrKzoNQuG6E
[NEW] Oops when mounting ecryptfs on persistent live usb system
?????????
http://ubuntuforums.org/archive/index.php/t-1882157.html
http://forumarray.com/ubuntu-home-directory-not-decrypting-on-login-1004-ecryptfs-668050
CRAP aggregator, but has similar Qs as mine for more learning
https://help.ubuntu.com/community/EncryptedHome
ABOUT
http://bodhizazen.net/Tutorials/Ecryptfs/
LOADS ABOUT encrypted homes, put SIMPLY
e.g. How to use F6 Esc to add 'user-setup/encrypt-home=true' during a Full Install
http://askubuntu.com/questions/239503/how-to-log-in-after-logout-in-l-ubuntu-live-persistent-usb
States that Lubuntu 12.10 used and new user added, and only issue was that couldn't log BACK on with builtin (lubuntu) account unless rebooted
http://ubuntuforums.org/showthread.php?t=1702816
mentions CLI for creating encrypted homed user requires ecryptfs-utils and is...
sudo adduser --encrypt-home username
to encrypt later use ecryptfs-migrate-home - doh!
http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html
and run 'sudo ecryptfs-recover-private' from LiveUSB to recover data from encrypted home
https://wiki.ubuntu.com/LiveUsbPendrivePersistent
explains how to partition USB stick for Persistent Live in early ubuntu versions - may give some ideas if encrypted home cannot go inside casper drive
http://manpg.es/ecryptfs-setup-swap
If you want to encrypt swap use ecryptfs-setup-swap to alter /etc/fstab and /etc/crypttab that ensure your swap space is encrypted at every boot
https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage
using cryptsetup to encrypt whole filesystems - not much use :(
http://ubuntuforums.org/showthread.php?t=1014968&p=6466219#post6466219
mentions that setting a password for the live session user makes the account unusable - this is aimed at the auto session user but may apply to others in persistent live?? Unfortunately no explanation is given :(
http://shallowsky.com/blog/linux/install/ubuntu-persistent-live-cd.html
Vague mention of issues with password entry when creating users in Ubuntu Oneric
research - http://shallowsky.com/blog/linux/install/ubuntu-persistent-live-cd.html
Vague mention of issues with password entry when creating users in Ubuntu OnericThese were not on track for the solution we wanted:
- Full Install (not Live) and Full Disk Encryption - blow by blow for Ubuntu 12.04 Alternate: http://members.iinet.net/~herman546/p19.html
- Similar (but much simpler) description of installing Mint with option "use entire disk and set up encrypted LVM": http://www.itninja.com/blog/view/create-a-bootable-encrypted-usb-running-linux-mint-16