Using Luks encrypted partitions in linux

This post continues my updating of earlier posts on encryption.  A future post will cover the use of an encrypted LVM.

This post will describe how to set up encrypted partitions during installation or later.  I currently have both “/home” and swap encrypted this way in a test install of opensuse 12.2 M3 (a beta version).

Why encrypt?

A major reason for using encrypted partitions is privacy.  If you have a laptop, it might be stolen.  The disk on your laptop will eventually be trashed or recycled.  If your private data is on encrypted partitions, then you won’t have to worry about somebody going through the disks to uncover information that should be private.

Which partitions to encrypt

Ultimately, the choice is yours.  If you are encrypting anything then, at a minimum, you should probably encrypt both “/home” and swap.  I previously described how to encrypt swap with a random encryption key.  However, if you are using Luks on another partition, then I now recommend that you also use Luks encryption for swap.  And I recommend that you use the same encryption key for all Luks encrypted partitions on the one computer.

As far as I can tell, you cannot easily encrypt the root partition this way, at least when using the opensuse installer.  The documentation says that you can for opensuse 11.2 and newer:

Encrypting the root file system, as well as the home, tmp and other partitions is now fully supported in the Opensuse graphical installer.

However, that has not been my experience.  I first tried that with opensuse 11.3, and the installer told me that it could not encrypt the root partition.  I recently tried again with 12.2M3, and the installer said that I could not encrypt root, “/var” “/usr” or “/boot”.  I did have a separate “/boot” configured, and was not trying to configure that.  So the documentation does not match what happens.  If you want an encrypted root file system, it will be easier to use an encrypted LVM which is supported by the installer.

Backup first

If you are going to use an encrypted “/home” or other partition that already has user data, then start with a backup of existing data.  You won’t need to backup swap.  And if this is a completely new install, with no existing “/home” then you won’t have to backup that either because you don’t have any data there.

Using the installer

During the install you are normally asked about partitioning.  At this stage, you need to either take the option to create partitions or to edit partitions.  Either way, once you have satisfactory partitioning, you can right-click on the partitions that you want to encrypt.  That will allow you to give options for those partitions.  Since you are encrypting, you will also need to format.  So first select the option to format the partition, and then select the option to encrypt the partition.  You will be prompted for a password or key to use for the encryption.  In fact, you will be prompted twice, as a cross check that you typed it in without error.  Whatever key you use here, be sure that you remember it.  Otherwise you will lose data.  There is no recovery from a forgotten key.  Some people use the login password for the main user of the computer as the encryption key, though it is not necessary to use that.  It is possible to have several alternate keys, but I don’t think you can set that up during installation (you can add keys later).

Once you have selected encryption for your partitions, proceed with the remainder of the install as usual.

The first boot after install

On the first boot after install, you will be prompted for the encryption key.  If you encrypted three partitions, then you will be prompted three times for a key.  This will be annoying, but you can fix that later as long as you used the same key for all encrypted partitions.

Hibernation won’t work at first with Luks encrypted swap.  That’s because the check for recovery from hibernation is done before the decryption, so a recovery from hibernation won’t be recognized.  We will fix that, too.

Restore from backup

If you had to backup an existing partition before going with encryption, then now is the time to restore the backed up data for that partition.

Changes after install

Now that everything is working, you will want to make some small changes so that you only need to enter the key once, and so that hibernation will work.  To make these changes, you will need to run some commands as the root user.  So open a terminal session (Konsole in KDE, gnome-terminal in Gnome, or xterm for any desktop).  If your desktop has an option for a root terminal session, use that.  Otherwise open a terminal then use the “su” command to become root (requires the root password).

You will first need to edit the file “/etc/crypttab”.  You can use “vi” or “kwrite” or “gedit” for that.  There will be one or more lines in that file (one for each encrypted partition).  The lines will look like

cr_sda5 /dev/disk/by-id/gobbledygook-part5      none    none

You will want to change that last “none” to “initrd” in each affected line.  If it says “defaults” instead of “none”, just change that to “initrd”.  If it instead has one or more options, then add “,initrd” to the end.

Next, as root, enter the command

# mkinitrd

That should regenerate the “initrd” (initial ram disk used during boot).  Once that is done, the decryption should be handled earlier in the boot, you should only need to enter the crypto key once, and recovery from hibernation should work.
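The crypttab edit described above, as an added example rather than anything from the original post: a small POSIX shell script that applies the post's three rules to every line of a crypttab file (“none” or “defaults” becomes “initrd”, an existing option list gets “,initrd” appended, lines that already have it are left alone) and keeps a backup copy. The sample device ids in the demo are constructed placeholders; the file layout follows crypttab(5) (name, device, key file, options). Running “mkinitrd” afterwards is still a separate manual step, as the post says.

```shell
#!/bin/sh
# Added example (not from the original post): give every entry in a crypttab
# file the "initrd" option, applying the post's rules: "none" or "defaults"
# becomes "initrd", an existing option list gets ",initrd" appended, and lines
# that already carry it, comments and blank lines are passed through unchanged.
# Fields follow crypttab(5): name, device, key file, options.

# Transform one crypttab line and print the result.
add_initrd_option() {
    line=$1
    set -f                      # no globbing while splitting the fields
    # shellcheck disable=SC2086
    set -- $line
    set +f
    case ${1:-} in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;   # blank or comment line
    esac
    name=$1 device=$2 keyfile=${3:-none} opts=${4:-none}
    case $opts in
        none|defaults)                       opts=initrd ;;
        initrd|initrd,*|*,initrd|*,initrd,*) ;;              # already present
        *)                                   opts="$opts,initrd" ;;
    esac
    printf '%s %s %s %s\n' "$name" "$device" "$keyfile" "$opts"
}

# Rewrite a crypttab file in place, leaving a .bak copy of the original.
# Run "mkinitrd" afterwards, as the post describes, for the change to take effect.
update_crypttab() {
    file=${1:-/etc/crypttab}
    tmp="$file.tmp.$$"
    cp -- "$file" "$file.bak" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        add_initrd_option "$line"
    done < "$file" > "$tmp" && mv -- "$tmp" "$file"
}

# Demo on a constructed sample file (run with --demo); never touches /etc.
if [ "${1:-}" = --demo ]; then
    sample=$(mktemp)
    printf '%s\n' '# constructed sample crypttab' \
        'cr_sda5 /dev/disk/by-id/ata-EXAMPLE-part5 none none' \
        'cr_sda6 /dev/disk/by-id/ata-EXAMPLE-part6 none defaults' \
        'cr_sda7 /dev/disk/by-id/ata-EXAMPLE-part7 none luks,discard' > "$sample"
    update_crypttab "$sample" && cat "$sample"
    rm -f "$sample" "$sample.bak"
fi
```

Invoke it as root with “sh update-crypttab.sh --demo” to see the transformation on the sample, or call “update_crypttab /etc/crypttab” from the script to change the real file; the .bak copy lets you undo the edit if the next boot misbehaves.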

Command line access

If you ever need to repair your system, you might be booting from a live CD or booting to repair mode from an install DVD.  You may need to use commands to make the encrypted file system available.  I will describe how to do that.

I shall assume that the encrypted partition is “/dev/sda5”.

Here are the commands to use

# cryptsetup luksOpen /dev/sda5 cr_sda5
# mount /dev/mapper/cr_sda5 /mnt

This will make the file system available as “/mnt” in your repair system.  You could use the full “by-id” name instead of the device name, but use of the device name is easier.  The name you use (the last option in the “cryptsetup” command) needs to match what you use following “/dev/mapper/” in the “mount” command.  You could call it “home” instead of “cr_sda5” – use what is convenient for you.

Manual setup

It is possible to set up encryption manually, and that should work on most linux systems, not just opensuse.  Don’t try this unless you are reasonably adept at the use of the command line and the use of the “man” command.

I will outline the steps:

  1. Edit “/etc/fstab” and comment out the entries for the partitions that you plan to encrypt.
  2. Create or modify “/etc/crypttab”.  You will need an entry for each Luks encrypted partition.  Check the line earlier in this post for details of the format.  Use copy/paste to get the device id for each line.  Copy from the line you commented out in “/etc/fstab” and paste into the second field of the line of “/etc/crypttab”.  The first field is just a convenient name to use.  Choosing a name based on the partition (device name), as suggested above, would be a good choice.
  3. Set up encryption on each device, using
    # cryptsetup luksFormat device
  4. Decrypt the partitions with
    # cryptsetup luksOpen device name
  5. Format the decrypted file systems.  You would use something like “/dev/mapper/cr_sda5” to reference the file system.  Then format with “mkfs” for a regular file system, or “mkswap” for swap.
  6. Update “/etc/fstab”.  Uncomment the entry that was earlier commented out, but change the device id to “/dev/mapper/whatever-name” as appropriate.
  7. Reboot, and see if it all works.
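The seven steps above collected into one script, as an added example that is not part of the original post. Device paths, mapper names and file-system types are the caller's choices; the “/dev/disk/by-id/ata-EXAMPLE-…” values in the demo are constructed placeholders. The destructive commands (luksFormat, mkfs, mkswap) are only executed when DRY_RUN=0 is set; by default the script prints them, and it never writes to /etc itself, so the crypttab and fstab changes can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not from the original post: the seven manual-setup steps as one
# script. Device paths, mapper names and file-system types are the caller's own
# choices; the /dev/disk/by-id/... values in the demo are constructed placeholders.
# The destructive commands (luksFormat, mkfs, mkswap) run only with DRY_RUN=0;
# by default they are printed instead.
DRY_RUN=${DRY_RUN:-1}

# Execute a command, or only show it while DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'dry-run: %s\n' "$*"; else "$@"; fi
}

# Step 2: a crypttab entry in the format shown in the post
# (name, device, key file, options).
crypttab_line() {
    printf '%s %s none none\n' "$1" "$2"
}

# Steps 1 and 6 in one pass: print fstab with the line for the device
# commented out and the same line re-added for /dev/mapper/<name>.
rewrite_fstab() {
    awk -v dev="$2" -v map="/dev/mapper/$3" '
        $1 == dev { print "# " $0; $1 = map; print; next }
        { print }' "$1"
}

# Steps 3 to 5: create the LUKS container, open it, then make the file system
# ("swap" selects mkswap, anything else is passed to mkfs -t).
encrypt_partition() {
    device=$1 name=$2 fstype=$3
    run cryptsetup luksFormat "$device"
    run cryptsetup luksOpen "$device" "$name"
    if [ "$fstype" = swap ]; then
        run mkswap "/dev/mapper/$name"
    else
        run mkfs -t "$fstype" "/dev/mapper/$name"
    fi
}

# Demo with constructed names (run with --demo): shows the commands, the
# crypttab entry and the rewritten fstab without writing to /etc.
if [ "${1:-}" = --demo ]; then
    dev=/dev/disk/by-id/ata-EXAMPLE-part5                    # constructed placeholder
    fstab=$(mktemp)
    printf '%s\n' "$dev /home ext4 defaults 1 2" > "$fstab"   # constructed fstab line
    encrypt_partition "$dev" cr_sda5 ext4
    echo '--- add to /etc/crypttab:'; crypttab_line cr_sda5 "$dev"
    echo '--- new /etc/fstab:';       rewrite_fstab "$fstab" "$dev" cr_sda5
    rm -f "$fstab"
    echo 'Step 7: reboot once crypttab and fstab have been updated.'
fi
```

Because “/etc/fstab” is rewritten from a copy, the expected order of operations is: save the rewrite_fstab output to a temporary file, check it, then move it over “/etc/fstab” and append the crypttab_line output to “/etc/crypttab” before rebooting. The “initrd” option and the “mkinitrd” run from the post-install section are a separate step and are not applied here.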

The above steps won’t work for encrypting root.  You would also need a separate “/boot” partition (unencrypted), and you would have to modify the boot parameters so that the path to the encrypted filesystem is used for root.  You would need to put “initrd” in the options field of “crypttab” and run “mkinitrd”.  And you would have to get all of that right before attempting a reboot.


About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

2 responses to “Using Luks encrypted partitions in linux”

  1. ben @ geekswing says :

    Quick note: since many of us remotely manage systems, putting in a crypttab entry like that with third column “none” requires a password entry on console at reboot. Learned that the hard way so wanted to save some people a “pleasant surprise” 🙂


    • Neil Rickert says :

      Point taken, though I would hope that most people who remotely manage systems would already know this.

      My advice on disk encryption for remotely managed systems would be to use only randomly encrypted swap and encrypted home directories. That allows unattended startup. If more than that is needed, then careful planning is required.

