Encrypt Fedora
From VVCWiki
This article walks through encrypting an existing Fedora 10 installation in place: the LVM physical volume is wiped and replaced with a LUKS (dm-crypt) volume, and the file systems are restored into it from a dump backup. Only /boot stays unencrypted.
Where we begin
We have the following disk configuration:
 # fdisk -l /dev/sda

 Disk /dev/sda: 40.0 GB, 40000000000 bytes
 255 heads, 63 sectors/track, 4863 cylinders
 Units = cylinders of 16065 * 512 = 8225280 bytes
 Disk identifier: 0x000e6cc7

    Device Boot      Start         End      Blocks   Id  System
 /dev/sda1   *           1          13      104391   83  Linux
 /dev/sda2              14        4863    38957625   8e  Linux LVM
- /dev/sda1 is our /boot partition
- /dev/sda2 is physical volume for existing volume group vg0
 # cat /etc/fstab
 /dev/vg0/root   /          ext3    noatime         1 1
 /dev/vg0/tmp    /tmp       ext2    noatime         1 2
 /dev/vg0/home   /home      ext3    noatime         1 2
 /dev/vg0/var    /var       ext3    noatime         1 2
 /dev/vg0/usr    /usr       ext3    noatime         1 2
 LABEL=boot      /boot      ext2    noatime         1 2
 tmpfs           /dev/shm   tmpfs   defaults        0 0
 devpts          /dev/pts   devpts  gid=5,mode=620  0 0
 sysfs           /sys       sysfs   defaults        0 0
 proc            /proc      proc    defaults        0 0
 /dev/vg0/swap   swap       swap    defaults        0 0
Install required packages
- dump
- plymouth-system-plugin
- cryptsetup-luks
yum install dump plymouth-system-plugin cryptsetup-luks
Create backup
Mount an external USB disk, for example on /mnt, and use dump to back up the current installation. This is the most important step: make two copies, on two different disks. /tmp and swap are not dumped (they are recreated empty), and /boot stays in place untouched.
 dump -0 -f /mnt/root.dump /
 dump -0 -f /mnt/usr.dump /usr
 dump -0 -f /mnt/var.dump /var
 dump -0 -f /mnt/home.dump /home
A level-0 dump of a mounted, active file system can miss files that change while it runs, so do this from single-user mode with services stopped, and confirm that each dump file is readable before going on (for example with restore -t -f /mnt/root.dump, which lists its contents). Keep in mind that these dump files hold the complete plaintext of the system.
Boot in rescue mode
Boot from the Fedora 10 installation media in rescue mode. When asked, skip mounting the existing installation: it is destroyed in the next step. Everything below runs as root in the rescue shell.
- Make the existing data unrecoverable
 shred -v -n 1 -z /dev/sda2
This is the point of no return. Overwriting the old physical volume first makes sure no plaintext remnants of the old file systems remain on the disk next to the new encrypted volume; one random pass followed by the final zero pass (-z) is enough for that purpose.
- Create the new encrypted physical volume
 cryptsetup --verify-passphrase luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sda2
 cryptsetup --verbose luksOpen /dev/sda2 cryptpv
luksFormat asks for confirmation (type YES in uppercase) and then for the passphrase twice. The passphrase is the only thing protecting the disk, so choose a long one; a second passphrase can be added later with cryptsetup luksAddKey. aes-cbc-essiv:sha256 with a 256-bit key was the cryptsetup default at the time; on a current cryptsetup simply omit --cipher and --key-size to get its default, aes-xts-plain64. luksOpen maps the decrypted device to /dev/mapper/cryptpv, which serves as the LVM physical volume from now on.
- recreate the volume group and the logical volumes
 lvm pvcreate /dev/mapper/cryptpv
 lvm vgcreate -s 32M vg0 /dev/mapper/cryptpv
 lvm lvcreate --size 512 --name root vg0
 lvm lvcreate --size 2G --name swap vg0
 lvm lvcreate --size 4G --name usr vg0
 lvm lvcreate --size 1G --name var vg0
 lvm lvcreate --size 1G --name home vg0
 lvm lvcreate --size 256 --name tmp vg0
 mke2fs -j -L root /dev/vg0/root
 mkswap -L swap /dev/vg0/swap
 mke2fs -j -L usr /dev/vg0/usr
 mke2fs -j -L var /dev/vg0/var
 mke2fs -j -L home /dev/vg0/home
 mke2fs -L tmp /dev/vg0/tmp
Sizes given without a unit are megabytes, so root gets 512 MB and tmp 256 MB. Together the logical volumes use about 8.75 GB of the roughly 37 GB volume group; the rest stays free and can be assigned later with lvextend. mke2fs -j creates ext3; tmp is plain ext2, matching fstab. Adjust the sizes to what the dumps need (the original volumes must fit, or the restore will run out of space).
- mount the backup disk and the new root
 mkdir /tmp/root
 mkdir /tmp/mnt
 mount /dev/sdb1 /tmp/mnt
 mount -t ext3 /dev/vg0/root /tmp/root
This assumes the backup disk shows up as /dev/sdb1 in the rescue environment; check with fdisk -l first.
- restore root
 cd /tmp/root
 restore -r -f /tmp/mnt/root.dump
 rm restoresymtable
restore -r rebuilds the whole file system and must be run from the top directory of the empty, freshly created file system. The restoresymtable file it leaves behind is only needed for applying incremental dumps on top of a full one; remove it.
- mount and restore the remaining file systems
 mount -t ext3 -o noatime /dev/vg0/usr /tmp/root/usr
 cd /tmp/root/usr
 restore -r -f /tmp/mnt/usr.dump
 rm restoresymtable
 mount -t ext3 -o noatime /dev/vg0/var /tmp/root/var
 cd /tmp/root/var
 restore -r -f /tmp/mnt/var.dump
 rm restoresymtable
 mount -t ext3 -o noatime /dev/vg0/home /tmp/root/home
 cd /tmp/root/home
 restore -r -f /tmp/mnt/home.dump
 rm restoresymtable
 mount -t ext2 -o noatime /dev/vg0/tmp /tmp/root/tmp
 chmod 1777 /tmp/root/tmp
- unmount the backup and set up /dev, /proc and /sys for the chrooted environment
 umount /tmp/mnt
 cp -ax /dev/* /tmp/root/dev
 mkdir /tmp/root/dev/shm
 mount -t proc proc /tmp/root/proc
 mount -t sysfs sysfs /tmp/root/sys
The copied device tree from the rescue environment includes /dev/mapper/* and the /dev/vg0 links that fstab refers to, which is what lets mount -a work inside the chroot.
- chroot into the restored system
 chroot /tmp/root
 mount -a
 swapon -a
 vgcfgbackup
Before going on, check with grep /boot /proc/mounts that /boot is really mounted; if mount -a skipped it, mount it by hand with mount /boot. The next step writes the initrd there, and without /boot mounted the file would land on the root file system instead. vgcfgbackup stores the metadata of the new volume group under /etc/lvm/backup on the restored system.
- recreate the initrd image
 cd /boot
 mkinitrd -v -f `ls initrd*` `ls /lib/modules`
The two backtick expansions give a single file name and a single kernel version only if exactly one kernel is installed. With several kernels, run mkinitrd once per version and name the file and the version explicitly (mkinitrd -v -f /boot/initrd-<version>.img <version>). Take the version from /lib/modules, not from uname -r: in rescue mode uname -r reports the rescue kernel, not the installed one. If the first boot does not stop to ask for the LUKS passphrase, list the mapping in /etc/crypttab (cryptpv /dev/sda2 none) and rebuild the initrd again.
- force an fsck and a SELinux relabeling of the new system on the first boot
 touch /.autofsck /.autorelabel
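As an added check for the chroot and initrd steps above (example added by the editor, not part of the original wiki page): the first function lists every fstab mount point that is not actually mounted, so a /boot skipped by mount -a is caught before mkinitrd writes the image; the second derives one mkinitrd command per installed kernel from the /lib/modules directory instead of from uname -r, which in rescue mode names the rescue kernel. The function names, the arguments, and the sample fstab, mount table and kernel directory are the editor's own constructed data, not taken from a real system.

```shell
#!/bin/sh
# Pre-reboot sanity checks for an in-place LUKS migration (added example).
# Inside the chroot, call the functions on the real files:
#   unmounted_fstab_entries /etc/fstab /proc/mounts
#   initrd_commands /lib/modules /boot | sh

# Print every fstab mount point ($1 = fstab) that does not appear in the
# mount table ($2, normally /proc/mounts). Swap lines and comments are skipped.
unmounted_fstab_entries() {
    awk -v mounts="$2" '
        FILENAME == mounts { if (NF >= 2) mounted[$2] = 1; next }   # record live mount points
        NF < 3 || $1 ~ /^#/ { next }                                # blank or comment fstab line
        $3 == "swap" { next }                                       # swap has no mount point
        !($2 in mounted) { print $2 }                               # required but not mounted
    ' "$2" "$1"
}

# Print one mkinitrd command per kernel installed under $1 (normally
# /lib/modules), writing the image into $2 (normally /boot). A directory
# without modules.dep is not a complete kernel install and is skipped.
initrd_commands() {
    for dir in "$1"/*/; do
        [ -f "${dir}modules.dep" ] || continue
        ver=$(basename "$dir")
        echo "mkinitrd -v -f $2/initrd-$ver.img $ver"
    done
}

# --- demo on constructed sample data (not a real system) ---
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
/dev/vg0/root  /      ext3  noatime   1 1
/dev/vg0/usr   /usr   ext3  noatime   1 2
LABEL=boot     /boot  ext2  noatime   1 2
/dev/vg0/swap  swap   swap  defaults  0 0
proc           /proc  proc  defaults  0 0
EOF
cat > "$demo/mounts" <<'EOF'
/dev/mapper/vg0-root / ext3 rw,noatime 0 0
/dev/mapper/vg0-usr /usr ext3 rw,noatime 0 0
proc /proc proc rw 0 0
EOF
# one installed kernel (sample version string) plus a leftover directory without modules.dep
mkdir -p "$demo/modules/2.6.27.5-117.fc10.i686" "$demo/modules/build"
: > "$demo/modules/2.6.27.5-117.fc10.i686/modules.dep"

echo "fstab entries not mounted:"
unmounted_fstab_entries "$demo/fstab" "$demo/mounts"   # prints /boot
echo "initrd rebuild commands:"
initrd_commands "$demo/modules" /boot                  # prints one command for the fc10 kernel only
rm -rf "$demo"
```

Any line printed by unmounted_fstab_entries means mount -a did not do its job for that entry; fix that before rebuilding the initrd. Piping initrd_commands into sh runs the rebuild for every installed kernel, which is what the single backtick form on the page cannot do.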
You are done
 exit
 reboot
On the first boot the initrd stops to ask for the LUKS passphrase before vg0 can be activated; the forced fsck and the SELinux relabel then run. Once the system is up, confirm with cryptsetup status cryptpv that the volume group sits on the LUKS device, and then shred the dump files on the backup disks: they still hold the system in plaintext. Only /boot remains unencrypted; everything in vg0, swap included, is now protected. That covers a lost or stolen powered-off disk, but not an attacker with repeated physical access, who can still tamper with the unencrypted kernel and initrd in /boot.