Encrypt Fedora

From VVCWiki
Revision as of 20:44, 6 February 2009 by Dburdick (talk | contribs) (→‎Create backup)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

This article will help you to encrypt your existing Fedora 10 installation

Where we begin

We have the following disk configuration:

# fdisk -l /dev/sda

Disk /dev/sda: 40.0 GB, 40000000000 bytes
255 heads, 63 sectors/track, 4863 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000e6cc7

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14        4863    38957625   8e  Linux LVM
  • /dev/sda1 is our /boot partition
  • /dev/sda2 is physical volume for existing volume group vg0
# cat /etc/fstab
/dev/vg0/root           /                       ext3    noatime         1 1
/dev/vg0/tmp            /tmp                    ext2    noatime         1 2
/dev/vg0/home           /home                   ext3    noatime         1 2
/dev/vg0/var            /var                    ext3    noatime         1 2
/dev/vg0/usr            /usr                    ext3    noatime         1 2
LABEL=boot              /boot                   ext2    noatime         1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/vg0/swap           swap                    swap    defaults        0 0

Install required packages

  • dump
  • plymouth-system-plugin
  • cryptsetup-luks
yum install dump plymouth-system-plugin cryptsetup-luks

Create backup

Mount your external USB disk, for example, to /mnt and use dump to backup your current installation. Make two copies, on two different disks, to be sure, this is the most important step

dump -0 -f /mnt/root.dump /
dump -0 -f /mnt/usr.dump /usr
dump -0 -f /mnt/var.dump /var
dump -0 -f /mnt/home.dump /home

Boot in rescue mode

Skip mounting existing installation, we are going to destroy it in the next step

  • Make the existing data unrecoverable
shred -v -n 1 -z /dev/sda2
  • Create new encrypted physical volume
cryptsetup --verify-passphrase luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sda2
cryptsetup --verbose luksOpen /dev/sda2 cryptpv
  • recreate volume group and logical volumes
lvm pvcreate /dev/mapper/cryptpv
lvm vgcreate -s 32M vg0 /dev/mapper/cryptpv
lvm lvcreate --size 512 --name root vg0
lvm lvcreate --size 2G  --name swap vg0
lvm lvcreate --size 4G  --name usr  vg0
lvm lvcreate --size 1G  --name var  vg0
lvm lvcreate --size 1G  --name home vg0
lvm lvcreate --size 256 --name tmp  vg0
mke2fs -j -L root /dev/vg0/root
mkswap -L swap /dev/vg0/swap
mke2fs -j -L usr /dev/vg0/usr
mke2fs -j -L var /dev/vg0/var
mke2fs -j -L home /dev/vg0/home
mke2fs -L tmp /dev/vg0/tmp
  • remount backup and root
mkdir /tmp/root
mkdir /tmp/mnt
mount /dev/sdb1 /tmp/mnt
mount -t ext3 /dev/vg0/root /tmp/root
  • restore root
cd /tmp/root
restore -r -f /tmp/mnt/root.dump
rm restoresymtable
  • mount and restore remaining file systems
mount -t ext3 -o noatime /dev/vg0/usr /tmp/root/usr 
cd /tmp/root/usr
restore -r -f /tmp/mnt/usr.dump
rm restoresymtable
mount -t ext3 -o noatime /dev/vg0/var /tmp/root/var 
cd /tmp/root/var
restore -r -f /tmp/mnt/var.dump
rm restoresymtable
mount -t ext3 -o noatime /dev/vg0/home /tmp/root/home 
cd /tmp/root/home
restore -r -f /tmp/mnt/home.dump
rm restoresymtable
mount -t ext2 -o noatime /dev/vg0/tmp /tmp/root/tmp
chmod 1777 /tmp/root/tmp
  • unmount backup, create all device nodes for chrooted environment
umount /tmp/mnt
cp -ax /dev/* /tmp/root/dev
mkdir /tmp/root/dev/shm
mount -t proc proc /tmp/root/proc
mount -t sysfs sysfs /tmp/root/sys
  • chroot into restored system
chroot /tmp/root
mount -a
swapon -a
vgcfgbackup
  • recreate initrd image
cd /boot
mkinitrd -v -f `ls initrd*` `ls /lib/modules`
  • force fsck check and selinux relabeling of the new system
touch /.autofsck /.autorelabel

You are done

exit
reboot