Linux full system encryption

Truecrypt is a famous solution for encrypting hard disks, but the support for ciphering the system partition is restricted to Windows users. For Linux the most common method to do this is Luks. There are various HOWTO’s on setting up full disk encryption using Luks [1] [2], but most of them need a manual setup and encryption of each partition and separate configuration in order to build a fully ciphered system.
On Debian based Linux distributions there is a more comfortable way to solve this issue. The precondition is that the alternate installation CD for Ubuntu or a recent Debian installation image has to be chosen. The main focus is then on the partitioning menu.

  1. The first step is to choose the manual way of partitioning the hard disk
  2. Here the first partition to create is “/boot”, using a normal unencrypted file system like ext3
  3. The whole rest of the hard disk is used for the second partition. Here not e.g. ext3, but “physical volume for encryption” is the preferred option to choose.
  4. Now, in the main menu of the partitioner the new option “Configure encrypted volumes” is selected. Here the password of the 2nd partition is defined, and the partition is formatted (encrypted in this case)
  5. By default the new encrypted partition appears as ext3 in the main partitioning menu. This has to be changed from ext3 to use it as “physical volume for LVM” – the Linux Volume Manager
  6. Another new menu entry in the main window of the partition manager appears: “Configure the Logical Volume Manager”.
    • Here a new volume group has to be created using the encrypted 2nd partition which was set up just before. Within this volume group different logical volumes can be created. For example the Linux root volume “/”, “/home” and “swap”.
    • It is important that the volume groups are created in decreasing order of the size. (first the biggest, the smallest as the last) If not an error will show up.
  7. After creating the volume groups, they appear in the main menu of the partitioner and can be formated with the preferred file system format (e.g. ext3 or swap)
Here is a screenshot after making all these steps:

From here on the installation of the Linux system is “business as usual”..

In addition to all the advantages of a Logical Volume, a possible attacker even cannot see the partition table of the system, because it is encrypted within the LV.

In general Truecrypt and Luks are software based encryption methods which are not immune against attacks. The best solution is hardware encryption where the ciphering and storing of the keys is made within a special designated chip.

Clemens Kurtenbach
S21sec labs

Deja un comentario