How to Encrypt Root Filesystem in Linux

An understanding of how your computer boots is required, because unlocking an encrypted root filesystem is integral to the bootstrap process. The current, stable kernel series, 2.6, optionally uses initramfs to help boot. Initramfs is a cpio archive that the kernel now knows how to unpack into a RAM-based disk. This unpacked filesystem contains a script that traditionally loads the kernel modules needed to mount the root filesystem. In our case, this script also unlocks the encrypted root filesystem.

Several filesystem encryption interfaces are available for Linux. Several cryptoloop variations that provide an encrypted loopback device also exist. This article focuses on the dm-crypt interface provided by the recent 2.6 Linux kernels. This interface currently is preferred by the Fedora Project, and dm-crypt modules are provided by Fedora's kernel packages. Also required is a statically linked cryptsetup. This utility simplifies the management of dm-crypt devices. Finally, parted and hfsutils are used to manage the boot filesystem. A similar interface is now included by default in the 2.6 kernel of CentOS/RHEL 6; I will show it after this traditional walkthrough, which describes the method used with the Fedora-based modules.

Before an encrypted filesystem is set up, you should randomize the partition it will occupy. This eliminates a potential leak of information about the disk's contents. A partition is randomized by overwriting its contents with random data. For example, if the partition is /dev/hda1:

# dd if=/dev/urandom of=/dev/hda1

This process can take a long time, because creating random data is somewhat difficult.

Steps to Encrypt Filesystem

Follow these steps to set up the encrypted filesystem:

1) Ensure that the aes, dm-mod and dm-crypt modules have been loaded into the kernel.

2) Unmount the partition that will host the encrypted root filesystem, /dev/hda1, from /home

# umount /dev/hda1

3) Create a random 256-bit encryption key and store it at /etc/root-key

# dd if=/dev/urandom of=/etc/root-key bs=1c count=32

This key will be copied to the Flash disk later.

4) Create a dm-crypt device, encrypted using the key you just generated

# cryptsetup -d /etc/root-key create root /dev/hda1

Accessing '/dev/mapper/root' now provides an encrypted layer on top of /dev/hda1. By default, cryptsetup creates an AES-encrypted dm-crypt device and assumes a key size of 256 bits.

5) Create an ext3 filesystem on '/dev/mapper/root'

# mkfs.ext3 /dev/mapper/root

6) Mount the new filesystem

# mkdir /mnt/encroot
# mount /dev/mapper/root /mnt/encroot

7) Now that you have an encrypted filesystem, you must populate it with the contents of /dev/hda5 (the original root filesystem)

# cp -ax / /mnt/encroot

8) Finally, create an entry in '/mnt/encroot/etc/crypttab' so that various utilities know how the filesystem was configured

root /dev/hda1 /etc/root-key cipher=aes

Now we have our encrypted filesystem ready.
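The key file from step 3 and the crypttab entry from step 8 are worth checking before relying on them. The following is an added example, not part of the original article: it creates the 32-byte key under umask 077 so that it is never readable by other users, and audits the size and permissions of the key file that a crypttab line points to. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create and audit the 256-bit key file of step 3.
# Function names and the root-prefix argument are illustrative assumptions.

KEY_BYTES=32   # 256 bits, matching count=32 in step 3

# Create the key file so it is owner-only from the first byte written.
# Refuses to reuse an existing file, because dd keeps that file's old mode.
make_keyfile() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing file: $1" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$1" bs=1 count="$KEY_BYTES" 2>/dev/null )
}

# Print one finding per problem; return non-zero if anything is wrong.
audit_keyfile() {
    key=$1
    rc=0
    if [ ! -f "$key" ]; then
        echo "missing key file: $key"
        return 1
    fi
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        echo "wrong size: $size bytes, expected $KEY_BYTES"
        rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "readable beyond owner: group/other bits are '$perms'"
        rc=1
    fi
    return "$rc"
}

# Audit the key file named in the third field of a crypttab line (the format
# of step 8), resolved under an optional root prefix such as /mnt/encroot.
audit_crypttab_line() {
    line=$1
    prefix=${2:-}
    set -f; set -- $line; set +f
    if [ "$#" -lt 3 ]; then
        echo "crypttab line has no key file field"
        return 1
    fi
    audit_keyfile "$prefix$3"
}
```

For the layout in this article, the audit would be called as audit_crypttab_line "root /dev/hda1 /etc/root-key cipher=aes" /mnt/encroot.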

A similar and rather easier approach can be found in the new RHEL 6, where we have the concept of LUKS (Linux Unified Key Setup) volume encryption, whose looks are really killing, and also eCryptfs, a "pseudo-file system" which provides data and filename encryption on a per-file basis. The term "pseudo-file system" refers to the fact that eCryptfs does not have an on-disk format; rather, it is a file system layer that resides on top of an actual file system. The eCryptfs layer provides encryption capabilities.

eCryptfs works like a bind mount, as it intercepts file operations that write to the underlying (i.e. encrypted) file system. The eCryptfs layer adds a header to the metadata of files in the underlying file system. This metadata describes the encryption for that file, and eCryptfs encrypts file data before it is passed to the encrypted file system. Optionally, eCryptfs can also encrypt filenames.

eCryptfs is not an on-disk file system; as such, there is no need to create it via tools such as mkfs. Instead, eCryptfs is initiated by issuing a special mount command. To manage file systems protected by eCryptfs, the ecryptfs-utils package must be installed first.

Diving deep into such topics will require another article and is out of scope for this tutorial as of now. If you have any questions or feedback, feel free to leave a comment.