Migrating a running Ubuntu system to encrypted disks
This article covers how to encrypt an already running Linux operating system. Suppose you have a server that already hosts your website, or on which you keep a lot of personal information; naturally you do not want it to fall into the wrong hands. Likewise, if you use the server as storage, you clearly do not want that data to be readable by whoever pulls the hard drives out. There are many such situations, which is why we need to protect our content from prying eyes.
Article based on information from habrahabr.ru
I installed a fresh Ubuntu 12.04 in a virtual machine and added a second 1 GB disk (/dev/sdb) to it; the boot partition holding the /boot folder will be migrated onto that disk. As I wrote in the previous article, the only element that has to stay unencrypted is the boot data (the kernel image, the initramfs and GRUB), which is needed to unlock the disk before the root file system can be mounted.
root@test-winxp-ie7d:~# cat /etc/issue
Ubuntu 12.04.1 LTS \n \l
root@test-winxp-ie7d:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 9.0G 1.2G 7.4G 14% /
udev 486M 4.0K 486M 1% /dev
tmpfs 198M 304K 198M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 495M 0 495M 0% /run/shm
root@test-winxp-ie7d:~# fdisk -l
Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000649ec
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 18874367 9436160 83 Linux
/dev/sda2 18876414 20969471 1046529 5 Extended
/dev/sda5 18876416 20969471 1046528 82 Linux swap / Solaris
Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/sdb doesn't contain a valid partition table
root@test-winxp-ie7d:~#
First you need to format the new disk, mount it as the new boot volume and copy the entire /boot folder onto it.
root@test-winxp-ie7d:~# mkfs.ext4 /dev/sdb
mke2fs 1.42 (29-Nov-2011)
/dev/sdb is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65536 inodes, 262144 blocks
13107 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
root@test-winxp-ie7d:~# mkdir /mnt/newboot
root@test-winxp-ie7d:~# mount /dev/sdb /mnt/newboot/
root@test-winxp-ie7d:~# cp -R /boot/* /mnt/newboot/
root@test-winxp-ie7d:~# mv /boot /boot_old
root@test-winxp-ie7d:~# mkdir /boot
At this stage the boot folder has been moved to the new drive. Now we need to add the corresponding entry to fstab so that it is mounted correctly.
root@test-winxp-ie7d:~# echo "/dev/sdb /boot ext4 defaults 0 0" >> /etc/fstab
You can now update the GRUB configuration and safely restart the system.
root@test-winxp-ie7d:~# update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-29-generic
Found initrd image: /boot/initrd.img-3.2.0-29-generic
Found memtest86+ image: /memtest86+.bin
done
root@test-winxp-ie7d:~# grub-install /dev/sda
Installation finished. No error reported.
root@test-winxp-ie7d:~# reboot
root@test-winxp-ie7d:~#
Broadcast message from alex@test-winxp-ie7d
(/dev/pts/0) at 6:06 ...
The system is going down for reboot NOW!
After rebooting, log back in and look at what the file system layout now looks like.
root@test-winxp-ie7d:~# df -hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext4 9.0G 1.2G 7.4G 14% /
udev devtmpfs 486M 4.0K 486M 1% /dev
tmpfs tmpfs 198M 304K 198M 1% /run
none tmpfs 5.0M 0 5.0M 0% /run/lock
none tmpfs 495M 0 495M 0% /run/shm
/dev/sdb ext4 1021M 71M 900M 8% /boot
root@test-winxp-ie7d:~# ls /boot/
abi-3.2.0-29-generic grub lost+found memtest86+_multiboot.bin vmlinuz-3.2.0-29-generic
config-3.2.0-29-generic initrd.img-3.2.0-29-generic memtest86+.bin System.map-3.2.0-29-generic
As you can see, the bootloader, kernel image and initramfs are now on a separate drive.
Next we need to migrate the entire file system to the encrypted disk, which will be mounted at /. For this I added another disk (/dev/sdc) as the new root (system) disk; the old root disk is /dev/sda1.
Encrypt the disk sdc and mount it so that all of the files can be transferred.
root@test-winxp-ie7d:~# mkdir /mnt/newroot
root@test-winxp-ie7d:~# cryptsetup luksFormat /dev/sdc
WARNING!
========
This will overwrite data on /dev/sdc irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
root@test-winxp-ie7d:~# cryptsetup luksOpen /dev/sdc encryptroot
Enter passphrase for /dev/sdc:
root@test-winxp-ie7d:~# mkfs -t ext4 /dev/mapper/encryptroot
mke2fs 1.42 (29-Nov-2011)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
196608 inodes, 785920 blocks
39296 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=805306368
24 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
root@test-winxp-ie7d:~# mount -t ext4 /dev/mapper/encryptroot /mnt/newroot/
Now modify fstab and crypttab, update the initramfs, and copy everything from the old root disk /dev/sda1 onto the encrypted disk sdc.
root@test-winxp-ie7d:~# ls -l /dev/disk/by-uuid/
total 0
...
lrwxrwxrwx 1 root root 10 Sep 16 06:46 5e5fac1c-080b-437a-96ff-d9e4e3b04759 -> ../../sda1
lrwxrwxrwx 1 root root 9 Sep 16 06:47 d08aab55-a935-4155-aea0-b6fd5da8bed3 -> ../../sdc
...
root@test-winxp-ie7d:~# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# proc /proc proc nodev,noexec,nosuid 0 0
# / was on /dev/sda1 during installation
#UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759 / ext4 errors=remount-ro 0 1
/dev/mapper/encryptroot / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=eae26cf5-303a-4c17-ac63-d7dd82891c09 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
/dev/sdb /boot ext4 defaults 0 0
root@test-winxp-ie7d:~# cat /etc/crypttab
#
encryptroot UUID=d08aab55-a935-4155-aea0-b6fd5da8bed3 none luks
root@test-winxp-ie7d:~# sed -i -e "s|root=UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759|root=/dev/mapper/encryptroot|" /boot/grub/grub.cfg
root@test-winxp-ie7d:~# ln -s /boot/vmlinuz-3.2.0-29-generic /mnt/newroot/vmlinuz
root@test-winxp-ie7d:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.2.0-29-generic
root@test-winxp-ie7d:~# rsync -aHx / /mnt/newroot
root@test-winxp-ie7d:~# rsync -aHx /dev /mnt/newroot/
root@test-winxp-ie7d:~# reboot
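Before rebooting, it is worth confirming that the new fstab and crypttab agree with each other, because a wrong root device or a crypttab entry that does not match is one way to land in the kernel panic mentioned below. The script that follows is an added example and not part of the original article: it parses constructed copies of the fstab and crypttab entries shown above (function names are my own), checks that / is a dm-crypt mapping declared by UUID, and flags the swap, which in this setup still sits unencrypted on /dev/sda5.

```shell
#!/bin/sh
# Pre-reboot consistency check for a LUKS root migration (added example, not
# from the article). It only reads the two files given as arguments, so it can
# run against /etc/fstab and /etc/crypttab or, as here, constructed copies.

# Device field of the fstab entry mounted at $2 (comment lines ignored).
fstab_device() {                      # $1 = fstab file, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# Succeeds only if / is on /dev/mapper/<name> and crypttab declares <name>
# by UUID=, which survives /dev/sdX renumbering once the old disk is removed.
check_root_mapping() {                # $1 = fstab file, $2 = crypttab file
    dev=$(fstab_device "$1" /)
    case "$dev" in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "root '$dev' is not a dm-crypt mapping" >&2; return 1 ;;
    esac
    src=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$2")
    case "$src" in
        UUID=*) return 0 ;;
        "")     echo "no crypttab entry for $name" >&2; return 1 ;;
        *)      echo "crypttab names $name by '$src', not UUID=" >&2; return 1 ;;
    esac
}

# Swap entries not backed by a mapper device: they stay unencrypted and can
# hold plaintext pages of the very data the migration is meant to protect.
unencrypted_swap() {                  # $1 = fstab file
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ "^/dev/mapper/" { print $1 }' "$1"
}

# Constructed copies of the fstab and crypttab entries shown in the article.
make_sample_files() {                 # $1 = directory to write into
    cat > "$1/fstab" <<'EOF'
# / was on /dev/sda1 during installation
#UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759 / ext4 errors=remount-ro 0 1
/dev/mapper/encryptroot / ext4 errors=remount-ro 0 1
UUID=eae26cf5-303a-4c17-ac63-d7dd82891c09 none swap sw 0 0
/dev/sdb /boot ext4 defaults 0 0
EOF
    echo 'encryptroot UUID=d08aab55-a935-4155-aea0-b6fd5da8bed3 none luks' > "$1/crypttab"
}

dir=$(mktemp -d)
make_sample_files "$dir"
check_root_mapping "$dir/fstab" "$dir/crypttab" && echo "root mapping OK"
echo "swap still unencrypted on: $(unencrypted_swap "$dir/fstab")"
rm -rf "$dir"
```

Keep in mind that after the migration the old /dev/sda1 still holds a plaintext copy of the whole root file system, and the swap on /dev/sda5 is on that same unencrypted disk, until both are overwritten or the disk is destroyed.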
If, after the reboot, you are shown the following window, everything worked. If you got a kernel panic, write in the comments and describe what the problem might be and at which step it failed.
After authorization, let's see what we've got.
root@test-winxp-ie7d:~# df -hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/encryptroot ext4 3.0G 1.1G 1.8G 38% /
udev devtmpfs 485M 4.0K 485M 1% /dev
tmpfs tmpfs 198M 312K 198M 1% /run
none tmpfs 5.0M 0 5.0M 0% /run/lock
none tmpfs 495M 0 495M 0% /run/shm
/dev/sdb ext4 1021M 74M 897M 8% /boot
root@test-winxp-ie7d:~# fdisk -l
Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000649ec
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 18874367 9436160 83 Linux
/dev/sda2 18876414 20969471 1046529 5 Extended
/dev/sda5 18876416 20969471 1046528 82 Linux swap / Solaris
Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/sdb doesn't contain a valid partition table
Disk /dev/sdc: 3221 MB, 3221225472 bytes
255 heads, 63 sectors/track, 391 cylinders, total 6291456 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x08040000
Disk /dev/sdc doesn't contain a valid partition table
Disk /dev/mapper/encryptroot: 3219 MB, 3219128320 bytes
255 heads, 63 sectors/track, 391 cylinders, total 6287360 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/encryptroot doesn't contain a valid partition table
root@test-winxp-ie7d:~#
As you can see, the root file system is now mounted from the encrypted volume, and the old drive /dev/sda can be removed.
If you are interested in full-system encryption from A to Z, starting with encryption during installation and ending with remote unlocking of LUKS volumes, I describe it in detail here.