Transferring the operating system Ubuntu on encrypted disks

we will focus on how to encrypt an already running Linux operating system. Suppose you have a server already running your website or on which you stored a lot of personal information. Of course you don't want to fall into the wrong hands. Also, if you use the server as storage this is clearly not desirable that this data was something used when removing hard drives. Situations can be many... which is why we need to protect our content from prying eyes.

I installed a fresh Ubuntu 12.04 on a virtual machine and added to it another disk of 1 GB (/dev/sdb) that will be migrated the boot partition with the /boot folder. As I wrote in previous article the only unencrypted element needs to be boot information(i.e., the kernel image, initramfs, and grub), which is needed to decrypt the disk before mounting the root file system.
the
root@test-winxp-ie7d:~# cat /etc/issue
Ubuntu 12.04.1 LTS \n \l

root@test-winxp-ie7d:~# df-h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 9.0 G 1.2 G 7.4 G 14% /
udev 486M 4.0 K 486M 1% /dev
304K tmpfs 198M 198M 1% /run
none 5.0 M 0 5.0 M 0% /run/lock
none 495M 0 495M 0% /run/shm
root@test-winxp-ie7d:~# fdisk-l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000649ec

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 18874367 9436160 83 Linux
/dev/sda2 18876414 20969471 1046529 5 Extended
/dev/sda5 18876416 20969471 1046528 82 Linux swap / Solaris

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table
root@test-winxp-ie7d:~#


First you need to mount the drive as a new boot-a and transfer all the folder /boot.

the
root@test-winxp-ie7d:~# mkfs.ext4 /dev/sdb
mke2fs 1.42 (29-Nov-2011)
/dev/sdb is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65536 inodes, 262144 blocks
13107 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

root@test-winxp-ie7d:~# mkdir /mnt/newboot
root@test-winxp-ie7d:~# mount /dev/sdb /mnt/newboot/
root@test-winxp-ie7d:~# cp-R /boot/* /mnt/newboot/
root@test-winxp-ie7d:~# mv /boot /boot_old
root@test-winxp-ie7d:~# mkdir /boot


At this stage we moved the boot folder, boot to the new drive. Now we need to register the necessary settings in fstab for the correct mount.

the
root@test-winxp-ie7d:~# echo "/dev/sdb /boot ext4 defaults 0 0" >> /etc/fstab


You can now update the grub settings and safely restart the system.

the
root@test-winxp-ie7d:~# update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-29-generic
Found initrd image: /boot/initrd.img-3.2.0-29-generic
Found memtest86+ image: /memtest86+.bin
done
root@test-winxp-ie7d:~# grub-install /dev/sda
Installation finished. No error reported.
root@test-winxp-ie7d:~# reboot
root@test-winxp-ie7d:~#
Broadcast message from alex@test-winxp-ie7d
(/dev/pts/0) at 6:06 ...

The system is going down for reboot NOW!


After rebooting – connect and see what we have going on in the file system.

the
root@test-winxp-ie7d:~# df-hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext4 9.0 G 1.2 G 7.4 G 14% /
udev devtmpfs 486M 4.0 K 486M 1% /dev
304K tmpfs tmpfs 198M 198M 1% /run
none tmpfs 5.0 M 0 5.0 M 0% /run/lock
none tmpfs 495M 0 495M 0% /run/shm
/dev/sdb ext4 1021M 71M 900M 8% /boot
root@test-winxp-ie7d:~# ls /boot/
abi-3.2.0-29-generic grub lost+found memtest86+_multiboot.bin vmlinuz-3.2.0-29-generic
config-3.2.0-29-generic initrd.img-3.2.0-29-generic memtest86+.bin System.map-3.2.0-29-generic


As you can see, we now have the bootloader, kernel image and initramfs are on a separate drive.
Next we need to migrate the entire file system on the encrypted disk that will be mounted in /. For this I added another disk (/dev/sdс) as a new root (system) disk is /dev/sda1.
Encrypted disk sdс and mounted to transfer all of the files.
the
root@test-winxp-ie7d:~# mkdir /mnt/newroot
root@test-winxp-ie7d:~# cryptsetup luksFormat /dev/sdc

WARNING!
========
This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
root@test-winxp-ie7d:~# cryptsetup luksOpen /dev/sdc encryptroot
Enter passphrase for /dev/sdc:
root@test-winxp-ie7d:~# mkfs -t ext4 /dev/mapper/encryptroot
mke2fs 1.42 (29-Nov-2011)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
196608 inodes, blocks 785920
39296 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=805306368
24 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

root@test-winxp-ie7d:~# mount-t ext4 /dev/mapper/encryptroot /mnt/newroot/


Now, modify the fstab, crypttab, also updated the initramfs and percidae on the encrypted disk sdc all of the old root disk /dev/sda1.

the
root@test-winxp-ie7d:~# ls-l /dev/disk/by-uuid/
total 0
...
lrwxrwxrwx 1 root root 10 Sep 16 06:46 5e5fac1c-080b-437a-96ff-d9e4e3b04759 -> ../../sda1
lrwxrwxrwx 1 root root 9 Sep 16 06:47 d08aab55-a935-4155-aea0-b6fd5da8bed3 -> ../../sdc
...
root@test-winxp-ie7d:~# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# proc /proc proc nodev,noexec,nosuid 0 0
# / was on /dev/sda1 during installation
#UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759 / ext4 errors=remount-ro 0 1
/dev/mapper/encryptroot / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=eae26cf5-303a-4c17-ac63-d7dd82891c09 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
/dev/sdb /boot ext4 defaults 0 0

root@test-winxp-ie7d:~# cat /etc/crypttab
#
encryptroot UUID=d08aab55-a935-4155-aea0-b6fd5da8bed3 none luks

root@test-winxp-ie7d:~# sed -i-e "s|root=UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759|root=/dev/mapper/encryptroot|" /boot/grub/grub.cfg
root@test-winxp-ie7d:~# ln-s /boot/vmlinuz-3.2.0-29-generic /mnt/newroot/vmlinuz
root@test-winxp-ie7d:~# update-initramfs-u
update-initramfs: Generating /boot/initrd.img-3.2.0-29-generic
root@test-winxp-ie7d:~# rsync-aHx / /mnt/newroot
root@test-winxp-ie7d:~# rsync-aHx /dev /mnt/newroot/
root@test-winxp-ie7d:~# reboot


If after the reboot gave You the following window – so it all worked out. If you got a kernel-panic – write in the comments, tell me what could be the problem and what step came failt.
image

After authorization – see what we've got.

the
root@test-winxp-ie7d:~# df-hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/ext4 encryptroot 3.0 G 1.1 G 1.8 G 38% /
udev devtmpfs 485M 4.0 K 485M 1% /dev
312K tmpfs tmpfs 198M 198M 1% /run
none tmpfs 5.0 M 0 5.0 M 0% /run/lock
none tmpfs 495M 0 495M 0% /run/shm
/dev/sdb ext4 1021M 74M 897M 8% /boot
root@test-winxp-ie7d:~# fdisk-l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000649ec

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 18874367 9436160 83 Linux
/dev/sda2 18876414 20969471 1046529 5 Extended
/dev/sda5 18876416 20969471 1046528 82 Linux swap / Solaris

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/sdc: 3221 MB, 3221225472 bytes
255 heads, 63 sectors/track, 391 cylinders, total 6291456 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x08040000

Disk /dev/sdc doesn't contain a valid partition table

Disk /dev/mapper/encryptroot: 3219 MB, 3219128320 bytes
255 heads, 63 sectors/track, 391 cylinders, total sectors 6287360
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/encryptroot doesn't contain a valid partition table
root@test-winxp-ie7d:~#


As you can see, the root file system of the encrypted volume is mounted. And the old drive /dev/sda, which can be deleted.
If you are interested in a full encryption system from A to z, starting with encryption when setting up and ending a remote releasing and unlock luks volumes — here I describe it in detail.
Article based on information from habrahabr.ru

Комментарии

Популярные сообщения из этого блога

Integration of PostgreSQL with MS SQL Server for those who want faster and deeper

Parse URL in Zend Framework 2

Custom database queries in MODx Revolution