
encrypted install

Fri Mar 11, 2011 5:47 am

work in progress:

If you are somehow like me (you hate reading), scroll down to the bottom and read the last two lines.
Do it once or twice in Vbox or qemu and it should work.

What you need:
refracta-live-CD
http://www.ibiblio.org/refracta/

zinstaller by fsmithred:
https://github.com/fsmithred/refracta

a) boot the refracta CD

b) download the zinstaller-script

c)
apt-get install cryptsetup
modprobe dm-mod

d) run the script by:
bash zinstaller.02

e) it asks you to use gparted: say yes.
create a boot partition and a partition for root.
I also created a partition for /home and for swap.
My size for VBox (I want to use grml-iso in boot!):
/boot -> 1GB -> ext2
/ -> 3.5 GB -> ext4
/home -> 3.5GB -> ext4
swap -> 1GB
close gparted

f) questions by zenity:
Pick the MBR partition for grub, in case you want to install it. For me /dev/sda.
Pick the /boot partition. For me /dev/sda1. Make it ext2.
Pick a partition for /. For me /dev/sda2. Make it ext3 or ext4.
It asks you if you want to encrypt it. Choose yes.
Pick a partition for /home in case you want that. For me /dev/sda3. Make it ext3 or ext4.
It asks you if you want to encrypt it. Choose yes.
Last question: You will be asked if all is ok. Have a sharp look and say yes, in case all your choices are correct.
Zenity will close

g)
To encrypt the / partition you will be asked and warned:
Are you sure? (type uppercase yes):
Type "YES"
Enter a passphrase and confirm it.
To mount it you will have to enter the set passphrase immediately.
Do the same for /home

h) wait.

Done.
Nice and easy.

The short version:
download refracta, download zinstaller.sh, run bash zinstaller and make use of common sense.
You will need a /boot partition, all the rest is self-explanatory. I think.

Re: encrypted install

Fri Mar 11, 2011 12:17 pm

Good explanation. I was going to complain about your /boot size, but then I saw your reason for it. I've been going with 50MB on the tests, and only 18MB of that are used. No grml here, but maybe I'll have better luck with grml in a vm. (Wouldn't display correctly on my hardware.)

There is a major deficiency in the encrypted install that should be mentioned. The installer does not write random data to the partition before doing its thing. Everything works correctly, and you end up with an encrypted partition, but if you're really concerned about security, you're giving your attacker a lot less work to do by not burying your encrypted data in random data.

I think I found the solution to why I couldn't get it to work, but it hasn't been implemented yet. (Need to turn off error logging for the dd command, so you can see when it's finished.) In the meantime, if you want higher security, do the following before you run the installer.

Partition the drive, and then for each partition you intend to encrypt, run the following.
Code:
dd if=/dev/urandom of=/dev/sdXn
Where X is the drive letter and n is the partition number. If you're doing this on a large hard drive (hundreds of gigabytes or more) plan on it taking a day or longer.

When that's done, run the installer and skip past the partitioner, since you already did it.
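Putting the two posts together, here is an added shell example of my own (not code from zinstaller, and not posted by either author) that does the random fill from the reply above with an exact byte count, so dd stops on its own instead of ending on the "No space left on device" error that was hiding the finish, and then runs the same cryptsetup steps the installer prompts for in step g). The device name you pass, the mapper name `cryptroot` and the `ext4` default are assumptions; for a quick test it also accepts a regular file in place of a partition.

```shell
#!/bin/sh
# Added example, not part of the zinstaller script. Fills a partition with
# random data, then formats it with LUKS the way the installer's step g) does.
# Usage: sh encrypt-prep.sh /dev/sdXn [mapper-name] [ext3|ext4]
# (the device name is an assumption; pick your own partition)
set -eu

# Size in bytes of a block device or, for testing, of a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    elif [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo "target_size: $1 is not a block device or a regular file" >&2
        return 2
    fi
}

# Overwrite the whole target with /dev/urandom. Feeding dd an exact byte
# count through head -c means dd ends with exit status 0 and no error to
# silence; the echo below is the "finished" signal the reply was after.
fill_random() {
    size=$(target_size "$1") || return $?
    head -c "$size" /dev/urandom | dd of="$1" bs=1M conv=notrunc,fsync 2>/dev/null
    echo "fill_random: wrote $size random bytes to $1"
}

# Count the non-zero bytes in the first 4 KiB: a zeroed partition gives 0,
# a random-filled one gives roughly 4080 (about 16 of 4096 bytes are zero).
nonzero_head_bytes() {
    head -c 4096 "$1" | tr -d '\0' | wc -c | tr -d ' '
}

# Manual equivalent of step g): luksFormat prints "Are you sure? (Type
# uppercase yes)" and asks for the passphrase twice, luksOpen asks for it
# once more, and the filesystem goes on the /dev/mapper entry, not on $dev.
luks_format_partition() {
    dev=$1 name=$2 fstype=${3:-ext4}
    modprobe dm-mod
    cryptsetup luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    "mkfs.$fstype" "/dev/mapper/$name"
    echo "luks_format_partition: $dev is now /dev/mapper/$name ($fstype)"
}

# Only act when a target was given on the command line.
if [ "${1:-}" ]; then
    fill_random "$1"
    luks_format_partition "$1" "${2:-cryptroot}" "${3:-ext4}"
fi
```

Run it on each partition you plan to encrypt before starting zinstaller, then skip the installer's partitioner as the reply says; on a real disk the fill still takes as long as the plain dd, it just tells you when it is done.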