In the last post, I showed how to set up disk encryption in CBC-ESSIV mode in Debian and Ubuntu. That mode was used by default because partman-crypto did not support the LRW and XTS modes. Now, I’ll show how to make it use XTS instead, which is the IEEE P1619 standard mode for disk encryption and gives an attacker who tampers with the ciphertext far less control than CBC does.
First, get to the encryption configuration screen for the partition (the one that shows the cipher, key size and IV algorithm):
Then, load the XTS kernel module. A big hassle here is that the installer .udebs do not contain the requisite xts module (and its dependency gf128mul). That means we have to extract them by hand from the full kernel package on the CD (press Alt-F2 to get to a console, and Alt-F1 to return to the installer). The modules must come from exactly the kernel the installer is running (compare the version with uname -r), otherwise insmod will reject them, so if the glob below matches more than one linux-image package, name the right one explicitly:
mkdir -p /tmp/linux
cd /tmp/linux
ar x /cdrom/pool/main/l/linux/linux-image-*.deb
tar xjf data.tar.bz2
(You can’t use udpkg --unpack for this, since it doesn’t support bzip2 archives.)
Now, we can go and load those modules (gf128mul first, since xts depends on it; lsmod should list both afterwards):
cd lib/modules/*/kernel/crypto
insmod gf128mul.ko
insmod xts.ko
Now that the module is loaded, we can then perform the
cd $(dirname /var/lib/partman/devices/=dev=sda/*/ivalgorithm)
echo xts-plain > ivalgorithm
echo 256 > keysize
(Replace sda with your disk, and make sure the glob matches exactly one partition, the one you configured for encryption. For XTS, keysize 256 means AES-128, because XTS uses two keys of equal length, one for the data and one for the tweak; you can also use 384 for AES-192 and 512 for AES-256. Note that xts-plain derives the tweak from the 32-bit sector number, so for a volume larger than 2 TiB you want xts-plain64, which dm-crypt has supported since 2.6.33.)
If you did everything right, then when you leave that crypto selection screen and come back to it, the IV algorithm should read xts-plain and the key size should be the value you wrote (256 here):
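The two echo commands above do what they say, but they silently do the wrong thing if sda is not your disk, or if the glob matches zero or several partition directories. The sh helper below is an added example, not code from the original post: it performs the same partman-crypto edit with those checks in place. The =dev=<disk>/<partition>/ivalgorithm layout and the keysize file are taken from the post; the function names, the arguments and the sample directory used to exercise it are assumptions. It is plain POSIX sh so that it also runs in the installer’s busybox console.

```shell
#!/bin/sh
# Added helper (not part of the original post): set XTS on the partition
# partman-crypto has marked for encryption, with sanity checks.
#
#   partman_set_xts <partman-devices-dir> <disk> <aes-bits> [iv-algorithm]
#   e.g. partman_set_xts /var/lib/partman/devices sda 128
#
# The directory layout assumed here is the one the post shows:
#   <partman-devices-dir>/=dev=<disk>/<partition>/ivalgorithm
#   <partman-devices-dir>/=dev=<disk>/<partition>/keysize

# dm-crypt key size for an AES key length under XTS. XTS splits the key
# into a data key and a tweak key of equal length, so 128 -> 256 etc.
xts_keysize() {
    case "$1" in
        128) echo 256 ;;
        192) echo 384 ;;
        256) echo 512 ;;
        *) echo "unsupported AES key length: $1" >&2; return 1 ;;
    esac
}

# Print the single partition directory under the given disk that carries
# an ivalgorithm file. Refuse to guess when there are zero or several:
# a wrong guess would reconfigure the wrong partition without any error.
partman_crypto_dir() {
    base="$1/=dev=$2"
    found=""
    n=0
    for f in "$base"/*/ivalgorithm; do
        [ -e "$f" ] || continue
        found=$(dirname "$f")
        n=$((n + 1))
    done
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one encrypted partition under $base, found $n" >&2
        return 1
    fi
    echo "$found"
}

# Write the IV algorithm (default xts-plain, as in the post) and the
# matching dm-crypt key size, then echo back what is now on disk.
partman_set_xts() {
    dir=$(partman_crypto_dir "$1" "$2") || return 1
    ks=$(xts_keysize "$3") || return 1
    iv="${4:-xts-plain}"
    echo "$iv" > "$dir/ivalgorithm"
    echo "$ks" > "$dir/keysize"
    echo "$dir: ivalgorithm=$(cat "$dir/ivalgorithm") keysize=$(cat "$dir/keysize")"
}
```

Run it from the Alt-F2 console after loading the modules, in place of the cd/echo sequence; the final line it prints is the same state you should then see reflected on the partman screen.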
Recently, work has begun issuing new, high-end laptops to engineers, and I felt it was a good time to emphasise the need to encrypt everything on the laptop, so that a lost or stolen machine does not give up its data. The performance overhead is negligible on current hardware; it’s just a matter of getting it set up.
Below, I describe how to do this on Ubuntu 12.04 (precise). The procedure is all the same on recent versions of Debian and Ubuntu, though; they all just use partman-crypto to do the configuration.
On Ubuntu, you need to use the alternate CD, not the desktop one. On Debian, just use the standard text-mode installer. Do the configuration up to the disk partitioning section:
If you normally use guided partitioning, just use the “Guided—use entire disk and set up encrypted LVM”. The only extra thing you have to do is type in the encryption passphrase. It’s as simple as that, and you can stop reading here. :-)
The rest of this article is for people who like to do manual partitioning. Because of this, I will go into a fair amount of detail, so you can see how to control the whole process. (However, to be kind to my workmates, I am doing this using non-expert mode. The steps may be different for expert mode.)
The general principle of the process is this: a small unencrypted /boot volume so that the initramfs containing the crypto bootstrap code has somewhere to live (this is the Achilles’ heel of the whole system, and I don’t know how to work around it), the rest of the disk as one encrypted volume, and LVM inside the encrypted volume holding the actual filesystems and swap.
Okay, so, here we go. :-)
First, create an empty partition table on your disk if necessary, then add a small partition for /boot. I usually use 64 MB. (That only holds a couple of kernel and initramfs pairs; give it more if you tend to keep old kernels installed.)
So now, we should have most of our disk still free:
Set up that free space for encryption:
You can choose between AES-128, AES-192, and AES-256. I think AES-128 is sufficient, but that’s your choice.
The encryption mode (listed as “IV algorithm”) in that window is more significant. Wikipedia has a good overview of the various modes, but the long and short is that there are only three modes that you are supposed to use: CBC-ESSIV, LRW and XTS. Of the three, XTS is the most secure and is the industry standard for disk encryption (IEEE P1619). The difference is in how much an attacker who can write to the disk gets to control: with CBC, changing one ciphertext block flips chosen bits in the next plaintext block, whereas with XTS a modified ciphertext block just decrypts to garbage. None of these modes provides integrity, so tampering is never detected; XTS only limits what the tampering achieves. (BTW, never use lrw-plain; it is an insecure mode.) However, partman-crypto does not currently support LRW or XTS modes, so if you want to use XTS, there is more work to do (covered in a later article, the XTS post at the top of this page). However, if industry standard is not a big deal for you, ESSIV is probably sufficient.
Okay, let’s set up the encrypted volume’s passphrase:
There, just select “Configure encrypted volumes”, then “Finish”, and you’ll be prompted for the passphrase to use. Then we’re ready for LVM setup:
Select the line after “Encrypted volume”, then set that up as “physical volume for LVM”. Then we’re ready to configure LVM:
Create a volume group containing the encrypted volume:
Then add the volumes you want to use. For example, some people might want to have a separate home volume. At a minimum, you will need a root volume and swap, so that’s what I’ve used for the next screenshot for simplicity. When done, you should see the following:
Now just set up each of the LVM volumes with filesystem or swap volumes, and you’re done:
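Once the installed system boots, it is worth checking that the mapping really ended up with the cipher you chose, since a mistake in the IV algorithm or key size only shows up here. The sh functions below are an added example, not part of the original post: they parse the cipher: and keysize: lines of cryptsetup status output and report the effective AES strength, applying the rule from the XTS post that the dm-crypt key size is twice the AES key length under XTS and equal to it under CBC. The status text in the test is constructed to match that output format; on a real machine pipe in cryptsetup status <mapping>, with the mapping name taken from /etc/crypttab (sda5_crypt below is only a guess).

```shell
#!/bin/sh
# Added example (not from the original post): verify the cipher mode of an
# installed dm-crypt mapping from `cryptsetup status` output.
#
#   cryptsetup status sda5_crypt | check_xts_status   # mapping name assumed
#
# Prints "<cipher-spec> AES-<bits>"; exit 0 for XTS, 2 for any other mode,
# 1 when the input does not look like cryptsetup status output.

# Effective AES key length for a dm-crypt cipher spec and key size in bits.
# XTS uses two keys of equal length (data key and tweak key), so the AES
# strength is half the dm-crypt key size; for CBC modes it is the whole key.
effective_aes_bits() {
    case "$1" in
        aes-xts-*) echo $(( $2 / 2 )) ;;
        aes-*)     echo "$2" ;;
        *) echo "not an AES cipher spec: $1" >&2; return 1 ;;
    esac
}

check_xts_status() {
    # Pull the two fields out of stdin in one pass; lines look like
    #   cipher:  aes-xts-plain
    #   keysize: 256 bits
    set -- $(awk '$1 == "cipher:"  { c = $2 }
                  $1 == "keysize:" { k = $2 }
                  END { print c, k }')
    cipher=$1
    keysize=$2
    if [ -z "$cipher" ] || [ -z "$keysize" ]; then
        echo "could not find cipher:/keysize: lines in cryptsetup status output" >&2
        return 1
    fi
    bits=$(effective_aes_bits "$cipher" "$keysize") || return 1
    echo "$cipher AES-$bits"
    case "$cipher" in
        *-xts-*) return 0 ;;
        *) echo "warning: $cipher is not an XTS mode" >&2; return 2 ;;
    esac
}
```

The exit status is what you would use in a post-install check script; the printed line is the human-readable summary, and it makes the keysize-versus-strength distinction explicit (a mapping reporting keysize 256 bits is AES-128 under XTS but AES-256 under CBC-ESSIV).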