Full disk encryption on Ubuntu with dm-crypt + luks

Linux
Security
Author

Vinh Nguyen

Published

August 6, 2011

REMINDER: PASSHPHRASE SHOULD BE 42+ CHARACTERS LONG TO BE EQUIVALENT TO A 256 BIT KEY.

In this post, I will outline my experience doing a full disk encryption on an Ubuntu computer. Note that this option is available through the installer only on the server edition or the alternate CD of ubuntu (not desktop).

Why would one want to encrypt their disk? A few scenarios:

  1. Suppose someone steals your laptop. Do you want them to have access to your files? With full disk encryption, they won't even be able to boot up the laptop.
  2. Suppose you send in your disk for repair or exchange. Do you want your personal files to be freely accessible by others?
  3. Suppose the goverment wants to infringe on your right to privacy. Do you want them to easily access your files? Any access to my files will have to be consented by me.

To achieve full disk encryption, what we will do is set up an encrypted LVM. Before getting started, read this to know more about the benefits of an LVM. Then read this which explains the difference between a RAID setup and LVM. They are different things, and can be configured together. Then read this post which benchmarks the performance of the system with an encrypted and unencrypted disk. The difference in performance is negligible for the benefit of having secured data. Also look at this post which shows how one can gain access to an encrypted LVM drive; the bulk of the information came from here.

My setup: I have two 1.5TB disks set up using hardware RAID via the mobo's BIOS. I then followed the instructions outlined here for setting up the encrypted LVM; the only difference is that I have a RAID1 configuration and did not a separate volume for "/home". The setup is identical. Prior to trying this out, my concerns were addressed in the comments of that page and here. I ran into some issues as described in the comments of that page. Basically, I got a blank or unresponsive screen after the BIOS pages. I was not asked for my passphrase. Rebooting the computer yields the grub boot menu. Selecting recovery-mode, I was asked for my passphrase before the recovery menu appeared. I then selected boot normally and the server started. This was quite annoying because I did not want to do that many steps just to get a system booted each time. After a few hours of trying to find out what's wrong and re-installing (thinking the culprit was the RAID setup), I found out that the passphrase is asked for in TTY7 (Control-alt-F7). I didn't see it because I think TTY1 is Ubuntu's Server default, hence I saw a blank or unresponsive screen. Now I know the installation process went well and it wasn't because of RAID. However, I will have to go to TTY7, type in passphrase, and go back to TTY1 to log in. I guess this issue isn't too problematic since it is a remote server, and don't plan to be in front of it at each reboot. I plan to follow this post to set up early-ssh and dropbear to be able decrypt the drive via ssh. I haven't figured out how to use it yet though because my username and password isn't accepted by dropbear. I'll update this post once I figure out how to login and submit the script to decrypt the drive.

In the future, I plan to add two more hard drives configured as RAID1. I guess I can just encrypt the drive like usual via dm-crypt and automount it by modifying crypttab/fstab.

UPDATE 9/9/2011 Changing passphrase by adding the new one and removing the old one

Changing a passphrase in dm-crypt was discussed here. Since I was on RAID1 and encrypted my entire LVM, I couldn't operate on devices like /dev/sda5, etc. Actually, sda# and sdb# weren't even in /dev/ even though they were listed in sudo fdisk -l. I tried cryptsetup luksDump on /dev/sda, /dev/sdb, and all in /dev/mapper/. The only one that was a valid LUKS device was pdc_dejidcjhg5. Thus, I did

sudo cryptsetup luksAddKey /dev/mapper/pdc_dejidcjhg5 ## added my new long passphrase
sudo cryptsetup luksRemoveKey /dev/mapper/pdc_dejidcjhg5 ## entered in passphrase I wanted removed
sudo cryptsetup luksDump /dev/mapper/pdc_dejidcjhg5 ## should show slot 0 is disabled, slot 1 is enabled