Cryptsetup /tmp /swap & /home on LVM

This guide will assist you in setting up /tmp, /swap, and /home to be encrypted using cryptsetup LUKS. I'll assume that you already have an installed system, and need to add encryption for /tmp, /swap, and /home. I'll assume you have data in /home, so be very careful to back up /home before proceeding. There is a guide on the CentOS wiki, but it is for encrypting files, not partitions, so I wanted a guide more specific to /tmp, /swap, and /home. This guide assumes you want the entire partitions encrypted, so the data on them will be erased.

System:

CentOS 5.x

References:

Encrypted Filesystem
Encrypted /tmp & /swap

System Setup

Unless you unchecked Base during installation and chose to install basically nothing, you should already have the tools necessary for encryption. Verify first, and then proceed.

# rpm -q cryptsetup device-mapper util-linux
# modprobe dm_crypt
# lsmod | grep dm_crypt

Backup /home

I shouldn't have to tell you again, but make sure you back up /home onto an external source before proceeding! Even if you have space on your local drive, get a backup off your current disk, since you'll be mucking with the local filesystem.

# cp -arfp /home /some/external/storage

Encrypting /swap

Let's start with encrypting /swap first, verify it works, and then move on to /tmp. I would suggest shutting your host down, but you don't absolutely have to if you don't want to. Since the new swap setup won't take effect until the next boot, you can do this one live. Go ahead and create an /etc/crypttab file, and add the swap parameters.

# vim /etc/crypttab
swap    /dev/vg0/swap   /dev/urandom    swap,cipher=aes-cbc-essiv:sha256

Depending on your volume group names and layout, change the path to suit your needs. This tells the encryption system to use AES in CBC mode with ESSIV (SHA-256) initialisation vectors, with a key read from /dev/urandom at startup. Every boot, a new key is generated for use while the system is running. When it shuts off, the key is gone, and therefore /swap is protected.

Next, edit /etc/fstab to reflect the changes as well.

/dev/mapper/swap     none     swap     defaults     0 0

That's it for encrypting swap. You can reboot now and see that swap turns back on, or you can continue and do /tmp at the same time.

Encrypting /tmp

Encrypting /tmp is slightly different from doing so with /swap. You'll need to use a script to mount /tmp after /etc/fstab has been read. Credit for the script goes to clasohm.com, where I found it. The encrypted volume is created after /etc/fstab has been processed, and due to the way /tmp needs to be accessed (I assume), /tmp has to be handled specially.

First, add the necessary line to /etc/crypttab, and comment out the line in /etc/fstab that normally mounts /tmp.

# vim /etc/crypttab
tmp     /dev/vg0/tmp    /dev/urandom    tmp,cipher=aes-cbc-essiv:sha256

# vim /etc/fstab
# Make sure to comment this out below.
#/dev/vg0/tmp     /tmp     ext3     defaults     1 2

Copy and paste the script from clasohm.com and place it in /etc/init.d.

# vim /etc/init.d/cryptotmp

#!/bin/bash
#
# cryptotmp    setup crypted tmp partition
#
# chkconfig: 2345 01 90
# description: adds crypted tmp partition.

# Source function library.
. /etc/init.d/functions

# See how we were called.
case "$1" in
    start)
        # /dev/mapper/tmp was set up from /etc/crypttab by rc.sysinit;
        # let action() run the mount so that [OK]/[FAILED] reflects its result.
        action $"Adding encrypted tmp" mount /dev/mapper/tmp /tmp

        # A freshly created filesystem comes up mode 0755; /tmp needs the
        # sticky, world-writable mode and the right SELinux context.
        chmod 1777 /tmp
        restorecon /tmp

        touch /var/lock/subsys/cryptotmp
        ;;
    stop)
        rm -f /var/lock/subsys/cryptotmp
        ;;
    *)
        echo $"Usage: $0 {start|stop}"
        exit 1
        ;;
esac

exit 0

Make the script executable and chkconfig it on.

# chmod +x /etc/init.d/cryptotmp
# chkconfig --add cryptotmp

/tmp now works the same way as /swap. When the system boots, a key is generated and used to encrypt /tmp. When the system shuts down, the key is lost and therefore /tmp is protected. If you have scripts writing to /tmp for something, however, be aware that the contents of /swap and /tmp will be wiped when the system shuts down. Also, clasohm.com states that suspend to disk will fail after encrypting /swap and /tmp, understandably so. To verify things are working before encrypting your /home partition, reboot your system and make sure it comes back online using /swap and /tmp.
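To make that post-reboot check concrete, here is an added shell example; it is not part of the original page or of the clasohm.com script. It compares the mount table and the swap table against the mapper names this guide uses (/dev/mapper/tmp and /dev/mapper/swap), and checks that /tmp got its sticky, world-writable mode back. The sample inputs below are constructed; on a real host feed it /proc/mounts and /proc/swaps as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the original page or the clasohm.com script: after
# the reboot, confirm that /tmp and swap are served by the dm-crypt mapper
# devices named in /etc/crypttab rather than by the plaintext logical volumes.
# The mapper names /dev/mapper/tmp and /dev/mapper/swap are the ones this
# guide uses.

# check_encrypted_mounts MOUNTS_TEXT SWAPS_TEXT
#   MOUNTS_TEXT is /proc/mounts-style text, SWAPS_TEXT is /proc/swaps-style
#   text. Prints one line per check and returns 0 only if every check passes.
#   Exact names are compared on purpose: a plaintext LV mounted directly also
#   shows up under /dev/mapper (as /dev/mapper/vg0-tmp, say), so a loose
#   "/dev/mapper/*" match would pass the very mistake we are looking for.
check_encrypted_mounts() {
    mounts=$1
    swaps=$2
    rc=0

    # The last entry for /tmp wins, as in the kernel's own mount table.
    tmp_dev=$(printf '%s\n' "$mounts" | awk '$2 == "/tmp" { d = $1 } END { print d }')
    case "$tmp_dev" in
        /dev/mapper/tmp) echo "ok:   /tmp is on $tmp_dev" ;;
        '')              echo "FAIL: /tmp is not mounted (did cryptotmp run?)"; rc=1 ;;
        *)               echo "FAIL: /tmp is on $tmp_dev, not on /dev/mapper/tmp"; rc=1 ;;
    esac

    # Skip the header line of /proc/swaps; each active swap must be the mapper.
    swap_devs=$(printf '%s\n' "$swaps" | awk 'NR > 1 { print $1 }')
    [ -n "$swap_devs" ] || { echo "FAIL: no swap is active"; rc=1; }
    for dev in $swap_devs; do
        if [ "$dev" = /dev/mapper/swap ]; then
            echo "ok:   swap is on $dev"
        else
            echo "FAIL: swap is on $dev, not on /dev/mapper/swap"; rc=1
        fi
    done
    return $rc
}

# check_tmp_mode DIR
#   A freshly made ext3 filesystem mounts with a 0755 root directory; /tmp
#   needs the sticky, world-writable mode 1777 (drwxrwxrwt) before users can
#   safely share it. Checked through ls so it works on any POSIX sh.
check_tmp_mode() {
    dir=$1
    case "$(ls -ld "$dir")" in
        drwxrwxrwt*) echo "ok:   $dir is mode 1777"; return 0 ;;
        *)           echo "FAIL: $dir is not mode 1777 (run: chmod 1777 $dir)"; return 1 ;;
    esac
}

# Constructed sample input: what a correctly rebooted host shows.
SAMPLE_MOUNTS_OK='/dev/mapper/vg0-root / ext3 rw 0 0
/dev/mapper/tmp /tmp ext3 rw 0 0
/dev/mapper/home /home ext3 rw 0 0'
SAMPLE_SWAPS_OK='Filename                        Type            Size    Used    Priority
/dev/mapper/swap                partition       1048568 0       -1'

# Constructed sample input: the fstab lines were never changed, so the
# plaintext volumes (under their LVM mapper names) are still in use.
SAMPLE_MOUNTS_BAD='/dev/mapper/vg0-root / ext3 rw 0 0
/dev/mapper/vg0-tmp /tmp ext3 rw 0 0'
SAMPLE_SWAPS_BAD='Filename                        Type            Size    Used    Priority
/dev/mapper/vg0-swap            partition       1048568 0       -1'

echo "== correctly rebooted host =="
check_encrypted_mounts "$SAMPLE_MOUNTS_OK" "$SAMPLE_SWAPS_OK"
echo "== host whose fstab was not changed =="
check_encrypted_mounts "$SAMPLE_MOUNTS_BAD" "$SAMPLE_SWAPS_BAD" || echo "(problems found, as expected)"
# On the real host, run instead:
#   check_encrypted_mounts "$(cat /proc/mounts)" "$(cat /proc/swaps)" && check_tmp_mode /tmp
```

The exact-name comparison is the important design choice: because LVM itself lives on device-mapper, a forgotten fstab line leaves the plaintext volume mounted as /dev/mapper/vg0-tmp, which a pattern like /dev/mapper/* would happily accept.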

Encrypting /home

Next, let's encrypt /home. Again, you can do this live, but if you're logged into your machine, you'll need to log out of your profile and get to a root command line. You'll have to unmount /home so you can encrypt the partition, and re-create a filesystem on it. For the third warning, back up your /home partition off your local disk!

If you haven't done so already, then do it. Then unmount /home.

# cp -arfp /home /some/external/storage
# umount /home

Set up the LUKS passphrase on the container. Make sure you choose a good, strong passphrase, meaning something with uppercase, lowercase, symbols, and numbers in it. Your encryption is guarded by this, so don't be afraid to make it a nice long passphrase.

# cryptsetup luksFormat /dev/vg0/home

WARNING!
========
This will overwrite data on /dev/vg0/home irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Next, open up the encrypted partition with the passphrase you created.

# cryptsetup luksOpen /dev/vg0/home home
Enter LUKS passphrase:

Fill the mapped device with random data, so that anyone who examines the disk can't determine how much data is on it. If you have a large partition, this could take a while, so go have some coffee, soda, or beer, and come back later. You can skip this step, but it is well worth the time, since it hides how much of the volume is actually in use.

# dd if=/dev/urandom of=/dev/mapper/home

Since dd has no status display, here's a trick to see how far along it is. First, find the process ID of the dd command above, then use watch to send it SIGUSR1 every 20 seconds; dd answers by printing how much it has copied so far on the terminal it was started from. dd finishes with a "No space left on device" message once the whole device has been written, which is expected.

# ps uxa | grep dd
# watch -n 20 kill -USR1 PID

Now you need to create the filesystem on the partition.

# mke2fs -j -O dir_index /dev/mapper/home
# tune2fs -l /dev/mapper/home

Last, close the encrypted partition back up.

# cryptsetup luksClose home

Just like with the /swap partition, you'll need to edit /etc/fstab and add the correct path.

# vim /etc/fstab

#/dev/vg0/home           /home                   ext3    defaults        1 2
/dev/mapper/home        /home                   ext3    defaults        1 2

Lastly, add the entry to /etc/crypttab. If you specify only the mapper name and the partition as the first two parameters, then at boot time you'll be asked for the LUKS passphrase protecting your data. You can get into some fancy things, like storing your key on a USB stick and having it automount that and boot, but I didn't see a need for that.

# vim /etc/crypttab

home    /dev/vg0/home
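Before rebooting it is worth cross-checking the two files, since the classic mistake in this procedure is leaving the plaintext logical volume in /etc/fstab. The following shell script is an added example, not part of the original page: it reads crypttab and fstab text, flags any crypttab device that is still mounted directly, confirms each mapper device is used (tmp is expected to be mounted by the cryptotmp init script rather than fstab), and refuses a /dev/urandom key on anything but swap or tmp, where data loss at reboot is intended. The sample files are constructed from the entries in this guide.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check /etc/crypttab against
# /etc/fstab so that no plaintext logical volume is still mounted directly,
# every dm-crypt mapper name is actually used, and a random (/dev/urandom) key
# is only ever used for swap or tmp, where losing the data at reboot is intended.

# fstab_has_device DEVICE FSTAB_TEXT : true if DEVICE is the first field of an
# uncommented fstab line (a commented line starts with "#", so it never matches).
fstab_has_device() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_crypttab_fstab CRYPTTAB_TEXT FSTAB_TEXT : prints one line per finding,
# returns 0 only if nothing is wrong.
check_crypttab_fstab() {
    fstab=$2
    rc=0
    # The loop reads from a here-document rather than a pipe so that rc survives it.
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac

        # 1. The underlying volume must not be mounted in the clear any more.
        if fstab_has_device "$dev" "$fstab"; then
            echo "FAIL: $dev is still mounted directly in fstab; comment that line out"
            rc=1
        fi

        # 2. A random key is only sane for swap and tmp.
        if [ "$key" = /dev/urandom ]; then
            case ",$opts," in
                *,swap,*|*,tmp,*) ;;
                *) echo "FAIL: $name uses a random key but is neither swap nor tmp; its contents would be lost at every reboot"
                   rc=1 ;;
            esac
        fi

        # 3. The mapper device must be used: through fstab, or through the
        #    cryptotmp init script for the tmp entry.
        case ",$opts," in
            *,tmp,*)
                if fstab_has_device "/dev/mapper/$name" "$fstab"; then
                    echo "FAIL: /dev/mapper/$name is in fstab, but this guide mounts tmp from /etc/init.d/cryptotmp"
                    rc=1
                else
                    echo "ok:   $name is mounted by /etc/init.d/cryptotmp"
                fi ;;
            *)
                if fstab_has_device "/dev/mapper/$name" "$fstab"; then
                    echo "ok:   /dev/mapper/$name is in fstab"
                else
                    echo "FAIL: /dev/mapper/$name is missing from fstab"
                    rc=1
                fi ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

# Constructed samples built from the entries used in this guide.
SAMPLE_CRYPTTAB='swap    /dev/vg0/swap   /dev/urandom    swap,cipher=aes-cbc-essiv:sha256
tmp     /dev/vg0/tmp    /dev/urandom    tmp,cipher=aes-cbc-essiv:sha256
home    /dev/vg0/home'

SAMPLE_FSTAB_OK='/dev/mapper/swap  none   swap  defaults  0 0
#/dev/vg0/tmp     /tmp   ext3  defaults  1 2
#/dev/vg0/home    /home  ext3  defaults  1 2
/dev/mapper/home  /home  ext3  defaults  1 2'

# Same, but the swap entry still names the plaintext volume and the old
# /home line was never commented out.
SAMPLE_FSTAB_BAD='/dev/vg0/swap     none   swap  defaults  0 0
#/dev/vg0/tmp     /tmp   ext3  defaults  1 2
/dev/vg0/home     /home  ext3  defaults  1 2
/dev/mapper/home  /home  ext3  defaults  1 2'

echo "== correct configuration =="
check_crypttab_fstab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB_OK"
echo "== broken configuration =="
check_crypttab_fstab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB_BAD" || echo "(problems found, as expected)"
# On the real host, run instead:
#   check_crypttab_fstab "$(cat /etc/crypttab)" "$(cat /etc/fstab)"
```

Run it as root before the reboot; a FAIL line for the plaintext volume means the old fstab entry would still mount the logical volume directly, bypassing the container you just formatted.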

Go ahead and reboot now. It should come up and ask you for the LUKS passphrase. Enter it, and it will mount your /home directory. You can then sync back all your old data, and presto, you're now protected by encryption, with /tmp, /swap, and /home all encrypted. If someone steals your hardware, you should be safe. Obviously, if you want other partitions encrypted, just replace /home with something else, for instance a backup directory that you use at home to back up machines. I'll be replicating this setup on my desktop at home, but I'll also encrypt /srv where my laptop backups are stored. Also, if you still aren't sure about this encryption stuff, boot up a live CD like Knoppix and poke around the filesystem to see if you can get /home mounted.

A hint about Knoppix and LVM: after you boot it up, make sure you run the following two commands to make Knoppix scan for and activate the volume groups.

# vgscan
# vgchange -a y

You'll now be able to see the /dev/vg0/home volume as being there; however, you won't actually be able to mount it directly using mount. You'd have to use cryptsetup luksOpen and luksClose to gain access to the partition. Therefore, there's your proof that your partition is safe. As usual, please correct anything wrong, leave comments for improvements, and all the usual. Also, thanks to clasohm.net for the help on getting /tmp and /swap encrypted, as well as the script to mount /tmp at boot.

Adding LUKS Keys

You can add up to four or five keys to an encrypted device, so if you need to allow someone else access to the drive, do so like this. cryptsetup first asks for one of the existing passphrases, then for the new one to add.

# cryptsetup luksAddKey /dev/vg0/home

Note about LVM resizing

Here's a small note about LVM resizing in the future, since you've added encryption. You can use the normal commands, but you have to remember one thing: after you extend the logical volume, you need to run resize2fs on the encrypted mapper device, not on the usual LVM path.

# lvextend -L+512M /dev/vg0/home
# resize2fs /dev/mapper/home

Normally you would use /dev/vg0/home as the path for resize2fs, but since the filesystem lives inside the encrypted container rather than directly on the logical volume, substitute the path of the mapper device.

HowTos/EncryptTmpSwapHome (last edited 2009-09-17 15:11:09 by MaxHetrick)