The goal of this guide is to show you how to install CentOS 5 on a machine such that the root filesystem is encrypted.
This guide is targeted at intermediate and advanced Linux users and administrators.
Patch mkinitrd to modify the initrd to handle an encrypted drive;
Use LUKS to perform the encryption and provide key/passphrase management;
Use LVM to provide easier drive management, and to allow us to encrypt the entire disk.
Although CentOS's Anaconda doesn't have the ability to create an encrypted root filesystem, we can modify an installed system so that the root filesystem is encrypted. In fact, almost the entire hard drive will be encrypted.
We'll format the spare partition sda2 with LUKS. LUKS allows an encrypted partition to be decrypted on-the-fly for usage as a regular block device. Because it's decrypted and encrypted on-the-fly, nothing unencrypted is stored on the disk.
By installing fresh, this walk-through is much simpler, thus improving your chances for success. Once you've done it once, you can try it on an existing system; you'll know what's normal and what's not, and have a better chance of successful troubleshooting. Remember: always back up your data.
- Some familiarity with installing Linux, preferably Fedora and/or ~CentOS
- Some familiarity with using a shell
Understanding of disk partitioning (eg: use of fdisk to change edit partition the table)
- Knowledge of how to edit plain text files
- A PC with at least a 10GB HD
- A CentOS 5.0, or CentOS 5.1 install DVD
- A SystemRescueCD (optional, but very handy to have for recovering after a failed kernel upgrade, mkinitrd patch, etc)
You can not recover a lost password. Do note, though, that LUKS will allow you to have more than one passphrase, more than one key file, or a mixture of passphrases and key files, allowing you to give a different password to a trusted friend or colleague.
LUKS' flexibility also allows a corporate environment to benefit, by allowing the use of a central key for system administrators, while allowing each user to have their own key.
Many of the things you are asked to do in this guide are destructive. If your setup differs at all from what is assumed in here (chances are that it will), then you will likely make a mistake and break/format/delete something. Try this on an unused machine first, then when you succeed, experiment on that machine.
While I've tried to make these instructions relatively simple, they are intended for an intermediate or advanced audience.