Installing with a root cryptofs in eeebuntu
by trixter on Nov.19, 2009, under Linux
I have an Asus 1000HE eeepc. I like it, mostly for its battery life. Not being a big Windows fan, I installed eeebuntu and was displeased to discover that the installer cannot install directly onto an encrypted root filesystem. I did it anyway, although it takes a roundabout method to accomplish.
For those who do not know, cryptofs is a whole-disk encryption solution for Linux. It is transparent to the user, aside from having to enter a passphrase (which can be very long) when you mount the disk. Making / (root) an encrypted filesystem requires some modification to the initrd so that it loads the appropriate kernel modules, sets up the proper device-mapper pseudodevice, and then mounts the disk. Swap can also be encrypted, making it even more difficult for anyone to get anything out of your system should it fall into the wrong hands.
Unlike some of the other tutorials out there, I do not require you to do an intermediate temporary install; this means that your entire disk except /boot can be encrypted in one go.
First get the eeebuntu install disk, which doubles as a live CD. Flash it to appropriate media such as a USB drive, following the normal directions on the eeebuntu website. I used NBR 3.0.1 when I performed this, but it should work on most systems.
Boot into the live CD. I wiped my entire disk; if you do not wish to do that, you should alter the instructions below accordingly.
First you need to install some stuff.
    sudo apt-get update
    sudo apt-get install cryptsetup hashalot initramfs-tools
You may have some of this installed already, but that is ok. Now decide on the partition layout that you want. I have a 160GB disk, so I partitioned it with fdisk like this:
    /boot   100M       /dev/sda1
    swap    2048M      /dev/sda2
    /       the rest   /dev/sda3
Next I prepared the / partition to be encrypted.
    # bs=1M makes dd noticeably faster than the default 512-byte blocks
    sudo dd if=/dev/urandom of=/dev/sda3 bs=1M
This fills the partition with random data, so that any old plaintext is overwritten and the encrypted data cannot later be distinguished from unused space. It does take hours and hours, though, so if you are in a hurry and are willing to give up some paranoia (which may be justified) you may omit this stage.
Now you need to prepare the real drive to be encrypted and exposed as a virtual drive.
    sudo modprobe dm_crypt sha256_generic
    sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda3
    sudo cryptsetup luksOpen /dev/sda3 cryptoroot
Now install as usual, but when you select your / partition use /dev/mapper/cryptoroot (it will be displayed in the GUI installer). DO NOT REBOOT AFTER INSTALL! You have more work to do before you can reboot.
Open an Xterm or something else that will let you navigate and enter commands. The installer leaves your new partitions mounted under /target, so you will want to execute the following.
    sudo -i                                  # make yourself root
    mount --bind /dev /target/dev            # give the chroot the live system's device nodes
    chroot /target                           # make the new install your /
    mount -t proc proc /proc
    mkdir -p /etc/initramfs-tools/scripts/local-top   # create the directory if required
    cd /etc/initramfs-tools/scripts/local-top
    nano cryptoroot
Now insert the following into the file:
    #!/bin/sh
    PREREQ="udev"
    prereqs()
    {
        echo "$PREREQ"
    }
    case "$1" in
        # get pre-requisites
        prereqs)
            prereqs
            exit 0
            ;;
    esac
    # Load the keymap so the passphrase is typed with the right layout.
    /bin/loadkeys -q /etc/console-setup/boottime.kmap.gz
    modprobe -qb dm_crypt
    modprobe -qb sha256_generic
    # The following command will ensure that the kernel is aware of
    # the partition before we attempt to open it with cryptsetup.
    /sbin/udevadm settle
    if grep -q splash /proc/cmdline; then
        /bin/chvt 1
    fi
    /sbin/cryptsetup luksOpen /dev/sda3 cryptoroot
    if grep -q splash /proc/cmdline; then
        /sbin/usplash -c &
        sleep 1
    fi
Save that file and exit.
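The script above opens /dev/sda3 by name. On a netbook installed from a USB stick, device names can shift depending on what is plugged in at boot, so a more robust local-top script locates the partition by its LUKS UUID and checks that the device really carries a LUKS header before handing it to cryptsetup. The following is an added example, not code from the original post or from eeebuntu: the UUID, the blkid output used in the comments and the function names are constructed for illustration, and the real UUID would come from `cryptsetup luksUUID /dev/sda3`.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): resolve the encrypted
# root by LUKS UUID instead of a hard-coded /dev/sda3, and verify the LUKS
# magic before calling cryptsetup.

# Constructed placeholder; a real system uses the output of
# `cryptsetup luksUUID /dev/sda3`.
CRYPTROOT_UUID="${CRYPTROOT_UUID:-00000000-1111-2222-3333-444444444444}"

# resolve_luks_device UUID BLKID_OUTPUT
# Scans blkid-style lines such as
#   /dev/sdb3: UUID="0000...4444" TYPE="crypto_LUKS"
# and prints the device name whose UUID matches and whose type is
# crypto_LUKS. Returns 1 if no line matches. The text is taken as an
# argument so the function can be exercised on constructed input.
resolve_luks_device() {
    want="$1"
    found=""
    old_ifs="$IFS"
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    for line in $2; do
        case "$line" in
            *"UUID=\"$want\""*)
                case "$line" in
                    *'TYPE="crypto_LUKS"'*)
                        found="${line%%:*}"   # device name precedes the colon
                        break
                        ;;
                esac
                ;;
        esac
    done
    set +f
    IFS="$old_ifs"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# is_luks_header DEVICE
# Returns 0 if the first six bytes are the LUKS magic "LUKS" 0xba 0xbe.
is_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# open_cryptroot
# What the local-top script would run after `udevadm settle`: find the
# device, refuse to continue if it is not LUKS, then open it.
open_cryptroot() {
    blkid_out=$(blkid -t TYPE=crypto_LUKS 2>/dev/null) || blkid_out=""
    dev=$(resolve_luks_device "$CRYPTROOT_UUID" "$blkid_out") || {
        echo "cryptroot: no LUKS device with UUID $CRYPTROOT_UUID" >&2
        return 1
    }
    is_luks_header "$dev" || {
        echo "cryptroot: $dev has no LUKS header, refusing to open" >&2
        return 1
    }
    /sbin/cryptsetup luksOpen "$dev" cryptoroot
}

# Only act when invoked explicitly, so the functions can be sourced/tested.
if [ "${1:-}" = "--run" ]; then
    open_cryptroot
fi
```

The header check is deliberately redundant with what cryptsetup does itself; its value is the clear error message on the console before the passphrase prompt appears, which is much easier to diagnose on a netbook than a silent drop to the initramfs shell.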
    cd /etc/initramfs-tools/hooks
    nano cryptoroot
Now paste this into the file:
    #!/bin/sh
    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }
    case "$1" in
        prereqs)
            prereqs
            exit 0
            ;;
    esac
    if [ ! -x /sbin/cryptsetup ]; then
        exit 0
    fi
    . /usr/share/initramfs-tools/hook-functions
    # Copy the boot-time keymap to the same path the local-top script loads it from.
    mkdir -p ${DESTDIR}/etc/console-setup
    cp /etc/console-setup/boottime.kmap.gz ${DESTDIR}/etc/console-setup/
    copy_exec /bin/loadkeys /bin
    copy_exec /bin/chvt /bin
    copy_exec /sbin/cryptsetup /sbin
    copy_exec /sbin/vol_id /sbin
Now you just have to update the initial ramdisk and you should be done.
    # initramfs-tools only runs scripts that are executable
    chmod +x /etc/initramfs-tools/scripts/local-top/cryptoroot /etc/initramfs-tools/hooks/cryptoroot
    update-initramfs -u -k all       # already root inside the chroot, so no sudo needed
    umount /proc
    umount /dev
    exit
You should now be able to reboot. Shortly after the usplash screen appears it will switch to VT1, where you will be asked for the LUKS passphrase you typed when you set up the disk before installing. If everything worked, you will boot up and not notice that you are on an encrypted root, aside from having to enter the passphrase at boot.