Disk Encryption For Laptops

The next step in getting my laptop into shape is setting up disk encryption. In my hurry to set this laptop up for our trip last summer, I didn't bother with encryption. Now that I'm preparing to go back to school and will be using the lappy a lot more, I really need to get it properly set up. This involves getting it reconfigured with encryption, a properly installed dev environment, etc etc etc...

The first step is encrypting the system. I'm going to try to get proper encryption (of /, /home, swap) without wiping and reinstalling...

Because I can? (I think...) Debian is known for never needing to be reinstalled unless you crash a small plane into the case, or something like that. So I want to see if I can get the whole lappy converted over without having to wipe the system. I've got the system more-or-less configured the way I like and don't want to do that again. And, it's a challenge, so why not...

Current Configuration

delappy:/# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3             9.2G  1.9G  6.9G  22% /
tmpfs                 249M     0  249M   0% /lib/init/rw
udev                   10M  108K  9.9M   2% /dev
tmpfs                 249M     0  249M   0% /dev/shm
/dev/hda1              96M   47M   44M  52% /boot
/dev/hda6              42G  2.6G   37G   7% /home
/dev/hda5             3.7G  991M  2.6G  28% /var
delappy:/# fdisk -l

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00055945

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14         136      987997+  82  Linux swap / Solaris
/dev/hda3             137        1353     9775552+  83  Linux
/dev/hda4            1354        7296    47737147+   5  Extended
/dev/hda5            1354        1840     3911796   83  Linux
/dev/hda6            1841        7296    43825288+  83  Linux

As you can see, I've already got the disk partitioned out, and while I'd like to use something like LVM, at the moment, I don't think I will.

The Plan

The plan is pretty simple. First, since there's room on hda3 (the current /), I'll move the existing data (home and var) into that partition and go from there. I can lay encryption over the existing partitions and move the data back. I'll use hda6 as / temporarily while encrypting hda3, then move everything back, carve it up into its various parts, and end up fully encrypted except for swap.

There are other details to work out as well. For example, I plan to put the root key on an SD card so that it can be used as a boot key. This will be much easier than keeping track of a really really long passkey, though the passkey will still work if I somehow lose the SD card.
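What the hda3 step and the SD-card key would look like on the command line, as an added example that is not the post's own commands: one LUKS key slot holds the passphrase and a second holds a random key file on the card, so either unlocks the partition. The mapper name, SD card device, key path, filesystem type and the use of Debian's passdev keyscript in crypttab are assumptions; the destructive part only runs when DO_ENCRYPT=yes is set, so the helper functions can be tried safely first.

```shell
#!/bin/sh
# Added example (not from the original post). Device names, mount points,
# key path, mapper name and filesystem type below are assumptions.
set -eu

PART=/dev/hda3                  # partition being converted (from the post's layout)
MAPNAME=hda3_crypt              # assumed /dev/mapper name
KEYDEV=/dev/mmcblk0p1           # assumed SD card device
KEYPATH=/luks.key               # assumed key file path relative to the card's root
KEYFILE=/media/sdcard$KEYPATH   # where that file sits once the card is mounted

# Generate a random key file readable only by root. umask 077 makes the file
# 0600 before any bytes are written, so it never exists world-readable.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null )
    chmod 0400 "$1"
}

# Sanity check a key file: it exists, holds at least 32 bytes, and grants no
# group or other access (ls columns 5-10 are the group/other permission bits).
check_keyfile() {
    [ -f "$1" ] || return 1
    [ $(wc -c < "$1") -ge 32 ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
}

# Build the /etc/crypttab entry. The volume is named by UUID (stable if the
# device is renamed); Debian's passdev keyscript reads the key from
# <device>:<path> at boot. The passphrase slot remains usable by hand.
crypttab_line() {
    # $1 mapper name, $2 LUKS UUID, $3 key device, $4 key path on that device
    printf '%s UUID=%s %s:%s luks,keyscript=passdev\n' "$1" "$2" "$3" "$4"
}

if [ "${DO_ENCRYPT:-}" = yes ]; then
    make_keyfile "$KEYFILE"
    check_keyfile "$KEYFILE"
    cryptsetup luksFormat "$PART"              # prompts for the passphrase (slot 0)
    cryptsetup luksAddKey "$PART" "$KEYFILE"   # adds the SD-card key (slot 1)
    UUID=$(cryptsetup luksUUID "$PART")
    crypttab_line "$MAPNAME" "$UUID" "$KEYDEV" "$KEYPATH" >> /etc/crypttab
    cryptsetup luksOpen "$PART" "$MAPNAME" --key-file "$KEYFILE"
    mkfs.ext3 /dev/mapper/"$MAPNAME"           # fresh filesystem; copy the data back onto it
fi
```

Running it without DO_ENCRYPT only defines the helpers, which is the state to test the key file check and the crypttab line in before touching hda3.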

I'm sure there are more details to be worked out and I plan to keep notes on it all as I go along and ultimately, I'll post the results here.

These are the places I've used for research prior to embarking on this:

and surely others. I'll try to add them as I go.