I have a small netbook that I use when I travel, one of the original Asus EeePC’s, the 900.\u00a0 It has a 9″ screen and a 16GB flash drive.\u00a0 It runs Linux, and it’s just about right for accessing email, some light surfing, and doing small tasks like writing blog posts and messing with my checkbook.\u00a0 And since it runs Linux, I can do a lot of nice network stuff with it, like SSH tunneling, VPN’s, and I can even make it act like a wireless access point.<\/p>\n
However, the idea of leaving my little PC in a hotel room while I am out having fun leaves me a little uneasy.\u00a0 I am not concerned with the hardware… it’s not worth much.\u00a0 But I am concerned about my files, and the temporary files like browser cookies and cache.\u00a0 I’d hate for someone to walk away with my EeePC and also gain access to
\ncountless other things with it.<\/p>\n
So this week, I decided to encrypt the main flash drive.\u00a0 Before, the entire flash device was allocated as one device:<\/p>\n
partition 1\u00a0 –\u00a0 16GB\u00a0 –\u00a0 the whole enhilada<\/p>\n
Here’s how I made my conversion.<\/p>\n
(0) What you will need<\/strong>:<\/p>\n (1) Boot the system using a “live USB stick”<\/strong> (you can create one in Ubuntu by going to “System \/ Administration \/ Startup Disk Creator”.\u00a0 Open up a terminal and do “sudo -i” to become root.<\/p>\n (2) Install some tools that you’ll need<\/strong>… they will be installed in the Live USB session in RAM, not on your computer.\u00a0 We’ll install them on your computer later.<\/p>\n (3) Insert an SD card and format it.<\/strong> I formatted the entire card.\u00a0 Sometimes, you might want to make partitions on it and format one partition.<\/p>\n (4) Back up the main disk onto the SD card.<\/strong> The “numeric-owner” option causes the actual owner and group numbers to be stored in the tar file, rather than trying to match the owner\/group names to the names from \/etc\/passwd and \/etc\/group (remember, we booted from a live USB stick).<\/p>\n (5) Re-partition the main disk.<\/strong> I chose 128MB for \/boot.\u00a0 The rest of the disk will be encrypted.\u00a0 The new layout looks like this:<\/p>\n partition 1\u00a0 –\u00a0 128MB\u00a0 –\u00a0 \/boot, must remain unencrypted (6) Make new filesystems on the newly-partitioned disk.<\/strong><\/p>\n (7) Restore \/boot to sda1.<\/strong> It will be restored into a “boot” subdirectory, because that’s the way it was on the original disk.\u00a0 But since this is a stand-alone \/boot partition, we need to move the files to that filesystem’s root.<\/p>\n (8) Make an encrypted filesystem on sda2.<\/strong> We will need a label, so I will call it “cryptoroot”.\u00a0 You can choose anything here.<\/p>\n (9) Restore the rest of the saved files<\/strong> to the encrypted filesystem that lives on sda2.\u00a0 We can remove the extra files in \/boot, since that will become the mount point for sda1.\u00a0 We need to leave the empty \/boot directory in place, though.<\/p>\n (10) Determine the UUID’s<\/strong> of the sda2 device and the encrypted filesystem that sits on top of sda2.<\/p>\n Notice that you’ll also see sda1 (\/boot) and sdb (the SD card) as well as some others, like USB stick.\u00a0 Below, I will refer to the actual UUID’s that we read here as [UUID-LUKS] and [UUID-ROOT].<\/p>\n (11) Do a “chroot” inside the target system.<\/strong> A chroot basically uses the kernel from the Live USB stick, but the filesystem from the main disk.\u00a0 Notice that when you do this, the prompt changes to what you usually see when you boot that system.<\/p>\n (12) Install cryptsetup on the target.<\/strong><\/p>\n (13) Change some of the config files<\/strong> on the encrypted drive’s \/etc so it will know where to find the new root filesystem.<\/p>\n (14) Rebuild the GRUB bootloader<\/strong>, since the files have moved from sda1:\/boot to sda1:\/ .<\/p>\n (15) Update the initial RAM disk<\/strong> so it will know to prompt for the LUKS passphrase so it can mount the new encrypted root filesystem.<\/p>\n (16) Reboot.<\/strong><\/p>\n When it has shut down the Live USB system, you can remove the USB stick and let it boot the system normally.\u00a0 If all went well, you will be prompted for the LUKS passphrase a few seconds into the bootup process.<\/p>\n","protected":false},"excerpt":{"rendered":" I have a small netbook that I use when I travel, one of the original Asus EeePC’s, the 900.\u00a0 It has a 9″ screen and a 16GB flash drive.\u00a0 It runs Linux, and it’s just about right for accessing email, some light surfing, and doing small tasks like writing blog posts and messing with my […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5,12,15],"tags":[],"class_list":["post-338","post","type-post","status-publish","format-standard","hentry","category-software","category-geek","category-security","category-tips-tricks","count-0","even alt","author-alan","last"],"_links":{"self":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts\/338","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/comments?post=338"}],"version-history":[{"count":0,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts\/338\/revisions"}],"wp:attachment":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/media?parent=338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/categories?post=338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/tags?post=338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
ubuntu@ubuntu:~$ sudo -i\nroot@ubuntu:~$ cd \/\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ apt-get install cryptsetup<\/pre>\n
root@ubuntu:\/$ mkfs.ext4 \/dev\/sdb\nroot@ubuntu:\/$ mkdir \/mnt\/sd\nroot@ubuntu:\/$ mount \/dev\/sdb \/mnt\/sd\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ tar --one-file-system --numeric-owner -zcf \/mnt\/sd\/all.tar.gz .\nroot@ubuntu:\/$<\/pre>\n
\npartition 2\u00a0 –\u00a0 15.8GB\u00a0 –\u00a0 everything else, encrypted<\/p>\nroot@ubuntu:\/$ fdisk -l\n\nDisk \/dev\/sda: 16.1 GB, 16139354112 bytes\n255 heads, 63 sectors\/track, 1962 cylinders\nUnits = cylinders of 16065 * 512 = 8225280 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\nDisk identifier: 0x0002d507\n\nDevice Boot\u00a0\u00a0\u00a0\u00a0\u00a0 Start\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 End\u00a0\u00a0\u00a0\u00a0\u00a0 Blocks\u00a0\u00a0 Id\u00a0 System\n\/dev\/sda1\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 17\u00a0\u00a0\u00a0\u00a0\u00a0 136521\u00a0\u00a0 83\u00a0 Linux\n\/dev\/sda2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 18\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1962\u00a0\u00a0\u00a0 15623212+\u00a0 83\u00a0 Linux\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ mkfs.ext4 \/dev\/sda1\nroot@ubuntu:\/$ mkfs.ext4 \/dev\/sda2\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ mkdir \/mnt\/sda1\nroot@ubuntu:\/$ mount \/dev\/sda1 \/mnt\/sda1\nroot@ubuntu:\/$ cd \/mnt\/sda1\nroot@ubuntu:\/mnt\/sda1$ tar --numeric-owner -zxf \/mnt\/sd\/all.tar.gz .\/boot\nroot@ubuntu:\/mnt\/sda1$ mv boot\/* .\nroot@ubuntu:\/mnt\/sda1$ rmdir boot\nroot@ubuntu:\/mnt\/sda1$ cd \/\nroot@ubuntu:\/$ umount \/mnt\/sda1\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ cryptsetup luksFormat \/dev\/sda2\n\nWARNING!\n========\nThis will overwrite data on \/dev\/sda2 irrevocably.\n\nAre you sure? (Type uppercase yes): YES\nEnter LUKS passphrase: ********\nVerify passphrase: ********\nroot@ubuntu:\/$ cryptsetup luksOpen \/dev\/sda2 cryptoroot\nroot@ubuntu:\/$ mkfs.ext4 \/dev\/mapper\/cryptoroot\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ mkdir \/mnt\/sda2\nroot@ubuntu:\/$ mount \/dev\/mapper\/cryptoroot \/mnt\/sda2\nroot@ubuntu:\/$ cd \/mnt\/sda2\nroot@ubuntu:\/mnt\/sda2$ tar --numeric-owner -zxf \/mnt\/sd\/all.tar.gz\nroot@ubuntu:\/mnt\/sda2$ rm -rf boot\/*\nroot@ubuntu:\/mnt\/sda2$ cd \/\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ blkid\n\/dev\/sda1: UUID=\"285c9798-1067-4f7f-bab0-4743b68d9f04\" TYPE=\"ext4\"\n\/dev\/sda2: UUID=\"ddd60502-87f0-43c5-aa28-c911c35f9278\" TYPE=\"crypto_LUKS\"\u00a0\u00a0 << [UUID-LUKS]\n\/dev\/mapper\/root: UUID=\"a613df67-3179-441c-8ce5-a286c16aa053\" TYPE=\"ext4\"\u00a0\u00a0 << [UUID-ROOT]\n\/dev\/sdb: UUID=\"41745452-3f89-44f9-b547-aca5a5306162\" TYPE=\"ext3\"\nroot@ubuntu:\/$<\/pre>\n
root@ubuntu:\/$ mount \/dev\/sda1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/mnt\/sda2\/boot\nroot@ubuntu:\/$ mount --bind \/proc\u00a0\u00a0\u00a0 \/mnt\/sda2\/proc\nroot@ubuntu:\/$ mount --bind \/dev\u00a0\u00a0\u00a0\u00a0 \/mnt\/sda2\/dev\nroot@ubuntu:\/$ mount --bind \/dev\/pts \/mnt\/sda2\/dev\/pts\nroot@ubuntu:\/$ mount --bind \/sys\u00a0\u00a0\u00a0\u00a0 \/mnt\/sda2\/sys\nroot@ubuntu:\/$ chroot \/mnt\/sda2\nroot@enigma:\/$<\/pre>\n
root@enigma:\/$ apt-get install cryptsetup\nroot@enigma:\/$<\/pre>\n
root@enigma:\/$ cat \/etc\/crypttab\ncryptoroot\u00a0 UUID=[UUID-LUKS]\u00a0 none\u00a0 luks\nroot@enigma:\/$ cat \/etc\/fstab\nproc\u00a0 \/proc\u00a0 proc\u00a0 nodev,noexec,nosuid\u00a0 0\u00a0 0\n# \/ was on \/dev\/sda1 during installation\n# UUID=[OLD-UUID-OF-SDA1]\u00a0 \/\u00a0 ext4\u00a0 errors=remount-ro\u00a0 0\u00a0 1\nUUID=[UUID-ROOT]\u00a0 \/\u00a0 ext4\u00a0 errors=remount-ro\u00a0 0\u00a0 1\n\/dev\/sda1\u00a0 \/boot\u00a0 ext4\u00a0 defaults\u00a0 0\u00a0 0\n# RAM disks\ntmpfs\u00a0\u00a0 \/tmp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tmpfs\u00a0\u00a0 defaults\u00a0\u00a0 0\u00a0 0\ntmpfs\u00a0\u00a0 \/var\/tmp\u00a0\u00a0 tmpfs\u00a0\u00a0 defaults\u00a0\u00a0 0\u00a0 0\ntmpfs\u00a0\u00a0 \/var\/log\u00a0\u00a0 tmpfs\u00a0\u00a0 defaults\u00a0\u00a0 0\u00a0 0\ntmpfs\u00a0\u00a0 \/dev\/shm\u00a0\u00a0 tmpfs\u00a0\u00a0 defaults\u00a0\u00a0 0\u00a0 0\nroot@enigma:\/$<\/pre>\n
root@enigma:\/$ update-grub\nroot@enigma:\/$ grub-install \/dev\/sda\nroot@enigma:\/$<\/pre>\n
root@enigma:\/$ update-initramfs -u -v\nroot@enigma:\/$<\/pre>\n
root@enigma:\/$ exit\nroot@ubuntu:\/$ umount \/mnt\/sda2\/sys\nroot@ubuntu:\/$ umount \/mnt\/sda2\/dev\/pts\nroot@ubuntu:\/$ umount \/mnt\/sda2\/dev\nroot@ubuntu:\/$ umount \/mnt\/sda2\/proc\nroot@ubuntu:\/$ umount \/mnt\/sda2\/boot\nroot@ubuntu:\/$ umount \/mnt\/sda2\nroot@ubuntu:\/$ reboot<\/pre>\n