HOWTO: Install Ubuntu 7.04 using debootstrap to an encrypted root partition

Background

I have wanted to run my laptop with an encrypted root partition for a while now, and I have finally sat down and worked out how to do it without using any temporary partitions, as other guides do. I use debootstrap on another GNU/Linux host to prepare the hard disc. For this guide I am using a 20GB 2.5″ laptop hard disc connected to my workstation through a USB adapter. This is still a work in progress; as with all things, YMMV.

Disclaimer

Please be aware that this guide contains some nasty lines of shell script which will eradicate the contents of /dev/sdb by default; please change this to suit your situation. I am not responsible for your actions whether you use my guide or not, and I may not be held responsible for anything you do to your system(s), no matter how destructive or terminal. That said, I have used this guide to the letter four times over and have not had a single problem.

You have been warned.

Method

  1. Getting Started

    We need to set up our host machine with a few utilities to be able to install our new system. For this guide I am assuming you are running Debian or Ubuntu GNU/Linux.

    $ sudo aptitude install debootstrap cryptsetup hashalot xfsprogs fdisk grub

    debootstrap notes for specific Ubuntu/Debian versions:

    1. Ubuntu 6.06

      Install debootstrap from edgy-backports.

    2. Ubuntu <6.06 and Debian GNU/Linux

      Install debootstrap by downloading manually from the Ubuntu archive.

    Connect up your hard disc drive to the host computer.

  2. Prepare the disc

    Partition the disc; I use fdisk personally.

    WARNING: This will write a new partition table, preventing access to any data currently on the disc. Ensure you have selected the correct disc.

    $ echo -e "o\nn\np\n1\n\n+100M\nn\np\n2\n\n+200M\nn\np\n3\n\n\na\n1\nw\n" | sudo fdisk /dev/sdb

    You can do the same in parted like this, but fdisk is preferred.

    $ sudo parted /dev/sdb mklabel msdos mkpart primary ext2 0 100MB mkpart primary ext2 100MB 300MB  mkpart primary ext2 300MB 100% set 1 boot on

    This creates a 100MB boot partition, a 200MB partition for swap and the rest is used for the root.

  3. Wipe the disc clean

    Erase all the data off the hard disc; we don’t want the bad guys finding all your old pr0n, right?

    $ sudo /sbin/badblocks -s -w -t random -v /dev/sdb1
    $ sudo /sbin/badblocks -s -w -t random -v /dev/sdb2
    $ sudo /sbin/badblocks -s -w -t random -v /dev/sdb3
    $ # dd honours only the last of= operand, so loop over the partitions instead of brace-expanding them
    $ for p in 1 2 3; do sudo dd if=/dev/urandom of=/dev/sdb$p; done

    These extra steps are untested by me.

    If you want a bit more security install wipe and then run it over the three partitions like so:

    $ sudo aptitude install wipe
    $ sudo wipe -kq /dev/sdb{1,2,3}

    If you really want to be secure, you should use DBAN.

  4. Create the file systems

    Now we need to prepare the partitions with some file systems. I am going to be using ext2 for the first partition (boot), swap for the second (swap) partition, and an xfs file system on top of a LUKS-encrypted partition for the system root. You can use ext3 instead of xfs; it should work just as well.

    $ sudo mkfs -t ext2 /dev/sdb1
    $ sudo mkswap /dev/sdb2
    $ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sdb3
    $ sudo cryptsetup luksOpen /dev/sdb3 root
    $ sudo mkfs -t xfs /dev/mapper/root

  5. Mount the root

    Now we need to mount the root partition, like so:

    $ sudo mount /dev/mapper/root /mnt

  6. Install Ubuntu 7.04

    This is where we begin to create our base installation of Ubuntu using debootstrap.

    $ export DEBOOTSTRAP_DIR="/usr/lib/debootstrap"
    $ sudo debootstrap --include="language-pack-en,language-pack-en-base,dmsetup,cryptsetup,hashalot,initramfs-tools,nano" --components=main,universe --verbose --arch i386 feisty /mnt http://archive.ubuntu.com/ubuntu $DEBOOTSTRAP_DIR/scripts/feisty

    You can replace http://archive.ubuntu.com/ubuntu with a mirror closer to you; this will speed up the process and reduce load on the master Ubuntu mirror.

    You can change the en to your native language code (see the list of language packs).

    Go get either a beverage, a light snack, or, my personal favourite, some confectionery: this will take a short while, depending on your Internet connection.

  7. Configure Networking

    Once we have our Ubuntu installation we need to configure it; normally the installer would do this, but today we take its place. Be careful not to nuke your host's configuration.

    $ # Set Hostname
    $ echo "hostname" | sudo tee /mnt/etc/hostname
    $ # Network Config (adjust as required)
    $ sudo cp /etc/network/interfaces /mnt/etc/network/
    $ sudo cp /etc/resolv.conf /mnt/etc/
    $ # Setup hosts file (adjust as required)
    $ cat /etc/hosts | sed "s/`cat /etc/hostname`/`cat /mnt/etc/hostname`/" | sudo tee /mnt/etc/hosts
    
  8. Configure the boot image

    $ sudo nano /mnt/etc/initramfs-tools/modules
    # List of modules that you want to include in your initramfs.
    #
    # Syntax:  module_name [args ...]
    #
    # You must run update-initramfs(8) to effect this change.
    #
    # Examples:
    #
    # raid1
    # sd_mod
    
    # IDE Discs
    ide-core
    ide-cd
    ide-disk
    ide-generic
    
    # SCSI Discs
    scsi_mod
    sd_mod
    
    # USB Discs
    #usbcore
    #ehci-hcd
    #ohci-hcd
    #uhci-hcd
    #usbhid
    #usb-storage
    
    # Encryption Stuff
    aes
    cbc
    sha1
    sha256
    $ sudo cp /mnt/usr/share/initramfs-tools/hooks/cryptroot /mnt/etc/initramfs-tools/hooks/
    $ sudo cp /mnt/usr/share/initramfs-tools/hooks/udev /mnt/etc/initramfs-tools/hooks/
    $ sudo cp /mnt/usr/share/initramfs-tools/scripts/local-top/cryptroot /mnt/etc/initramfs-tools/scripts/local-top/
    $ sudo cp /mnt/usr/share/initramfs-tools/scripts/init-premount/udev /mnt/etc/initramfs-tools/scripts/init-premount/
    $ echo -e "--- /mnt/usr/share/initramfs-tools/scripts/local-top/cryptroot  2007-02-04 20:46:06.000000000 +0000\n+++ /mnt/etc/initramfs-tools/scripts/local-top/cryptroot        2007-02-05 02:13:53.975074750 +0000\n@@ -173,0 +174,5 @@\n+       # Try waiting a little while, maybe udev is being slow (Chris Smith <chris.smith@cs278.org>)\n+       if [ ! -e $cryptsource ]; then\n+               sleep 1\n+       fi\n+\n" | sudo patch -u /mnt/etc/initramfs-tools/scripts/local-top/cryptroot -
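Review bot: the `if [ ! -e $cryptsource ]; then sleep 1; fi` added at line 174 waits exactly once, so a device that udev takes more than a second to create still hits the original failure; a bounded loop such as `i=0; while [ ! -e "$cryptsource" ] && [ $i -lt 10 ]; do sleep 1; i=$((i+1)); done` tolerates a slower udev without ever hanging the boot, and quoting `$cryptsource` protects against word splitting. Note also that the hunk header `@@ -173,0 +174,5 @@` carries no context lines, so `patch` can only place it by line number; if the Feisty cryptroot script changes, the hunk lands in the wrong spot or is rejected, so inspect the patched script before running update-initramfs.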

    The patch adds a one-second sleep if the device is not found; this is because the udev symlinks can sometimes take a little while to be created, and I have not found a more elegant solution to this that works all the time.

  9. Configure the file systems

    We need to configure the system so it can mount the required partitions once it boots.

    $ sudo nano /mnt/etc/fstab
    # /etc/fstab: static file system information.
    #
    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    proc            /proc           proc    defaults        0       0
    # /dev/hda3
    /dev/mapper/root /               xfs     defaults         0       1
    # /dev/hda1
    UUID=hda1_uuid /boot           ext2    defaults        0       2
    # /dev/hda2
    UUID=hda2_uuid none            swap    sw              0       0
    /dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0

    We are unable to use the UUID for the root partition because initramfs-tools cannot handle it; with a UUID there we are left with an unbootable system.

    $ sudo nano /mnt/etc/crypttab
    # <target name> <source device>         <key file>      <options>
    root /dev/disk/by-uuid/hda3_uuid none luks
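One way to replace the hda1_uuid, hda2_uuid and hda3_uuid placeholders above with real values, as an added example that is not part of the original guide: it parses `blkid` output (a constructed sample below, device names as in the text) and emits the fstab and crypttab entries from this step, keeping the root on /dev/mapper/root for the reason given.

```shell
#!/bin/sh
# Added example, not part of the original guide: fill the hda1_uuid,
# hda2_uuid and hda3_uuid placeholders of step 9 from `blkid` output.
# The root line stays /dev/mapper/root because initramfs-tools in 7.04
# cannot resolve a UUID for it (see the text). Device names are the
# guide's; the UUIDs in the sample are constructed. Real use on the host:
#   make_fstab    "$(sudo blkid /dev/sdb1 /dev/sdb2)" | sudo tee /mnt/etc/fstab
#   make_crypttab "$(sudo blkid /dev/sdb3)"           | sudo tee /mnt/etc/crypttab
BOOT_DEV=/dev/sdb1; SWAP_DEV=/dev/sdb2; ROOT_DEV=/dev/sdb3

# Constructed sample of what blkid prints for the three partitions.
SAMPLE_BLKID='/dev/sdb1: UUID="0a1b2c3d-0001-4000-8000-000000000001" TYPE="ext2"
/dev/sdb2: UUID="0a1b2c3d-0002-4000-8000-000000000002" TYPE="swap"
/dev/sdb3: UUID="0a1b2c3d-0003-4000-8000-000000000003" TYPE="crypto_LUKS"'

# uuid_of BLKID_OUTPUT DEVICE -> the UUID of DEVICE; exit 1 if it is absent,
# so a typo in the device name cannot silently produce an empty UUID= entry.
uuid_of() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev { for (i = 2; i <= NF; i++)
            if (sub(/^UUID="/, "", $i)) { sub(/"$/, "", $i); print $i; found = 1 } }
        END { exit !found }'
}

# make_fstab BLKID_OUTPUT -> the fstab body from step 9 with real UUIDs.
make_fstab() {
    boot=$(uuid_of "$1" "$BOOT_DEV") || return 1
    swap=$(uuid_of "$1" "$SWAP_DEV") || return 1
    printf '%s\n' \
        '# <file system> <mount point>   <type>      <options>    <dump> <pass>' \
        'proc             /proc          proc        defaults     0      0' \
        '/dev/mapper/root /              xfs         defaults     0      1' \
        "UUID=$boot /boot ext2 defaults 0 2" \
        "UUID=$swap none  swap sw       0 0" \
        '/dev/scd0        /media/cdrom0  udf,iso9660 user,noauto  0      0'
}

# make_crypttab BLKID_OUTPUT -> the crypttab line from step 9; refuses a
# source device that blkid does not report as a LUKS container.
make_crypttab() {
    printf '%s\n' "$1" | grep -q "^$ROOT_DEV: .*TYPE=\"crypto_LUKS\"" || return 1
    root=$(uuid_of "$1" "$ROOT_DEV") || return 1
    printf 'root /dev/disk/by-uuid/%s none luks\n' "$root"
}
```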
  10. Configure the Kernel

    $ echo "do_initrd = yes" | sudo tee -a /mnt/etc/kernel-img.conf

  11. Prepare to chroot

    Now we need to prepare to chroot into the installation and actually do all the configuration. Let's mount all the required bits.

    $ sudo mount /dev/sdb1 /mnt/boot
    $ sudo mount -o bind /dev /mnt/dev
    $ sudo mount -o bind /sys /mnt/sys
    $ sudo mount -t proc proc /mnt/proc

  12. chroot and configure

    Let's chroot in and perform the steps we need to take.

    $ sudo chroot /mnt
    # Configure the keyboard
    # dpkg-reconfigure console-setup
    # aptitude update
    # aptitude install grub linux-image-generic
    

    If you are not using xfs for the root file system you can skip this step.

    # aptitude install xfsprogs
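    Before leaving the chroot, a check worth running (an added example, not from the original guide): it inspects a `cpio` listing of the initramfs that the kernel install just generated for the files the cryptroot hook installs and for the modules from step 8. The listing, the kernel version and the exact paths below are constructed sample data and assumptions about the standard cryptsetup/initramfs-tools layout.

```shell
#!/bin/sh
# Added example, not from the original guide: before leaving the chroot,
# check that the initramfs built by the linux-image-generic install contains
# what the cryptroot hook and the modules list from step 8 should have put
# there. Paths follow the standard cryptsetup/initramfs-tools layout
# (assumption); the listing and kernel version below are constructed.
# Real use inside the chroot:
#   for f in /boot/initrd.img-*; do
#       check_initramfs "$(zcat "$f" | cpio -it 2>/dev/null)" && echo "$f: ok"
#   done

# Constructed excerpt of `zcat initrd.img | cpio -it` output.
SAMPLE_LISTING='bin/sh
sbin/cryptsetup
conf/conf.d/cryptroot
scripts/local-top/cryptroot
scripts/local-top/udev
lib/modules/2.6.20-15-generic/kernel/crypto/aes.ko
lib/modules/2.6.20-15-generic/kernel/crypto/cbc.ko
lib/modules/2.6.20-15-generic/kernel/crypto/sha256.ko
lib/modules/2.6.20-15-generic/kernel/drivers/md/dm-mod.ko
lib/modules/2.6.20-15-generic/kernel/drivers/md/dm-crypt.ko'

# check_initramfs LISTING -> reports each missing item; exit 1 if any is missing.
# Entries may carry a leading ./ depending on how cpio was fed, so both are
# accepted. Caveat: a module built into the kernel never appears in the listing
# and is reported missing here; confirm against /boot/config-* before worrying.
check_initramfs() {
    missing=0
    # Files the cryptroot hook installs: the binary, its config, the unlock script
    for path in sbin/cryptsetup conf/conf.d/cryptroot scripts/local-top/cryptroot; do
        printf '%s\n' "$1" | grep -Eqx "(\./)?$path" \
            || { echo "missing: $path"; missing=1; }
    done
    # dm-crypt plus the modules behind the luksFormat cipher aes-cbc-essiv:sha256
    # ([^/]* also accepts variants such as aes-i586.ko)
    for mod in dm-crypt aes cbc sha256; do
        printf '%s\n' "$1" | grep -Eq "^(\./)?lib/modules/.*/$mod[^/]*\.ko$" \
            || { echo "missing module: $mod"; missing=1; }
    done
    return $missing
}
```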
  13. Leave the chroot

    # exit

  14. Install Bootloader

    We must install grub now, from another terminal (outside the chroot).

    $ sudo grub-install --recheck --root-directory=/mnt/ /dev/sdb
    $ sudo rm -f /mnt/boot/grub/device.map

  15. Wrapping Up

    Finally:

    $ sudo chroot /mnt update-grub -y
    $ sudo umount /mnt/{sys,dev,proc,boot,}
    $ sudo cryptsetup luksClose root
    $ sudo eject /dev/sdb

  16. First Boot

    The first time you boot the newly prepared installation all should go smoothly; to log in, use the user name root. You now need to install some important packages to turn this very primitive system into a full Ubuntu beast.

    Make sure your network is working before you move on!

    WIP:
    # dpkg-reconfigure --all --unseen-only
    # aptitude -dy install ubuntu-standard ubuntu-desktop
    # tasksel install ubuntu-desktop
    # reboot

References

Change Log

0.9.1
  * Added <http://www.inittab.de/manuals/debootstrap.html> as a reference
  -- Chris Smith <null@cs278.org>  Tue,  6 Feb 2007 05:24:56 +0000

0.9.0
  * Initial Version
  -- Chris Smith <null@cs278.org>  Sun,  4 Feb 2007 16:35:00 +0000

3 Responses to “HOWTO: Install Ubuntu 7.04 using debootstrap to an encrypted root partition”

  1. [...] am in the process of writing a guide detailing how it is possible to install Ubuntu 7.04 (yet to be released) on to a hard disc for a [...]

  2. [...] explain because I am in an experimentation and learning phase, but for example you can look here, where they explain how to do it, although in English and for Ubuntu 7.04. Obviously do not follow it to [...]
