Linode Library Home
Linode Library RSS Feed
Home :: Security
Print View View Source

Full Disk Encryption

Published: by

Full disk encryption protects the information stored on your Linode's disk images by converting it into unreadable code that can only be deciphered by authorized individuals. Nearly everything on the disk is encrypted, including the swap space and temporary files. This guide will help you implement full disk encryption on a Linode running Debian 7 (Wheezy). You'll learn how to:

Contents

Potential Drawbacks

Full disk encryption does a great job of keeping your data secure, but there are a few caveats. To decrypt and mount the disk image, you'll need to enter the encryption passphrase in the console every time your Linode boots. And some Linode Manager tools may not work as expected if your disk images are encrypted. You'll need to manually resize your filesystem if you want to resize your disk image. You'll also need to implement your own backup solution since the Linode Backup Service can't mount encrypted disk images.

Getting Started

Ready to encrypt your Linode's disk images? Here's how to prepare a Linode for full disk encryption:

  1. Create a new Linode in the data center of your choice.

  2. Make at least three unformatted / raw disk images for your Linode. You'll probably want to use the rest of your disk quota for your main disk image.

    • A /boot image, which will be unencrypted. In most cases, 128-256MB will be suitable for /boot.
    • A swap image. You'll need to choose an appropriate swap size based your particular needs.
    • A root image to store the files in the root of your filesystem.
  3. After you have created these disk images, you'll want to boot into Finnix from the Rescue tab. Ensure that your disk images are attached as follows:

    • /boot xvda
    • swap xvdb
    • / xvdc

You've successfully created the disk images for your Linode.

Creating a Configuration Profile

Next, you'll need to create a configuration profile for the new Linode. Here's how to do it:

  1. Create a new configuration profile in the Linode Manager.
  2. Select the pv-grub-x86_64 kernel from the Kernel menu.
  3. In the Block Device Assignment section, select the disk images you created in the previous section of this guide.
  4. Disable the Automount devtmpfs and Xenify Distro settings.
  5. Save the configuration profile.

Congratulations! You're now ready to set up full disk encryption on your Linode.

Enabling Full Disk Encryption

Now you're ready to enable full disk encryption on your Linode running Debian 7 (Wheezy). Here's how to do it:

  1. Reboot into Finnix from the Rescue tab in the Linode Manager.

  2. Connect to LISH, which will allow you to access the Linode's virtual console.

  3. Enter the following command to create an encrypted volume. You'll be prompted for a passphrase. Make sure that you enter a very strong passphrase, and that you store the passphrase in a physically secure location. Or better yet, memorize the passphrase and don't store it anywhere!

    cryptsetup luksFormat /dev/xvdc
    

Warning

If you lose this passphrase your data will be irretrievable!

Note

You may receive a FATAL notice about loading a kernel modeule used for hardware crypto acceleration. This message can be safely ignored.

  1. Open this encrypted device for access by entering the following command. Enter your passphrase when prompted.

    cryptsetup luksOpen /dev/xvdc crypt-xvdc
    
  2. Create the file systems by entering the following commands, one by one. Use ext2 for /boot, and ext3 for /.

    mke2fs /dev/xvda
    mke2fs -j /dev/mapper/crypt-xvdc
    
  3. Create and activate your swap partition by entering the following commands, one by one:

    cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
    mkswap /dev/mapper/crypt-swap
    swapon /dev/mapper/crypt-swap
    

Note

Swap will not persist through reboots, so a random key will be used to encrypt swap data.

  1. Mount the encrypted volume to make it writable by entering the following commands, one by one:

    mkdir mnt
    mount /dev/mapper/crypt-xvdc mnt/
    

You have successfully enabled full disk encryption, created the file systems, and mounted the encrypted volume.

Installing Debian and Mounting the Disks

Now it's time to install Debian 7 (Wheezy) and mount the disks. Here's how to do it:

  1. Use debootstrap to install a minimal Debian installation by entering the following command:

    debootstrap --arch=amd64  --include=openssh-server,vim,nano,cryptsetup wheezy mnt/
    
  2. Mount /dev/xvda and a few other things in preparation for changing root into the newly created Debian system, then changing root into the new install. Enter the following commands, one by one:

    mount /dev/xvda mnt/boot/
    mount -o bind /dev mnt/dev/
    mount -o bind /dev/pts/ mnt/dev/pts
    mount -t proc /proc/ mnt/proc/
    mount -t sysfs /sys/ mnt/sys/
    chroot mnt/ /bin/bash
    

You have successfully installed Debian and mounted the disks on your Linode.

Configuring Debian

Now that you're "inside" the newly installed Debian system, you'll need to make the following changes to create a system that boots and works correctly. Please follow these steps with care. Any error will mean your system will not boot! Here's how to configure Debian:

  1. Edit /etc/crypttab to match the following:

    crypt-xvdc      /dev/xvdc               none            luks
    crypt-swap      /dev/xvdb               /dev/urandom    swap
    
  2. Edit /etc/fstab to match the following:

    /dev/xvda               /boot   ext2    defaults
    /dev/mapper/crypt-xvdc  /       ext3    noatime,errors=remount-ro
    /dev/mapper/crypt-swap  none    swap    sw
    proc                    /proc   proc    defaults
    
  3. Modify /etc/mtab by entering the following command:

    cat /proc/mounts > /etc/mtab
    
  4. Configure console access. Note that your console must be configured correctly to boot. Edit /etc/inittab and find the following line:

    0:2345:respawn:/sbin/getty 38400 tty1
    
  5. Change the line in /etc/inittab to match the following:

    0:2345:respawn:/sbin/getty 38400 hvc0
    
  6. Install a kernel and a bootloader, and then configure the bootloader to boot your kernel by entering the following commands, one by one:

    mkdir /boot/grub
    apt-get install grub-legacy
    apt-get install linux-image-amd64
    
  7. Locate the following line in /boot/grub/menu.lst:

    # kopt=root=/dev/mapper/crypt-xvdc ro
    
  8. Change the line in /boot/grub/menu.lst to match the following. This will allow update-grub to properly generate a new menu.lst when you update your kernel.

    # kopt=root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro
    
  9. Run update-grub and generate a new initramfs by entering the following commands, one by one:

    update-grub
    update-initramfs -u
    

You have successfully configured Debian for full disk encryption.

Tidying Up

You're almost finished! Just a couple more steps and you'll have a Linode with encrypted disk images:

  1. You'll need to make some changes to the structure in /boot due to the way pvgrub expects to see your boot disk. Enter the following commands, one by one:

    cd /boot
    mkdir boot/
    mv grub boot/
    ln -nfs boot/grub grub
    
  2. Set the password for the root user by entering the following command:

    passwd
    
  3. Configure networking by editing /etc/network/interfaces to match the following:

    auto lo eth0
    iface lo inet loopback
    iface eth0 inet dhcp
    
  4. Now exit chroot, unmount your disk images, and reboot. You can do this by detaching the screen session and entering the "reboot" command in LISH:

    exit
    umount -l mnt/
    ^a^d
    reboot 1
    

If everything is configured properly your Linode will boot and prompt you for the encryption passphrase. Enter the passphrase on your console to mount your encrypted disk image and boot your Linode. Now you'll want to follow the steps in our Getting Started guide.

Creative Commons License

This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Tim Heckman on Friday, August 16th, 2013 (r3610).