ISSUE
Security and privacy matter to anyone who keeps important data on a computer.
Preventing data leakage, for example when a laptop is stolen, is essential, because cleaning up such an “incident” can cost tens of times more than even the most expensive laptop. (This applies especially to DevOps engineers.)
For an IT specialist in general, an encrypted disk is an easy sign of professionalism, much as a neat appearance is for a bank employee.
INTRODUCTION
This article is for anyone who wants to set up disk encryption with LUKS on a computer running Ubuntu 22.04. It contains the setup instructions (the “Instructions” section), excerpts from articles for readers who want to understand the subject in more depth (the “Reference Information” section), and a list of useful articles (the “Sources” section).
If you prefer to understand what the instructions do before carrying out the steps one by one, here is a short summary of them:
- Partition the physical disk into logical parts (partitions, volumes).
- Create encrypted partitions on top of virtual volumes.
- Install the operating system.
- Configure the operating system.
Brief description of the technology (can be skipped)
A physical disk can be divided into logical parts (partitions, volumes) for convenience. For example, one partition holds the system and the files needed to boot the operating system, a second holds user data (photos, contacts, important information), and a third holds games and films. To take advantage of this, we “partition” the disk while installing the operating system (this can also be done on an already installed system, but here we only consider the case of installing the operating system).
As mentioned above, one of the partitions will hold what is needed to boot the operating system. The device we use the disk with must recognize the partition that holds the operating system so that it can start the OS after power-on, and it must also recognize the remaining partitions so that the OS can write data to them.
Information about partitions is recorded in a partition table. There are two partition-table structures, MBR (Master Boot Record) and GPT (GUID Partition Table), which are two different ways of storing information about disk partitions; both are described briefly in the “Reference Information” section. After partitioning the disk we must decide which partitions need to be encrypted, that is, on which partitions important information will be stored in the future.
Linux supports several cryptographic methods for protecting partitions, individual directories or an entire hard drive. In each of them the data is encrypted and decrypted automatically, on the fly. This article covers disk encryption with LUKS (briefly described in the “Reference Information” section) when installing Ubuntu 22.04.
Please note that this procedure formats the disk, so all data on it will be lost; we recommend moving it somewhere safe beforehand.
INSTRUCTIONS FOR DISK ENCRYPTION ON UBUNTU 22.04
To start installing the OS on the device we need an image of the OS on removable media (USB drive, DVD, etc.). For how to make a bootable USB drive with Ubuntu, see the link in the “Sources” section.
CREATE PARTITIONS
As mentioned above, we need to logically divide the disk (in our example it is called /dev/sda) into partitions (volumes). In our case there are two main parts: the volumes needed to boot the operating system and the partition we will encrypt.
First boot the Ubuntu 22.04 installer from the USB drive. How to do this differs from device to device, so check how it is done on yours.
So let's begin. Boot the Ubuntu 22.04 image from the USB drive. The files will be unpacked, after which a window like the one in the image below appears. Select “Try Ubuntu”.
Then open a terminal (CTRL+ALT+T) and start the partition editor by entering the gparted command and pressing ENTER. The partition editor opens. Here we need to create a new partition table and the partitions in it. Create the table via Device -> Create Partition Table.
Next, choose the partition table type. In this example we choose GPT, because the computer used here has UEFI firmware.
For the purposes of this article we create three partitions. The first should be a few hundred megabytes in size (300 to 1000 MB) and formatted as ext4 (file systems are described in the “Reference Information” section); it stays unencrypted and is mounted at /boot (/dev/sda1 in the screenshot at the end of this item). This is the OS boot partition, holding the GRUB bootloader configuration files, the Linux kernel images and the initrd files needed for the boot process.
The example below shows the creation of the first primary partition, 1024 MB in size with an ext4 file system.
The example below shows the creation of the second primary partition, 1024 MB in size with a fat32 file system (the EFI partition).
The third primary partition (/dev/sda3 in the screenshot at the end of this paragraph of the instructions) will be encrypted and should be fairly large.
This example assigns all the free space to the third primary partition without specifying a file system:
Next, confirm the creation of the primary partitions:
The result should look something like this (three primary partitions: /dev/sda1, /dev/sda2, /dev/sda3):
!!! Your partitions may be named differently; this is only an example, and the disk sizes will differ from those shown above.
CREATE A LUKS PARTITION
At this step we turn the third primary partition, /dev/sda3, into an encrypted partition, which in turn is divided into two logical volumes: / (the root directory) and /home (the home directory). The Linux directory hierarchy is described in the “Reference Information” section and in more depth in a resource listed under “Sources”.
To do this, go back to the terminal (I recommend running sudo su so that you work with root, i.e. superuser, rights throughout). We need to create a LUKS partition, i.e. turn /dev/sda3 into an encrypted partition. The cryptsetup utility we use encrypts a Linux partition via the dm-crypt kernel module; we use its luksFormat and luksOpen operations.
sudo cryptsetup luksFormat /dev/sda3 - creates the encrypted partition on /dev/sda3. Answer the question Are you sure? with YES in uppercase. You will be prompted for a passphrase: enter it, confirm it, and remember it.
sudo cryptsetup luksOpen /dev/sda3 box - opens the encrypted partition /dev/sda3 as the virtual device box (you will need the passphrase from the previous step). Here box is a name of your choice.
Inside the LUKS partition we create an LVM physical volume, a volume group and two logical volumes. The first logical volume is mounted as / and the second as /home. We split them this way so that future OS reinstallations do not require wiping all user data.
The / (root) partition is the main one in the system: it holds all system files, and the other partitions are attached to it. All programs and updates are installed here as well. If you give this partition 50 gigabytes, you cannot go wrong.
The /home partition is for our own files and documents. It needs plenty of space, so we give it everything that remains. In this example 70 gigabytes are allocated to / and everything else to /home.
sudo pvcreate /dev/mapper/box - creates a physical volume on the virtual device box (which lives on the third primary partition, /dev/sda3) so that a volume group can be created in it.
sudo vgcreate vgbox /dev/mapper/box - creates a volume group named vgbox on /dev/mapper/box.
sudo lvcreate -n lvboxroot -L 70g vgbox - creates in the volume group vgbox the 70 GB logical volume lvboxroot, which will hold the root directory (/).
sudo lvcreate -n lvboxhome -l 100%FREE vgbox - creates in the volume group vgbox the logical volume lvboxhome from all the remaining space; it will hold the user files (/home).
SYSTEM INSTALLATION
Before installing the system itself, we need to assign mount points to the boot primary partitions and to the logical volumes in the encrypted partition, and to specify their file system formats. Mount points are assigned so that in the next step these volumes can be mounted into the main system, i.e., roughly speaking, so that the future system can see and use them.
To start installing the OS, open the graphical installer (its shortcut is on the desktop). The next step is choosing the language and keyboard layout. Then we reach the installation type; in this example we choose “Normal installation”, which installs not only the OS but also a web browser, useful utilities, office software, games and media players.
Next, choose “Something else” so that we get back to the disk layout and can assign the mount points and file systems to our virtual volumes.
We reach the disk layout. Change each partition by double-clicking it and selecting the file system and mount point. We need to assign:
- mount point / to /dev/mapper/vgbox-lvboxroot (our virtual disk with the root directory), ext4 format;
- mount point /home to /dev/mapper/vgbox-lvboxhome (virtual disk with user data), ext4 format;
- mount point /boot to /dev/sda1 (boot partition), ext4 format;
- the EFI System Partition to /dev/sda2, fat32 format.
Below is an example in which the partition table shows our logical volumes and the boot partition.
An example of setting the mount point and file system format for /dev/mapper/vgbox-lvboxroot (root directory) is also shown below.
In this example the resulting table looks like this:
In the field with the disk name /dev/sda (the name may differ), select our entire hard drive. To start the installation, click “Install now”. Then choose a location, enter personal details and passwords, and run the installation.
ATTENTION!!! After installation, do not reboot the computer (the system will ask you to); instead go back to the terminal to mount the partitions into the installed OS.
MOUNTING PARTITIONS
At this step we mount the partitions and the system pseudo-file systems into the root of the installed system. To use the partitions created earlier, we mount the corresponding devices at the appropriate places under /mnt.
sudo mount /dev/mapper/vgbox-lvboxroot /mnt - mounts the root directory at /mnt.
sudo mount /dev/mapper/vgbox-lvboxhome /mnt/home - mounts the home directory at /mnt/home.
sudo mount /dev/sda1 /mnt/boot - mounts the boot partition /dev/sda1 at /mnt/boot.
sudo mount --bind /dev /mnt/dev - bind-mounts the /dev directory at /mnt/dev.
Then we perform the following steps:
- sudo chroot /mnt - runs a shell with its root directory changed to /mnt; we do this to get access to file systems such as proc, sysfs and devpts (see the “Reference Information” section). These file systems must be reachable from the chroot environment for the main programs to work properly;
- mount -t proc proc /proc - mounts the proc file system at /proc in the new root; it contains files with information about running processes that the kernel uses to present the state of the system;
- mount -t sysfs sys /sys - mounts the sysfs file system at /sys in the new root; it contains data about the system itself, such as information about the kernel, drivers and devices, and through it various kernel settings can be changed at runtime;
- mount -t devpts devpts /dev/pts - mounts the devpts file system at /dev/pts in the new root; it provides the pseudo-terminals (PTY/tty; see the link in the “Sources” section).
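As an added check (not part of the original article), the script below reads the output of findmnt -rn -o TARGET,SOURCE,FSTYPE and reports which of the mounts listed above are still missing or point at the wrong device; the device and volume names are the ones used in this article, and the sample findmnt table is constructed.

```shell
#!/bin/sh
# Added example (not from the article): check that the mounts the chroot step
# needs are in place before running update-initramfs.  The input is the output
# of `findmnt -rn -o TARGET,SOURCE,FSTYPE`; SAMPLE_FINDMNT is constructed data.

# Expected mounts under /mnt, in the order the article creates them:
# target|source|fstype, where '-' accepts any value.
EXPECTED='/mnt|/dev/mapper/vgbox-lvboxroot|ext4
/mnt/home|/dev/mapper/vgbox-lvboxhome|ext4
/mnt/boot|/dev/sda1|ext4
/mnt/dev|-|-
/mnt/proc|-|proc
/mnt/sys|-|sysfs
/mnt/dev/pts|-|devpts'

# Constructed sample: everything mounted except /dev/pts.
SAMPLE_FINDMNT='/mnt /dev/mapper/vgbox-lvboxroot ext4
/mnt/home /dev/mapper/vgbox-lvboxhome ext4
/mnt/boot /dev/sda1 ext4
/mnt/dev udev devtmpfs
/mnt/proc proc proc
/mnt/sys sys sysfs'

# Print each expected target that is absent from the findmnt table in $1,
# or is mounted from the wrong device / with the wrong file system type.
missing_chroot_mounts() {
    table=$1
    printf '%s\n' "$EXPECTED" | while IFS='|' read -r target source fstype; do
        pat="^$target "
        if [ "$source" = - ]; then pat="$pat[^ ]+ "; else pat="$pat$source "; fi
        if [ "$fstype" = - ]; then pat="$pat[^ ]+\$"; else pat="$pat$fstype\$"; fi
        printf '%s\n' "$table" | grep -Eq "$pat" || printf '%s\n' "$target"
    done
}

# Returns 0 when every expected mount is present, 1 otherwise.
chroot_ready() {
    [ -z "$(missing_chroot_mounts "$1")" ]
}

# Demo on the sample table: reports /mnt/dev/pts as still missing.
missing_chroot_mounts "$SAMPLE_FINDMNT"
```

Run it from a second terminal in the live session after the proc, sys and devpts mounts, which the article performs inside the chroot; /dev/sda2 is absent from the list because the article's sequence does not mount it and update-initramfs only writes to /boot.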
INSTALLATION COMPLETION
At this step we must tell the system boot process about the encrypted partition. To do so we need the UUID of the encrypted partition (/dev/sda3). A UUID is a universally unique identifier of a disk partition. Copy the UUID itself.
sudo blkid /dev/sda3 - this command prints the UUID on screen; copy it.
Next, create the file /etc/crypttab, in which we record information about the encrypted volume:
box UUID=<UUID of the block device that holds the encrypted data> none luks,retry=1,lvm=vgbox
Here box is the name of our LUKS container, none means there is no key file and the passphrase is entered at the prompt, luks is the container type, and vgbox is the name of our LVM volume group.
It should look something like the example below:
Run the following command:
update-initramfs -k all -c - this command regenerates the initrd files in /boot with the new rules, so that the system recognizes the encrypted partition and asks for the passphrase before starting.
Reboot the system. After the reboot you will be asked for the passphrase that was set when the LUKS partition was created.
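Added example, not code from the article: a small POSIX sh script that extracts the LUKS UUID from blkid output (rejecting a partition that is not a LUKS container), builds the crypttab line with the names box and vgbox used above, and checks an existing crypttab entry against the device; the blkid line is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article): derive the /etc/crypttab entry from
# blkid output and check an existing entry against it.  The names box, vgbox
# and /dev/sda3 follow the article; SAMPLE_BLKID is constructed sample data.

SAMPLE_BLKID='/dev/sda3: UUID="3c2a7f0e-9b1d-4e6a-8f21-5d0c9a7b6e44" TYPE="crypto_LUKS" PARTUUID="7b1e2c3d-04"'

# Print the UUID from one line of `blkid <device>` output.
# Only a LUKS container qualifies (TYPE="crypto_LUKS"); any other device
# returns 1, which catches copying the UUID of /dev/sda1 or /dev/sda2 by mistake.
luks_uuid_from_blkid() {
    line=$1
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    # The space before UUID= keeps the greedy match off PARTUUID=.
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s\n' "$uuid"
}

# Build the crypttab line "<name> UUID=<uuid> none <options>".
# "none" means no key file, so the initramfs asks for the passphrase.
crypttab_line() {
    printf '%s UUID=%s none luks,retry=1,lvm=%s\n' "$1" "$2" "$3"
}

# Compare an existing crypttab line with the device's blkid output.
# Returns 0 when the UUID matches and the luks option is present,
# 1 when the UUID differs (or the device is not LUKS), 2 when luks is missing.
check_crypttab_entry() {
    entry=$1 blkid_line=$2
    want=$(luks_uuid_from_blkid "$blkid_line") || return 1
    set -- $entry
    have=${2#UUID=}
    [ "$have" = "$want" ] || return 1
    case ",$4," in *,luks,*) return 0 ;; esac
    return 2
}

# Demo: generate the entry for the sample device.
uuid=$(luks_uuid_from_blkid "$SAMPLE_BLKID") &&
    crypttab_line box "$uuid" vgbox
```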
CONCLUSIONS
In this article we looked at how to install Ubuntu 22.04 onto a fully encrypted volume and split that volume into logical volumes for the root and home directories.
REFERENCE INFORMATION
MBR (Master Boot Record)
The Master Boot Record (MBR) is located at the beginning of the disk. Information about the placement of partitions on the hard disk is stored in the partition table, which is part of the MBR. A partition can be either primary or extended. The first sector of each primary partition holds the boot sector, which is responsible for loading the OS from that partition. Which partition is used to boot the operating system is also recorded in the master boot record. The MBR reserves 64 bytes for the partition table and each entry takes 16 bytes, so at most 4 partitions can be created on a hard drive. To get around this limit on the number of partitions, the extended partition was invented. An extended partition is very different from the other partition types: it describes not a partition but a region in which logical drives are placed. MBR uses 32-bit addressing, so this outdated structure can only work with disks of at most 2 TB. Partition information is stored in only one place, the MBR; if the master boot record is damaged, the disk becomes unreadable.
How the system boots with an MBR disk: the self-test runs after power-on -> the BIOS detects the video card -> the BIOS startup screen is displayed -> the RAM test begins -> the connected devices are configured -> the boot device is detected. As soon as the BIOS has detected the boot device, it reads its first sector, where the MBR is located. The MBR checks the partition table and loads the boot sector into RAM. The boot loader in the boot sector is launched first, and it in turn starts loading the OS.
GPT (GUID Partition Table)
According to Wikipedia, GPT is a standard format for the layout of the partition table on a physical hard drive. It is part of the Unified Extensible Firmware Interface (UEFI), a standard proposed by Intel to replace the BIOS. GPT is thus a new generation of disk partitioning that replaced the outdated MBR. GUID stands for Globally Unique Identifier. A GPT disk consists of three parts:
- the primary partition table. It contains the protective MBR, which still holds a master boot record for legacy BIOS, the GPT header and the partition table that the system needs to boot and to access the logical partitions;
- the regular data partitions, the physical location where your data and files are stored;
- the backup partition table, the area of a GPT disk that stores a backup copy of the GPT header and partition table, used if the primary table is lost or corrupted.
LUKS (Linux Unified Key Setup)
According to Wikipedia, LUKS is a disk encryption format specification originally intended for operating systems based on the Linux kernel. Its primary purpose was to provide a user-friendly, standardized way to manage decryption keys. Disk encryption on Linux is performed by the dm-crypt kernel module. This module creates in the /dev/mapper directory a virtual block device whose encryption is transparent to the file system and the user. In reality all data lies on the encrypted physical partition: when the user writes data to the virtual device, it is encrypted on the fly and written to disk; when reading from the virtual device, the reverse happens, the data is decrypted from the physical disk and passed in clear text through the virtual disk to the user.
LUKS partition structure:
- LUKS header;
- key material slots KM1 to KM8;
- encrypted data.
The LUKS header together with the contents of the KM key slots is all the information needed to access the encrypted partition. If the header or the key slots are lost, access to the encrypted data becomes impossible. More on this topic can be found on losst.ru and wikipedia.org.
COMMANDS FOR WORKING WITH BLOCK DEVICES
- lsblk - shows information about block devices (disks and partitions);
- df -h - shows free space on mounted partitions;
- fdisk -l - shows information about disks, partitions and file systems;
- du -sh - shows the total space used by a directory, in human-readable units (MB, GB, TB);
- findmnt - shows all mount points;
- mount /dev/sdb1 /mnt - mounts partition 1 of disk sdb at /mnt;
- pvcreate /dev/sda1 - marks a device for use by LVM (as a physical volume);
- vgcreate [options] <group name> - creates a volume group;
- lvcreate [options] <volume group name> - creates a logical volume.
TYPES OF FILE SYSTEMS FOR LINUX
- Ext2, Ext3, Ext4, or Extended Filesystem: the standard file system. It has the most complete feature set and is the most stable thanks to infrequent changes to its code base. Starting with ext3 the file system uses journaling. Today ext4 is available in all Linux distributions;
- JFS, or Journaled File System, was developed by IBM as an alternative to the ext file systems. It is now used where high stability and minimal resource consumption are required (primarily on multiprocessor computers). The journal stores only metadata, which makes it possible to restore old versions of files after failures;
- ReiserFS was also designed as an alternative to ext3 and is supported only on Linux. Its dynamic block size lets it pack several small files into one block, which prevents fragmentation and improves work with small files. Its disadvantage is the risk of data loss during a power outage;
- XFS is designed for large files and supports disks of up to 2 terabytes. Its advantages are high speed with large files, delayed space allocation, growing partitions on the fly and little overhead; its disadvantages are that partitions cannot be shrunk, data recovery is complex, and files can be lost in a sudden power outage;
- Btrfs, or B-Tree File System, is easy to administer and has high fault tolerance and performance. It is the default file system in openSUSE and SUSE Linux.
FILE SYSTEM FOLDER HIERARCHY
[Figure: Linux file system folder hierarchy. Image source: serverspace.by]
SPECIAL FILE SYSTEMS
The Linux kernel uses special file systems to give users and programs access to its settings and information. The ones you will most often encounter are:
- tmpfs lets you place arbitrary files in the computer's RAM: create a block device of the required size, mount it on a folder, and you can write files to RAM;
- procfs (proc) is mounted by default in the proc folder and contains all the information about the processes running in the system and about the kernel itself;
- sysfs, through which various kernel settings can be changed at runtime;
- devpts provides access to pseudo-terminals (PTY).
USEFUL LINKS
- https://losst.ru/kak-sdelat-zagruzochnuyu-fleshku-ubuntu - writing an Ubuntu OS image to a USB drive;
- https://ru.wikipedia.org/wiki/Master_Boot_Record - MBR;
- https://ru.wikipedia.org/wiki/Partition_Table_GUID - GPT;
- https://habr.com/ru/post/347002/ - MBR and GPT structures;
- https://habr.com/ru/post/327572/ - comparison of GPT and partition structures MBR;
- https://serverspace.by/support/help/struktura-fajlovoj-sistemy-linux/ - Linux folder hierarchy;
- https://losst.ru/tipy-fajlovyh-sistem-dlya-linux - types of file systems;
- https://ru.wikipedia.org/wiki/LUKS - LUKS encryption;
- https://qastack.ru/ubuntu/293028/how-can-i-install-ubuntu-encrypted-with-luks-with-dual-boot#293029 - forum thread on LUKS encryption;
- https://losst.ru/shifrovanie-diskov-v-linux - LUKS encryption;
- https://losst.ru/montirovanie-diska-v-linux - mounting disks;
- https://ru.wikipedia.org/wiki/Chroot - about the chroot command;
- https://serverspace.by/support/help/struktura-fajlovoj-sistemy-linux/ - file system structure and Linux folder hierarchy;
- https://it.wikireading.ru/6638 - pseudo-terminals.