Thursday, 27 March 2008

Setting up encrypted RAID0 in Ubuntu 7.10 (Gutsy Gibbon)

Nowadays you never know when the police will burst into your home and confiscate your computer, and who knows what kinds of sensitive data you might have on it. No Unix password protection is going to help you in this case; what you need is hard drive encryption. Since hard drives are cheap and RAID really boosts hard drive performance, we are going to encrypt a RAID device.

For this setup you'll need
  • 2 or more hard drives (preferably identical)
  • Gutsy Gibbon alternate CD
Start off like your normal install.
Continue until you reach Disk Partitioning and select the manual partitioning method.

Create 3 RAID devices: one for boot, one for swap and ONE for all other stuff (root, home, etc.). Note that we'll set up encrypted swap after installation because there's a bug in the Gutsy installer. For now just create a RAID0 device for swap but don't use it yet.
My setup looks like this:

~100MB for /boot (md0), 1GB for swap (md1) and 3.1GB for everything else (md2). (In a real system you should use the remaining disk space for the last RAID device.)

Hit Enter on md2 and set "Use as" to "physical volume for encryption". Make sure that "Erase data" is set to "no", because erasing will take hours to complete and is not really necessary unless you expect cryptographic attacks on your system in the near future. I chose AES encryption with a 256 bit key.

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.

Back in the partition manager you'll see a new choice, "configure encrypted volume". This will create a new encrypted device (md2_crypt in my case). Inside this device create your root and home partitions.

You should end up with /boot on md0, md1 reserved for swap (not in use yet) and both root and /home on md2_crypt. Now proceed with the install until a reboot is requested. Do NOT reboot your system! Hit ALT + F2 followed by Enter; you should now be in a busybox shell. Now you need to edit /target/etc/crypttab:

nano /target/etc/crypttab
Enter the following line (substitute your own md device):
md2_crypt     /dev/md2    none luks
Then execute:
chroot /target /bin/bash
mount /proc
update-initramfs -u
umount /proc
Now you can switch back to the install screen with ALT + F1 and reboot. During boot you'll be prompted for your passphrase. Congratulations, you've booted into an encrypted system, with no swap though; I'll cover that in my next blog post.
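As an added sanity check (my own example, not part of the original post), here is a small Python script that parses a crypttab in the format used above together with /proc/mdstat-style output and reports md devices that are not wired up as this article intends: a source device that isn't an active md array, a LUKS entry missing the luks option, or the swap array still lacking any crypttab entry. The sample contents are constructed to mirror the md0/md1/md2 layout and are not real installer output.

```python
import re

# Constructed sample inputs (not from the original post): md0 for /boot, md1 for swap, md2 holds md2_crypt.
SAMPLE_CRYPTTAB = """\
# <target name>  <source device>  <key file>  <options>
md2_crypt     /dev/md2    none luks
"""
SAMPLE_MDSTAT = """\
md2 : active raid0 sdb3[1] sda3[0]
      3100000 blocks 64k chunks
md1 : active raid0 sdb2[1] sda2[0]
      1000000 blocks 64k chunks
md0 : active raid1 sdb1[1] sda1[0]
      100000 blocks [2/2] [UU]
unused devices: <none>
"""

def parse_crypttab(text):
    """Yield (target, source, keyfile, options) tuples; comments and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"crypttab line needs a target and a source device: {line!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], keyfile, options

def parse_mdstat(text):
    """Map each active md device name to its RAID level from /proc/mdstat-style text."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(md\d+) : active (raid\d+|linear)", text, re.M)}

def check_crypttab(crypttab_text, mdstat_text, swap_md="md1"):
    """Return a list of problems; an empty list means every array is wired up as the article intends."""
    levels = parse_mdstat(mdstat_text)
    problems, covered = [], set()
    for target, source, keyfile, options in parse_crypttab(crypttab_text):
        dev = source.rsplit("/", 1)[-1]
        covered.add(dev)
        if dev not in levels:
            problems.append(f"{target}: source {source} is not an active md device")
        elif "swap" not in options and "luks" not in options:
            # Without 'luks', cryptsetup of this era opens the device in plain mode and ignores the LUKS header.
            problems.append(f"{target}: missing 'luks' option for {source}")
    if swap_md in levels and swap_md not in covered:
        problems.append(f"{swap_md} is active but has no crypttab entry: swap is not encrypted yet")
    return problems
```

Run against the sample inputs it reports only the missing swap entry, which is exactly the state the system is in at the end of this post.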