Partitioning: /boot and dm-crypt/LUKS

This is a continuation to my first post on writing random data to the disk.

(Warning: This is setup supposes you already erased the data on the disk, or that you don’t care.)

Partitioning is easy. My partition table:

# fdisk -l /dev/sda

Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xa6c04c66

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          17      136521   83  Linux
/dev/sda2              18       30401   244059480   83  Linux

/dev/sda1 is on /boot, ext2 and has 131MB (this is probably overkill)
the rest of the disk is on /dev/sda2 and has a luks encrypted partition on it. How to do that?

First, you need to boot from a live-cd or pen drive. Then, as root, type

fdisk /dev/sda

(Adjust accordingly. You can see all your disks with fdisk -l. Here I’m testing with /dev/red/test)

Then, create the partitions:

# fdisk /dev/red/test
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x49b873cc.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

The number of cylinders for this disk is set to 13674.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-13674, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-13674, default 13674): +128M

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (18-13674, default 18):
Using default value 18
Last cylinder, +cylinders or +size{K,M,G} (18-13674, default 13674):
Using default value 13674

Command (m for help): p

Disk /dev/red/test: 112.5 GB, 112474456064 bytes
255 heads, 63 sectors/track, 13674 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x49b873cc

        Device Boot      Start         End      Blocks   Id  System
/dev/red/test1               1          17      136521   83  Linux
/dev/red/test2              18       13674   109699852+  83  Linux

n is the command for creating new partitions; p is the command for showing the table. (More here or on the man page)

This will setup two partitions: one with ~ 128MB (the first one, for /boot; change the +128M bit if you want something else), and another with the rest of the disk. If you are ok with it, you then use w to write (If not, just type q)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

If this message appears to you, you need to reboot; if not, then you have /dev/sda1 and /dev/sda2 (or whatever your disk is). Then do:

mke2fs /dev/sda1

This will make a simple ext2 filesystem on /dev/sda1. You don’t need more than that. Then, do:

Then the interesting part, luks:

cryptsetup luksFormat /dev/sda2

It will ask for YES, then for a password. (This will use the default cipher. Here is some discussion on choosing a cipher. You can set a cipher with --cipher. aes-cbc-essiv:sha256 is probably sufficient)

then, open it:

cryptsetup luksOpen /dev/sda2 vault

It will ask for your password and open the encrypted partition into /dev/mapper/vault. Anything you would do with /dev/sda2 if it were unencrypted, you will now do with /dev/mapper/vault. So let’s create an lvm volume:

pvcreate /dev/mapper/vault
vgcreate vg /dev/mapper/vault

It now created a volume group named vg (You can name it the way you prefer. Here it’s red). All your partitions inside it will be acessible as /dev/vg/something (or /dev/mapper/vg-something). Ok, partitions:

lvcreate -C y -n swap -L 2G vg
lvcreate -n root -L 16G vg
lvcreate -n home -l 100%FREE vg

Here I created /dev/vg/swap with 2GB (to hibernate safely, you should put there at least your amount of ram), /dev/root with 16GB and the /dev/vg/home with the rest. But you should have some free space less space if you plan to have snapshots.

Then, formatting!

mke2fs -t ext4 /dev/vg/root
mke2fs -t ext4 /dev/vg/home

It’s bare ext4. You can use ext3 or other filesystem if you prefer. And that’s it. But, how would be the /etc/fstab? It’s something like that:

/dev/sda1      /boot     ext2 defaults,sync,noatime 0 2

/dev/vg/root   /         ext4 defaults,noatime      0 1
/dev/vg/home   /home     ext4 defaults,noatime      0 2

/dev/vg/swap   none      swap defauls               0 0

devpts         /dev/pts  devpts  defaults           0 0
proc           /proc     proc    defaults           0 0

I use noatime for better performance (It may break a program called mutt, which I don’t use), tune it to your needs.

If you want to manually access the files, you need to do:

cryptsetup luksOpen /dev/sda vault
vgscan
vgchange -ay

This will make /dev/vg/root, etc. to appear. But you usually will want it mounted on the boot (specially if your root partition is inside it!), so you will need a compatible initramfs (some distros comes with one, otherwise you have to build your own).

I will post here how to install a debian system, from this point on. (Some links: a much more concise howto, a doc on lvm, also this subject on gentoo wiki, multiple times, and also on arch wiki).

Advertisements
Posted in Linux | Tagged , , , , , | Leave a comment

How to write random data to the hard drive with dd

Note: the script posted here is a bit buggy. There is an improved version on a newer post.

Since I bought my netbook (an Acer Aspire One 532h-2514), I’m considering encrypting all my data. After some searching, I found that a non-encrypted /boot in a small partition, plus a dm-crypt/luks encrypted partition is enough to me. Configuring this was a lot tricky ^^

I will document the steps here, but the first the most time-consuming: writing random data to the device.

All documentation I found states that it’s very useful to write random data on the whole disk before doing anything. This is because the disk usually comes filled with zeroes (you can see it with hexdump /dev/devicename), so it’s straightforward to check how much data the disk actually holds. (Some of them: DM-Crypt with LUKS (gentoo wiki), System Encryption.. (arch wiki), a howtoa stackoverflow thread, some other howto..)

They will suggest either badblocks with the option for “writing random data” or dd from /dev/urandom. Badblocks is a tool for searching for bad blocks on the HD; it can make a destructive write search that will overwrite the disc with a pattern, and if this pattern comes from a pseudorandom source it will write almost random data to the disc. Except that its pseudorandom number generator isn’t reseeded, and because of this the data written will be periodic.

dd from /dev/urandom is safer, but is also very slow. Here with my Atom N450 1.6GHz it writes at most at 1.6MB/s. On my 250GB hard drive, it’s more than 40 hours! The man page of urandom says:

The  kernel  random-number  generator  is  designed  to produce a small
amount of high-quality seed material to seed  a  cryptographic  pseudo-
random  number  generator  (CPRNG).   It  is designed for security, not
speed, and is poorly suited to generating large amounts of random data.

On this stack overflow thread, someone suggests that writing an encrypted stream using openssl could work. But openssl has a pseudo-random number generator.. so I think it might be enough to generate some chunks of data (say, 4MB) with openssl, and write them with dd. Between each block, the PRNG would be reseeded. Sounds ok. I’m sure how secure it is, though.. but it improved the performance to about 5MB/s. (That is, 15h..)

Here is a script to just do this:

#!/bin/bash

blocksize="$((4*1024*1024))" # 4 mb

if [[ -z "$1" ]]; then
  echo "uso: $0 "
else
  target="$1"
fi

if [[ -f step ]]; then
  initial="$(< step)"
else
  initial=0
fi

for ((i = "$initial"; 1; i++)); do
  openssl rand \
          -rand /dev/urandom \
          "$blocksize" | \

  dd of="$target" \
     bs="$blocksize" \
     seek="$i"
  echo "$i" > step.new
  mv step.new step
done

In order to use it, I create a directory and put the script there. I will then execute the script; a file named step is created in the same directory to record the progress. If you stop it before it finishes and run again from the same directory, it will resume a little before the last write (unless there is a bug..)

Unfortunately this script is poorly written, and dd will just fail to write when the disk was completely randomized. I suppose the right thing would be to stop the loop after dd fails the first time. Also, I’m checking the progress with hexdump. hexdump -s 20000m /dev/sdb prints

4e2000000 0000 0000 0000 0000 0000 0000 0000 0000
*

(The * means the next blocks are identical)

but hexdump -s 19000m /dev/sdb prints some random data, and this means dd is between 19000MB and 2000MB (where exactly you can see by doing something like echo $(($(< step) * 4)), in megabytes).

I will maybe document the exact steps on how to create a luks partition, then a lvm volume inside it, then a debian installed on a logical volume (That’s what I did). But if you are looking for it, you can follow the links I gave above (most of them are tutorials that describe just that), or return to google 🙂

But I will give additional links: there is an incredible straightforward migration to this setup that is identical than installing from bare metal, except that instead to doing rsync one would do an installation (but I didn’t used yaird to install the initrd, I used update-initramfs and tweaked it a bit – debian has some options), this helped too and this ubuntu tutorial is also nice. I installed debian via debootstrap from another debian system. It’s just debootstrap /directory, then mount –bind some things (like /dev, etc), then chrooting to it..

The trick here was that update-initramfs has a bug (strangely marked as fixed at debian bug tracker) that prevented the correct interpretation of /etc/crypttab, but I followed the workaround of the poster there and it’s working like a charm 🙂

There is a continuation to this post, explaining how to partition the disk the way I did.

Posted in Linux | Tagged , , , , , , , | 5 Comments

Hello world!

Hello! This is a blog about computers and maybe other things.

I will be posting mostly things to remember myself, such as tricky configurations and fun snippets of code. Or some TODOs. I may also post something about Ruby (that I’m learning). But don’t hold your breath ^_^

Posted in Uncategorized | Leave a comment