Quick migration notes for a fully encrypted Debian system.

Data encryption is usually implemented at one of four levels:

  1) on a per-file basis, e.g. with programs like mcrypt(1) or gpg(1);
  2) at the file system level;
  3) at the block device level;
  4) by the hardware.

For professional use, if (4) is too expensive or not supplied by the existing
hardware, (3) is usually the best choice. That is because encryption at the
block device level can provide comprehensive encryption if it is applied to
all relevant file systems and all swap devices. Since linux-2.6.4, the kernel
provides a new device mapper and crypto infrastructure which makes block device
encryption reasonably easy and secure. According to a German c't article
("Unter Verschluss", http://www.heise.de/kiosk/archiv/ct/06/11/202/ ), as of
this writing (mid 2006) support for the new kernel interfaces is being added
to the various Linux distributions, and so far Debian apparently has the most
complete support.

Here are the steps to migrate an unencrypted Debian sarge (stable) system with
one root partition into a fully encrypted system. This assumes a harddisk
layout similar to:

  Device Boot    Start    End    Blocks  Id  System
  /dev/hda1          1    140  1058368+  82  Linux swap   # 1G swap, unencrypted
  /dev/hda2        141   7752  57546720  83  Linux        # /, unencrypted ext3

a) Clean up your existing harddisk data as well as possible. Thorough cleaning
   early on will pay off in huge time savings during the following process.
   Don't forget to clean up:

     - cached files/directories
     - mirror trees
     - /var/tmp/ and /var/backup
     - run apt-get clean

   To find out about the largest space consumers on your partition, do (as root):

     du -xcbS / > /all.du-xcbS
     sort -nr < /all.du-xcbS | less

b) Make sure your system has the required package set:

     apt-get install dmsetup cryptsetup libpam-mount initrd-tools

   and some kernel image:

     apt-get install kernel-image-2.6.8-1-386

   It's important to use Debian kernels here; they come with bootup ramdisks,
   which are required to get root file system encryption going. If you need a
   specially patched or configured kernel, there are ways to build your own
   kernel packages under Debian.

   If your kernel is new enough to not support devfs, mkinitrd needs to be
   patched, because initrd-tools currently has no support for booting systems
   without devfs. There's no official fix out there just yet, however the
   following hack provided the necessary devices for me:

     wget -c http://www.gtk.org/~timj/patches/mkinitrd1201.diff

c) Back up your entire root partition, e.g. to a USB disk:

     mount /dev/uba1 /mnt
     cp -axv / /mnt/backup

d) Turn the swap partition into a new (temporary) root partition. To achieve
   this, enter single user mode (init 1), unmount all volumes not required, and
   turn off swap. Flag the former swap partition (/dev/hda1) as Linux (83),
   remove the swap entry from /etc/fstab, reboot, and make a new ext2 file
   system. Then either install a fresh Debian on the partition via an
   installation CD, or via debootstrap(8):

     mount /dev/hda1 /mnt
     debootstrap sarge /mnt

   Make sure the new system also has the package set outlined in (b).

e) Repartition your harddisk to make room for a /boot partition, and boot into
   the new system, e.g.:

     Device Boot    Start    End    Blocks  Id  System
     /dev/hda1          1    140  1058368+  82  Linux   # 1G temp Linux
     /dev/hda2        141   7740  57456000  83  Linux   # empty (shortened by 90MB)
     /dev/hda3       7741   7752     90720  83  Linux   # /boot, unencrypted ext2

   Make a rescue disk to boot from /dev/hda1, since it'll be easy to mess up
   your MBR with grub later on.

f) Prepare the now empty partition (your old root) to be used as an encrypted
   device. To avoid easy identification of encrypted vs. non-encrypted sectors,
   the partition should be prefilled with random data. However,

     dd if=/dev/urandom of=/dev/hdaCRYPT

   would take very long, because /dev/urandom only generates a few megabytes
   per second. So instead, we just prewrite the initial device header (which
   should be only a few unencrypted megabytes) with random data:

     dd if=/dev/urandom of=/dev/hdaCRYPT count=1 bs=8388608

   Then, set up the encrypted device:

     echo "root /dev/hdaCRYPT" >> /etc/crypttab
     /etc/init.d/cryptdisks start

   And then prewrite the encrypted device from /dev/zero, which is much faster
   and will fill all of the physical partition /dev/hdaCRYPT with pseudo-random
   data (encrypted zeros):

     dd if=/dev/zero of=/dev/mapper/root

   After this has completed (it may still take 1 or 2 hours depending on your
   harddisk), the new encrypted device can be formatted:

     mkfs.ext3 -m 1 /dev/mapper/root

g) From here on, you simply need to follow the remaining steps outlined in
   /usr/share/doc/cryptsetup/CryptoRoot.HowTo, i.e.:

     # copy your root filesystem backup to the new encrypted root
     mount /dev/mapper/root /mnt
     cp -aivx /path-to-old-root/. /mnt/.
     cp -avx /dev/. /mnt/dev/.              # preserve /dev/mapper/*
     cp -aivx /etc/crypttab /mnt/etc/
     # clean up mount state
     rm -f /mnt/etc/mtab && touch /mnt/etc/mtab
     # shell into the encrypted root
     chroot /mnt /bin/bash
     # mount file systems
     mount -o remount /
     mount proc /proc -t proc
     mount sysfs /sys -t sysfs
     mount /dev/??? /boot
     # Edit the new root's fstab (/mnt/etc/fstab seen from outside the chroot)
     # to add /dev/mapper/root, and remove whatever the old root filesystem line was
     vi /etc/fstab
     #+ /dev/mapper/root / ext3 defaults 0 1
     # Set up the initrd (change 386 to the correct value)
     mkinitrd -o /boot/initrd.img-2.6.8-1-386   # needs absolute path
     #
     # make sure /boot/grub/menu.lst:(hd0,?) points to the boot device,
     # e.g. make sure /boot/grub/menu.lst contains:
     #
     #   # kopt=root=/dev/mapper/root ro ...
     #
     #   # groot=(hd0,2)    (GRUB legacy counts partitions from 0, so /dev/hda3 is (hd0,2))
     #
     # Also, it's usually a good idea to keep the former /dev/hda1 boot
     # entries in menu.lst outside of the "DEBIAN AUTOMAGIC KERNELS" section,
     # so they will be preserved by update-grub (especially without a rescue disk)
     #
     # update grub
     update-grub
     # install MBR
     grub-install /dev/hda

   Then test reboot the new system.

h) Once the system boots from the new boot partition (/dev/hda3) into the
   encrypted root file system (/dev/mapper/root) hosted on the old Linux
   partition (/dev/hda2), the temporary setup Linux system (/dev/hda1) can be
   turned back into a swap partition. For that, change its partition type back
   to 82 with fdisk, remove any boot entries for that partition from
   /boot/grub/menu.lst, and set up the swap partition according to
   /usr/share/doc/cryptsetup/CryptoSwap.HowTo.

In the hope that this text will be useful to someone, dedicated to peace in the world.

- Tim Janik 2006-06-21
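The point made at the top of these notes, that block device encryption is only comprehensive when every relevant file system and swap device is covered, and the fstab/menu.lst editing in step (g), both come down to a few files being consistent with each other before the test reboot. The following POSIX sh script is an added example (not part of Tim Janik's notes or of the cryptsetup package) that checks an fstab, a crypttab and a GRUB legacy menu.lst for the usual mistakes: an fstab entry that still names a plain partition, a crypttab target that nothing mounts, and a kernel or initrd path in menu.lst that does not exist on the boot partition. The functions take file paths, so they can be run from outside the chroot against /mnt/etc/fstab, /mnt/etc/crypttab and /mnt/boot/grub/menu.lst; the sample files built below are constructed for the demonstration and assume the partition layout of step (e), with swap not yet switched to its crypttab target (the crypttab swap line follows the "target source keyfile options" layout and is an assumption, not copied from CryptoSwap.HowTo).

```shell
#!/bin/sh
# Pre-reboot consistency checks for a root-on-dm-crypt migration.
# Added example; all sample files are constructed in a temp directory.

# fstab entries whose device is not a device-mapper target.  Pseudo file
# systems and the deliberately unencrypted /boot are excluded.
unencrypted_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $3 == "proc" || $3 == "sysfs" || $3 == "tmpfs" || $3 == "devpts" { next }
        $2 == "/boot" { next }
        index($1, "/dev/mapper/") != 1 { print $1, $2, $3 }
    ' "$1"
}

# crypttab targets (first column of $2) that no line of the fstab ($1)
# uses as /dev/mapper/<target>.
unused_crypttab_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }
        FNR == NR { used[$1] = 1; next }
        !(("/dev/mapper/" $1) in used) { print $1 }
    ' "$1" "$2"
}

# root= value from the "# kopt=" line that update-grub reads.
kopt_root() {
    sed -n 's/^# kopt=.*root=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# kernel/initrd paths named in menu.lst ($1) that do not exist under $2,
# the directory holding the boot partition.  With a separate /boot these
# paths are relative to that partition, so a leading /boot/ is stripped.
missing_boot_files() {
    awk '$1 == "kernel" || $1 == "initrd" { print $2 }' "$1" |
    sed 's|^/boot/|/|' |
    while IFS= read -r f; do
        [ -e "$2$f" ] || printf '%s\n' "$f"
    done
}

count_lines() { awk 'END { print NR }'; }

# --- constructed sample files: layout of step (e), swap not yet switched ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
FSTAB="$WORK/fstab"; CRYPTTAB="$WORK/crypttab"; MENU="$WORK/menu.lst"
BOOTDIR="$WORK/boot"; mkdir "$BOOTDIR"
cat > "$FSTAB" <<'EOF'
# <file system>  <mount point> <type> <options>                  <dump> <pass>
proc             /proc         proc   defaults                   0      0
/dev/hda3        /boot         ext2   defaults                   0      2
/dev/mapper/root /             ext3   defaults,errors=remount-ro 0      1
/dev/hda1        none          swap   sw                         0      0
EOF
cat > "$CRYPTTAB" <<'EOF'
root /dev/hda2
swap /dev/hda1 /dev/urandom swap
EOF
cat > "$MENU" <<'EOF'
default 0
# kopt=root=/dev/mapper/root ro
# groot=(hd0,2)
title  Debian GNU/Linux, kernel 2.6.8-1-386
root   (hd0,2)
kernel /vmlinuz-2.6.8-1-386 root=/dev/mapper/root ro
initrd /initrd.img-2.6.8-1-386
EOF
: > "$BOOTDIR/vmlinuz-2.6.8-1-386"   # initrd deliberately left missing

printf 'fstab entries still on plain partitions:\n'
unencrypted_entries "$FSTAB"
printf 'crypttab targets nothing mounts:\n'
unused_crypttab_targets "$FSTAB" "$CRYPTTAB"
printf 'kopt root device: %s\n' "$(kopt_root "$MENU")"
printf 'menu.lst files missing from the boot partition:\n'
missing_boot_files "$MENU" "$BOOTDIR"
```

Run as-is it reports the plain /dev/hda1 swap line, the unused "swap" crypttab target and the missing initrd, which is exactly the state between steps (g) and (h); once the swap line is switched to /dev/mapper/swap and mkinitrd has been run, all three lists come back empty. Point the functions at the real files (for example `unencrypted_entries /mnt/etc/fstab` from outside the chroot) to check an actual migration.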