Encrypted USB openSUSE 11.2 Boot Disk

After using Suse Studio for quite a while at work I decided it was time to give the USB image a try. I must admit I was very happy with the ease of install and performance. The one thing I felt was missing was the ability to encrypt the USB drive.

For obvious reasons, if you are going to be carrying around a USB stick that potentially has loads of information on it that should not be acquired if the USB stick is lost you really need to encrypte it. At first I thought about just resising the disk and creating a new encrypted partition to store all my date. The problem with that is that it is quite easy for you to accidentally store files into insecure partitions. Ideally, the entire drive should be encrypted for complete security and peace of mind.

Once I reached that conclusion I began investigating how to convert an existing image into an encrypted image. Unfortunately, this is quite a complicated procedure that involves copying data, reformatting/ecnrypting, and moving back. Since I am at the early stages I decided to just reinstall. There is quite a helpful guide you can follow here:

http://lizards.opensuse.org/2009/03/18/encrypted-root-file-system-on-lvm/

While the guide listed above uses the Installation DVD as an option I really wanted to use my Suse Studio images as the base. In order to accomplish this I built a Live DVD option with the yast2-live-installer package to suit my needs.

In my specific case I was installing to my laptop so I first removed the HDD. Why? I have made enough accidental mistakes to know that the 30 seconds it takes to remove the drive is well worth the investment of time. The last thing I wanted to do was accidentally format the wrong drive! After that I plugged in my USB stick and loaded the Live DVD. Once booted, and before starting the installer, I ran fdisk on my USB stick to remove the existing partitions and created two new ones as described in the link above. My two partitions were:

Partition 1: 100MB for /boot
Partition 2: Rest of the disk for /

This guide will assume that the USB drive is /dev/sdg. If you disconnected all of your other drives than this will likely be /dev/sda but I am using /dev/sdg for "safety" reasons.

To remove existing partions run:

# fdisk /dev/sdg

Follow the instructions to remove the partition and write settings to the disk.

To create the new partitions runn the following

# fdisk /dev/sdg
: n
: p
: 1
:
: 100M
: n
: p
:
:
: w

I then continued to follow the guide and created the encrypted volume as described:


cryptsetup luksFormat /dev/sdg2
cryptsetup luksOpen /dev/sdg2 root

Next it was time to use LVM to carve up the second partition. Instead of making seperate /usr and /root volumes as described in the guide I just made one big root volume and swap. I also renamed to the volume group name from system to secure.


pvcreate /dev/mapper/root
vgcreate secure /dev/mapper/root
lvcreate -L 2000M -n swap secure
lvcreate -l 100%FREE -n root secure

I then started the Live Installer and when I arrived at the partition screen I entered into expert mode so I could format the existing partitions and lvm drives without destroying them. FIrst click on "Create Partition Setup" and then select "Custom Paritioning (for experts)". Browse to Hard Disks and select the 100MB partition you prepped for /boot. Select Edit->Format Partition = Ext4->Mount paritition = /boot. Next browse to Device Mapper and select the secure-swap drive. Select Edit->Format Partition = Swap->Mount Partition = swap. Finally browse to Device Mapper and select secure-root drive. Select Edit->Format Partition = Ext4->Mount Partition = /

Once you are happy with your changes simply accept the changes.

NOTE: If you did not remove the drive make sure that you modify grub to boot from a Custom Boot Partition and select your USB drive /boot partition. You might also want to remove any custom entries in the boot menu as well as remove extra drive from boot order

After the initial installation was completed I choose to "reboot later" so I could continue to follow the guide and build the custom initrd and modify grub.

# mount /dev/mapper/secure-root /mnt
# mount /dev/sdg1 /mnt/boot
# for i in dev sys proc; do mount --bind /$i /mnt/$i; done
# chroot /mnt

Now create the /etc/sysconfig/initrd file:

# vi /etc/sysconfig/initrd
root_luks=1
luks=root

Next we will modify the /boot/grub/menu.lst file but instead of using the dev name (as described in the guide) I will use the device LABEL. To identify the device LABEL you can run:

# blkid -o value -s LABEL /dev/sdg1
# blkid -o value -s LABEL /dev/sdg2

If you prefer to use the UUID you can run:

# blkid -o value -s UUID /dev/sdg1
# blkid -o value -s UUID /dev/sdg2

Reference: http://en.opensuse.org/Live_Hard_Disk_Install

Proceed with changing the /boot/grub/menu.lst file and append the following to the kernel command line in both the standard and failsafe boot sections

# vi /boot/grub/menu.lst

Append the following line to the end of the kernel command line for both the standard and failsafe boot sections.

luks_root=/dev/disk/by-id/label

You should also add the same line to /etc/sysconfig/bootloader DEFAULT_APPEND and FAILSAFE_APPEND so on the next kernel update your grub doesn't break.

Now run mkinitrd which should print out the luks and lvm2 in the features line

mkinitrd

Remove the live installer disk and reboot your machine. On reboot you should be prompted for a password and the installation should complete successfully. If you have any issues please refer back to the original document in case I missed something.

http://lizards.opensuse.org/2009/03/18/encrypted-root-file-system-on-lvm/

One thought on “Encrypted USB openSUSE 11.2 Boot Disk

  1. Pingback: Novell News Summary – Part I: Matt Berringer at UKUUG, OpenSUSE Beego, and FAIL Page | Techrights

Leave a Reply