
encrypted install


Post by nadir » Fri Mar 11, 2011 5:47 am

work in progress:

If you are somehow like me (you hate reading), scroll down to the bottom and read the last two lines.
Do it once or twice in Vbox or qemu and it should work.

What you need:
refracta-live-CD
http://www.ibiblio.org/refracta/

zinstaller by fsmithred:
https://github.com/fsmithred/refracta

a) boot the refracta CD

b) download the zinstaller-script

c)
apt-get install cryptsetup
modprobe dm-mod

d) run the script by:
bash zinstaller.02

e) it asks you to use gparted: say yes.
create a boot partition and a partition for root.
I also created a partition for /home and for swap.
My size for VBox (I want to use grml-iso in boot!):
/boot -> 1GB -> ext2
/ -> 3.5 GB -> ext4
/home -> 3.5GB -> ext4
swap -> 1GB
close gparted

f) questions by zenity:
pick the mbr-partition for grub, in case you want to install it. For me /dev/sda
pick the /boot partition. For me /dev/sda1. make it ext2
pick a partition for /. For me /dev/sda2. make it ext3 or ext4
It asks you if you want to encrypt it. Choose yes.
pick a partition for /home in case you want that. For me /dev/sda3. make it ext3 or ext4.
It asks you if you want to encrypt it. Choose yes.
Last question: You will be asked if all is ok. Have a sharp look and say yes, in case all your choices are correct.
Zenity will close

g)
to encrypt the / partition you will be asked and warned:
Are you sure? (type uppercase yes):
Type "YES"
enter a passphrase and confirm it.
To mount it you will have to enter the set passphrase immediately.
Do the same for /home

h) wait.

Done.
Nice and easy.

The short version:
download refracta, download zinstaller.sh, run bash zinstaller and make use of common sense.
You will need a /boot partition, all the rest is self-explanatory. I think.
So i herd u liek mudkip?
nadir
 
Posts: 1159
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: encrypted install

Post by fsmithred » Fri Mar 11, 2011 12:17 pm

Good explanation. I was going to complain about your /boot size, but then I saw your reason for it. I've been going with 50MB on the tests, and only 18MB of that are used. No grml here, but maybe I'll have better luck with grml in a vm. (Wouldn't display correctly on my hardware.)

There is a major deficiency in the encrypted install that should be mentioned. The installer does not write random data to the partition before doing its thing. Everything works correctly, and you end up with an encrypted partition, but if you're really concerned about security, you're giving your attacker a lot less work to do by not burying your encrypted data in random data.

I think I found the solution to why I couldn't get it to work, but it hasn't been implemented yet. (Need to turn off error logging for the dd command, so you can see when it's finished.) In the meantime, if you want higher security, do the following before you run the installer.

Partition the drive, and then for each partition you intend to encrypt, run the following.
Code:
dd if=/dev/urandom of=/dev/sdXn
Where X is the drive letter and n is the partition number. If you're doing this on a large hard drive (hundreds of gigabytes or more) plan on it taking a day or longer.

When that's done, run the installer and skip past the partitioner, since you already did it.
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm
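
The concern raised in the reply above can be checked on a raw partition or disk image. This is an added example, not part of the original thread or of the refracta installer: a read-only script that samples blocks and counts the all-zero ones, which mark space the encrypted filesystem never wrote. The helper name zero_block_ratio, the script name and the default sample count and block size are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check for unwritten space.
# Ciphertext and /dev/urandom output are practically never all-zero, so an
# all-zero block on a LUKS partition is space that was never written.

# zero_block_ratio TARGET [SAMPLES] [BLOCK_SIZE]   (hypothetical helper name)
# Prints "<zero_blocks> <sampled_blocks>" for a block device or image file.
zero_block_ratio() {
    local target="$1" samples="${2:-256}" bs="${3:-4096}"
    local size total zero=0 i=0 blk nonzero
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target")   # partition size in bytes
    else
        size=$(wc -c < "$target")                # image file size in bytes
    fi
    total=$((size / bs))
    [ "$total" -gt 0 ] || { echo "0 0"; return 1; }
    [ "$samples" -le "$total" ] || samples=$total
    while [ "$i" -lt "$samples" ]; do
        blk=$((i * total / samples))             # evenly spaced block index
        # Count the bytes left after deleting NULs; 0 means the block is empty.
        nonzero=$(dd if="$target" bs="$bs" skip="$blk" count=1 2>/dev/null |
                  tr -d '\000' | wc -c)
        [ "$nonzero" -ne 0 ] || zero=$((zero + 1))
        i=$((i + 1))
    done
    echo "$zero $samples"
}

# Usage: sh zerocheck.sh /dev/sdXn   (X and n as in the post above)
if [ "$#" -gt 0 ]; then
    zero_block_ratio "$@"
fi
```

A high zero count on an encrypted partition means the used and unused regions are distinguishable from the raw disk. A count of 0 does not prove the random fill was done, because leftover data from an earlier filesystem is also non-zero.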

