
Migrating a running Ubuntu system to encrypted drives

This article is about encrypting a Linux system that is already up and running. Suppose you have a server that already hosts your website, or that stores a lot of personal data. You do not want any of it to fall into the wrong hands. And if the server is used as storage, you clearly do not want someone to get at that data simply by pulling the hard drives. There are many such situations, so we need to protect our data from prying eyes.

I installed a fresh Ubuntu 12.04 in a virtual machine and added a second 1 GB disk (/dev/sdb) to it, onto which the boot partition holding the /boot folder will be moved. As I wrote in the previous article, the only unencrypted element should be the boot data (the kernel image, initramfs and GRUB), which is needed to decrypt the disk before the root file system is mounted.

    root@test-winxp-ie7d:~# cat /etc/issue
    Ubuntu 12.04.1 LTS \n \l

    root@test-winxp-ie7d:~# df -h
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda1       9.0G  1.2G  7.4G  14% /
    udev            486M  4.0K  486M   1% /dev
    tmpfs           198M  304K  198M   1% /run
    none            5.0M     0  5.0M   0% /run/lock
    none            495M     0  495M   0% /run/shm
    root@test-winxp-ie7d:~# fdisk -l

    Disk /dev/sda: 10.7 GB, 10737418240 bytes
    255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x000649ec

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *        2048    18874367     9436160   83  Linux
    /dev/sda2        18876414    20969471     1046529    5  Extended
    /dev/sda5        18876416    20969471     1046528   82  Linux swap / Solaris

    Disk /dev/sdb: 1073 MB, 1073741824 bytes
    255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

    Disk /dev/sdb doesn't contain a valid partition table
    root@test-winxp-ie7d:~#


First, mount the disk that will take on the role of the new /boot and move everything from the /boot folder onto it.

    root@test-winxp-ie7d:~# mkfs.ext4 /dev/sdb
    mke2fs 1.42 (29-Nov-2011)
    /dev/sdb is entire device, not just one partition!
    Proceed anyway? (y,n) y
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    65536 inodes, 262144 blocks
    13107 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=268435456
    8 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (8192 blocks): done
    Writing superblocks and filesystem accounting information: done

    root@test-winxp-ie7d:~# mkdir /mnt/newboot
    root@test-winxp-ie7d:~# mount /dev/sdb /mnt/newboot/
    root@test-winxp-ie7d:~# cp -R /boot/* /mnt/newboot/
    root@test-winxp-ie7d:~# mv /boot /boot_old
    root@test-winxp-ie7d:~# mkdir /boot


At this stage we have moved the boot folder to the new disk. Now the required entry has to be added to fstab so that it is mounted correctly.

    root@test-winxp-ie7d:~# echo "/dev/sdb /boot ext4 defaults 0 0" >> /etc/fstab


Now you can update the GRUB configuration and reboot the system with confidence.

    root@test-winxp-ie7d:~# update-grub
    Generating grub.cfg ...
    Found linux image: /boot/vmlinuz-3.2.0-29-generic
    Found initrd image: /boot/initrd.img-3.2.0-29-generic
    Found memtest86+ image: /memtest86+.bin
    done
    root@test-winxp-ie7d:~# grub-install /dev/sda
    Installation finished. No error reported.
    root@test-winxp-ie7d:~# reboot
    root@test-winxp-ie7d:~#
    Broadcast message from alex@test-winxp-ie7d
            (/dev/pts/0) at 6:06 ...

    The system is going down for reboot NOW!
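Before `mv /boot /boot_old` it is worth confirming that the copy on the new disk is complete: a bare `cp -R /boot/*` skips names beginning with a dot, because the shell glob does not match them. The script below is an added example and is not part of the original post. It builds a small constructed boot tree in a temporary directory, copies it first with the glob and then with `src/.`, and verifies each result file by file; the function names and scratch paths are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a copied /boot tree is
# complete before the original is moved aside. All paths are scratch directories.

# verify_tree_copy SRC DST -> exit status 0 only if every regular file under SRC
# also exists under DST with identical content; reports the first discrepancy.
verify_tree_copy() {
    src=$1
    dst=$2
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if [ ! -f "$dst/$rel" ]; then
            echo "missing in copy: $rel" >&2
            exit 1            # ends the subshell running the loop -> pipeline status 1
        fi
        if ! cmp -s "$f" "$dst/$rel"; then
            echo "content differs: $rel" >&2
            exit 1
        fi
    done
}

# demo_boot_copy -> builds a constructed "boot" tree, copies it the way the post does
# (cp -R src/*), shows that the glob silently skips the dotfile, then copies it with
# cp -R src/. and verifies again. Returns 0 when both outcomes are as expected.
demo_boot_copy() {
    work=$(mktemp -d) || return 1
    src=$work/boot
    dst=$work/newboot
    mkdir -p "$src/grub" "$dst"
    printf 'set default=0\n' > "$src/grub/grub.cfg"
    printf 'kernel-bytes\n' > "$src/vmlinuz-3.2.0-29-generic"   # constructed stand-in
    printf 'marker\n' > "$src/.keep"                            # dotfile: missed by a bare glob

    cp -R "$src"/* "$dst"               # same shape as the post's cp -R /boot/* ...
    if verify_tree_copy "$src" "$dst" 2>/dev/null; then
        echo "expected the glob copy to be incomplete" >&2
        rm -rf "$work"
        return 1
    fi

    cp -R "$src"/. "$dst"               # copies dotfiles as well
    if verify_tree_copy "$src" "$dst"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Stand-alone run: exercise the demo; on a real host call
# verify_tree_copy /boot /mnt/newboot before moving /boot away.
if [ "$1" = demo ]; then
    demo_boot_copy && echo "copy verified"
fi
```

On the real migration the call is `verify_tree_copy /boot /mnt/newboot`; a non-zero status means the move should not proceed yet.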


After the reboot, log back in and check what the file systems look like.

    root@test-winxp-ie7d:~# df -hT
    Filesystem              Type      Size  Used Avail Use% Mounted on
    /dev/sda1               ext4      9.0G  1.2G  7.4G  14% /
    udev                    devtmpfs  486M  4.0K  486M   1% /dev
    tmpfs                   tmpfs     198M  304K  198M   1% /run
    none                    tmpfs     5.0M     0  5.0M   0% /run/lock
    none                    tmpfs     495M     0  495M   0% /run/shm
    /dev/sdb                ext4     1021M   71M  900M   8% /boot
    root@test-winxp-ie7d:~# ls /boot/
    abi-3.2.0-29-generic     grub                         lost+found               memtest86+_multiboot.bin  vmlinuz-3.2.0-29-generic
    config-3.2.0-29-generic  initrd.img-3.2.0-29-generic  memtest86+.bin           System.map-3.2.0-29-generic


As you can see, the boot loader, the kernel image and the initramfs are now on a separate disk.
Next, the entire file system has to be moved to an encrypted disk that will be mounted at /. For this I added another disk (/dev/sdc), which will take over the role of the root (system) disk from /dev/sda1.
Encrypt the sdc drive and mount it so that all the files can be transferred.

    root@test-winxp-ie7d:~# mkdir /mnt/newroot
    root@test-winxp-ie7d:~# cryptsetup luksFormat /dev/sdc

    WARNING!
    ========
    This will overwrite data on /dev/sdc irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    root@test-winxp-ie7d:~# cryptsetup luksOpen /dev/sdc encryptroot
    Enter passphrase for /dev/sdc:
    root@test-winxp-ie7d:~# mkfs -t ext4 /dev/mapper/encryptroot
    mke2fs 1.42 (29-Nov-2011)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    196608 inodes, 785920 blocks
    39296 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=805306368
    24 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (16384 blocks): done
    Writing superblocks and filesystem accounting information: done

    root@test-winxp-ie7d:~# mount -t ext4 /dev/mapper/encryptroot /mnt/newroot/


Now we edit fstab and crypttab, update the initramfs, and transfer everything from the old root disk /dev/sda1 to the encrypted sdc disk.

    root@test-winxp-ie7d:~# ls -l /dev/disk/by-uuid/
    total 0
    …
    lrwxrwxrwx 1 root root 10 Sep 16 06:46 5e5fac1c-080b-437a-96ff-d9e4e3b04759 -> ../../sda1
    lrwxrwxrwx 1 root root  9 Sep 16 06:47 d08aab55-a935-4155-aea0-b6fd5da8bed3 -> ../../sdc
    …
    root@test-winxp-ie7d:~# cat /etc/fstab
    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    proc            /proc           proc    nodev,noexec,nosuid 0       0
    # / was on /dev/sda1 during installation
    #UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759 /               ext4    errors=remount-ro 0       1
    /dev/mapper/encryptroot /               ext4    errors=remount-ro 0       1
    # swap was on /dev/sda5 during installation
    UUID=eae26cf5-303a-4c17-ac63-d7dd82891c09 none            swap    sw              0       0
    /dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
    /dev/sdb /boot ext4 defaults 0 0
    root@test-winxp-ie7d:~# cat /etc/crypttab
    #
    encryptroot UUID=d08aab55-a935-4155-aea0-b6fd5da8bed3 none luks
    root@test-winxp-ie7d:~# sed -i -e "s|root=UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759|root=/dev/mapper/encryptroot|" /boot/grub/grub.cfg
    root@test-winxp-ie7d:~# ln -s /boot/vmlinuz-3.2.0-29-generic /mnt/newroot/vmlinuz
    root@test-winxp-ie7d:~# update-initramfs -u
    update-initramfs: Generating /boot/initrd.img-3.2.0-29-generic
    root@test-winxp-ie7d:~# rsync -aHx / /mnt/newroot
    root@test-winxp-ie7d:~# rsync -aHx /dev /mnt/newroot/
    root@test-winxp-ie7d:~# reboot
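The three files edited above have to agree with each other: fstab mounts / from the mapper name, crypttab defines that name from the UUID of the LUKS container (here /dev/sdc, not a UUID of a file system inside it), and every kernel line in grub.cfg passes the same root=. The script below is an added example, not part of the original post. It checks that chain on constructed copies of fstab, crypttab and grub.cfg modelled on the listing above (the UUIDs are the ones shown there; the function names and the scratch directory are my own), and it also lists the fstab entries that are not backed by a device-mapper name. On this system those are /boot, which is unencrypted by design, and the swap on /dev/sda5, which stays in the clear and still points at the old disk.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check that fstab, crypttab and
# grub.cfg agree on the encrypted root. write_sample_config creates constructed copies
# of those files, modelled on the post's listing, so the checks run offline.

# root_fstab_device FSTAB -> device field of the active "/" entry (comments skipped)
root_fstab_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1"
}

# crypttab_source CRYPTTAB NAME -> source device of the mapping called NAME
crypttab_source() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $2 }' "$1"
}

# grub_root_params GRUBCFG -> every root= value passed on a "linux" line
grub_root_params() {
    awk '$1 == "linux" { for (i = 1; i <= NF; i++) if ($i ~ /^root=/) print substr($i, 6) }' "$1"
}

# unencrypted_fstab_entries FSTAB -> "device mountpoint type" for each active entry
# whose device is not a /dev/mapper name, i.e. what is still stored in the clear
unencrypted_fstab_entries() {
    awk '$1 !~ /^#/ && $1 != "" && $1 != "proc" && $1 !~ /^\/dev\/mapper\// { print $1, $2, $3 }' "$1"
}

# check_encrypted_root FSTAB CRYPTTAB GRUBCFG -> 0 when the three files are consistent:
# fstab mounts / from /dev/mapper/NAME, crypttab defines NAME from a UUID= source, and
# every kernel line in grub.cfg passes that same root=. Each failure is reported.
check_encrypted_root() {
    root=$(root_fstab_device "$1")
    case "$root" in
        /dev/mapper/*) ;;
        *) echo "fstab root '$root' is not a device-mapper name" >&2; return 1 ;;
    esac
    name=${root#/dev/mapper/}
    src=$(crypttab_source "$2" "$name")
    if [ -z "$src" ]; then
        echo "crypttab has no entry for $name" >&2; return 1
    fi
    case "$src" in
        UUID=*) ;;
        *) echo "crypttab source '$src' should be UUID=... (sdX names can change)" >&2; return 1 ;;
    esac
    params=$(grub_root_params "$3")
    if [ -z "$params" ]; then
        echo "grub.cfg passes no root= parameter" >&2; return 1
    fi
    for p in $params; do
        if [ "$p" != "$root" ]; then
            echo "grub.cfg still passes root=$p, expected root=$root" >&2; return 1
        fi
    done
    return 0
}

# write_sample_config DIR [stale] -> constructed fstab, crypttab and grub.cfg in DIR;
# with "stale" the grub.cfg keeps the old root=UUID=... that the post's sed replaces.
write_sample_config() {
    dir=$1
    cat > "$dir/fstab" <<'EOF'
proc /proc proc nodev,noexec,nosuid 0 0
# / was on /dev/sda1 during installation
#UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759 / ext4 errors=remount-ro 0 1
/dev/mapper/encryptroot / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=eae26cf5-303a-4c17-ac63-d7dd82891c09 none swap sw 0 0
/dev/sdb /boot ext4 defaults 0 0
EOF
    cat > "$dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
encryptroot UUID=d08aab55-a935-4155-aea0-b6fd5da8bed3 none luks
EOF
    if [ "$2" = stale ]; then
        root_param='root=UUID=5e5fac1c-080b-437a-96ff-d9e4e3b04759'
    else
        root_param='root=/dev/mapper/encryptroot'
    fi
    cat > "$dir/grub.cfg" <<EOF
menuentry 'Ubuntu' {
    linux   /vmlinuz-3.2.0-29-generic $root_param ro quiet splash
    initrd  /initrd.img-3.2.0-29-generic
}
EOF
}

# Stand-alone run: check the constructed files and list what remains unencrypted.
# On a migrated host: check_encrypted_root /etc/fstab /etc/crypttab /boot/grub/grub.cfg
if [ "$1" = demo ]; then
    d=$(mktemp -d)
    write_sample_config "$d"
    check_encrypted_root "$d/fstab" "$d/crypttab" "$d/grub.cfg" && echo "root chain consistent"
    unencrypted_fstab_entries "$d/fstab"
    rm -rf "$d"
fi
```

Run it with `sh check.sh demo` against the constructed files, or call `check_encrypted_root` with the real paths before rebooting into the new root.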


If after the reboot you see the following screen, everything has worked. If you got a kernel panic instead, write in the comments and I will tell you what the problem could be and at which step it went wrong.
[image]

After logging in, let's see what happened.

    root@test-winxp-ie7d:~# df -hT
    Filesystem              Type      Size  Used Avail Use% Mounted on
    /dev/mapper/encryptroot ext4      3.0G  1.1G  1.8G  38% /
    udev                    devtmpfs  485M  4.0K  485M   1% /dev
    tmpfs                   tmpfs     198M  312K  198M   1% /run
    none                    tmpfs     5.0M     0  5.0M   0% /run/lock
    none                    tmpfs     495M     0  495M   0% /run/shm
    /dev/sdb                ext4     1021M   74M  897M   8% /boot
    root@test-winxp-ie7d:~# fdisk -l

    Disk /dev/sda: 10.7 GB, 10737418240 bytes
    255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x000649ec

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *        2048    18874367     9436160   83  Linux
    /dev/sda2        18876414    20969471     1046529    5  Extended
    /dev/sda5        18876416    20969471     1046528   82  Linux swap / Solaris

    Disk /dev/sdb: 1073 MB, 1073741824 bytes
    255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

    Disk /dev/sdb doesn't contain a valid partition table

    Disk /dev/sdc: 3221 MB, 3221225472 bytes
    255 heads, 63 sectors/track, 391 cylinders, total 6291456 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x08040000

    Disk /dev/sdc doesn't contain a valid partition table

    Disk /dev/mapper/encryptroot: 3219 MB, 3219128320 bytes
    255 heads, 63 sectors/track, 391 cylinders, total 6287360 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

    Disk /dev/mapper/encryptroot doesn't contain a valid partition table
    root@test-winxp-ie7d:~#


As you can see, the encrypted disk is now mounted as the root file system. The old /dev/sda disk is still present and can be removed.
If you are interested in encrypting the whole system from A to Z, starting with encryption during installation and ending with remote unlocking of LUKS volumes, I have described all of that in detail here.

Source: https://habr.com/ru/post/194906/
