Full Disk Encryption
Deprecated
This guide has been deprecated and is no longer being maintained.
Full disk encryption protects the information stored on your Linode’s disks by converting it into unreadable code that can only be deciphered by authorized individuals. Nearly everything on the disk is encrypted, including the swap space and temporary files. This guide will help you implement full disk encryption on a Linode running Debian 7 (Wheezy). You’ll learn how to:
- Format and encrypt your disks
- Install a base Debian 7 (Wheezy) system with debootstrap
- Configure services and networking
- Boot from the encrypted images
Potential Drawbacks
Full disk encryption does a great job of keeping your data secure, but there are a few caveats. To decrypt and mount the disk, you’ll need to enter the encryption passphrase in the console every time your Linode boots. And some Linode Manager tools may not work as expected if your disks are encrypted. You’ll need to manually resize your filesystem if you want to resize your disk. You’ll also need to implement your own backup solution since the Linode Backup Service can’t mount encrypted disks.
Getting Started
Ready to encrypt your Linode’s disks? Here’s how to prepare a Linode for full disk encryption:
- Create a new Linode in the data center of your choice.
- Make at least three unformatted / raw disks for your Linode. You’ll probably want to use the rest of your disk quota for your main disk.
  - A /boot image, which will be unencrypted. In most cases, 128-256MB will be suitable for /boot.
  - A swap image. You’ll need to choose an appropriate swap size based on your particular needs.
  - A root image to store the files in the root of your filesystem.
- After you have created these disks, you’ll want to boot into Finnix from the Rescue tab. Ensure that your disks are attached as follows:
  - /boot xvda
  - swap xvdb
  - / xvdc
You’ve successfully created the disks for your Linode.
Creating a Configuration Profile
Next, you’ll need to create a configuration profile for the new Linode. Here’s how to do it:
- Create a new configuration profile in the Linode Manager.
- Select the pv-grub-x86_64 kernel from the Kernel menu.
- In the Block Device Assignment section, select the disks you created in the previous section of this guide.
- Disable the Automount devtmpfs and Distro Helper settings.
- Save the configuration profile.
Congratulations! You’re now ready to set up full disk encryption on your Linode.
Enabling Full Disk Encryption
Now you’re ready to enable full disk encryption on your Linode running Debian 7 (Wheezy). Here’s how to do it:
- Reboot into Finnix from the Rescue tab in the Linode Manager.
- Connect to LISH, which will allow you to access the Linode’s virtual console.
- Enter the following command to create an encrypted volume. You’ll be prompted for a passphrase. Make sure that you enter a very strong passphrase, and that you store the passphrase in a physically secure location. Or better yet, memorize the passphrase and don’t store it anywhere!

    cryptsetup luksFormat /dev/xvdc

  Caution: If you lose this passphrase your data will be irretrievable!

  Note: You may receive a FATAL notice about loading a kernel module used for hardware crypto acceleration. This message can be safely ignored.
- Open this encrypted device for access by entering the following command. Enter your passphrase when prompted.

    cryptsetup luksOpen /dev/xvdc crypt-xvdc
- Create the file systems by entering the following commands, one by one. Use ext2 for /boot, and ext4 for /.

    mke2fs /dev/xvda
    mke2fs -t ext4 /dev/mapper/crypt-xvdc
- Create and activate your swap partition by entering the following commands, one by one:

    cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
    mkswap /dev/mapper/crypt-swap
    swapon /dev/mapper/crypt-swap

  Note: Swap will not persist through reboots, so a random key will be used to encrypt swap data.
- Mount the encrypted volume to make it writable by entering the following commands, one by one:

    mkdir mnt
    mount /dev/mapper/crypt-xvdc mnt/
You have successfully enabled full disk encryption, created the file systems, and mounted the encrypted volume.
Installing Debian and Mounting the Disks
Now it’s time to install Debian 7 (Wheezy) and mount the disks. Here’s how to do it:
- Use debootstrap to install a minimal Debian installation by entering the following command:

    debootstrap --arch=amd64 --include=openssh-server,vim,nano,cryptsetup wheezy mnt/
- Mount /dev/xvda and a few other things in preparation for changing root into the newly created Debian system, then change root into the new install. Enter the following commands, one by one:

    mount /dev/xvda mnt/boot/
    mount -o bind /dev mnt/dev/
    mount -o bind /dev/pts/ mnt/dev/pts
    mount -t proc /proc/ mnt/proc/
    mount -t sysfs /sys/ mnt/sys/
    chroot mnt/ /bin/bash
You have successfully installed Debian and mounted the disks on your Linode.
Configuring Debian
Now that you’re “inside” the newly installed Debian system, you’ll need to make the following changes to create a system that boots and works correctly. Please follow these steps with care. Any error will mean your system will not boot! Here’s how to configure Debian:
- Edit /etc/crypttab to match the following:

    crypt-xvdc /dev/xvdc none         luks
    crypt-swap /dev/xvdb /dev/urandom swap
- Edit /etc/fstab to match the following:

    /dev/xvda              /boot ext2 defaults
    /dev/mapper/crypt-xvdc /     ext4 noatime,errors=remount-ro
    /dev/mapper/crypt-swap none  swap sw
    proc                   /proc proc defaults
- Modify /etc/mtab by entering the following command:

    cat /proc/mounts > /etc/mtab
- Configure console access. Note that your console must be configured correctly to boot. Edit /etc/inittab and find the following line:

    0:2345:respawn:/sbin/getty 38400 tty1
- Change the line in /etc/inittab to match the following:

    0:2345:respawn:/sbin/getty 38400 hvc0
- Install a kernel and a bootloader, and then configure the bootloader to boot your kernel by entering the following commands, one by one:

    mkdir /boot/grub
    apt-get install grub-legacy
    apt-get install linux-image-amd64
- Locate the following line in /boot/grub/menu.lst:

    # kopt=root=/dev/mapper/crypt-xvdc ro
- Change the line in /boot/grub/menu.lst to match the following. This will allow update-grub to properly generate a new menu.lst when you update your kernel.

    # kopt=root=/dev/mapper/crypt-xvdc console=hvc0 ro
- Run update-grub and generate a new initramfs by entering the following commands, one by one:

    update-grub
    update-initramfs -u
You have successfully configured Debian for full disk encryption.
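Because a mistake in /etc/crypttab or /etc/fstab leaves the system unbootable, the following added example (not part of the original guide) cross-checks the two files before you reboot. The function name check_crypt_config and the specific checks are assumptions chosen to match this guide's layout, and the sample files are constructed from the listings above.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check crypttab and fstab
# before rebooting. Prints one line per problem; exit status = problem count.
check_crypt_config() {   # usage: check_crypt_config <crypttab> <fstab>
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    FILENAME == ARGV[1] {                    # crypttab: name device key options
        key[$1] = $3; opts[$1] = "," $4 ","
        is_swap = (index(opts[$1], ",swap,") > 0)
        is_rand = ($3 == "/dev/urandom" || $3 == "/dev/random")
        if (is_swap && !is_rand) { print "crypttab: " $1 ": swap volume without a random key"; bad++ }
        if (!is_swap && is_rand) { print "crypttab: " $1 ": random key without swap, unreadable after reboot"; bad++ }
        if ($3 == "none" && index(opts[$1], ",luks,") == 0) { print "crypttab: " $1 ": passphrase volume lacks the luks option"; bad++ }
        next
    }
    $2 == "/" && $1 !~ "^/dev/mapper/" { print "fstab: / is on " $1 ", not an encrypted mapping"; bad++ }
    $1 ~ "^/dev/mapper/" {                   # fstab: device mountpoint type options
        name = substr($1, 13)                # drop the 12-character "/dev/mapper/" prefix
        if (!(name in key)) { print "fstab: " $1 " has no crypttab entry"; bad++; next }
        if (index(opts[name], ",swap,") > 0 && $3 != "swap") { print "fstab: " $1 " is wiped by mkswap at boot but mounted as " $3; bad++ }
    }
    END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample input: the two files as this guide shows them.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
crypt-xvdc /dev/xvdc none luks
crypt-swap /dev/xvdb /dev/urandom swap
EOF
cat > "$demo/fstab" <<'EOF'
/dev/xvda /boot ext2 defaults
/dev/mapper/crypt-xvdc / ext4 noatime,errors=remount-ro
/dev/mapper/crypt-swap none swap sw
proc /proc proc defaults
EOF
if check_crypt_config "$demo/crypttab" "$demo/fstab"; then
    echo "crypttab and fstab are consistent"
fi
rm -rf "$demo"
```

Inside the chroot, run it against the real files with check_crypt_config /etc/crypttab /etc/fstab and fix every reported line before running update-initramfs.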
Tidying Up
You’re almost finished! Just a couple more steps and you’ll have a Linode with encrypted disks:
- You’ll need to make some changes to the structure in /boot due to the way pvgrub expects to see your boot disk. Enter the following commands, one by one:

    cd /boot
    mkdir boot/
    mv grub boot/
    ln -nfs boot/grub grub
- Set the password for the root user by entering the following command:

    passwd
- Configure networking by editing /etc/network/interfaces to match the following:

    auto lo eth0
    iface lo inet loopback
    iface eth0 inet dhcp
- Now exit chroot, unmount your disks, and reboot. You can do this by detaching the screen session and entering the “reboot” command in LISH:

    exit
    umount -l mnt/
    ^a^d
    reboot 1
If everything is configured properly your Linode will boot and prompt you for the encryption passphrase. Enter the passphrase on your console to mount your encrypted disk and boot your Linode. Now you’ll want to follow the steps in our Getting Started guide.
This guide is published under a CC BY-ND 4.0 license.