Context Navigation

← Previous Change
Wiki History
Next Change →

HardyRAID5EncryptedLVM

Timestamp:: 09/02/09 03:27:04 (19 months ago)
Author:: tj
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Linux/Ubuntu/HardyRAID5EncryptedLVM

-                      v17
+                      v18
 [[PageOutline]]
 = RAID-5 Encrypted with Logical Volume Management =
+ These instructions in this tutorial should apply to Intrepid (and possibly Jaunty) as well as Hardy. Some slight adjustments might be necessary due to changes in various system libraries and tools. The key-script has been updated to work with Intrepid.
+  These instructions in this tutorial should apply to Intrepid (and possibly Jaunty) as well as Hardy. Some slight adjustments might be necessary due to changes in various system libraries and tools. The key-script has been updated to work with Intrepid.
 These instructions show how to use the Ubuntu Hardy Desktop Live CD to build and install to a secure encrypted multi-disk RAID system that requires a key-file on an external USB memory stick in order to start. It works around several ''bugs'' in the Ubiquity installer in order to work with ''md'' software RAID arrays (thus avoiding the need to use the alternate text-based installer CD image). In [wiki:Linux/Ubuntu/HardyEncryptedLVM another article there are similar instructions for encrypted non-RAID systems] such as notebooks and laptops that have a single disk drive.
 …
 Access to the Internet is required to install packages not on the LiveCD. Alternatively, download the .deb packages for [http://packages.ubuntu.com/hardy/mdadm mdadm], [http://packages.ubuntu.com/hardy/cryptsetup cryptsetup] and [http://packages.ubuntu.com/hardy/lvm2 lvm2] and make them available locally on a USB memory stick, CD, or floppy disk (they require about 1MB) and install them using:
 {{{
 dpkg -i <package>.deb
 }}}
 == Organisation ==
+The physical system looks like this:[[BR]]
+[[Image(RAIDencryptedLVM-physical.png)]]
+The boot files and swap are in RAID-1 (mirrored) arrays that are accessible to GRUB and BIOS:[[BR]]
+[[Image(RAIDencryptedLVM-logical-RAID1.png)]]
+The operating system and user data are in an encrypted RAID-5 (striped plus parity) array:[[BR]]
+[[Image(RAIDencryptedLVM-logical-RAID5.png)]]
+The physical system looks like this:[[BR]] [[Image(RAIDencryptedLVM-physical.png)]]
+The boot files and swap are in RAID-1 (mirrored) arrays that are accessible to GRUB and BIOS:[[BR]] [[Image(RAIDencryptedLVM-logical-RAID1.png)]]
+The operating system and user data are in an encrypted RAID-5 (striped plus parity) array:[[BR]] [[Image(RAIDencryptedLVM-logical-RAID5.png)]]
 == Boot from the Desktop Live CD ==
 There is no operating system or other data on the disks so the Live CD environment is used to prepare the disks prior to installing Hardy.
 …
 sudo su
 }}}
 == Randomise the disk surface ==
 By ensuring every sector of the disks is written with random data, a potential attacker will have great difficulty locating encrypted data that they might want to try to decrypt. If the surface of the disk was written with zeros (using if=/dev/zero) or some other predictable values encrypted data would be easy to identify if the disk were to fall into hostile hands.
 This is likely to take a long time - '''possibly 24 hours or more''' - even with running one background process for each disk:
 {{{
 for dr in a b c d; do DEV="/dev/sd${dr}"; sh -c "dd if=/dev/urandom of=$DEV bs=512"& done
 }}}
 Check the progress by sending the '''USR1''' signal to the `dd` processes:
 {{{
 ps -ef | sed -n 's/[a-z ]*\([0-9]*\).* dd.*/\1/p' | while read PID; do kill -USR1 $PID; done
 }}}
 == Partition the disks ==
 Each disk is identically partitioned. The RAID-5 array will use the majority of the space. GRUB and BIOS require a ''regular'' disk layout in order to boot the system, so a small partition for /boot is first on the disks.
 …
 We repeat the same partitioning procedure for each disk, creating a 3GB boot/swap partition and put the remainder of the disk in the second partition:
 {{{
 for dr in a b c d; do DEV="/dev/sd${dr}"; echo -e "o\nn\np\n1\n\n+3G\nn\np\n2\n\n\nt\n1\nfd\nt\n2\nfd\np\nw\n" | fdisk $DEV; done
 }}}
 '''Note:''' At this point, if fdisk reports the kernel can't re-read the partition tables:
 {{{
 WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
 …
 }}}
 you will need to restart the system:
 {{{
 shutdown -r now
 …
 == Create the RAID arrays ==
 The RAID arrays will be made up of groups of partitions.
 Install the Linux RAID package:
 {{{
 apt-get install mdadm
 }}}
 First the mirror array for /boot, which will use the first partition on two disks on different IDE channels (to avoid master/slave bootlenecks):
 {{{
 mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdc1
 mdadm: array /dev/md0 started.
 }}}
 Now create a mirror array for swap & hibernate:
 {{{
 mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdd1
 mdadm: array /dev/md1 started.
 }}}
 All remaining space (in the second partition) is allocated to the RAID-5 array. Its capacity will be the number of disks in the array minus one, multiplied by the size of the partition: (N - 1) x C : (4 - 1) x 58GB = 174GB.
 {{{
 mdadm --create /dev/md2 --level=5 --raid-devices=4 /dev/sda2 /dev/sdb2 /dev/sdc2 /dev/sdd2
 mdadm: array /dev/md2 started.
 }}}
 Check the array build status:
 {{{
 cat /proc/mdstat
 …
 unused devices: <none>
 }}}
 Wait until the arrays are finished building. Press Ctrl+C to interrupt `watch` when all the arrays have finished building:
 {{{
 watch -n 30 cat /proc/mdstat
 …
 unused devices: <none>
 }}}
 == Encryption ==
 First, install the cryptography package:
 {{{
 apt-get install cryptsetup
 }}}
 === Choosing a key-file ===
 The key-file is kept on an external USB memory stick. There are various ways to create and store the key-file. Many guides recommend generating a random key from `/dev/random` but in my opinion anyone that managed to get access to the memory stick could easily locate the key-file because of its totally random contents, unless many 'fake' keys were also on the memory stick.
 …
 Load the kernel module:
 {{{
 modprobe dm-crypt
 }}}
 === Encrypt the arrays ===
 Now encrypt the RAID-5 array:
 {{{
 cryptsetup --hash sha512 --key-size 256 --cipher aes-cbc-essiv:sha256 \
 …
 Command successful
 }}}
 Open the encrypted device, giving it the name ''md2encrypted'':
 {{{
 cryptsetup --key-file /media/casper-rw/home/tj/Media/theme-song.mp3 luksOpen /dev/md2 md2encrypted
 …
 }}}
 There will now be a new device:
 {{{
 ls -1 /dev/mapper
 …
 md2encrypted
 }}}
 == Configure Logical Volume Management (LVM) ==
 First install the LVM package:
 {{{
 apt-get install lvm2
 }}}
 ==== LVM Tools Confuse Megabytes with Mebibytes ====
 The LVM tool reports can be confusing because they use the wrong size suffixes (such as MB and GB). The problem is, a gigabyte (GB) is 1,000MB, a megabyte (MB) is 1,000 kilobytes, and a kilobyte (KB) is 1,000 bytes. However, LVM uses binary-based calculations, not the decimal, with KB = 1,024, MB = 1,024KB, and GB = 1,024MB. LVM ''should'' use [http://en.wikipedia.org/wiki/Mebibytes MiB] and [http://en.wikipedia.org/wiki/Gibibyte GiB] suffixes to indicate binary-based measurements.
 …
 ==== Determine the Number and Size of Logical Extents in Logical Volumes ====
 Logical volume size is defined as the number of ''logical extents'' (LE), the size of which is the same for all logical volumes in a volume group and is the same as the ''physical extent'' (PE) size. Use `vgdisplay` to find out:
 {{{
 vgdisplay VGraid5
 …
   VG UUID               V0kRhd-oFLa-hq21-9eCs-kAnm-e1BW-xK7GPT
 }}}
 The '''PE Size''' (physical extent size) for this volume group is 4.00''MB''. The '''Total PE''' (number of extents) is 43,794.
+The '''PE Size''' (physical extent size) for this volume group is 4.00''MB''. The '''Total PE''' (number of extents) is 43,794.
 So, in fact, the PE Size is 4.00''MiB'' (4.00 x 1024 x 1024 = 4,194,304 bytes), or 4.194304''MB'' (4.194304 x 1000 x 1000 = 4,194,304 bytes).
 To make later calculations easier set up some definitions:
 {{{
 export GB=1000000000
 …
 export MiB=1048576
 }}}
 === Encrypted Volume ===
 Create the physical volume and volume group:
 {{{
 pvcreate /dev/mapper/md2encrypted
 …
   Volume group "VGraid5" successfully created
 }}}
 Create the logical volume 'root' using 18GB in the volume group 'VGraid5':
 {{{
 export PES_BYTES=$(echo "$(vgdisplay VGraid5 | sed -n 's/.*PE Size *\([0-9\.]*\) .*/\1/p') * $MiB" | bc)
 …
   Logical volume "root" created
 }}}
 Repeat for `/var/` (10GB) and `/home/` (75% of remaining free space):
 {{{
 EXTENTS=$(echo "10 * $GB / $PES_BYTES" | bc); echo $EXTENTS
 …
   Logical volume "home" created
 }}}
 Using `vgdisplay` you can see this will leave ~34GB of free space. If or when one of the existing logical volumes reaches capacity simply use `lvextend` to allocate more extents from the volume group - no need to shuffle data or partitions around.
 {{{
 vgdisplay VGraid5 | grep 'Free  PE'
   Free  PE / Size       8789 / 34.33 GB
 }}}
 Check the devices are available:
 {{{
 ls -1 /dev/mapper
 …
 VGraid5-var
 }}}
 Now the system has all the devices ready for formatting with file-systems, so installation of the operating system can begin.
 == Install Ubuntu ==
 === Fix a bug in the partition manager scripts ===
 Ubiquity (the Ubunutu Live CD installer) depends on a set of scripts to partition the system disks. These are extremely complicated due to the vast number of permutations of storage device types the user might want to install to. As a result of ancient bugs it doesn't support installing to ''plain'' multiple-disk (md) arrays (/dev/md*), although it ''does'' support LVM devices (/dev/mapper/*) on md arrays.
 …
 There is a quick-and-dirty workaround to allow Ubiquity to see the md arrays. It is a patch that simply comments out a line that ''ignores'' md devices. It is possible it could cause other issues so beware, but from my experience in the scenario described in this article, it was successful. Run this command before starting the installer:
 {{{
 sed -i 's,^\([\t ]*grep -v .^/dev/md. |\),#\1,' /lib/partman/init.d/30parted
 }}}
 Check the line has had a # prefixed to comment it out:
 {{{
 grep '/dev/md' /lib/partman/init.d/30parted
 #           grep -v '^/dev/md' |
 }}}
 The md devices also need to be manually formatted (''not'' partitioned though) because Ubiquity can't handle that:
 {{{
 mkfs.ext3 -L boot /dev/md0
 …
 === Configuring ===
 Run the Ubuntu installer by double-clicking the '''Install''' icon on the Live CD desktop. Select the language, time-zone and keyboard layout.
 …
 The ''device'' list will show amongst others:
 {{{
 /dev/md0
 …
   '''Note:''' Because of a [https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/245855 bug in the Desktop Live CD installer] it is not possible to create the swap partition during installation. Therefore the installer will show a dialog with the message:
+  You have not selected any partitions for use as swap space. Enabling swap space is recommended so that the system can make better use of available physical memory, and so that it behaves better when physical memory is scarce. You may experience installation problems if you do not have enough physical memory.
+  If you do not go back to the partitioning menu and assign a swap partition, the installation will continue without swap space.
+  You have not selected any partitions for use as swap space. Enabling swap space is recommended so that the system can make better use of available physical memory, and so that it behaves better when physical memory is scarce. You may experience installation problems if you do not have enough physical memory. If you do not go back to the partitioning menu and assign a swap partition, the installation will continue without swap space.
   Press the '''Continue''' button.
 …
 Press the '''Advanced...''' button and '''disable''' (un-tick) "Install boot loader". This must be done  manually after the installer has finished.
 Finally, when you're happy with all the choices, press the '''Install''' button and wait whilst the installer runs.
+Finally, when you're happy with all the choices, press the '''Install''' button and wait whilst the installer runs.
 When it finishes '''DO NOT''' restart the system - some additional configuration is required before the system is restarted so it will boot successfully.
 === Post-Installation configuration ===
 Now a series of additional steps is required to ensure the new system can successfully boot.
 ==== Mount the Target System ====
 Prepare the installation for access using chroot:
 {{{
 mkdir /mnt/target
 …
 mount -o bind /dev /mnt/target/dev
 }}}
 ==== Swap ====
 Format the swap partition and add it to the file-system table so it is started automatically:
 {{{
 mkswap /dev/md1
 echo "UUID=$(vol_id --uuid /dev/md1) none swap sw 0 0" >> /mnt/target/etc/fstab
 }}}
 ==== GRUB (boot loader) ====
 GRUB needs to be installed to both physical disks that make up the /dev/md0 mirror.
 Install GRUB:
 {{{
 chroot /mnt/target /bin/bash -c "apt-get install grub"
 …
 chroot /mnt/target /bin/bash -c "cp /usr/lib/grub/*/{,e2fs_}stage* /boot/grub"
 }}}
 Write the master boot record (MBR) to sector #0 of both disks. Start GRUB then issue a series of commands to locate and then install the boot loader files:
 {{{
 grub
 …
 grub> quit
 }}}
 Write GRUB configuration:
 {{{
 chroot /mnt/target /bin/bash -c "update-grub"
 …
 Updating /boot/grub/menu.lst ... done
 }}}
 ==== Install mdadm, cryptsetup, and lvm2 ====
 The installer didn't install the packages needed for the system to understand the disk configuration, so install them manually:
 {{{
 chroot /mnt/target /bin/bash -c "apt-get install mdadm cryptsetup lvm2"
 }}}
 ==== Multiple Disk Configuration ====
 The `mdadm.conf` should have been written automatically when the mdadm package was installed into the chroot environment. Check if the existing file has entries for the three RAID devices:
 {{{
 grep md /mnt/target/etc/mdadm/mdadm.conf
 …
 Otherwise the file can be copied from the Live CD environment:
 {{{
 cp /etc/mdadm/mdadm.conf /mnt/target/etc/mdadm/mdadm.conf
 }}}
 Alternatively, it can be written by `mdadm` itself.
 {{{
 mdadm --detail --brief /dev/md* >> /mnt/target/etc/mdadm/mdadm.conf
 }}}
 ==== Encrypted Disk Configuration ====
 Write the configuration of /dev/mapper/md2encrypted so the system knows how to open it. It will use a shell script that is executed early in the boot process from the initrd image:
 {{{
 echo "md2encrypted /dev/disk/by-uuid/$(vol_id --uuid /dev/md2) /home/tj/Media/theme-song.mp3 luks,keyscript=/usr/local/sbin/crypto-usb-key.sh" >> /mnt/target/etc/crypttab
 }}}
 There are several suitable shell scripts already existing. I chose to modify one written by Wejn and Rodolfo Garcia published at [http://wejn.org/how-to-make-passwordless-cryptsetup.html How to setup passwordless disk encryption in Debian Etch]. It is [http://tjworld.net/raw-attachment/wiki/Linux/Ubuntu/HardyRAID5EncryptedLVM/crypto-usb-key.sh attached to this article] ready for downloading.
 …
  * Added comments
  '''Note:''' Thanks to feedback from Dave at my-iop I've since fixed a password-reading bug and added more functionality to the script. It should now deal with opening key-files from mounted disks (great if you store key-files for some volumes inside the initial encrypted volume). It simply checks for the existence of the key-file and if it finds it bypasses all the USB functionality and passes the contents of the key-file back to the crypto manager.
+  '''Note:''' Thanks to feedback from Dave at my-iop I've since fixed a password-reading bug and added more functionality to the script. It should now deal with opening key-files from mounted disks (great if you store key-files for some volumes inside the initial encrypted volume). It simply checks for the existence of the key-file and if it finds it bypasses all the USB functionality and passes the contents of the key-file back to the crypto manager.
 Copy it into the new system (ensure the path and name match that specified in /mnt/target/etc/crypttab):
 {{{
 wget http://tjworld.net/raw-attachment/wiki/Linux/Ubuntu/HardyRAID5EncryptedLVM/crypto-usb-key.sh \
  -O /mnt/target/usr/local/sbin/crypto-usb-key.sh
 chroot /mnt/target /bin/bash -c "chmod a+x /usr/local/sbin/crypto-usb-key.sh"
+}}}
+}}}
 ==== Update Initial RAM Disk (initrd) ====
 {{{
 chroot /mnt/target /bin/bash -c "update-initramfs -u all"
 update-initramfs: Generating /boot/initrd.img-2.6.24-19-generic
 }}}
 == Restart System and Test ==
 With everything written to the disks it is time to restart:
 {{{
 shutdown -r now
 …
 === Debugging crypto-usb-key.sh ===
 If that fails you'll need to enable debugging within the script by changing:
 {{{
 DEBUG=$FALSE
 }}}
 to
 {{{
 DEBUG=$TRUE
 }}}
 To do this the initial RAM disk image needs updating. That means the encrypted volume must be opened and mounted and the chroot environment recreated from the Live CD.
 …
 Restart the system using the Live CD and open a terminal, then:
 {{{
 sudo su
 …
 }}}
 The script requires the key-file name be assigned to the environmental variable KEYFILE:
 {{{
 KEYFILE="/home/tj/Media/theme-song.mp3"
 …
 }}}
 Now make the changes and update the initial RAM disk image:
 {{{
 sed -i 's/^\(DEBUG=\)$FALSE/\1$TRUE/' /mnt/target/usr/local/sbin/update-usb-key.sh
 update-initramfs -u all
 }}}
 You might also want to remove the "splash" option from the kernel command-line in the GRUB configuration (either in the file /boot/grub/menu.lst or by pressing Escape when GRUB is starting after a reboot to edit the menu directly). This will ensure that the large number of debug messages from the script are easily readable on the console, rather than scrolling up too fast in usplash.
 …
 == References ==
+[https://wiki.ubuntu.com/LiveUsbPendrivePersistent Installing Ubuntu on USB pendrive using Linux][[BR]]
+[http://mazeoflies.com/articles/2008/06/09/ubuntu-hard-drive-encryption-with-external-key Ubuntu hard drive encryption with external key][[BR]]
+[https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto Installing Ubuntu 7.04 on an Encrypted LVM Partition For Root, Swap, and Home][[BR]]
+[http://wejn.org/how-to-make-passwordless-cryptsetup.html How to setup passwordless disk encryption in Debian Etch][[BR]]
+[http://linuxgazette.net/140/pfeiffer.html Encrypted Storage with LUKS, RAID and LVM2][[BR]]
+[http://www.gagme.com/greg/linux/raid-lvm.php Managing RAID and LVM with Linux (v0.5)][[BR]]
+[http://www.howtoforge.com/linux_lvm_p6 A Beginner's Guide To LVM - LVM On RAID1][[BR]]
+[http://www.mythtv.org/wiki/index.php/RAID#RAID_0.2B1_.28or_1.2B0.2C_01.2C_10.29 RAID][[BR]]
+[https://wiki.ubuntu.com/LiveUsbPendrivePersistent Installing Ubuntu on USB pendrive using Linux][[BR]] [http://mazeoflies.com/articles/2008/06/09/ubuntu-hard-drive-encryption-with-external-key Ubuntu hard drive encryption with external key][[BR]] [https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto Installing Ubuntu 7.04 on an Encrypted LVM Partition For Root, Swap, and Home][[BR]] [http://wejn.org/how-to-make-passwordless-cryptsetup.html How to setup passwordless disk encryption in Debian Etch][[BR]] [http://linuxgazette.net/140/pfeiffer.html Encrypted Storage with LUKS, RAID and LVM2][[BR]] [http://www.gagme.com/greg/linux/raid-lvm.php Managing RAID and LVM with Linux (v0.5)][[BR]] [http://www.howtoforge.com/linux_lvm_p6 A Beginner's Guide To LVM - LVM On RAID1][[BR]] [http://www.mythtv.org/wiki/index.php/RAID#RAID_0.2B1_.28or_1.2B0.2C_01.2C_10.29 RAID]
 == Updates ==
 December 2008 '''crypto-usb-key.sh''': Dropped detection of specific USB devices because Intrepid and kernel 2.6.27 no longer include "usb" in the /sys/block/.../device path. Now the script relies purely on the 'removable' flag in determining which devices to look on for the keyfile. Fixed msg() not printing to console when using Intrepid. Simplified detection of running usplash.
+February 2009 '''crypto-usb-key.sh''': Added support for Jaunty, made script work in initrd and after root is mounted, use vol_id for FSTYPE and LABEL if possible, remove reliance on basename.
+February 2009 '''crypto-usb-key.sh''': Added support for Jaunty, made script work in initrd and after root is mounted, use vol_id for FSTYPE and LABEL if possible, remove reliance on basename, minimise wait for USB device to settle by monitoring dmesg for attache event.