Encrypt an existing root disk

Sometimes I get struck by a sense of security consciousness. This time I realized I have all my content on simple btrfs formatted disks, without any encryption. That's not very secure, is it?

I have had this urge before and have encrypted disks before using LUKS, but for some reason I did not do this with my current set of computers.

I would like to continue with btrfs, but when using LUKS, it would require me to move LUKS under btrfs. That seems hard to do, so I have looked also at solutions where encryption is done on top of an existing file system:

  • eCryptfs is interesting. It is an encryption method supported by the Linux kernel. I researched it quite a bit. I even did quite some editing on the Gentoo wiki page for this.
  • EncFS is similar, but it is a userspace solution, leveraging the FUSE library.

Both eCryptfs and EncFS work similarly in that they mount an encrypted directory, providing unencrypted access through it. This may work fine for user directories, even for a '/home' partition, but in my opinion it is not ideal for encrypting a root disk. For instance, mail or log files could be located in '/var'.

So, back to 'shoving LUKS under btrfs'...

Kernel configuration

The first thing that needs to be done is to make sure that the Gentoo kernel supports LUKS. This requires enabling:

  • device mapper
  • crypt target
  • initramfs
  • and a set of cryptographic API functions.

This is all well described in the Gentoo wiki.
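To catch the case that step 13 below warns about (crypt support built as modules, which the initramfs cannot load from a root disk it has not yet unlocked), here is an added check script that is not part of the original post. It reads a kernel .config and reports any required option that is missing or modular. The option list is an assumption of a typical minimal set (device mapper, the crypt target, initramfs support and an AES-XTS/SHA-256 cipher suite); extend it with whatever cipher and hash you chose in luksFormat.

```shell
#!/bin/sh
# Added example, not from the original post: check that a kernel .config has
# the options an encrypted root needs built in (=y) rather than as modules (=m).
# The root device is opened before anything can be loaded from the root disk,
# so a modular crypt target or cipher leaves the initramfs unable to unlock it.
# The option list is an assumption of a typical minimal set; add the cipher
# and hash options matching what you chose in luksFormat.

REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_BLK_DEV_INITRD \
CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256"

# check_kconfig <path-to-.config>
# Prints one line per problem; returns 1 if any option is missing or modular.
check_kconfig() {
    config="$1"
    rc=0
    for opt in $REQUIRED_OPTS; do
        # match "OPT=..." or "# OPT is not set", but not OPT_SOMETHING_ELSE
        line=$(grep -E "^(# )?${opt}[= ]" "$config" | head -n 1)
        case "$line" in
            "${opt}=y") ;;
            "${opt}=m") echo "$opt is a module; build it in"; rc=1 ;;
            *)          echo "$opt is not enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample .config fragment: one option modular, one unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_BLK_DEV_INITRD=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_NI_INTEL=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA256=y
EOF
}

if [ -n "${1:-}" ]; then
    # usage: sh check_kconfig.sh /usr/src/linux/.config
    check_kconfig "$1"
else
    tmp=$(mktemp)
    write_sample_config "$tmp"
    check_kconfig "$tmp" || echo "sample config: initramfs could not unlock the root device"
    rm -f "$tmp"
fi
```

Run it against /usr/src/linux/.config before building the kernel in step 13; without an argument it runs on the constructed sample, which deliberately has the crypt target as a module and XTS unset. Note that the pattern also skips lines such as CONFIG_CRYPTO_AES_NI_INTEL, so an accelerated variant does not stand in for the generic option.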

Software installation

Emerge the software before configuring it.

Encrypting the disk

Theoretically this could be done on-line, but in this case I just boot from a USB disk.

These are the steps:

  1. Boot from USB: this device shows up as /dev/sdb.
  2. Add an external hard disk: this device shows up as /dev/sdc.
  3. Mount the root partition /dev/sda3 on /mnt/sda3.
  4. Add the external hard disk to /mnt/sda3: btrfs device add /dev/sdc1 /mnt/sda3. We now have a JBOD setup with the internal disk and the external disk.
  5. Remove the internal disk /dev/sda3 from the JBOD: btrfs device remove /dev/sda3 /mnt/sda3. This will migrate all data from the internal disk to the external disk. It can take a while, especially on this old netbook with a USB2 interface.
  6. Format /dev/sda3 with LUKS: cryptsetup luksFormat /dev/sda3. It will ask for a password (twice), which will be needed for subsequently unlocking (opening) the device.
  7. Open the encrypted device: cryptsetup luksOpen /dev/sda3 root. This yields a device /dev/mapper/root. Do not use a name other than 'root'.
  8. Add the device back in: btrfs device add /dev/mapper/root /mnt/sda3. We now have another JBOD, this time with the external disk and the encrypted internal disk.
  9. Remove the external disk: btrfs device remove /dev/sdc1 /mnt/sda3. This will migrate all data back to the internal, now encrypted disk.
  10. The external device can now be unplugged.
  11. The gentoo subvolume can be mounted, in this case: mount -o subvol=gentoo-test /dev/mapper/root /mnt/gentoo.
  12. Enter the new environment:
    • mount --types proc /proc /mnt/gentoo/proc
    • mount --rbind /sys /mnt/gentoo/sys
    • mount --rbind /dev /mnt/gentoo/dev
    • mount --bind /run /mnt/gentoo/run
    • chroot /mnt/gentoo /bin/bash
    • source /etc/profile
    • export PS1="(chroot) ${PS1}"
  13. Make sure all crypto kernel modules are configured as built-in, not as modules. Recompile the kernel if needed.
  14. Configure /etc/genkernel.conf: LUKS="yes" and BTRFS="yes"
  15. Generate an initramfs: genkernel initramfs
  16. Update /etc/default/grub with: GRUB_CMDLINE_LINUX="dobtrfs crypt_root=/dev/sda3"
  17. Update /etc/fstab, and replace all references to '/dev/sda3' with '/dev/mapper/root'.
  18. Reboot. When booting again, you are asked for the password to unlock the root device.

Encrypting swap

It is completely useless to have encrypted filesystems and not to encrypt swap. These are the steps to encrypt swap:

  1. Deactivate the swap partition: swapoff -a. In our case the swap device is /dev/sda2.
  2. Clear out any leftover data: dd if=/dev/zero of=/dev/sda2 bs=4M
  3. Add a swap target to /etc/conf.d/dmcrypt:
    • swap=cryptswap
    • source='/dev/sda2'
  4. Start dmcrypt: /etc/init.d/dmcrypt start. Each time dmcrypt is started it will create a swap device at /dev/mapper/cryptswap and make it active.
  5. Make it start on boot: rc-config add dmcrypt boot
  6. Update /etc/fstab: /dev/mapper/cryptswap none swap sw 0 0
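A typo in any of the files edited in root-disk steps 14 to 17 or swap steps 3 to 6 leaves the machine unbootable, so it pays to verify them before the reboot. The following pre-reboot check is an added example, not part of the original post: it reads fstab, genkernel.conf, the GRUB defaults file and the dmcrypt config and reports anything that still points at a plaintext partition or lacks a required setting. It assumes the post's device names (/dev/sda3 root, /dev/sda2 swap) and Gentoo's default file locations, with /etc/default/grub holding the GRUB_CMDLINE_LINUX line; the sample files it creates when run without arguments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot sanity check for the
# files edited in root-disk steps 14-17 and swap steps 3-6. A typo in any of
# them leaves the machine unbootable, so run this from the chroot before
# leaving it. Device names are the post's (/dev/sda3 root, /dev/sda2 swap);
# the file locations are Gentoo's defaults, with /etc/default/grub holding
# the GRUB_CMDLINE_LINUX line.

# setting_is <file> <key> <value>: true if file has key=value (quotes optional)
setting_is() {
    grep -Eq "^[[:space:]]*$2=[\"']?$3[\"']?[[:space:]]*\$" "$1"
}

# refs_device <file> <dev>: true if a non-comment line mentions the device
refs_device() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "$2"
}

# check_boot_config <fstab> <genkernel.conf> <default/grub> <conf.d/dmcrypt>
# Prints one line per problem; returns 1 if anything is wrong.
check_boot_config() {
    fstab="$1"; gk="$2"; grub="$3"; dmc="$4"; rc=0
    # step 17: root must be mounted from the mapper device, never the raw partition
    refs_device "$fstab" /dev/sda3 && { echo "fstab still references /dev/sda3"; rc=1; }
    refs_device "$fstab" /dev/mapper/root || { echo "fstab does not mount /dev/mapper/root"; rc=1; }
    # step 14: genkernel must put LUKS and btrfs support into the initramfs
    setting_is "$gk" LUKS yes || { echo "genkernel.conf: LUKS=\"yes\" missing"; rc=1; }
    setting_is "$gk" BTRFS yes || { echo "genkernel.conf: BTRFS=\"yes\" missing"; rc=1; }
    # step 16: the kernel command line must name the LUKS container and enable btrfs
    cmdline=$(grep '^GRUB_CMDLINE_LINUX=' "$grub" || true)
    case "$cmdline" in *crypt_root=/dev/sda3*) ;; *) echo "grub: crypt_root=/dev/sda3 missing"; rc=1 ;; esac
    case "$cmdline" in *dobtrfs*) ;; *) echo "grub: dobtrfs missing"; rc=1 ;; esac
    # swap steps 3 and 6: dmcrypt sets up cryptswap, and fstab must use that, not /dev/sda2
    setting_is "$dmc" swap cryptswap || { echo "dmcrypt: swap=cryptswap missing"; rc=1; }
    setting_is "$dmc" source /dev/sda2 || { echo "dmcrypt: source='/dev/sda2' missing"; rc=1; }
    refs_device "$fstab" /dev/sda2 && { echo "fstab still references /dev/sda2"; rc=1; }
    refs_device "$fstab" /dev/mapper/cryptswap || { echo "fstab does not use /dev/mapper/cryptswap"; rc=1; }
    return $rc
}

# Constructed sample files reflecting the post's final configuration.
write_samples() {
    cat > "$1/fstab" <<'EOF'
# /dev/sda3 is now the LUKS container; it is opened as /dev/mapper/root
/dev/mapper/root       /     btrfs  subvol=gentoo-test  0 0
/dev/mapper/cryptswap  none  swap   sw                  0 0
EOF
    printf 'LUKS="yes"\nBTRFS="yes"\n' > "$1/genkernel.conf"
    printf 'GRUB_CMDLINE_LINUX="dobtrfs crypt_root=/dev/sda3"\n' > "$1/grub"
    printf "swap=cryptswap\nsource='/dev/sda2'\n" > "$1/dmcrypt"
}

if [ -n "${1:-}" ]; then
    # usage inside the chroot: sh check_boot_config.sh /   (or /mnt/gentoo from outside)
    check_boot_config "$1/etc/fstab" "$1/etc/genkernel.conf" "$1/etc/default/grub" "$1/etc/conf.d/dmcrypt"
else
    dir=$(mktemp -d)
    write_samples "$dir"
    check_boot_config "$dir/fstab" "$dir/genkernel.conf" "$dir/grub" "$dir/dmcrypt" && echo "sample configuration is consistent"
    rm -rf "$dir"
fi
```

Two things the script cannot see for you: the GRUB_CMDLINE_LINUX change only reaches the boot menu after grub-mkconfig -o /boot/grub/grub.cfg has been run, and the btrfs migration in steps 3 to 9 is confirmed by btrfs filesystem show /mnt/sda3 listing only /dev/mapper/root before the external disk is unplugged. Also note that a swap= entry in /etc/conf.d/dmcrypt without a key uses a fresh random key on every boot, which is what makes the dd wipe sufficient, but it also means suspend-to-disk cannot resume from that swap.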

Reboot. Tada...
