Encrypted Linux/Ubuntu on removable USB media

Introduction

During the last years we have seen a concerted attack by the so-called western democratic states on their citizens’ civil liberties and privacy. Simultaneously, but with even less public attention, the same states are pushing to stifle any dissent and all forms of social struggle, protest and resistance that aim to bring about social liberation, self-determination and equality. The means to this end have been increased surveillance, databases and their automated utilization, secret service activity, repression and criminalisation of protests – all justified with the pretext of anti-terrorism. In this context, privacy and security of electronic communication are of growing concern for anyone involving themselves in the struggle for an alternative, bottom-up social order.

We have been working for some time on improving security and privacy within our structures, sharing knowledge and providing assistance for groups and individuals. In this time we have found that many activists feel uneasy about completely removing their existing Windows operating system, which they have become accustomed to and feel relatively confident using although knowing about its security drawbacks. Or they are reluctant to use software that will greatly improve their privacy and security, such as PGP/GPG for email encryption, because they find it difficult to learn and obstructive when working with several computers or travelling. To solve these problems, we have been testing an Ubuntu-based encrypted Linux system for removable media such as USB memory drives, SSD drives or external hard disk drives. This can be used both for becoming acquainted with Linux and for having a secure communication system to easily carry around and use on most PCs. Recently, we have begun carrying out workshops and helping people to install this system. This tutorial is meant to explain how it is done.

Please contact us for feedback, critique or suggestions. If you are seeking help to organise workshops on installing and using the portable encrypted system, please also get in touch (currently, we are based in Germany and France but may be able to provide contacts in other regions as well).

ping [at] gipfelsoli.org

Who is this for

Installing an encrypted Ubuntu (or Debian) system has become successively easier and you do not need magic nerd powers to be able to do it. This explanation is intended as a step-by-step guide for beginners. However, to quickly succeed in case something unexpected happens, some knowledge of Linux is advisable (such as an understanding of the Linux device naming scheme, being able to carry out basic console operations and knowing the main system configuration files). If you are new to Linux we advise you to find someone to help you carry out the installation and explain the system operation to you. If you are willing to invest some time and energy you can also teach yourself by using online documentation and communities – a good place to start would be the documentation at help.ubuntu.com and the Ubuntu community at www.ubuntu.com/support/communitysupport

What this is . . .

This tutorial describes a method for installing an encrypted Ubuntu system on portable media such as a USB flash drive, SSD disk or external hard disk drive. It also suggests some configuration changes and additional software to enhance communication security and system performance and gives some advice on using the base system.

If you follow the instructions in this text, you should end up with

  • a system that fully encrypts all your personal data and most system files, so that it is well protected from direct access in case of loss, theft, seizure etc.
  • a choice of programs to help you communicate safely and anonymously, using tried and tested open source software such as GnuPG for email encryption, Tor for anonymising your internet connections and a set of Firefox plugins for safe browsing.

. . . and what it isn’t (remaining risks)

While the tutorial describes how to set up the encrypted system and install additional software, an in-depth explanation of how to use the various additional software packages involved is beyond the scope of this text. Where possible, we will give some general information and link to other documents that provide more in-depth explanations.

It is important to understand that safe communication is not just a matter of software but also of its configuration and usage so please don’t be fooled into thinking that just by installing the packages mentioned here you will be safe. Please read the external links included in this document or visit security workshops to learn how to use the recommended software safely.

Most importantly, it is necessary to understand that even with an encrypted system such as this, it is still possible for committed attackers to compromise your security and usurp your data. These are the main attack vectors known to us and some possible remedies:

  • While the system is connected to a network it can be attacked to install malicious software and thus access personal data while the system is running. If you disallow active contents such as scripts on all but trusted internet sites as described below, do not run unnecessary services or install unknown programs and always keep your system updated then this is arguably the least likely of all possible attacks in the context of state surveillance.
  • A person with physical access to the removable medium that your encrypted system is installed on can manipulate the small unencrypted partition needed to start the main system. Thus, a software keylogger can be installed to retrieve the passphrase to your encrypted system. Don’t leave your portable medium lying around.
  • A person with physical access to a computer you want to use can attach a hardware keylogger – a small chip that records keyboard inputs – to retrieve the passphrase to your encrypted system. As hardware keyloggers come in all forms and sizes they can be difficult to spot. Make sure that the computers you want to work with are sufficiently protected from malicious access and change your passphrase regularly.
  • A person with physical access to a computer you are currently using can retrieve your encryption key from the frozen memory bar by carrying out a cold boot attack. Although some strategies for partially mitigating this risk exist, there is currently no simple remedy that would eliminate it. The most effective way to protect yourself is to power off the machine completely when it is not in use (a password protected screensaver or sleep/standby mode do NOT secure your computer from this attack). Memory contents may be retained for a short period, so you should guard the machine for a minute or so after removing power.

As you can see, the one central truth of security is that there is no such thing as “absolute security”. It is for this reason that sensitive data that could endanger you or others should not be stored on electronic systems. The methods described here are still useful for protection against the everyday surveillance, data collection and evaluation, creation of personality profiles, mappings of structures and social networks that is today deployed by so-called “security agencies” of states against all emancipatory movements on a large scale.

Legal Note

Depending on the laws in your country, you may face charges up to a prison sentence of several years if you refuse to hand over passwords for encrypted data to law enforcement agencies during certain investigations. Please find out about the applicable laws in your country before using encryption software to secure sensitive data. If you are travelling and crossing national borders, border police may be authorised to search any data you are carrying on electronic media and/or confiscate your hardware. If there is any chance of this happening, you may prefer to take only formatted or freshly installed hardware and store any personal data which you can not do without on an encrypted volume which you can upload to a secure server prior to your travels and retrieve later once you have crossed the border.

Preparation

Software considerations

Before continuing it should be said that from a security point of view Debian is the better Linux distribution to use for this task (three reasons being a cautious package choice for a security hardened system, an insistence on open source software and faster updates). If you have some experience with Linux and feel comfortable with a system that will not provide you with some proprietary hardware drivers or all the newest software packages out of the box then we strongly suggest using Debian rather than Ubuntu. The installation process is almost identical to the one described here. Furthermore, an automated system for easily installing an encrypted Debian 5.0 (lenny) system with additional safety adjustments to portable media already exists. It is open source and well documented (although only in German at the time of writing) and can be downloaded from mandalka.name/privatix.

However, since many activists come from a Windows background, are not well-versed in computer technology and easily put off by problems arising from a transition to Linux, we see that from a usability point of view Ubuntu is still the better choice for inexperienced users. From a security point of view, Ubuntu still performs drastically better than Windows.

Hardware considerations

Minimal hardware requirements to install and run the system described here:

  • an i386-compatible PC that is able to boot from USB or CD
  • at least 256 MB of RAM
  • a USB flash drive or external SSD- or hard disk drive. The absolute minimal size is 4 gigabytes, but this will hardly leave room for data. We recommend at least 8 gigabytes.

Making a conscious choice of the portable medium to use for installing the encrypted system can considerably increase the performance of your system. If you buy a USB flash drive pay attention to its read and write speed. Where some memory drives only manage 3 MB/s others are able to do 15 MB/s or more. Installing the system on an external hard disk drive will provide you with optimal performance. But if you will be travelling or doing other things where your storage medium could be thrown about a lot, keep in mind that a device with mechanical components such as a hard disk drive is much more sensitive and prone to damage than a pure electronic medium such as a USB flash drive. If you want to use an SSD drive, you should be aware that quality of this relatively new technology varies greatly; some SSD drives are noticeably slower in writes than hard drives. Also, as a result of wear leveling technology, the performance of SSDs degrades with use.

Installation

  • download the “alternate installer cd” iso from ubuntu.com and burn the iso to a cd
  • boot the computer from the cd. To do so, you may have to change the boot order in the computer’s BIOS-Setup (which you can reach after powering on the machine with one of the keys F1, F2, Del or F12) so that the CD/DVD-ROM will be the first boot device.
  • from the Ubuntu boot menu set the correct language (F2) and keymap (F3), then choose “Install Ubuntu”
  • follow the installer instructions until you get to the “Partition disks” screen, then choose “manual” as partitioning method
  • on the usb device, delete any existing partitions, then create the following new partition table (assuming that your usb device is sdb – depending on your configuration it may also be sda, sdc, sdd etc.):
    partition   type      size      use as (mount options)                    mount point   encryption key
    /dev/sdb1   primary   128 MB    ext2 file system noatime                  /boot
    /dev/sdb2   primary   512 MB    physical volume for encryption inactive                 random key
    /dev/sdb3   primary   maximum   physical volume for encryption inactive                 passphrase
  • when you’ve set up this partition table, choose “configure encrypted volumes” from the top of the partitioning menu
  • write changes to volumes. when you are asked to enter a passphrase, make sure to choose a safe phrase with at least 20 characters consisting of alphanumerical and special characters
  • when you’re back at the partitioning menu, choose the following partitioning scheme for the new encrypted volumes:
    partition    use as (mount options)     mount point
    sdb2_crypt   swap area
    sdb3_crypt   ext2 file system noatime   /
  • finally you can choose “finish partitioning and write changes to disk” from the partitioning menu
  • the installer will now start copying the base system to the usb stick – time to make some tea …
  • when the system is installed, enter the “full name for the new user”
  • enter the “password”
  • as long as you will be the only person using the usb stick, there is no need to “encrypt your home directory”, because the whole stick is already encrypted
  • the installer will now start copying further packages – time for some more tea …
  • in the end, you will be asked whether you want to install the bootloader grub in the bootsector of the first hard disk – you should answer “no” and enter your usb device in the next screen (if your usb device is /dev/sdb then you have to enter (hd1), if it is /dev/sdc you have to enter (hd2), if it is /dev/sdd you have to enter (hd3), etc.)

System Configuration

  • after installation is finished, restart the computer and change the boot device order in the BIOS-Setup so that the computer will boot from your USB medium (if your computer’s BIOS does not provide this option, you can boot from a CD and start your USB medium from there. Find out how in the troubleshooting section of this text)
  • log into your new system and start updates (System → Administration → Update Manager)
  • set the screensaver password by clicking on System → Preferences → Screensaver, then activate “Lock screen when screensaver is active”
  • finally, you should check if encrypted volumes are addressed via their UUID and correct if necessary. If that sounds incomprehensible to you, let us explain: A UUID is a unique number to address a volume. Since the device name of your removable medium can change depending on the hardware of the computer you are using (on a machine with a single built-in hard disk it may be the second device, on a system with two built-in hard disks the third and on a system using older IDE hardware to attach the built-in hard disks it may even be the first), it is important for the system to address the volumes on the removable medium by their UUID rather than their device name. Usually, the installation routine described above automatically assigns UUIDs to the encrypted volumes and mounts them using this UUID rather than their device name. However, we have experienced some situations where this did not work for the encrypted swap partition. Therefore, you should check whether your encrypted volume for swap is being addressed via its UUID and correct this if not:
     
    To check the current settings, start a terminal and enter
     
    $ cat /etc/crypttab
    

    if everything is well, the output should look something like this:
     
    sdb2_crypt /dev/disk/by-uuid/74f78cc3-a902-4074-8691-08a4e596fbf4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
    sdb3_crypt /dev/disk/by-uuid/74e20c84-069b-4e82-9f30-6be1f706b323 none luks
    

    if however the swap partition in the first line of the above file is not addressed via its UUID (/dev/disk/by-uuid/...) but via its device name (e.g. /dev/sdb2) it will look like this
     
    sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
    sdb3_crypt /dev/disk/by-uuid/74e20c84-069b-4e82-9f30-6be1f706b323 none luks
    

    in this case you should create a new encrypted volume for swap that has a UUID and change the /etc/crypttab configuration file as described in the troubleshooting section of this text.
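
The check described above can also be scripted. This is an added example, not part of the original tutorial: the function name crypttab_unstable_sources is hypothetical, and the demo file is constructed from the second listing above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# crypttab_unstable_sources is a hypothetical helper name.
#
# Usage: crypttab_unstable_sources [FILE]     (FILE defaults to /etc/crypttab)
# Prints "<volume_name> <source_device>" for every entry that is addressed by
# a kernel device name. Returns 0 if there is none, 1 otherwise.
crypttab_unstable_sources() {
    _file=${1:-/etc/crypttab}
    _bad=0
    # Fields per line: volume name, source device, key file, options.
    # The "|| [ -n ... ]" part also handles a last line without a newline.
    while read -r _name _source _rest || [ -n "$_name" ]; do
        case $_name in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        case $_source in
            UUID=*|/dev/disk/by-uuid/*)
                ;;                            # addressed by UUID
            /dev/sd[a-z]*|/dev/hd[a-z]*)
                # Kernel name: may differ on the next computer.
                printf '%s %s\n' "$_name" "$_source"
                _bad=1
                ;;
            *)
                ;;                            # other paths are not judged here
        esac
    done < "$_file"
    return "$_bad"
}

# Demo on a constructed file that mirrors the second listing above.
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
# <target name> <source device> <key file> <options>
sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
sdb3_crypt /dev/disk/by-uuid/74e20c84-069b-4e82-9f30-6be1f706b323 none luks
EOF
crypttab_unstable_sources "$_demo" || echo "the entries listed above are not addressed by UUID"
rm -f "$_demo"
```

Called without an argument, the function reads /etc/crypttab of the running system.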

Recommended software & software configuration

Email client and mail encryption

  • By default, Ubuntu comes with Evolution as the standard email client. However, many activists are familiar with Thunderbird and may prefer to use this. To install it, go to System → Administration → Synaptic Package Manager, type “thunderbird” in the Quick search and install the program by clicking on the software, choosing “Mark for Installation” from the context menu and then clicking on the Apply button. You can find a great tutorial on how to configure Thunderbird on riseup.net
  • You should install “enigmail” and your respective enigmail locale (language pack) by the same method in order to have PGP/GPG support. A good tutorial on how to configure and use enigmail is on the enigmail website

Safe browsing

  • Start Firefox and install the Firefox plugin NoScript to deactivate all active contents and scripts and only allow them on trusted pages. A useful introduction to using NoScript is on the features page of the product website. You should make one configuration change: Right-click on the NoScript icon in the bottom right corner of your Firefox window and click on Settings. Go to the Advanced tab and within it to the Untrusted tab and click on “Forbid ‘Web Bugs’”
  • Install the Firefox plugin CookieSafe to deactivate all cookies and only allow them on trusted pages. We haven’t found a good introduction to using CookieSafe but it’s very similar to NoScript so if you read the above introduction you should be able to use CookieSafe in a similar way. If you find the number of options confusing you may prefer to try CookieSafe Lite – a scaled down version of CookieSafe – instead. To block all Cookies and only accept Cookies from trusted pages you have to change the Firefox settings for Cookies (see next step).
  • Adjust Firefox settings by clicking on Edit → Preferences. Click on the Privacy tab and disable “Accept cookies from sites” (you can control cookies on a per-site basis via the CookieSafe plugin). You may want to enable “Always clear my private data when I close Firefox” and change the settings to remove all data. Click on the Security tab and disable “Remember passwords for sites” (if you do want to use a password manager, install keepassx which also protects the passwords in memory)

Anonymous browsing

  • install the firefox plugin Torbutton to easily switch anonymous browsing on and off.
  • install “macchanger” via Synaptic Package Manager to change your MAC address when necessary. A quick explanation about the MAC address from Incognito: All network cards, both wired and wireless, have a unique identifier stored in them called their MAC address. This address is actually used to identify your computer on the local network, but it will never get out on the internet so people can not use it to trace you. However, other computers on the network could log it, which then would provide proof that your computer has been connected to it. As such, this is not a concern if you are using the encrypted usb stick with your home internet connection as that can be linked to you anyway, but if you are connecting your computer to an untrusted, public wireless network you might consider enabling it. It is never useful enabling this option if you are using a public computer – only use this if you are using a computer that can be linked to you on a public network.

Using the system

How to start a terminal

Click on Applications → Accessories → Terminal or press ALT-F2 and enter gnome-terminal.

How to find out the right device name

For some of the commands below you will need to enter the device names of the partitions that you created on the USB stick during install. If you followed the instructions in this tutorial, then the first partition on the stick will be the /boot filesystem, the second will be an encrypted volume for swap and the third will be an encrypted volume for the root filesystem. Now you can enter

$ sudo fdisk -l

and with the above knowledge about the partition table on the USB flash drive and the overall size of the USB flash drive you should be able to find out the correct device names.

Assuming you have a 16 GB USB flash drive running on a PC with Windows installed on a built-in 40 GB hard disk, the output could look similar to this:

Disk /dev/sda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xbd2bbd2b

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        2432    19535008+   7  HPFS/NTFS
/dev/sda2            2433        4863    19527007+   f  W95 Ext'd (LBA)
/dev/sda5            2433        4226    14410273+   7  HPFS/NTFS
/dev/sda6            4227        4863     5116671    b  W95 FAT32

Disk /dev/sdb: 16.0 GB, 16026435072 bytes
255 heads, 63 sectors/track, 1948 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00065b0e

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1          16      128488+  83  Linux
/dev/sdb2              17          78      498015   83  Linux
/dev/sdb3              79        1948    15020775   83  Linux

in this example

  • the device name for the /boot filesystem on the USB flash drive is /dev/sdb1
  • the device name for the encrypted volume for swap on the USB flash drive is /dev/sdb2
  • the device name for the encrypted volume for the root /-filesystem on the USB flash drive is /dev/sdb3

How to edit a file with root privileges

To edit various configuration files, especially those in the /boot and /etc directories, you will need administrator or root privileges. Start a terminal and enter

$ sudo gedit </path/to/file>

How to change the user password

Start a terminal and enter the following command:

$ passwd

You will be asked to enter the current password and then the new one.

How to change the passphrase of the encrypted volume

To change the passphrase of an encrypted volume start a terminal first.

It is not possible to directly change the password for an encrypted volume with a single command. Instead, you need to add a new passphrase and then delete the old one. Add a new passphrase with the following command (remember that the passphrase should be at least 20 characters long and contain lower and uppercase letters, numbers and special characters):

sudo cryptsetup luksAddKey <device>

(where <device> is the device name of the encrypted volume, e.g. /dev/sdb3)

Then delete the old passphrase:

sudo cryptsetup luksRemoveKey <device>

(where <device> is the device name of the encrypted volume, e.g. /dev/sdb3)

You will be asked to enter the passphrase you want to remove and then a remaining passphrase.

How to copy your encrypted system from one usb device to another

The following procedures will only work if the usb device that you want to copy the system to has at least the same size as the original.

Using Linux:

Boot from any linux live CD (such as the Ubuntu live CD) or from a linux system installed on a hard drive. Insert the usb device you want to copy from and make sure you know the device name, then also insert the usb device you want to copy to and also make sure you know the device name.

CAUTION: If you get the two device names wrong, your complete encrypted system will be destroyed irretrievably.

Start a terminal and enter the following command

sudo dd if=<original device> of=<copy device>

(where <original device> is the name of the device with the encrypted system on it, e.g. /dev/sdb, and <copy device> is the name of the device that you want to copy to, e.g. /dev/sdc).
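
The two conditions stated above (the target must be at least as large as the original, and the device names must not be mixed up) can be checked before dd runs, and the result compared afterwards. This is an added example, not part of the original tutorial; all function names are hypothetical, and the functions also accept image files so the procedure can be rehearsed without touching a device.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. All function names are
# hypothetical. Run as root; rehearse with image files before using devices.

# Size in bytes of a block device, or of a regular file used for rehearsal.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# True if the device itself or one of its partitions appears in the mount
# table given as $2 (default: /proc/mounts).
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' "${2:-/proc/mounts}"
}

# Return codes: 0 ok, 2 device missing, 3 source and target are the same,
# 4 target too small, 5 source or target is mounted.
copy_preflight() {
    _src=$1
    _dst=$2
    _mounts=${3:-/proc/mounts}
    [ -e "$_src" ] && [ -e "$_dst" ] || return 2
    [ "$(readlink -f "$_src")" != "$(readlink -f "$_dst")" ] || return 3
    [ "$(dev_size "$_dst")" -ge "$(dev_size "$_src")" ] || return 4
    if is_mounted "$_src" "$_mounts" || is_mounted "$_dst" "$_mounts"; then
        return 5
    fi
    return 0
}

# Run the checks, copy, then compare the target byte for byte with the source.
# Return codes: those of copy_preflight, 6 if dd failed, 7 if the copy differs.
copy_device() {
    copy_preflight "$1" "$2" "${3:-/proc/mounts}" || return $?
    # notrunc keeps a rehearsal image at its size, as a real device would be;
    # fsync makes dd wait until the data has reached the medium.
    dd if="$1" of="$2" bs=4M conv=notrunc,fsync 2>/dev/null || return 6
    cmp -n "$(dev_size "$1")" "$1" "$2" || return 7
}

# Usage, with the device names from the example above:
#   copy_device /dev/sdb /dev/sdc && echo "copy verified"
```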

Using Windows:

To create an image of your encrypted system which you can later copy to another usb device you can use the freeware (not open source :-( ) USB Image Tool. Download and install it (and also Microsoft’s .NET Framework if you don’t have it already). To be able to create a copy of the complete system it is important to use the “device mode”. If you are running the software on Vista you need administrator rights to use device mode. To grant these to the program, right-click the executable and select “Run as administrator”.

Troubleshooting

I can not boot from my removable medium

If it is not possible to boot from your USB medium then the BIOS of your computer is probably too old. To solve this problem, go to a computer from which you can boot (or use the rescue system from the alternate install CD to start a console on the encrypted USB system) and create the following file (adapted from the privatix source at mandalka.name/privatix):

File: /usr/local/sbin/mkbootiso

#!/bin/bash

# Creates CD-Boot-ISO for Privatix Live-System
# Version 8.12.07 by Markus Mandalka

# Abort on the first error instead of building a broken image
set -e

# Create a private temporary directory (unpredictable name, mode 0700)
TEMPDIR=$(mktemp -d /tmp/privatix-mkbootiso.XXXXXX)
OUTFILE=/boot/boot.iso

# Create directories
mkdir -p "$TEMPDIR/boot/grub"

# Copy stage2
cp /usr/lib/grub/i386-pc/stage2_eltorito "$TEMPDIR/boot/grub/"

# Copy kernel and initramdisk
cp /vmlinuz "$TEMPDIR/boot/"
cp /initrd.img "$TEMPDIR/boot/"

# Write grub-menu
cat <<EOF >"$TEMPDIR/boot/grub/menu.lst"
default 0
timeout 5
color cyan/blue white/blue
title Boot from usb stick
root (cd)
kernel /boot/vmlinuz root=/dev/mapper/[YOUR_ENCRYPTED_DEVICE_NAME] ro quiet
initrd /boot/initrd.img
EOF

# Create iso image
mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -o "$OUTFILE" "$TEMPDIR"

# Clear temporary directory
rm -rf -- "$TEMPDIR"

You need to change the line that begins with kernel – replace [YOUR_ENCRYPTED_DEVICE_NAME] with the name of your encrypted root device (e.g. “sdb3_crypt”).

When you have created the file, you can use it to create a boot cd. To do so, start a terminal and enter the following commands:

$ sudo chmod 755 /usr/local/sbin/mkbootiso
$ sudo /usr/local/sbin/mkbootiso

This will create an iso image in the /boot directory. Now you can start the file manager (Places → Home Folder), navigate to the /boot directory, right-click on the file boot.iso and choose “Open with ‘Disc Burner’” from the menu.

Now you can boot the computer from the CD and it will start the encrypted system from the usb stick.

IMPORTANT NOTE: Every time that an update of the linux kernel is installed, you will have to create a new iso image and burn it to a cd, otherwise you will continue working with the old kernel.

The Linux on my usb stick is very slow / I am worried about my USB/SSD device lifetime

If you find that the linux on your usb stick is too slow, there are a number of filesystem related tweaks you can use to speed up performance. Many of these are also useful to extend your USB/SSD device’s lifetime since frequent writes will cause failure eventually.

Turn off recording of access timestamps

If you followed the instructions in the installation part of this tutorial, then recording access timestamps has already been turned off. However, after a default installation the last accessed time attribute is written to files every time they are accessed causing a lot of writes. You can turn this off by adding the following mount option to /etc/fstab:

noatime

Reboot for the change to take effect.

Note: there is also the nodiratime mount option which only stops the recording of access times for directories. However, you do not need to add this when using the noatime option as noatime is for both files and directories.

Change the default I/O scheduler

The I/O (input/output) scheduler controls the order in which applications write to disk. Since flash sticks and ssd drives work differently than spinning hard drives, the standard I/O scheduler does not work so well with them. Often while writing a large file to disk, any other application which tries to write hangs until the other write finishes.

You can change the I/O scheduler for a single device from the commandline with the following command:

$ sudo -i
# echo noop > /sys/block/<device>/queue/scheduler
# exit

(where <device> is the name of your usb device, e.g. sdb)

If you want to make this change permanent between reboots, include the following line in the file /etc/rc.local:

echo noop > /sys/block/<device>/queue/scheduler

(again, <device> is the name of your usb device, e.g. sdb)

If you are only going to use flash/ssd drives then you can change the standard scheduler for all drives connected to the computer instead by adding the following to the kopt line in your /boot/grub/menu.lst:

elevator=noop

CAUTION: Do not change the default scheduler to noop on mechanical harddrives
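
The /etc/rc.local line above names a fixed device, but as explained in the System Configuration section the device name of the removable medium can differ from one computer to the next. The following added example (not part of the original tutorial; the function names are hypothetical) looks up the disk that holds /boot at boot time and switches only that disk to noop. It assumes sdX-style device names as used throughout this text.

```shell
#!/bin/sh
# Added example, not part of the original tutorial; function names are
# hypothetical. Assumes sdX-style device names (sdb1 -> sdb).

# Print the disk (e.g. "sdb") that holds the partition mounted on /boot.
# /boot is the one unencrypted partition and sits directly on the stick.
# $1 = mount table, default /proc/mounts.
boot_disk() {
    _part=$(awk '$2 == "/boot" { print $1; exit }' "${1:-/proc/mounts}")
    [ -n "$_part" ] || return 1
    # Resolve /dev/disk/by-uuid/... links where they exist.
    _real=$(readlink -f "$_part" 2>/dev/null) || _real=$_part
    # Strip the directory and the trailing partition number.
    basename "$_real" | sed 's/[0-9]*$//'
}

# Switch the disk that holds /boot to the noop scheduler.
# $1 = sysfs root (default /sys), $2 = mount table (default /proc/mounts).
# Return codes: 0 ok, 1 no /boot mount found, 2 scheduler file not writable,
# 3 noop is not offered for this disk.
set_noop_on_boot_disk() {
    _sys=${1:-/sys}
    _disk=$(boot_disk "${2:-/proc/mounts}") || return 1
    _sched=$_sys/block/$_disk/queue/scheduler
    [ -w "$_sched" ] || return 2
    # The file lists the available schedulers, the active one in brackets.
    grep -qw noop "$_sched" || return 3
    echo noop > "$_sched"
}

# In /etc/rc.local (runs as root), after defining the two functions:
#   set_noop_on_boot_disk
```

If the system is installed on an external mechanical hard disk, leave this out, in line with the caution above.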

Use a ramdisk to store temporary data

If you have enough ram then you can use a ramdisk to store temporary data instead of having it written to disk. This will speed up the system and cause less wear on the drive. Add the following lines to /etc/fstab:

tmpfs /tmp      tmpfs  defaults,noatime,mode=1777  0  0
tmpfs /var/tmp  tmpfs  defaults,noatime,mode=1777  0  0

Reboot for the change to take effect

Use a ramdisk to store the firefox cache

You can also reduce disk writes and speed up firefox by moving its cache from your /home directory to the ramdisk created in the previous step. Open about:config in Firefox. Right click in an open area and create a new string value called browser.cache.disk.parent_directory and set the value to /tmp.

Turn off ext3-journaling or improve journaling

If you followed the instructions in the installation part of this tutorial, then you are already working on ext2 which is a filesystem without a journal. However, if you installed ext3 instead, then you can convert it to ext2 with the following command:

$ sudo tune2fs -O ^has_journal <device>

The journal is a filesystem feature for reconstructing a clean filesystem and possibly lost data in case of unclean shutdowns or system crashes. However, to do so more information needs to be written to disk so if you can do without the journal, harddisk performance will increase.

If you do not want to remove the journal, you can still optimise its performance with the following commands (you should be familiar with the syntax of the files /etc/fstab and /boot/grub/menu.lst first):

  • Change the way that journaling data will be written to disk. Increase data throughput with the following command – however, be aware that this may allow old data to appear in files after a crash and journal recovery:
     
    $ sudo tune2fs -o journal_data_writeback <device>
    

    if you use this also include the following ext3 mount option in your /etc/fstab:
     
    data=writeback
    

    and add this to the kopt line in /boot/grub/menu.lst:
     
    rootflags=data=writeback
    
  • You can also change the interval at which data and metadata are synced to the journal. The default is 5 seconds, so if you increase the number, e.g. to 60, the disk will be accessed less often. Include the following ext3 mount option in your /etc/fstab:
     
    commit=60
    

    and add this to the kopt line in /boot/grub/menu.lst:
     
    rootflags=commit=60
    

    (if you also changed the journaling data mode above then your kopt line should now include this:)
     
    rootflags=data=writeback,commit=60
    
  • Reboot for the changes to take effect.

The encrypted swap is not mounted by UUID

In this case you should follow these steps to create a new encrypted volume for swap that has a UUID and change the /etc/crypttab configuration file accordingly:

disable all active swap partitions:

$ sudo swapoff -a

close the encrypted volume for swap:

$ sudo cryptsetup luksClose <volume_name>

Where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (e.g. sdb2_crypt)

create a new encrypted volume for swap on the same partition you used before:

$ sudo cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 -d /dev/urandom create <volume_name> <device>

Where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (e.g. sdb2_crypt) and <device> is the device name used in the second column of the swap line in /etc/crypttab (e.g. /dev/sdb2)

find out the UUID of the new encrypted volume:

$ sudo cryptsetup luksUUID /dev/sdb2

the output from that command should be something like this:

74f78cc3-a902-4074-8691-08a4e596fbf4

copy this number to the clipboard (mark with mouse, right-click and copy), then open the configuration file /etc/crypttab in a text editor:

$ sudo gedit /etc/crypttab

replace the old line for the encrypted volume for swap with the following line:

<volume_name> /dev/disk/by-uuid/<uuid> /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap

where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (e.g. sdb2_crypt) and <uuid> is the UUID you just copied in the step above (e.g. 74f78cc3-a902-4074-8691-08a4e596fbf4)

save the file and exit the editor, then restart all crypto disks:

$ sudo /etc/init.d/cryptdisks start

set up a swap area on the encrypted volume:

$ sudo mkswap /dev/mapper/<volume_name>

where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (e.g. sdb2_crypt)

activate the new swap partition:

$ sudo swapon -a

Todos

  • Improve the section on anonymous browsing by including a description on how to install and use vidalia or including a link to a vidalia howto
  • Carry out research on how to implement further possible mitigations concerning cold boot attacks (i.e. safe passphrase protected suspend to disk using dm_crypt/luks or safe deletion of memory at shutdown)
  • Find encryption solution for multiuser systems. The current method is only safe for single-user systems. If we want this to be usable on a multi-user system, the users’ home directories should be separately encrypted and automatically mounted only when the respective user logs in. Possible solutions could be via
    a) ecryptfs using PAM
    b) cryptsetup using PAM
    c) …?
    test all these solutions, find advantages and disadvantages and choose the best method
  • include a troubleshooting guide to opening and repairing the encrypted system from a different medium such as ubuntu live system if errors occur (i.e. bootloader damage, filesystem damage etc.)
  • include a boot option to automatically start with macchanger running. Simply running an init.d script is not so useful as Apparently incognito does this
  • include USBCryptFormat from privatix