Introduction

During the last years we have seen a concerted attack by the so-called western democratic states on their citizens' civil liberties and privacy. Simultaneously, but with even less public attention, the same states are pushing to stifle any dissent and all forms of social struggle, protest and resistance that aim to bring about social liberation, self-determination and equality. The means to achieve this have been increased surveillance, databases and their automated utilization, secret service activity, repression and criminalisation of protests – all justified with the pretext of anti-terrorism. In this context, privacy and security of electronic communication are of growing concern for anyone involving themselves in the struggle for an alternative, bottom-up social order.

We have been working for some time on improving security and privacy within our structures, sharing knowledge and providing assistance for groups and individuals. In this time we have found that many activists feel uneasy about completely removing their existing Windows operating system, which they have become accustomed to and feel relatively confident using despite knowing about its security drawbacks. Or they are reluctant to use software that will greatly improve their privacy and security, such as PGP/GPG for email encryption, because they find it difficult to learn and obstructive when working with several computers or travelling. To solve these problems, we have been testing an Ubuntu-based encrypted Linux system for removable media such as USB memory drives, SSD drives or external hard disk drives. This can be used both for becoming acquainted with Linux and for having a secure communication system that is easy to carry around and use on most PCs. Recently, we have begun carrying out workshops and helping people to install this system. This tutorial is meant to explain how it is done.

Please contact us for feedback, critique or suggestions. If you are seeking help to organise workshops on installing and using the portable encrypted system, please also get in touch (currently, we are based in Germany and France but may be able to provide contacts in other regions as well).

ping [at] gipfelsoli.org

Who is this for

Installing an encrypted Ubuntu (or Debian) system has become successively easier and you do not need magic nerd powers to be able to do it. This explanation is intended as a step-by-step guide for beginners. However, to quickly succeed in case something unexpected happens, some knowledge of Linux is advisable (such as an understanding of the Linux device naming scheme, being able to carry out basic console operations and knowing the main system configuration files). If you are new to Linux we advise you to find someone to help you carry out the installation and explain the system operation to you. If you are willing to invest some time and energy you can also teach yourself by using online documentation and communities – a good place to start would be the documentation at help.ubuntu.com and the Ubuntu community at www.ubuntu.com/support/communitysupport.

What this is . . .

This tutorial describes a method for installing an encrypted Ubuntu system on portable media such as a USB flash drive, SSD disk or external hard disk drive. It also suggests some configuration changes and additional software to enhance communication security and system performance and gives some advice on using the base system.

If you follow the instructions in this text, you should end up with

. . . and what it isn’t (remaining risks)

While the tutorial describes how to set up the encrypted system and install additional software, an in-depth explanation of how to use the various additional software packages involved is beyond the scope of this text. Where possible, we will give some general information and link to other documents that provide more in-depth explanations.

It is important to understand that safe communication is not just a matter of software but also of its configuration and usage so please don’t be fooled into thinking that just by installing the packages mentioned here you will be safe. Please read the external links included in this document or visit security workshops to learn how to use the recommended software safely.

Most importantly, it is necessary to understand that even with an encrypted system such as this, it is still possible for committed attackers to compromise your security and usurp your data. These are the main attack vectors known to us and some possible remedies:

As you can see, the one central truth of security is that there is no such thing as “absolute security”. It is for this reason that sensitive data that could endanger you or others should not be stored on electronic systems. The methods described here are still useful for protection against the everyday surveillance, data collection and evaluation, creation of personality profiles, mappings of structures and social networks that is today deployed by so-called “security agencies” of states against all emancipatory movements on a large scale.

Legal Note

Depending on the laws in your country, you may face charges up to a multi-year prison sentence if you refuse to hand over passwords for encrypted data to law enforcement agencies during certain investigations. Please find out about the applicable laws in your country before using encryption software to secure sensitive data. If you are travelling and crossing national borders, border police may be authorised to search any data you are carrying on electronic media and/or confiscate your hardware. If there is any chance of this happening, you may prefer to take only formatted or freshly installed hardware and store any personal data which you cannot do without on an encrypted volume which you can upload to a secure server prior to your travels and retrieve later once you have crossed the border.

Preparation

Software considerations

Before continuing it should be said that from a security point of view Debian is the better Linux distribution to use for this task (three reasons being a cautious package choice for a security hardened system, an insistence on open source software and faster updates). If you have some experience with Linux and feel comfortable with a system that will not provide you with some proprietary hardware drivers or all the newest software packages out of the box, then we strongly suggest using Debian rather than Ubuntu. The installation process is almost identical to the one described here. Furthermore, an automated system for easily installing an encrypted Debian 5.0 (lenny) system with additional safety adjustments to portable media already exists. It is open source and well documented (although only in German at the time of writing) and can be downloaded from mandalka.name/privatix.

However, since many activists come from a Windows background, are not well-versed in computer technology and easily put off by problems arising from a transition to Linux, we see that from a usability point of view Ubuntu is still the better choice for inexperienced users. From a security point of view, Ubuntu still performs drastically better than Windows.

Hardware considerations

Minimal hardware requirements to install and run the system described here:

Making a conscious choice of the portable medium to use for installing the encrypted system can considerably increase the performance of your system. If you buy a USB flash drive, pay attention to its read and write speed. Where some memory drives only manage 3 mb/s, others are able to do 15 mb/s or more. Installing the system on an external hard disk drive will provide you with optimal performance. But if you will be travelling or doing other things where your storage medium could be thrown about a lot, keep in mind that a device with mechanical components such as a hard disk drive is much more sensitive and prone to damage than a pure electronic medium such as a USB flash drive. If you want to use an SSD drive, you should be aware that the quality of this relatively new technology varies greatly; some SSD drives are noticeably slower in writes than hard drives. Also, as a result of wear leveling technology, the performance of SSDs degrades with use.

Installation

partition   type     size     use as                          (mount options)  mount point  encryption key
/dev/sdb1   primary  128 MB   ext2 file system                noatime  /boot
/dev/sdb2   primary  512 MB   physical volume for encryption  inactive  random key
/dev/sdb3   primary  maximum  physical volume for encryption  inactive  passphrase

partition   use as            (mount options)  mount point
sdb2_crypt  swap area
sdb3_crypt  ext2 file system  noatime          /

System Configuration

Recommended software & software configuration

Email client and mail encryption

Safe browsing

Anonymous browsing

Using the system

How to start a terminal

Click on Applications → Accessories → Terminal or press ALT-F2 and enter gnome-terminal.

How to find out the right device name

For some of the commands below you will need to enter the device names of the partitions that you created on the USB stick during install. If you followed the instructions in this tutorial, then the first partition on the stick will be the /boot filesystem, the second will be an encrypted volume for swap and the third will be an encrypted volume for the root filesystem. Now you can enter

$ sudo fdisk -l

and with the above knowledge about the partition table on the USB flash drive and the overall size of the USB flash drive you should be able to find out the correct device names.

Assuming you have a 16 GB USB flash drive running on a PC with Windows installed on a built-in 40 GB hard disk, the output could look similar to this:

Disk /dev/sda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xbd2bbd2b

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        2432    19535008+   7  HPFS/NTFS
/dev/sda2            2433        4863    19527007+   f  W95 Ext'd (LBA)
/dev/sda5            2433        4226    14410273+   7  HPFS/NTFS
/dev/sda6            4227        4863     5116671    b  W95 FAT32

Disk /dev/sdb: 16.0 GB, 16026435072 bytes
255 heads, 63 sectors/track, 1948 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00065b0e

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1          16      128488+  83  Linux
/dev/sdb2              17          78      498015   83  Linux
/dev/sdb3              79        1948    15020775   83  Linux

in this example

How to edit a file with root privileges

To edit various configuration files, especially those in the /boot and /etc directories, you will need administrator or root privileges. Start a terminal and enter

$ sudo gedit </path/to/file>

How to change the user password

Start a terminal and enter the following command:

$ passwd

You will be asked to enter the current password and then the new one.

How to change the passphrase of the encrypted volume

To change the passphrase of an encrypted volume start a terminal first.

It is not possible to directly change the password for an encrypted volume with a single command. Instead, you need to add a new passphrase and then delete the old one. Add a new passphrase with the following command (remember that the passphrase should be at least 20 characters long and contain lower and uppercase letters, numbers and special characters):

$ sudo cryptsetup luksAddKey <device>

(where <device> is the device name of the encrypted volume, i.e.: /dev/sdb3)

Then delete the old passphrase:

$ sudo cryptsetup luksRemoveKey <device>

(where <device> is the device name of the encrypted volume, i.e.: /dev/sdb3)

You will be asked to enter the passphrase you want to remove and then a remaining passphrase.

How to copy your encrypted system from one usb device to another

The following procedures will only work if the usb device that you want to copy the system to has at least the same size as the original.

Using Linux:

Boot from any linux live CD (such as the Ubuntu live CD) or from a linux system installed on a hard drive. Insert the usb device you want to copy from and make sure you know the device name, then also insert the usb device you want to copy to and also make sure you know the device name.

CAUTION: If you get the two device names wrong, your complete encrypted system will be destroyed irretrievably.

Start a terminal and enter the following command

$ sudo dd if=<original device> of=<copy device>

(where <original device> is the name of the device with the encrypted system on it, i.e.: /dev/sdb and <copy device> is the name of the device that you want to copy to, i.e.: /dev/sdc).
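
A pre-flight check for the dd copy above, as an added example that is not part of the original tutorial: it refuses to run when source and target are the same, when the target is smaller than the original, or when either device is in use. The function names and the sample mount table are constructed for illustration, and the check for mapper names ending in _crypt assumes the naming used in this tutorial (sdb3_crypt).

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight checks for the dd clone.

# in_use DEVICE MOUNTS_FILE: succeeds if DEVICE, one of its partitions, or a
# mapping named like the tutorial's "sdb3_crypt" is listed as mounted.
in_use() {
    awk -v d="$1" -v n="${1##*/}" '
        $1 == d { hit = 1 }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/ { hit = 1 }
        $1 ~ ("^/dev/mapper/" n "p?[0-9]+_crypt$") { hit = 1 }
        END { exit !hit }
    ' "$2"
}

# preflight SRC DST SRC_BYTES DST_BYTES MOUNTS_FILE: prints "ok" or a reason.
preflight() {
    if [ "$1" = "$2" ]; then
        echo "source and target are the same device"; return 1
    fi
    if [ "$4" -lt "$3" ]; then
        echo "target is smaller than the original ($4 < $3 bytes)"; return 1
    fi
    if in_use "$2" "$5"; then
        echo "target $2 is mounted or backs a mounted _crypt volume"; return 1
    fi
    if in_use "$1" "$5"; then
        echo "original $1 is in use, boot a different system first"; return 1
    fi
    echo ok
}

# clone_stick <original device> <copy device>: run as root from a live system.
clone_stick() {
    [ -b "$1" ] && [ -b "$2" ] ||
        { echo "usage: clone_stick <original device> <copy device>" >&2; return 1; }
    verdict=$(preflight "$1" "$2" "$(blockdev --getsize64 "$1")" \
                        "$(blockdev --getsize64 "$2")" /proc/mounts) ||
        { echo "refusing to copy: $verdict" >&2; return 1; }
    printf 'Retype the device that will be OVERWRITTEN (%s): ' "$2"
    read -r answer
    [ "$answer" = "$2" ] || { echo "aborted" >&2; return 1; }
    dd if="$1" of="$2" bs=4M conv=fsync
}

# Constructed sample of /proc/mounts: booted from the internal disk (sda),
# an unrelated stick mounted from sdc, an old encrypted root open from sde.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sdc1 /media/disk vfat rw,nosuid,nodev 0 0
/dev/mapper/sde3_crypt /mnt/old ext2 rw,noatime 0 0
EOF
}
```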

Using Windows:

To create an image of your encrypted system which you can later copy to another USB device, you can use the freeware (not open source :-( ) USB Image Tool. Download and install it (and also Microsoft's .NET Framework if you don’t have it already). To be able to create a copy of the complete system it is important to use the “device mode”. If you are running the software on Vista you need administrator rights to use device mode. To grant these to the program, right-click the executable and select “Run as administrator”.

Troubleshooting

I can not boot from my removable medium

If it is not possible to boot from your USB medium then the BIOS of your computer is probably too old. To solve this problem, go to a computer from which you can boot (or use the rescue system from the alternative install cd to start a console on the encrypted USB system) and create the following file (adapted from the privatix source at mandalka.name/privatix):

File: /usr/local/sbin/mkbootiso

#!/bin/bash

# Creates CD-Boot-ISO for Privatix Live-System
# Version 8.12.07 by Markus Mandalka

# Stop at the first failing command instead of building a broken image
set -e

# Private temporary directory; mktemp avoids a predictable name in /tmp
TEMPDIR=$(mktemp -d /tmp/privatix-mkbootiso.XXXXXX)
OUTFILE=/boot/boot.iso

# Create directories
mkdir -p "$TEMPDIR/boot/grub"

# Copy stage2 (the El Torito boot loader stage from GRUB)
cp /usr/lib/grub/i386-pc/stage2_eltorito "$TEMPDIR/boot/grub/"

# Copy kernel and initramdisk
cp /vmlinuz "$TEMPDIR/boot/"
cp /initrd.img "$TEMPDIR/boot/"

# Write grub-menu
cat <<EOF >"$TEMPDIR/boot/grub/menu.lst"
default 0
timeout 5
color cyan/blue white/blue
title Boot from usb stick
root (cd)
kernel /boot/vmlinuz root=/dev/mapper/[YOUR_ENCRYPTED_DEVICE_NAME] ro quiet
initrd /boot/initrd.img
EOF

# Create ISO image
mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -o "$OUTFILE" "$TEMPDIR"

# Remove the temporary directory
rm -R "$TEMPDIR"

You need to change the line that begins with kernel – replace [YOUR_ENCRYPTED_DEVICE_NAME] with the name of your encrypted root device (i.e. “sdb3_crypt”).

When you have created the file, you can use it to create a boot CD. To do so, start a terminal and enter the following commands:

$ sudo chmod 755 /usr/local/sbin/mkbootiso
$ sudo /usr/local/sbin/mkbootiso

This will create an ISO image in the /boot directory. Now you can start the file manager (Places → Home Folder), navigate to the /boot directory, right-click on the file boot.iso and choose “Open with ‘Disc Burner’” from the menu.

Now you can boot the computer from the CD and it will start the encrypted system from the usb stick.

IMPORTANT NOTE: Every time that an update of the linux kernel is installed, you will have to create a new iso image and burn it to a cd, otherwise you will continue working with the old kernel.

The Linux on my usb stick is very slow / I am worried about my USB/SSD device lifetime

If you find that the Linux on your USB stick is too slow, there are a number of filesystem-related tweaks you can use to speed up performance. Many of these are also useful to extend your USB/SSD device’s lifetime since frequent writes will cause failure eventually.

Turn off recording of access timestamps

If you followed the instructions in the installation part of this tutorial, then recording access timestamps has already been turned off. However, after a default installation the last accessed time attribute is written to files every time they are accessed causing a lot of writes. You can turn this off by adding the following mount option to /etc/fstab:

noatime

Reboot for the change to take effect.

Note: there is also the nodiratime mount option which only stops the recording of access times for directories. However, you do not need to add this when using the noatime option as noatime is for both files and directories.

Change the default I/O scheduler

The I/O (input/output) scheduler controls the order in which applications write to disk. Since flash sticks and ssd drives work differently than spinning hard drives, the standard I/O scheduler does not work so well with them. Often while writing a large file to disk, any other application which tries to write hangs until the other write finishes.

You can change the I/O scheduler for a single device from the commandline with the following command:

$ sudo -i
# echo noop > /sys/block/<device>/queue/scheduler
# exit

(where <device> is the name of your usb device (i.e. sdb))

If you want to make this change permanent between reboots, include the following line in the file /etc/rc.local:

echo noop > /sys/block/<device>/queue/scheduler

(again, <device> is the name of your usb device (i.e. sdb))

If you are only going to use flash/ssd drives then you can change the standard scheduler for all drives connected to the computer instead by adding the following to the kopt line in your /boot/grub/menu.lst:

elevator=noop

CAUTION: Do not change the default scheduler to noop on mechanical harddrives

Use a ramdisk to store temporary data

If you have enough ram then you can use a ramdisk to store temporary data instead of having it written to disk. This will speed up the system and cause less wear on the drive. Add the following lines to /etc/fstab:

tmpfs /tmp      tmpfs  defaults,noatime,mode=1777  0  0
tmpfs /var/tmp  tmpfs  defaults,noatime,mode=1777  0  0

Reboot for the change to take effect

Use a ramdisk to store the firefox cache

You can also reduce disk writes and speed up firefox by moving its cache from your /home directory to the ramdisk created in the previous step. Open about:config in Firefox. Right click in an open area and create a new string value called browser.cache.disk.parent_directory and set the value to /tmp.

Turn off ext3-journaling or improve journaling

If you followed the instructions in the installation part of this tutorial, then you are already working on ext2 which is a filesystem without a journal. However, if you installed ext3 instead, then you can convert it to ext2 with the following command:

$ sudo tune2fs -O ^has_journal <device>

The journal is a filesystem feature for reconstructing a clean filesystem and possibly lost data in case of unclean shutdowns or system crashes. However, to do so more information needs to be written to disk so if you can do without the journal, harddisk performance will increase.

If you do not want to remove the journal, you can still optimise its performance with the following commands (you should be familiar with the syntax of the files /etc/fstab and /boot/grub/menu.lst first):

The encrypted swap is not mounted by UUID

In this case you should follow these steps to create a new encrypted volume for swap that has a UUID and change the /etc/crypttab configuration file accordingly:

disable all active swap partitions:

$ sudo swapoff -a

close the encrypted volume for swap:

$ sudo cryptsetup luksClose <volume_name>

Where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (i.e. /sdb2_crypt)

create a new encrypted volume for swap on the same partition you used before:

$ sudo cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 -d /dev/urandom create <volume_name> <device>

Where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (i.e. /sdb2_crypt) and <device> is the device name used in the second column of the swap line in /etc/crypttab (i.e. /dev/sdb2)

find out the UUID of the new encrypted volume:

$ sudo cryptsetup luksUUID /dev/sdb2

the output from that command should be something like this:

74f78cc3-a902-4074-8691-08a4e596fbf4

copy this number to the clipboard (mark with mouse, right-click and copy), then open the configuration file /etc/crypttab in a text editor:

$ sudo gedit /etc/crypttab

replace the old line for the encrypted volume for swap with the following line:

<volume_name> /dev/disk/by-uuid/<uuid> /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap

where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (i.e. /sdb2_crypt) and <uuid> is the UUID you just copied in the step above (i.e. 74f78cc3-a902-4074-8691-08a4e596fbf4)

save the file and exit the editor, then restart all crypto disks:

$ sudo /etc/init.d/cryptdisks start

set up a swap area on the encrypted volume:

$ sudo mkswap /dev/mapper/<volume_name>

where <volume_name> is the name used in the first column of the swap line in /etc/crypttab (i.e. /sdb2_crypt)

activate the new swap partition:

$ sudo swapon -a
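
A check for the condition this section fixes, as an added example that is not part of the original tutorial: it lists every swap mapping in a crypttab file whose source device is a kernel name such as /dev/sdb2, which can point at a partition of a different disk when the stick is plugged into another PC. The function names and both sample files are constructed; the second sample uses the example UUID shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): find swap entries in a crypttab
# file that are not referenced by a stable path.

# unstable_swap CRYPTTAB: prints "<name> <device> <key type>" for each swap
# mapping addressed by kernel name; exit status is 1 if any was found.
unstable_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        index("," $4 ",", ",swap,") == 0 { next }    # not a swap mapping
        $2 ~ /^UUID=/ || $2 ~ /^\/dev\/disk\/by-/ { next }   # stable path
        {
            # A random key means the volume is set up afresh on every boot
            print $1, $2, ($3 ~ /^\/dev\/u?random$/ ? "random-key" : "fixed-key")
            found = 1
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample: crypttab as left by an install that used device names.
sample_before() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
sdb3_crypt /dev/sdb3 none luks
EOF
}

# Constructed sample: the swap line in the form given in this section.
sample_after() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
sdb2_crypt /dev/disk/by-uuid/74f78cc3-a902-4074-8691-08a4e596fbf4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
sdb3_crypt /dev/sdb3 none luks
EOF
}
```

On the installed system the check is run as unstable_swap /etc/crypttab; no output means every swap entry uses a stable path.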

Todos
