-rw-r--r--  build/entities/urls.ent                  |   3
-rw-r--r--  build/templates/docstruct.ent            |   1
-rw-r--r--  en/boot-new/boot-new.xml                 | 147
-rw-r--r--  en/using-d-i/components.xml              |   1
-rw-r--r--  en/using-d-i/modules/mdcfg.xml           |   2
-rw-r--r--  en/using-d-i/modules/partman-crypto.xml  | 363
6 files changed, 517 insertions, 0 deletions
diff --git a/build/entities/urls.ent b/build/entities/urls.ent index df87c9d90..453642618 100644 --- a/build/entities/urls.ent +++ b/build/entities/urls.ent @@ -174,6 +174,9 @@ <!ENTITY url-opn "http://www.openprojects.net/"> <!ENTITY opn-irc-server "irc.openprojects.net"> +<!-- LUKS --> +<!ENTITY url-luks "http://luks.endorphin.org/"> + <!-- ****************************************** HOWTOs and FAQs (general) diff --git a/build/templates/docstruct.ent b/build/templates/docstruct.ent index 26e5bee2d..583ed4689 100644 --- a/build/templates/docstruct.ent +++ b/build/templates/docstruct.ent @@ -117,6 +117,7 @@ <!ENTITY module-partconf.xml SYSTEM "##SRCPATH##/using-d-i/modules/partconf.xml"> <!ENTITY module-lvmcfg.xml SYSTEM "##SRCPATH##/using-d-i/modules/lvmcfg.xml"> <!ENTITY module-mdcfg.xml SYSTEM "##SRCPATH##/using-d-i/modules/mdcfg.xml"> + <!ENTITY module-partman-crypto.xml SYSTEM "##SRCPATH##/using-d-i/modules/partman-crypto.xml"> <!ENTITY module-finish-install.xml SYSTEM "##SRCPATH##/using-d-i/modules/finish-install.xml"> <!ENTITY module-base-installer.xml SYSTEM "##SRCPATH##/using-d-i/modules/base-installer.xml"> <!ENTITY module-kernel-chooser.xml SYSTEM "##SRCPATH##/using-d-i/modules/kernel-chooser.xml"> diff --git a/en/boot-new/boot-new.xml b/en/boot-new/boot-new.xml index d2452f3d2..faef837d0 100644 --- a/en/boot-new/boot-new.xml +++ b/en/boot-new/boot-new.xml 
@@ -187,6 +187,153 @@ for more information. </sect2> </sect1> + <sect1 id="mount-encrypted-volumes"> + <title>Mounting encrypted volumes</title> + +<para> + +If you created encrypted volumes during the installation and assigned +them mount points, you will be asked to enter the passphrase for each +of these volumes during the boot. The actual procedure differs +slightly between dm-crypt and loop-AES. + +</para> + + <sect2 id="mount-loop-aes"> + <title>loop-AES</title> + +<para> + +For partitions encrypted via loop-AES you will be shown the following +prompt during the boot: + +<informalexample><screen> +mount: going to use loop device /dev/loop<replaceable>X</replaceable> +Password: +</screen></informalexample> + +In the first line of the prompt, <replaceable>X</replaceable> is the +number of the loop device. You are now probably wondering +<emphasis>for which volume</emphasis> you are actually entering the +passphrase. Does is relate to your <filename>/home</filename>? Or to +<filename>/var</filename>? Of course, if you have just one encrypted +volume, this is easy and you can just enter the passphrase you used +when setting up this volume. If you set up more than one encrypted +volume during the installation, the notes you wrote down as the last +step in <xref linkend="partman-crypto"/> come in handy. If you did not +make a note of the mapping between +<filename>loop<replaceable>X</replaceable></filename> and the mount +points before, you can still find it +in <filename>/etc/fstab</filename> of your new system. + +</para><para> + +No characters (even asterisks) will be shown while entering the +passphrase. Be careful, you have only <emphasis>one try</emphasis>. If +you enter wrong passphrase, an error message will appear and the boot +process will skip that volume and continue to mount the next +filesystem. Please see <xref linkend="crypto-troubleshooting"/> for +further information. 
+ +</para><para> + +After entering all passphrases the boot should continue as usual. + +</para> + </sect2> + + <sect2 id="mount-dm-crypt"> + <title>dm-crypt</title> + +<para condition="FIXME"> + +TODO: write something once it works. + +</para> + </sect2> + + <sect2 id="crypto-troubleshooting"> + <title>Troubleshooting</title> + +<para> + +If some of the encrypted volumes could not be mounted because a wrong +passphrase was entered, you will have to mount them manually after the +boot. There are several cases. + +</para> + +<itemizedlist> +<listitem><para> + +The first case concerns the root partition. When it is not mounted +correctly, the boot process will halt and you will have to reboot the +computer to try again. + +</para></listitem> +<listitem><para> + +The easiest case is for encrypted volumes holding data like +<filename>/home</filename> or <filename>/srv</filename>. You can +simply mount them manually after the boot. For loop-AES this is +one-step operation: + +<informalexample><screen> +<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput> +<prompt>Password:</prompt> +</screen></informalexample> + +where <replaceable>/mount_point</replaceable> should be replaced by +the particular directory (e.g. <filename>/home</filename>). The only +difference from an ordinary mount is that you will be asked to enter +the passphrase for this volume. + +</para><para> + +For dm-crypt this is a bit trickier. First you need to register the +volumes with <application>device mapper</application> by running: + +<informalexample><screen> +<prompt>#</prompt> <userinput>/etc/init.d/cryptdisks start</userinput> +</screen></informalexample> + +This will scan all volumes mentioned +in <filename>/etc/crypttab</filename> and will create appropriate +devices under the <filename>/dev</filename> directory after entering +the correct passphrases. (Already registered volumes will be skipped, +so you can repeat this command several times without worrying.) 
After +successful registration you can simply mount the volumes the usual +way: + +<informalexample><screen> +<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput> +</screen></informalexample> + +</para></listitem> +<listitem><para> + +If the volumes holding noncritical system files could not be mounted +(<filename>/usr</filename> or <filename>/var</filename>), the system +should still boot and you should be able to mount the volumes manually +like in the previous case. However, you will also need to (re)start +any services usually running in your default runlevel because it is +very likely that they were not started. The easiest way to achieve +this is by switching to the first runlevel and back by entering + +<informalexample><screen> +<prompt>#</prompt> <userinput>init 1</userinput> +</screen></informalexample> + +at the shell prompt and pressing <keycombo> <keycap>Control</keycap> +<keycap>D</keycap> </keycombo> when asked for the root password. + +</para></listitem> +</itemizedlist> + + </sect2> + </sect1> + + <sect1 id="login"> <title>Log In</title> diff --git a/en/using-d-i/components.xml b/en/using-d-i/components.xml index 68ab42b91..453bb9388 100644 --- a/en/using-d-i/components.xml +++ b/en/using-d-i/components.xml @@ -74,6 +74,7 @@ like LVM or RAID devices. &module-partconf.xml; &module-lvmcfg.xml; &module-mdcfg.xml; +&module-partman-crypto.xml; </sect2> <sect2 id="di-system-setup"> diff --git a/en/using-d-i/modules/mdcfg.xml b/en/using-d-i/modules/mdcfg.xml index e39e403bb..1a14f9580 100644 --- a/en/using-d-i/modules/mdcfg.xml +++ b/en/using-d-i/modules/mdcfg.xml 
@@ -168,6 +168,8 @@ configuration or installation steps manually from a shell. Next, you should choose <guimenuitem>Configure software RAID</guimenuitem> from the main <command>partman</command> menu. +(The menu will only appear after you mark at least one partition for +use as <guimenuitem>physical volume for RAID</guimenuitem>.) On the first screen of <command>mdcfg</command> simply select <guimenuitem>Create MD device</guimenuitem>. You will be presented with a list of supported types of MD devices, from which you should choose diff --git a/en/using-d-i/modules/partman-crypto.xml b/en/using-d-i/modules/partman-crypto.xml new file mode 100644 index 000000000..8b4c69c50 --- /dev/null +++ b/en/using-d-i/modules/partman-crypto.xml 
@@ -0,0 +1,363 @@ +<!-- retain these comments for translator revision tracking --> +<!-- $Id$ --> + + <sect3 id="partman-crypto"> + <title>Configuring Encrypted Volumes</title> +<para> + +&d-i; allows you to set up encrypted partitions. Every file you write +to such a partition is immediately saved to the device in encrypted +form. Access to the encrypted data is granted only after entering +the <firstterm>passphrase</firstterm> used when the encrypted +partition was originally created. This feature is useful to protect +sensitive data in case your laptop or hard drive gets stolen. The +thief might get physical access to the hard drive, but without knowing +the right passphrase, the data on the hard drive will look like random +characters. + +</para><para> + +The two most important partitions to encrypt are: the home partition, +where your private data resides, and the swap partition, where +sensitive data might be stored temporarily during operation. Of +course, nothing prevents you from encrypting any other partitions that might +be of interest. For example <filename>/var</filename> where database +servers, mail servers or print servers store their data, or +<filename>/tmp</filename> which is used by various programs to store +potentially interesting temporary files. Some people may even want to +encrypt their whole system. The only exception is +the <filename>/boot</filename> partition which must remain +unencrypted, because currently there is no way to load the kernel from +an encrypted partition. + +</para><note><para> + +Please note that the performance of encrypted partitions will be +less than that of unencrypted ones because the data needs to be +decrypted or encrypted for every read or write. The performance impact +depends on your CPU speed, chosen cipher and a key length. + +</para></note><para> + +To use encryption, you have to create a new partition by selecting +some free space in the main partitioning menu. 
Another option is to +choose an existing partition (e.g. a regular partition, an LVM logical +volume or a RAID volume). In the <guimenu>Partition setting</guimenu> +menu, you need to select <guimenuitem>physical volume for +encryption</guimenuitem> at the <menuchoice> <guimenu>Use +as:</guimenu> </menuchoice> option. The menu will then change to +include several cryptographic options for the partition. + +</para><para> + +&d-i; supports several encryption methods. The default method +is <firstterm>dm-crypt</firstterm> (included in newer Linux kernels, +able to host LVM physical volumes), the other +is <firstterm>loop-AES</firstterm> (older, maintained separately from +the Linux kernel tree). Unless you have compelling reasons to do +otherwise, it is recommended to use the default. + +<!-- TODO: link to the "Debian block device encryption guide" + once Max writes it :-) --> + +</para><para> + +First, let's have a look at available options available when you +select <userinput>Device-mapper (dm-crypt)</userinput> as the +encryption method. As always: when in doubt, use the defaults, because +they have been carefully chosen with security in mind. + +<variablelist> + +<varlistentry> +<term>Encryption: <userinput>aes</userinput></term> + +<listitem><para> + +This option lets you select the encryption algorithm +(<firstterm>cipher</firstterm>) which will be used to encrypt the data +on the partition. &d-i; currently supports the following block +ciphers: <firstterm>aes</firstterm>, <firstterm>blowfish</firstterm>, +<firstterm>serpent</firstterm>, and <firstterm>twofish</firstterm>. +It is beyond the scope of this document to discuss the qualities of +these different algorithms, however, it might help your decision to +know that in 2000, <emphasis>AES</emphasis> was chosen by the American +National Institute of Standards and Technology as the standard +encryption algorithm for protecting sensitive information in the 21st +century. 
+ +</para></listitem> +</varlistentry> + +<varlistentry> +<term>Key size: <userinput>256</userinput></term> + +<listitem><para> + +Here you can specify the length of the encryption key. With a larger +key size, the strength of the encryption is generally improved. On the +other hand, increasing the length of the key usually has a negative +impact on performance. Available key sizes vary depending on the +cipher. + +</para></listitem> +</varlistentry> + +<varlistentry> +<term>IV algorithm: <userinput>cbc-essiv:sha256</userinput></term> + +<listitem><para> + +The <firstterm>Initialization Vector</firstterm> or +<firstterm>IV</firstterm> algorithm is used in cryptography to ensure +that applying the cipher on the same <firstterm>clear text</firstterm> +data with the same key always produces a unique +<firstterm>cipher text</firstterm>. The idea is to prevent the +attacker from deducing information from repeated patterns in the encrypted +data. + +</para><para> + +From the provided alternatives, the default +<userinput>cbc-essiv:sha256</userinput> is currently the least +vulnerable to known attacks. Use the other alternatives only when you +need to ensure compatibility with some previously installed system +that is not able to use newer algorithms. + +</para></listitem> +</varlistentry> + +<varlistentry> +<term>Encryption key: <userinput>Passphrase</userinput></term> + +<listitem><para> + +Here you can choose the type of the encryption key for this partition. + + <variablelist> + <varlistentry> + <term>Passphrase</term> + <listitem><para> + +The encryption key will be computed<footnote> +<para> + +Using a passphrase as the key currently means that the partition will +be set up using <ulink url="&url-luks;">LUKS</ulink>. + +</para></footnote> on the basis of a passphrase which you will be able +to enter later in the process. 
+ + </para></listitem> + </varlistentry> + + <varlistentry> + <term>Random key</term> + <listitem><para> + +A new encryption key will be generated from random data each time you +try to bring up the encrypted partition. In other words: on every +shutdown the content of the partition will be lost as the key is +deleted from memory. (Of course, you could try to guess the key with a +brute force attack, but unless there is an unknown weakness in the +cipher algorithm, it is not achievable in our lifetime.) + + </para><para> + +Random keys are useful for swap partitions because you do not need to +bother yourself with remembering the passphrase or wiping sensitive +information from the swap partition before shutting down your +computer. However, it also means that you +will <emphasis>not</emphasis> be able to use +the <quote>suspend-to-disk</quote> functionality offered by newer +Linux kernels as it will be impossible (during a subsequent boot) to +recover the suspended data written to the swap partition. + + </para></listitem> + </varlistentry> + </variablelist> + +</para></listitem> +</varlistentry> + +<varlistentry> +<term>Erase data: <userinput>yes</userinput></term> + +<listitem><para> + +Determines whether the content of this partition should be overwritten +with random data before setting up the encryption. This is recommended +because it might otherwise be possible for an attacker to discern +which parts of the partition are in use and which are not. In +addition, this will make it harder to recover any leftover data from +previous installations<footnote><para> + +It is believed that the guys from three-letter agencies can restore +the data even after several rewrites of the magnetooptical media, +though. + +</para></footnote>. 
+ +</para></listitem> +</varlistentry> + +</variablelist> + +</para><para> + +If you select <menuchoice> <guimenu>Encryption method:</guimenu> +<guimenuitem>Loopback (loop-AES)</guimenuitem> </menuchoice>, the menu +changes to provide the following options: + + +<variablelist> +<varlistentry> +<term>Encryption: <userinput>AES256</userinput></term> + +<listitem><para> + +For loop-AES, unlike dm-crypt, the options for cipher and key size are +combined, so you can select both at the same time. Please see the +above sections on ciphers and key sizes for further information. + +</para></listitem> +</varlistentry> + +<varlistentry> +<term>Encryption key: <userinput>Keyfile (GnuPG)</userinput></term> + +<listitem><para> + +Here you can select the type of the encryption key for this partition. + + <variablelist> + <varlistentry> + <term>Keyfile (GnuPG)</term> + <listitem><para> + +The encryption key will be generated from random data during the +installation. Moreover this key will be encrypted +with <application>GnuPG</application>, so to use it, you will need to +enter the proper passphrase (you will be asked to provide one later in +the process). + + </para></listitem> + </varlistentry> + + <varlistentry> + <term>Random key</term> + <listitem><para> + +Please see the the section on random keys above. + + </para></listitem> + </varlistentry> + </variablelist> + +</para></listitem> +</varlistentry> + +<varlistentry> +<term>Erase data: <userinput>yes</userinput></term> + +<listitem><para> + +Please see the the section on erasing data above. + +</para></listitem> +</varlistentry> + +</variablelist> + +</para><note><para> + +Please note that the <emphasis>graphical</emphasis> version of the +installer still has some limitations when compared to the textual +one. For cryptography it means you can set up only volumes using +<emphasis>passphrases</emphasis> as the encryption keys. 
+ +</para></note><para> + + +After you have selected the desired parameters for your encrypted +partitions, return back to the main partitioning menu. There should +now be a new menu item called <guimenu>Configure encrypted +volumes</guimenu>. After you select it, you will be asked to confirm +the deletion of data on partitions marked to be erased and possibly +other actions such as writing a new partition table. For large +partitions this might take some time. + +</para><para> + +Next you will be asked to enter a passphrase for partitions configured +to use one. Good passphrases should be longer than 8 characters, +should be a mixture of letters, numbers and other characters and +should not contain common dictionary words or information easily +associable with you (such as birthdates, hobbies, pet names, names of +family members or relatives, etc.). + +</para><warning><para> + +Before you input any passphrases, you should have made sure that your +keyboard is configured correctly and generates the expected +characters. If you are unsure, you can switch to the second virtual +console and type some text at the prompt. This ensures that you won't be +surprised later, e.g. by trying to input a passphrase using a qwerty +keyboard layout when you used an azerty layout during the installation. +This situation can have several causes. Maybe you switched to another +keyboard layout during the installation, or the selected keyboard layout +might not have been set up yet when entering the passphrase for the +root file system. + +</para></warning><para> + +If you selected to use methods other than a passphrase to create +encryption keys, they will be generated now. Because the kernel may +not have gathered a sufficient amount of entropy at this early stage +of the installation, the process may take a long time. You can help +speed up the process by generating entropy: e.g. 
by pressing random +keys, or by switching to the shell on the second virtual console and +generating some network and disk traffic (downloading some files, +feeding big files into <filename>/dev/null</filename>, etc.). + +<!-- TODO: Mention hardware random generators when we will support + them --> + +This will be repeated for each partition to be encrypted. + +</para><para> + +After returning to the main partitioning menu, you will see all +encrypted volumes as additional partitions which can be configured in +the same way as ordinary partitions. The following example shows two +different volumes. The first one is encrypted via dm-crypt, the second +one via loop-AES. + +<informalexample><screen> +Encrypted volume (<replaceable>crypt0</replaceable>) - 115.1 GB Linux device-mapper + #1 115.1 GB F ext3 + +Loopback (<replaceable>loop0</replaceable>) - 515.2 MB AES256 keyfile + #1 515.2 MB F ext3 +</screen></informalexample> + +Now is the time to assign mount points to the volumes and optionally +change the file system types if the defaults do not suit you. + +</para><para> + +One thing to note here are the identifiers in parentheses +(<replaceable>crypt0</replaceable> +and <replaceable>loop0</replaceable> in this case) and the mount +points you assigned to each encrypted volume. You will need this +information later when booting the new system. The differences between +ordinary boot process and boot process with encryption involved will +be covered later in <xref linkend="mount-encrypted-volumes"/>. + +</para><para> + +Once you are satisfied with the partitioning scheme, continue with the +installation. + +</para> + </sect3> |
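Review bot: in the en/boot-new/boot-new.xml hunk, the new sect2 id="mount-dm-crypt" is committed as a condition="FIXME" placeholder ("TODO: write something once it works"), while the partman-crypto.xml text in the same commit recommends dm-crypt as the default method and sends readers here with <xref linkend="mount-encrypted-volumes"/>; the introductory paragraph of the sect1 should at least say that the dm-crypt boot prompt is not documented yet, so that a reader on the recommended path does not land on an empty subsection. Wording fixes in the same hunk: "Does is relate to your /home?" should read "Does it relate", "If you enter wrong passphrase" needs "a wrong passphrase", and "For loop-AES this is one-step operation" needs "a one-step operation". The "one try" warning for loop-AES is the right emphasis, since a mistyped passphrase silently skips the volume; consider pointing there directly to the "mount /mount_point" recovery step rather than only to the troubleshooting section as a whole.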
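Review bot: in the en/using-d-i/modules/partman-crypto.xml hunk, the passphrase guidance ("longer than 8 characters") undersells the consequence of the footnote that says the key is computed from the passphrase (LUKS): with "Key size: 256" the passphrase, not the key length, becomes the effective bound on the protection, so the paragraph should state that a short or guessable passphrase undermines the cipher and key-size choices above it. The IV paragraph says the IV algorithm makes the same clear text with the same key "always produce a unique cipher text"; more precisely, it ensures that identical plaintext written to different sectors does not yield identical ciphertext, which is the pattern leak the following sentence is about. The "Erase data" footnote about "the guys from three-letter agencies" and "magnetooptical media" reads out of register for the manual and is factually off for hard disks, which are magnetic, not magneto-optical; a neutral sentence such as "Data may still be recoverable by specialised means even after several overwrites" would carry the same caveat. Duplicated words: "available options available", and "Please see the the section" appears twice; also "depends on your CPU speed, chosen cipher and a key length" should drop the "a", and "One thing to note here are the identifiers" should read "is the identifiers".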