Booting encrypted system from USB stick

Introduction
This article is a somewhat less exhaustive version of SECURITY System Encryption DM-Crypt with LUKS. It focuses on a very specific setup that involves an encrypted hard disk and a bootable USB stick. In order to keep things short, this article provides no background information. For that, please refer to other sources (like the aforementioned exhaustive article). If you already know your way around Gentoo Linux and you want a no-frills, do-it-yourself guide on how to encrypt your entire hard disk and boot it from a USB stick, this article may be of use to you.

Requirements

Before following this guide, make sure that you meet at least the following requirements:


 * A fast machine.
   Gentoo is no fun on slow machines, and it is especially not fun if the CPU has to work extra for encryption.

 * You absolutely must have at least one working backup copy of all your data.
   Encrypting your hard disk can go horribly wrong, no matter how experienced you are. If you mess up, neither you nor anybody else will be able to recover any of your data. Without a backup, you will suffer complete data loss. You've been warned.

 * Your system should be able to boot from USB.
   Booting from USB is still somewhat shaky, as there is only very rudimentary support for USB in the boot stage, even on modern hardware. If your board does not wait long enough, or your stick does not respond fast enough, chances are that it just won't work. Please verify first that it actually works for you (by installing, e.g., GRUB and a kernel on a stick and booting from it). Otherwise you'll have an encrypted hard disk later and nothing to boot from.

 * Linux LiveCD/DVD or similar.
   Any Linux system will do, as long as it comes with a current kernel and support for LUKS and LVM.

Encrypting the system
In this section, you will wipe, encrypt, and partition your entire hard disk. All examples will use as device name for the hard disk.

Wiping the hard disk
When you set up encryption on your disk later, sectors will be encrypted as they are written. This leaves out free space, so old data in free regions of your encrypted hard drive may still be accessible. By wiping the disk, you will make sure that there is no unencrypted data left on that disk that could be restored without knowing your password. This step is necessary if the hard disk you're encrypting already has your unencrypted data on it. If the disk is new, or does not contain any data of interest, you may skip to the next step, unless of course you prefer to wipe it anyway.

If you want to wipe your hard disk, follow the steps described in Secure deletion.

Setting up LUKS
Now you're going to put a layer of encryption on top of your hard disk. LUKS is one of the best tools for this task, as it makes things easy. You can have more than one password, and you can change them any time, allowing you to recover if you leak a password by accident. Everything that is necessary to unlock the encrypted disk is stored on the disk itself, so you can mount your data even from a LiveDVD. This means you're safe if your USB stick gets stolen and you can recover easily when it breaks.

To encrypt the hard disk using LUKS, you have to decide on a cipher, key size, and a password, and then format the disk with an appropriate LUKS header. The following example uses the aes-xts-plain cipher and a key size of 256, which is a good choice regarding both security and performance.

Formatting the drive
If you are installing on x86_64, verify that the aes_x86_64 module has been loaded (it should show up in the module list together with aes_generic):

aes_x86_64             7292  2
aes_generic           26002  1 aes_x86_64

Format the drive using LUKS. This will ask you for the same password twice to make sure that you typed it correctly:

Verify that the command worked by having a look at the start of the LUKS header (the magic bytes "LUKS", the header version, and the cipher name):

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

Accessing the formatted drive
Now the hard disk is encrypted (even though the only thing that changed is the header of the disk). In order to access the encrypted data, you have to open it using your password.

When opening the drive using the command below you will be asked for your password.

Verify that the above command worked using fdisk:

Disk /dev/mapper/luks: 500.1 GB, 500107862016 bytes
Disk /dev/mapper/luks doesn't contain a valid partition table

And that's all you have to do for your encryption needs. Until you reboot, you can treat this LUKS device as if it were a hard disk; encryption is done transparently through it. Right now, this disk will seem to contain random data, as it is not partitioned or formatted yet.

Setting up LVM
Before you can install Gentoo, you have to partition the drive. Old fashioned partitions are hard to maintain (especially if the drive itself is encrypted), so use LVM instead for the task. Logical volumes can be added, removed, and resized any time, making it easy to manage lots of partitions on huge hard disks. In combination with a file system like XFS that can be easily resized as well, you don't have to worry about correct partition sizes that much anymore.


 * 1) Initialize the encrypted hard disk for LVM:

 * 2) Create a volume group:

With this, LVM is ready to be used. Any partitions you create will now show up as. This simple example will only create a 10GB root and a 2GB swap partition. Of course, you can create your own partitioning scheme instead, with separate partitions for usr, var, opt, home and more. You'll have to mount them later for chrooting, though, so you may want to wait until your system actually boots and mounts these things automatically.

 * 3) Make a root partition and format it as XFS:

 * 4) Make a swap partition and enable it:

Finally you have an encrypted hard disk with usable partitions and swap on it.
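The formatting, header check and LVM layout described above, put together as one script. This is an added example, not a command sequence from the original article: the run() dry-run wrapper, the volume group name vg, the mapping name luks and the sample header file are assumptions made here. The header fields it reads (magic "LUKS" 0xba 0xbe at offset 0, 2-byte big-endian version at offset 6, NUL-padded cipher name at offset 8 and cipher mode at offset 40) are the LUKS1 on-disk layout, the same bytes the hex dump above shows. Two caveats worth knowing when copying the article's cipher choice: XTS splits the key in two halves, so a 256-bit key gives AES-128 in XTS mode (use 512 for AES-256), and the "plain" IV mode is 32-bit and wraps on devices larger than 2 TiB, where "plain64" should be used instead.

```shell
#!/bin/sh
# Added example (not from the original article): format with LUKS, open it,
# verify the header, lay out LVM. Assumed: run() dry-run helper, VG name "vg",
# mapping name "luks". Run as root with DISK=/dev/sdX only after the backup.

run() {
    echo "+ $*"
    [ -n "$DRY_RUN" ] || "$@"
}

# Put a LUKS header on the whole disk and open it as /dev/mapper/luks,
# with the article's parameters (aes-xts-plain, 256-bit key).
luks_format_and_open() {
    dev=$1
    run cryptsetup luksFormat -c aes-xts-plain -s 256 "$dev"
    run cryptsetup luksOpen "$dev" luks
}

# Read a byte range as lower-case hex without separators.
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
# Read a NUL-padded string field.
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

luks_magic_ok()    { [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; }
luks_version()     { echo $(( 0x$(hex_at "$1" 6 2) )); }
luks_cipher()      { str_at "$1" 8 32; }
luks_cipher_mode() { str_at "$1" 40 32; }

# The check the article does by eye with a hex dump: magic, version 1,
# and the cipher that was requested.
verify_luks_header() {
    luks_magic_ok "$1" || { echo "no LUKS magic on $1" >&2; return 1; }
    [ "$(luks_version "$1")" -eq 1 ] || { echo "unexpected LUKS version" >&2; return 1; }
    [ "$(luks_cipher "$1")" = aes ] || { echo "cipher is not aes" >&2; return 1; }
    echo "LUKS1 header OK: $(luks_cipher "$1")-$(luks_cipher_mode "$1")"
}

# The article's layout: one PV on the mapped device, one VG,
# a 10G XFS root and a 2G swap.
create_lvm_layout() {
    run pvcreate /dev/mapper/luks
    run vgcreate vg /dev/mapper/luks
    run lvcreate -L 10G -n root vg
    run mkfs.xfs /dev/vg/root
    run lvcreate -L 2G -n swap vg
    run mkswap /dev/vg/swap
    run swapon /dev/vg/swap
}

# Constructed sample: the first 104 bytes of a LUKS1 header (magic, version 1,
# "aes", "xts-plain", "sha1"), so verify_luks_header can be exercised without
# a real disk. Only the fields read above are filled in.
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'
        printf 'aes';       dd if=/dev/zero bs=1 count=29 2>/dev/null
        printf 'xts-plain'; dd if=/dev/zero bs=1 count=23 2>/dev/null
        printf 'sha1';      dd if=/dev/zero bs=1 count=28 2>/dev/null
    } > "$1"
}

if [ -n "$DISK" ]; then
    luks_format_and_open "$DISK" && verify_luks_header "$DISK" && create_lvm_layout
fi
```

Setting DRY_RUN=1 makes run() only print what it would do, which is a cheap way to review the whole sequence (device names, sizes, cipher) before anything touches the disk.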

Taking a break
If you want to take a break after the encryption ordeal above, you can shut down your PC, and reboot your LiveDVD sometime later. However, to make your encrypted hard disk and LVM partitions visible to the system again, you first have to open the disk again and enable the LVM volumes on it afterwards. This is also how you can access your data using any bootable Linux media anytime, in case something breaks and you need to go in and rescue it.


You only need to do this if you took a break and rebooted the LiveDVD.

 * 1) Open the disk using your password:

 * 2) Scan and enable any LVM volumes:

Now you can access your disk as and your partitions as  again and continue where you left off.
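The "taking a break" sequence as a small rescue script, with a preflight check so that cryptsetup is never pointed at a device that has no LUKS header (a typo in the device name would otherwise just produce a puzzling password prompt). This is an added example, not part of the original article; the device name, the mapping name luks, the volume group name vg, the mount point /mnt/gentoo and the run() dry-run helper are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original article): reopen the encrypted disk and
# its LVM volumes from a live system, and close everything again afterwards.
# Assumed: mapping "luks", VG "vg", root LV mounted on /mnt/gentoo.

run() {
    echo "+ $*"
    [ -n "$DRY_RUN" ] || "$@"
}

# The first six bytes of a LUKS device are "LUKS" 0xba 0xbe.
has_luks_header() {
    [ "$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Refuse early if the device is missing or is not LUKS-formatted.
preflight() {
    [ -e "$1" ] || { echo "$1 does not exist" >&2; return 1; }
    has_luks_header "$1" || { echo "$1 has no LUKS header; wrong device?" >&2; return 1; }
}

# Open, scan, activate, mount: the article's rescue steps in order.
reopen_encrypted_system() {
    dev=$1
    preflight "$dev" || return 1
    run cryptsetup luksOpen "$dev" luks
    run vgscan
    run vgchange -ay vg
    run mount -t xfs /dev/vg/root /mnt/gentoo
    run swapon /dev/vg/swap
}

# Reverse order before shutting the live system down, so the mapping is
# closed cleanly and the key is gone from memory.
close_encrypted_system() {
    run swapoff /dev/vg/swap
    run umount /mnt/gentoo
    run vgchange -an vg
    run cryptsetup luksClose luks
}

if [ -n "$DISK" ]; then
    reopen_encrypted_system "$DISK"
fi
```

With DRY_RUN=1 the script only prints the commands, which is handy for checking the device name against the output of fdisk -l before running it for real.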

Installing Gentoo
Finally you can proceed to actually installing Gentoo on your hard disk. In order to do this, you first have to mount the root partition you created.


 * 1) Mount the root partition:

From here on, follow the standard Gentoo installation procedure: download a stage3 tarball, extract it, configure it, update it, until you would usually be ready to boot the system for the first time. If you're not installing Gentoo from scratch, this is the point where you have to copy your old working installation over to the new encrypted partitions, with minor modifications to /etc/fstab so it will find the LVM partitions when you boot it later.

Since your new system is based on LUKS and LVM, you will have to emerge the corresponding packages. Make sure to set your USE flags correctly: the LUKS and LVM tools must be statically linked, not dynamically, because they will be used in the initramfs later. With baselayout-1, no additional configuration of the packages should be necessary; with baselayout-2, you may have to add their init scripts to the boot runlevel.


 * 1) Only if you are using sys-apps/baselayout-2:

With this, your system should be ready to use, except for the fact that it does not actually boot yet.

Preparing the USB stick
In order to boot from your USB stick, you will need a kernel with an Initramfs that contains all the necessary tools to open the disk and enable the LVM root partition. The kernel will be stored on the USB stick and booted by GRUB. If you would rather not compile the kernel and build the Initramfs manually, you can use genkernel instead. However, how to make genkernel actually work is beyond the scope of this document, so please refer to the genkernel documentation instead.

Building the Initramfs
Follow the steps described in the Initramfs article to build your own Initramfs from scratch. The Initramfs article also describes how to add support for cryptsetup and LVM, which is what you need.

Configuring the kernel
When configuring the kernel, make sure to add support for LVM and DM-Crypt.

Installing GRUB
In this section, you will create the boot partition on your USB stick, and make it boot using GRUB.

You'll have to create the partition that will be later used for storing GRUB and kernel images. GRUB is around 1MB, kernel around 5MB, so even a very small partition will get you going. However, unless you're actually trying to boot from a stone age 16MB USB stick, you should make the partition a lot bigger for comfort, so you can have more than just one kernel and maybe even additional software like memtest86 on it. If you have a really big stick, you could even add the Gentoo LiveDVD as a rescue system to it later.


In this example,  is the USB stick.

 * 1) Create a bootable primary partition using cfdisk, 128MB in size:

 * 2) Format the boot partition:

 * 3) Label the boot partition:

The label may only be detected when you reconnect the USB stick.

Since hot-pluggable devices get a different device name every time, it can be hard to identify the boot partition properly. This problem is avoided by giving the ext2 file system a unique label. After plugging in the USB stick, you should be able to access the correct device as /dev/disk/by-label/boot_stick. You can also create a proper fstab entry for your boot partition, which allows it to be mounted properly later.

Now you can mount boot and install grub onto it.


 * 1) Mount the boot partition.

 * 2) Create a boot -> . symlink.

 * 3) Run grub-install.

 * 4) Create a menu.lst -> grub.conf symlink.

Of course, you have to create the grub.conf itself for grub to know what it is supposed to boot. The following example is sufficient for booting a kernel with integrated ram disk, like the one you compiled earlier.

Don't forget to copy the kernel image and System.map onto the USB key.
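A grub.conf for this setup, the label-based fstab entry mentioned above, and a check that every kernel image the menu refers to is actually present on the stick before you reboot. This is an added example, not the article's own grub.conf: it assumes the stick is the first BIOS disk (so its first partition is (hd0,0) in GRUB Legacy notation), that the kernel file is called kernel-usb and has the initramfs built in (so no initrd line is needed), and that the boot partition is mounted at /boot.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed: stick is (hd0,0),
# kernel image named kernel-usb with integrated initramfs, boot partition
# mounted at /boot.

# GRUB Legacy menu. The boot -> . symlink the article creates means that
# /boot/kernel-usb and /kernel-usb both resolve on the stick.
write_grub_conf() {
    cat > "$1" <<'EOF'
default 0
timeout 10

title Gentoo Linux (encrypted root, kernel-usb)
root (hd0,0)
kernel /boot/kernel-usb
EOF
}

# fstab line using the label, so the entry survives the stick getting a
# different /dev/sdX name on each plug-in.
write_fstab_entry() {
    printf 'LABEL=boot_stick\t/boot\text2\tnoauto,noatime\t1 2\n' >> "$1"
}

# Kernel paths named in a grub.conf, one per line.
grub_kernel_paths() {
    awk '$1 == "kernel" { print $2 }' "$1"
}

# Check each kernel entry against the mounted boot partition (directory $2).
# Returns 1 and names the offenders if any image is missing, which is the
# mistake that otherwise only shows up as a GRUB error after reboot.
check_kernels_present() {
    conf=$1; bootdir=$2; missing=0
    for k in $(grub_kernel_paths "$conf"); do
        # paths are relative to the partition root, so strip a leading /boot
        rel=${k#/boot}
        if [ ! -f "$bootdir/$rel" ]; then
            echo "missing on stick: $k" >&2
            missing=1
        fi
    done
    return $missing
}

if [ -n "$BOOT_DIR" ]; then
    write_grub_conf "$BOOT_DIR/grub/grub.conf"
    check_kernels_present "$BOOT_DIR/grub/grub.conf" "$BOOT_DIR"
fi
```

Run it with BOOT_DIR=/boot after the stick is mounted and the kernel copied; a non-zero exit means something the menu refers to is not on the stick yet.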

Booting the encrypted system
Exit the chroot, unmount all disks, cross your fingers and reboot. GRUB from the USB stick should come up, load the kernel, prompt you for the LUKS password, and boot the system you just installed. If it does not work, find out what's wrong and fix it. The following section lists some common errors and how to solve them.

Troubleshooting
While there is no room for a fully fledged troubleshooting section in this article, maybe we can offer simple solutions to the most common problems here.


 * I'm getting GRUB error 16, 17, 25
   A possible cause is that booting from USB does not work reliably with your hardware. Try another USB stick, or try attaching it directly to one of the board's USB ports instead of going through a front panel, hub or similar.

 * LUKS says my password is wrong
   If you can't unlock it from the LiveDVD either, chances are that you forgot your password. If it works from the LiveDVD, your kernel is lacking device mapper / cryptographic API support. Another possibility is that you were using a keyboard layout other than US English in your LiveDVD, but are required to type the password on a US English layout when rebooting. You can avoid this problem by adding both passwords to LUKS (pressing the same keys, once in your native layout and once in the US layout, so both passwords will be valid).

 * I'm getting a kernel panic because init was killed
   There is something wrong with your init script then. If you can't find out what it is, make it drop you to an interactive shell (busybox --install -s; exec sh) and investigate. If that does not work either, then the init of your initramfs may not even be executed. This may be due to a wrong path in your kernel config, a missing executable flag, or because the binaries you put in your initramfs are not statically linked.

 * The stick is plugged in and shows up as , but mount says the device does not exist.
   This is a bug which will hopefully be fixed soon; see for details and a hackish workaround.

 * I'm getting a kernel panic because the root file system was not found
   You can try adding root_delay=10 to your boot options in grub.conf. This will instruct the kernel to wait 10 seconds before mounting the root file system.

Addendum

 * Batten down the hatches
   The easiest way to get at encrypted data is hacking into, or simply accessing, the system while it is running. So don't carelessly give others access to your machine via SSH, and don't leave your machine without first locking the screen and keyboard with a password. There are many ways to lock down your system properly; think about which ones are useful, required, and simple enough to implement to fit your needs.

 * Backups
   If your data is important enough for you to encrypt it, you will also want to protect against data loss due to hardware failure or human error. If you encrypted your hard disk because it's a laptop and you don't want a thief to be able to access your data, it's probably fine to have unencrypted backups at home. If you're worried about the security of your data in general, all copies of your data will have to be encrypted as well. Encryption methods depend on your backup media; for hard disks you can use LUKS as shown in this article, for read-only media like CD/DVD-R there are better solutions.

 * Live or Rescue System
   Since you are already booting from USB, if your stick has some capacity (>=1GB), consider adding a Linux LiveCD/DVD of your choice to it. It will make your USB stick even more useful, because you can use it with more than one machine, and in case something goes wrong on your own system, you can use it as a rescue system to boot and repair from.

Related Articles

 * Secure deletion - How to effectively wipe the hard disk before encrypting it
 * DM-Crypt - Encrypting the hard disk using cryptsetup / LUKS
 * LVM - Logical Volume Management
 * Initramfs - How to build an Initramfs from scratch