dm-crypt/Specialties

Using a separate device to boot a system is a fairly straightforward procedure, and offers a significant security improvement against some kinds of attacks. Two vulnerable parts of a system employing an encrypted root filesystem are

• the Master Boot Record, and
• the /boot partition.

These must be stored unencrypted in order for the system to boot. In order to protect these from tampering, it is advisable to store them on a removable medium, such as a USB drive, and boot from that drive instead of the hard disk. As long as you keep the drive with you at all times, you can be certain that those components have not been tampered with, making authentication far more secure when unlocking your system.

It is assumed that you already have your system configured with a dedicated partition mounted at /boot. If you do not, please follow the steps in dm-crypt/System configuration#Kernel parameters, substituting your hard disk for a removable drive.

Prepare the removable drive (/dev/sdx).

# gdisk /dev/sdx #format if necessary. Alternatively, cgdisk, fdisk, cfdisk, gparted...
# mkfs.ext2 /dev/sdx1
# mount /dev/sdx1 /mnt

Copy your existing /boot contents to the new one.

# cp -ai /boot/* /mnt/

Mount the new partition. Do not forget to update your fstab file accordingly.

# umount /boot
# umount /mnt
# mount /dev/sdx1 /boot
# genfstab -p -U / > /etc/fstab

Update GRUB. grub-mkconfig should detect the new partition UUID automatically, but custom menu entries may need to be updated manually.

# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install /dev/sdx #install to the removable device, not the hard disk.

Reboot and test the new configuration. Remember to set your device boot order accordingly in your BIOS or UEFI. If the system fails to boot, you should still be able to boot from the hard drive in order to correct the problem.

Referring to an article from the ct-magazine (Issue 3/12, page 146, 01.16.2012, ) the following script checks files under /boot for changes of SHA-1 hash, inode, and occupied blocks on the hard drive. It also checks the Master Boot Record. The script cannot prevent certain type of attacks, but a lot are made harder. No configuration of the script itself is stored in unencrypted /boot. With a locked/powered-off encrypted system, this makes it harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run their own code on top of your kernel and intercept file system access, e.g. to boot, and present the untampered files. Generally, no security measures below the level of the firmware are able to guarantee trust and tamper evidence.

The script with installation instructions is available (Author: Juergen Schmidt, ju at heisec.de; License: GPLv2). There is also package chkboot^AUR to install.

After installation add a service file (the package includes one based on the following) and enable it:

[Unit]
Description=Check that boot is what we want
Requires=basic.target
After=basic.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/chkboot.sh

[Install]
WantedBy=multi-user.target

There is a small caveat for systemd. At the time of writing, the original chkboot.sh script provided contains an empty space at the beginning of #!/bin/bash which has to be removed for the service to start successfully.

As needs to be executed right after login, you need to add it to the autostart (e.g. under KDE -> System Settings -> Startup and Shutdown -> Autostart; GNOME 3: gnome-session-properties).

With Arch Linux, changes to /boot are pretty frequent, for example by new kernels rolling-in. Therefore it may be helpful to use the scripts with every full system update. One way to do so:

#!/bin/sh
#
# Note: Insert your <user> and execute it with sudo for pacman & chkboot to work automagically
#
echo "Pacman update [1] Quickcheck before updating" &
sudo -u <user> /usr/local/bin/chkboot_user.sh
/usr/local/bin/chkboot.sh
sudo -u <user> /usr/local/bin/chkboot_user.sh
echo "Pacman update [2] Syncing repos for pacman"
pacman -Syu
/usr/local/bin/chkboot.sh
sudo -u <user> /usr/local/bin/chkboot_user.sh
echo "Pacman update [3] All done, let us roll on ..."

is a mkinitcpio hook that performs integrity checks during early-userspace and advises the user not to enter their root partition password if the system appears to have been compromised. Security is achieved through an encrypted boot partition, which is unlocked using GRUB's cryptodisk.mod module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the initramfs and kernel are secured against offline tampering, and the root partition can remain secure even if the /boot partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time). 

This hook requires release >=2.00 to function, and a dedicated, LUKS encrypted /boot partition with its own password in order to be secure.

Install and edit . If you want the ability of detecting if your boot partition was bypassed, edit the and variables, with values known only to you. You can follow the advice of using two hashes as is suggested right after the installation. Also, be sure to make the appropriate changes to the kernel command line in . Edit the line in /etc/mkinitcpio.conf, and insert the hook before . When finished, regenerate the initramfs.

consists of an install hook and a run-time hook for mkinitcpio. The install hook runs every time the initramfs is rebuilt, and hashes the GRUB EFI stub () (in the case of UEFI systems) or the first 446 bytes of the disk on which GRUB is installed (in the case of BIOS systems), and stores that hash inside the initramfs located inside the encrypted /boot partition. When the system is booted, GRUB prompts for the /boot password, then the run-time hook performs the same hashing operation and compares the resulting hashes before prompting for the root partition password. If they do not match, the hook will print an error like this:

CHKCRYPTOBOOT ALERT!
CHANGES HAVE BEEN DETECTED IN YOUR BOOT LOADER EFISTUB!
YOU ARE STRONGLY ADVISED NOT TO ENTER YOUR ROOT CONTAINER PASSWORD!
Please type uppercase yes to continue:

In addition to hashing the boot loader, the hook also checks the parameters of the running kernel against those configured in . This is checked both at run-time and after the boot process is done. This allows the hook to detect if GRUB's configuration was not bypassed at run-time and afterwards to detect if the entire /boot partition was not bypassed.

For BIOS systems the hook creates a hash of GRUB's first stage bootloader (installed to the first 446 bytes of the bootdevice) to compare at the later boot processes. The main second-stage GRUB bootloader core.img is not checked.

Alternatively to above scripts, a hash check can be set up with AIDE which can be customized via a very flexible configuration file.

While one of these methods should serve the purpose for most users, they do not address all security problems associated with the unencrypted /boot. One approach which endeavours to provide a fully authenticated boot chain was published with POTTS as an academic thesis to implement the STARK authentication framework.

The POTTS proof-of-concept uses Arch Linux as a base distribution and implements a system boot chain with:

• POTTS - a boot menu for a one-time authentication message prompt
• TrustedGrub - a GRUB Legacy implementation which authenticates the kernel and initramfs against TPM chip PCR registers
• TRESOR - a kernel patch which implements AES but keeps the master-key not in RAM but in CPU registers during runtime.

As part of the thesis installation instructions based on Arch Linux (ISO as of 2013-01) have been published. If you want to try it, be aware these tools are not in standard repositories and the solution will be time consuming to maintain.

The package provides a systemd-centric mkinitcpio hook named systemd-tool with the following set of features for systemd in initramfs:

The package requires the systemd hook. For more information be sure to read the project's README as well as the provided default systemd service unit files to get you started.

The recommended hooks are: .

Another package combination providing remote logins to the initcpio is and/or (for remote unlocking using a PPP connection over the internet) along with an SSH server. You have the option of using either or . Those hooks do not install any shell, so you also need to install the package. The instructions below can be used in any combination of the packages above. When there are different paths, it will be noted.

1. If you do not have an SSH key pair yet, generate one on the client system (the one which will be used to unlock the remote machine).
   Note: tinyssh only supports Ed25519 and ECDSA key types without passphrase. If you chose to use mkinitcpio-tinyssh, you need to create/use one of these.
2. Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with .pub) into the remote machine's or file.
   Tip: This method can later be used to add other SSH public keys as needed; In the case of simply copying the content of the remote's ~/.ssh/authorized_keys, be sure to verify that it only contains keys you intend to be using to unlock the remote machine. When adding additional keys, regenerate your initrd as well using mkinitcpio. See also OpenSSH#Protection.
3. Add all three hooks before within the "HOOKS" array in /etc/mkinitcpio.conf (the replaces the hook). Then regenerate the initramfs.
4. Configure the required parameter and add the ip= kernel command parameter to your bootloader configuration with the appropriate arguments. For example, if the DHCP server does not attribute a static IP to your remote system, making it difficult to access via SSH across reboots, you can explicitly state the IP you want to be using:Alternatively, you can also specify the subnet mask and gateway required by the network:If using DHCP, consider adding the netconf_timeout= kernel parameter, to prevent netconf from trying to obtain an IP forever. For a detailed description of the ip= parameter, have a look at the according mkinitcpio section. When finished, update the configuration of your bootloader.
5. Finally, restart the remote system and try to ssh to it, explicitly stating the "root" username (even if the root account is disabled on the machine, this root user is used only in the initrd for the purpose of unlocking the remote system). If you are using the package and you also have the package installed, then you most probably will not get any warnings before logging in, because it convert and use the same host keys openssh uses (except Ed25519 keys, as dropbear does not support them). In case you are using , a script is bundled, so you can use the same keys as your installation (currently only Ed25519 keys). It may be required to manually copy the host key, via , to . In either case, you should have run the ssh daemon at least once, using the provided systemd units, so the keys can be generated first. After rebooting the machine, you should be prompted for the passphrase to unlock the root device. The system will complete its boot process and you can then ssh to it as you normally would (with the remote user of your choice).

The net hook is normally used with an Ethernet connection. In case you want to setup a computer with wireless only, and unlock it via WiFi, you can use a predefined hook or create a custom hook to connect to a WiFi network before the net hook is run.

You can install a predefined hook based on the one in this wiki:

1. Install .
2. Configure your WiFi connection by creating a wpa_supplicant configuration with your network properties:

   wpa_passphrase "ESSID" "passphrase" > /etc/wpa_supplicant/initcpio.conf

3. Add the hook before in your /etc/mkinitcpio.conf. Your WiFi-related modules should be auto-detected, if not: add them to the section.
4. Add to the kernel parameters.
5. Regenerate the initramfs.
6. Update the configuration of your boot loader.

Below example shows a setup using a USB WiFi adapter, connecting to a WiFi network protected with WPA2-PSK. In case you use for example WEP or another initramfs generator, you might need to adjust accordingly.

1. Modify /etc/mkinitcpio.conf:
   • Add the needed kernel module for your specific WiFi adapter.
   • Include the and binaries.
   • Add a hook (or a name of your choice, this is the custom hook that will be created) before the hook.

     MODULES=(''module'')<br>BINARIES=(wpa_passphrase wpa_supplicant)<br>HOOKS=(base udev autodetect ... '''wifi''' net ... dropbear encryptssh ...)

2. Create the hook in :
3. Create the hook installation file in /etc/initcpio/install/wifi:
4. Add to the kernel parameters. Remove so it does not conflict.
5. Optionally create an additional boot entry with kernel parameter .
6. Regenerate the initramfs.
7. Update the configuration of your boot loader.

Remember to setup WiFi, so you are able to login once the system is fully booted. In case you are unable to connect to the WiFi network, try increasing the sleep times a bit.

If you are using dracut instead of mkinitcpio, you might want to check out dracut-sshd as an alternative to the above options.

The management of multiple disks is a basic LVM feature and a major reason for its partitioning flexibility. It can also be used with dm-crypt, but only if LVM is employed as the first mapper. In such a LUKS on LVM setup the encrypted devices are created inside the logical volumes (with a separate passphrase/key per volume). The following covers the steps to expand that setup to another disk.

First, it may be desired to prepare a new disk according to dm-crypt/Drive preparation. Second, it is partitioned as a LVM, e.g. all space is allocated to /dev/sdY1 with partition type (Linux LVM). Third, the new disk/partition is attached to the existing LVM volume group, e.g.:

# pvcreate /dev/sdY1
# vgextend MyStorage /dev/sdY1

For the next step, the final allocation of the new diskspace, the logical volume to be extended has to be unmounted. It can be performed for the root partition, but in this case the procedure has to be performed from an Arch Install ISO.

In this example, it is assumed that the logical volume for (lv-name ) is going to be expanded with the fresh disk space:

# umount /home
# fsck /dev/mapper/home
# cryptsetup close /dev/mapper/home
# lvextend -l +100%FREE MyStorage/homevol

Now the logical volume is extended and the LUKS container comes next:

# cryptsetup open /dev/MyStorage/homevol home
# umount /home      # as a safety, in case it was automatically remounted
# cryptsetup --verbose resize home

Finally, the filesystem itself is resized:

# e2fsck -f /dev/mapper/home
# resize2fs /dev/mapper/home

Done! If it went to plan, can be remounted and now includes the span to the new disk:

# mount /dev/mapper/home /home

Note that the action does not affect encryption keys, and these have not changed.

Note that sd-encrypt supports multiple partitions out of the box. If several (or all) partitions opened this way share the same passphrase, sd-encrypt will try it for each and not ask for it multiple times. This may be an easier alternative to the following.

It is possible to modify the encrypt hook to allow multiple hard drive decrypt root () at boot. One way:

# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2
# cp /usr/lib/initcpio/hooks/encrypt  /etc/initcpio/hooks/encrypt2
# sed -i "s/cryptdevice/cryptdevice2/" /etc/initcpio/hooks/encrypt2
# sed -i "s/cryptkey/cryptkey2/" /etc/initcpio/hooks/encrypt2

Add to your boot options (and cryptkey2= if needed), and add the hook to your mkinitcpio.conf before rebuilding it. See dm-crypt/System configuration.

Maybe you have a requirement for using the hook on a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in (the first one to your /dev/sd* partition, the second to the name you want to attribute). That should be enough.

The big advantage is you can have everything automated, while setting up with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of (at least).

Of course, if the package gets upgraded, you will have to change this script again. Unlike , only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.

If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the device in is not enough; the hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the hook is run. You can solve this by putting the RAID array in , like

kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5

If you set up your root partition as a RAID, you will notice the similarities with that setup. GRUB can handle multiple array definitions just fine:

kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5

Set the following kernel parameters:

rd.luks.name=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=enc rd.luks.options=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=header=/header.img:UUID=ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ rd.luks.data=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=/dev/disk/by-id/your-disk_id

• Replace XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX with the LUKS super block UUID. It can be acquired with or .
• Replace with the block device of volume in which the header file is located.

Alternatively, instead of using the kernel parameters, the options can be specified in a /etc/crypttab.initramfs file:

Next, modify /etc/mkinitcpio.conf to use systemd and to include the file system module for the volume in which the header is located. For example, if it is a FAT volume:

Regenerate the initramfs and you are done.

This method shows how to modify the hook in order to use a detached LUKS header. Now the hook has to be modified to let use the separate header (; base source and idea for these changes published on the BBS). Make a copy so it is not overwritten on a mkinitcpio update:

# cp /usr/lib/initcpio/hooks/encrypt /etc/initcpio/hooks/encrypt2
# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2

Now edit the mkinitcpio.conf to add the and lvm2 hooks, the to and the to , apart from other configuration the system requires:

This is required so the LUKS header is available on boot allowing the decryption of the system, exempting us from a more complicated setup to mount another separate USB device in order to access the header. After this set up the initramfs is created.

Next the boot loader is configured to specify the also passing the new option for this setup:

cryptdevice=/dev/disk/by-id/your-disk_id:enc:header

To finish, following dm-crypt/Encrypting an entire system#Post-installation is particularly useful with a /boot partition on an USB storage medium.

will be assumed to be the USB drive,  will be assumed to be the main hard drive.

Prepare the devices according to dm-crypt/Drive preparation.

Use gdisk to partition the disk according to the layout shown here, with the exception that it should only include the first two partitions. So as follows:

Before running , look at the Encryption options for LUKS mode and Ciphers and modes of operation first to select your desired settings.

Prepare the boot partition but do not any partition yet and Format the EFI system partition.

# mount /dev/mapper/cryptboot /mnt
# dd if=/dev/urandom of=/mnt/key.img bs=filesize count=1
# cryptsetup luksFormat /mnt/key.img
# cryptsetup open /mnt/key.img lukskey

filesize is in bytes but can be followed by a suffix such as M. Having too small of a file will get you a nasty error. As a rough reference, creating a 4M file will encrypt it successfully. You should make the file larger than the space needed since the encrypted loop device will be a little smaller than the file's size.

With a big file, you can use and to navigate to the correct position (see Gentoo:Custom Initramfs#Encrypted keyfile).

Now you should have opened in a loop device (underneath ), mapped as .

# truncate -s 16M /mnt/header.img
# cryptsetup --key-file=/dev/mapper/lukskey --keyfile-offset=offset --keyfile-size=size luksFormat /dev/sda --offset 32768 --header /mnt/header.img

Pick an offset and size in bytes (8192 KiB is the maximum keyfile size for ).

# cryptsetup open --header /mnt/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=offset --keyfile-size=size /dev/sda enc 
# cryptsetup close lukskey
# umount /mnt

Follow Preparing the logical volumes to set up LVM on LUKS.

See Partitioning#Discrete partitions for recommendations on the size of your partitions.

Once your root partition is mounted, your encrypted boot partition as and your EFI system partition as /mnt/efi.

Follow the installation guide up to the step but do not do it yet, and skip the partitioning, formatting, and mounting steps as they have already been done.

In order to get the encrypted setup to work, you need to build your own hook, which is thankfully easy to do and here is the code you need. You will have to follow Persistent block device naming#by-id and by-path to figure out your own values for the usb and main hard drive (they are linked -> to or ).

You should be using the instead of just or because sdX can change and this ensures it is the correct device.

You can name anything you want, and custom build hooks can be placed in the and folders of . Keep a backup of both files ( them over to the partition or your user's directory after you make one). is not a typo.

usbdrive is your USB drive , and is your main hard drive .

# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/customencrypthook

Now edit the copied file and remove the section as it is not necessary.

/etc/mkinitcpio.conf (edit this only do not replace it, these are just excerpts of the necessary parts)

MODULES=(loop)
...
HOOKS=(base udev autodetect modconf block customencrypthook lvm2 filesystems keyboard fsck)

The and arrays are empty, and you should not have to replace array entirely just edit in after and before , and make sure and encrypt are removed.

Finish the Installation Guide from the step. To boot you would need either GRUB or efibootmgr. Note you can use GRUB to support the encrypted disks by Configuring the boot loader but editing the is not necessary for this set up.

Or use direct UEFI Secure Boot by generating keys with then signing the initramfs and kernel and creating a bootable .efi file for your EFI system partition with sbupdate-git^AUR. Before using cryptboot or sbupdate note this excerpt from Secure Boot#Using your own keys:

# efibootmgr --create --disk /dev/device --part partition_number --label "Arch Linux Signed" --loader "EFI\Arch\linux-signed.efi" --unicode

See for an explanation of the options.

Make sure the boot order puts first. If not change it with .

# cryptsetup --header /boot/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=offset --keyfile-size=size luksChangeKey /dev/mapper/enc /dev/mapper/lukskey2 --new-keyfile-size=newsize --new-keyfile-offset=newoffset

Afterwards, and shred or dd the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one: key.img or other name.