Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 23rd, 2015
Linux Advisory Watch: March 20th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Encrypted Root Filesystem HOWTO

Encrypted Root Filesystem HOWTO

Christophe Devine

Revision History
Revision v1.32005-03-13Revised by: cd
Updated the packages version.
Revision v1.22004-10-20Revised by: cd
Updated the packages version.
Revision v1.12003-12-01Revised by: cd
Added support for GRUB.
Revision v1.02003-09-24Revised by: cd
Initial release, reviewed by LDP.
Revision v0.92003-09-11Revised by: cd
Updated and converted to DocBook XML.

This document explains how to make your personal data secure by encrypting your Linux root filesystem using strong cryptography.

1. Preparing the system

1.1. Setting up the partition layout

Your hard disk (hda) should contain at least three partitions:

  • hda1: this small unencrypted partition will ask for a password in order to mount the encrypted root filesystem.

  • hda2: this partition will contain your encrypted root filesystem; make sure it is large enough.

  • hda3: this partition holds the current GNU/Linux system.

At this point, both hda1 and hda2 are unused. hda3 is where your Linux distribution is currently installed; /usr and /boot must not be separated from this partition.

Here's an example of what your partition layout might look like:

# fdisk -l /dev/hda

Disk /dev/hda: 255 heads, 63 sectors, 2432 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1         1      8001   83  Linux
/dev/hda2             2       263   2104515   83  Linux
/dev/hda3           264       525   2104515   83  Linux
/dev/hda4           526      2047  12225465   83  Linux

1.2. Required packages

If you use Debian, the following packages are mandatory:

apt-get install gcc make libncurses5-dev patch bzip2 wget

To make copy & paste easier, you should also install:

apt-get install lynx gpm

1.3. Installing Linux-2.4.29

There are two main projects which add loopback encryption support in the kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it features an extremely fast and highly optimized implementation of Rijndael in assembly language, and therefore provides maximum performance if you have an IA-32 (x86) CPU. Besides, there are some security concerns about cryptoloop.

First of all, download and unpack the loop-AES package:

cd /usr/src
tar -xvjf loop-AES-v3.0b.tar.bz2

Then you must download and patch the kernel source:

tar -xvjf linux-2.4.29.tar.bz2
cd linux-2.4.29
rm include/linux/loop.h drivers/block/loop.c
patch -Np1 -i ../loop-AES-v3.0b/kernel-2.4.28.diff

Setup the keyboard map:

dumpkeys | loadkeys -m - > drivers/char/defkeymap.c

Next, configure your kernel; make sure the following options are set:

make menuconfig

    Block devices  --->

        <*> Loopback device support
        [*]   AES encrypted loop device support (NEW)

        <*> RAM disk support
        (4096)   Default RAM disk size (NEW)
        [*]   Initial RAM disk (initrd) support

    File systems  --->

        <*> Ext3 journalling file system support
        <*> Second extended fs support

(important note: do not enable /dev file system support)

Compile the kernel and install it:

make dep bzImage
make modules modules_install
cp arch/i386/boot/bzImage /boot/vmlinuz

If grub is your bootloader, update /boot/grub/menu.lst or /boot/grub/grub.conf:

cat > /boot/grub/menu.lst << EOF
default 0
timeout 10
color green/black light-green/black
title Linux
    root (hd0,2)
    kernel /boot/vmlinuz ro root=/dev/hda3

Otherwise, update /etc/lilo.conf and run lilo:

cat > /etc/lilo.conf << EOF

You may now restart the system.

1.4. Installing Linux-2.6.10

Proceed as described in the previous section, using loop-aes' kernel-2.6.10.diff patch instead, and make sure cryptoloop support is not activated. Note that modules support require that you have the module-init-tools package installed.

1.5. Installing util-linux-2.12p

The losetup program, which is part of the util-linux package, must be patched and recompiled in order to add strong cryptography support. Download, unpack and patch util-linux:

cd /usr/src
tar -xvjf util-linux-2.12p.tar.bz2
cd util-linux-2.12p
patch -Np1 -i ../loop-AES-v3.0b/util-linux-2.12p.diff

To use passwords that are less than 20 characters, enter:


Security is certainly your major concern. For this reason, please do not enable passwords shorter than 20 characters. Data privacy is not free, one has to 'pay' in form of long passwords.

Compile losetup and install it as root:

./configure && make lib mount
mv -f /sbin/losetup /sbin/losetup~
rm -f /usr/share/man/man8/losetup.8*
cd mount
gzip losetup.8
cp losetup /sbin
cp losetup.8.gz /usr/share/man/man8/
chattr +i /sbin/losetup



Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
OpenSSL Mystery Patch is No Heartbleed
Study: One-third of top websites vulnerable or hacked
Threat-sharing cybersecurity bill unveiled
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.