Archive for September, 2013

Encrypted, persistent storage on Ubuntu livecd (13.04)

Posted in Uncategorized on September 12, 2013 by voline

When my system fails to boot, I have a rescue usb stick with an Ubuntu livecd which can be loopback booted to be used as a rescue system. Sometimes fixing the issue requires trial-and-error and several boots.  This can cause headaches as the livecd is not persistent by default.  So if there’s several web pages I’m perusing to help solve the problem, they’re gone on the next boot.

Persistent livecd

Good news is that the Ubuntu livecd already supports persistence for a livecd session; the bad news is you have to configure it.  And while its a slight pain in the ass, I’ve not found it too difficult.  I like the method where by a file named casper-rw formatted as an ext3 partition is written to the FAT filesystem on the usb stick.  This makes it easier to resize the persistent storage should I run out of space (I abhor manipulating partition tables, and with they would just go away!).  The biggest pain is that the newer livecds don’t have a grub entry which tells the livecd to boot with persistence, so it must be added each time you boot the livecd.  This is old news though and been known abut and done for a long time.

No Encryption

Now lets say you’re in the middle of trying to figure out why your computer isn’t booting, and determine you need to buy a new harddrive.  Since you’re in your persistent livecd session you can just got to your favorite online retailer and order one up.  That’s all find an good, until several days later you realize that your usb has been lost and it has the password to your online account stored in the firefox profile on the persistent storage.  We wouldn’t want that getting into the wrong hands.  It would be nice if the persistent storage was encrypted so that regardless of whether there was important data on there it  wouldn’t be accessible to the world, should it fall into the wrong hands.

Encryption

There are two obvious methods for encrypting the persistent data:

  1. Use encryption at the filesystem layer, such as ecryptfs, which Ubuntu uses for its “Encrypt Home” feature
  2. Use block-level encryption to encrypt the whole casper-rw block device.

I won’t go much into the first method because I dislike filesystem encryption vs. block layer encryption, partly because there is some information leakage (such as number of files).  However in this context, ecryptfs does have some potential benefits over block layer encryption.    For one, it requires no additional support in the livecd.  All you need to do is follow one of the many recipes for using this feature in Ubuntu.

The second method, involves encrypting the whole block device with a block-level encryption system such as LUKS, which is the linux standard for such things.  Unfortunately, this required additional support in the livecd to support unlocking the device at boot.  Fortunately, the heavy lifting has already been done in this patch to the initrd of the raring desktop iso (ubuntu bug).

The Solution

So until Ubuntu can get this integrated into their iso, here’s how to modify the current iso to add encrypted persistence support.

  1. Download the Ubuntu iso and initrd patch.
  2. Download edit_iso.sh and edit_initrd.sh and chmod +x them.
  3. $ edit_iso.sh <iso file>
  4. edit the initrd
  5. $ patch -p1 < <initrd patch>
    1. Make sure that the patch applies successfully!
  6. add extra crypto modules if desired (the iso by default only comes with aes)
    1. $ rsync -uavSP {,.}/lib/modules/*/kernel/crypto
    2. $ rsync -uavSP {,.}/lib/modules/*/kernel/arch/x86/crypto
  7. $ exit ### to build the new initrd and resume editing the iso
  8. edit grub config
    1. Add “persistent” to the linux command.
  9. finish the other edit_iso questions, with defaults if desired.

Now you should have another iso that you can loopback boot from as you did the original iso, except that this one will boot with luks-encrypted, persistent storage.

NOTE: The luks-encrypted device must have a password slot.  Currently there is no way to use keyfile, and storing a keyfile on the USB would effectively nullify the encryption.  Also, the device must be a file named casper-rw.  It can not be a partition on the usb stick.  This is because there would be no way for the livecd to know which luks-encrypted partition to use (in the case of multiple).  Without encryption, the livecd will search for the persistent storage by looking for a file named casper-rw or a partition with a filesystem with a filesystem label of “casper-rw”.  LUKS devices do not allow tagging or adding of labels (unless you count some UUID scheme).

Advertisements