Everyday Thaumaturgy
(It's a Miracle If I Get Anything Done Around Here)
a blog by William S. Statler

Laptop computer renovation, Part 4

Wed, 11 Feb 2009 20:00:00 PST

At the end of Part 3 of this series, I had a laptop with a working Windows XP installation on the first partition, and three empty partitions waiting for my Ubuntu Linux 8.10 installation. Ubuntu is pretty easy to install — the real challenge here was to make a single encrypted partition for my personal files that would be usable in both Linux and Windows.

I researched this issue in advance, but still ended up having to reformat a partition to fix a problem. In brief: there's an excellent freeware Windows driver that allows reading/writing of Linux ext2 and ext3 formatted disks. But a brand-new change in version 8.10 of Ubuntu makes the installer use an ext2/ext3 format which is unreadable by this driver. The workaround is to format manually, not using the Ubuntu installer's default settings.

Anyway, on to the extremely gory details...

An encrypted drive partition shared by Linux and Windows

There are many ways to encrypt a whole partition, but only a few which will work under Windows and Linux both — and, I believe, only one which doesn't require proprietary software.

On the Linux side, the necessary software is included with Ubuntu (and with many other Linux versions). It goes by the unwieldy name of dm-crypt/LUKS. As I understand it, dm-crypt handles the encryption, and LUKS is an enhancement that takes care of the keys.

On the Windows side, FreeOTFE is compatible with dm-crypt/LUKS. There's a limited range of encryption options that work properly with both systems: they're listed near the bottom of this link. I ended up using twofish encryption with a 256-bit key and the cbc-essiv:sha256 IV algorithm. Whatever that means.

(In case it's not already obvious, I am not an expert on encryption software. I'm stumbling about and relying on information and opinions posted by seemingly-knowledgeable people on the Net. I'm not trying to protect my data from the NSA here — I just want to make it hard for a laptop thief to read my files. So it's quite possible that I haven't chosen the very best encryption software, or the most secure settings. It does look like I've assembled something that works. But please perform your own "due diligence" research before you blindly follow my instructions.)
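An added example, not part of the original post: a LUKS version 1 volume records its cipher name, mode and key size in cleartext at the start of the partition, so the settings named above can be checked before counting on a second operating system to open the volume. The helper names and the sample headers are constructed for illustration, and /dev/sda3 in the comment is an assumed device path.

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
# Leading fields of the LUKS1 on-disk header, big-endian: magic, version,
# cipher-name[32], cipher-mode[32], hash-spec[32], payload-offset, key-bytes.
HEADER = struct.Struct(">6sH32s32s32sII")

# The combination the post reports using for the shared partition.
EXPECTED = {"cipher": "twofish", "mode": "cbc-essiv:sha256", "key_bits": 256}


def parse_luks1_header(blob):
    """Return the cipher settings recorded in a LUKS1 header."""
    if len(blob) < HEADER.size:
        raise ValueError("need at least %d bytes" % HEADER.size)
    magic, version, name, mode, hash_spec, payload, key_bytes = HEADER.unpack_from(blob)
    if magic != LUKS1_MAGIC:
        raise ValueError("no LUKS header found")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)

    def text(field):
        # Fields are NUL-padded ASCII strings.
        return field.split(b"\0", 1)[0].decode("ascii")

    return {"cipher": text(name), "mode": text(mode), "hash": text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload}


def mismatches(header, expected=EXPECTED):
    """Map each setting that differs to (found, expected)."""
    return {k: (header[k], want) for k, want in expected.items() if header[k] != want}


def sample_header(cipher, mode, key_bytes):
    """Constructed sample: a 592-byte LUKS1 header with empty digest and key slots."""
    fixed = HEADER.pack(LUKS1_MAGIC, 1, cipher, mode, b"sha1", 2056, key_bytes)
    return fixed + bytes(592 - len(fixed))


if __name__ == "__main__":
    # On a real system, read the header as root instead (assumed device path):
    #   blob = open("/dev/sda3", "rb").read(592)
    for blob in (sample_header(b"twofish", b"cbc-essiv:sha256", 32),
                 sample_header(b"aes", b"cbc-plain", 16)):
        print(mismatches(parse_luks1_header(blob)) or "matches the post's settings")
```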

Conceptually, partition-encryption software sits between the drive hardware and the operating system. All data written to the disk gets scrambled; all data read from it gets unscrambled. To the operating system, the encrypted partition looks like an entirely separate physical disk drive. Which means that you can't use it without formatting it first. I think of it as three layers: the formatting sits on top of the encryption, which sits on top of the physical drive partition. (This is actually pretty cool, because it means that even the formatting is encrypted. That makes it even more difficult for Bad Guy to figure out what you've got on your disk.)

Anyway, I needed to pick a format that both Windows and Linux could read. I went with ext3, which is commonly used on Linux systems. Windows can't read ext3 natively, but a nice freeware driver, the Ext2 Installable File System, takes care of that problem (as long as the formatting is done with certain parameters set: this is what caused me a headache later in the process).

Yes, I did get it working. Eventually.

Installing Ubuntu 8.10 (with encryption)

The Ubuntu Linux installation disk comes in a lot of versions. Generally, to do anything unusual (like encrypting a partition), you will need to use the text-based installer (a.k.a. the Debian installer), which is found on either the "alternate install CD" or the "install/live DVD". (I used the latter.)

One question I was unable to answer even after lots of Googling: would the text-based installer's default options allow me to create the encrypted partition, or would I need to install in "expert mode"? No clue. So I went with expert mode, like this:

file=/cdrom/preseed/ubuntu.seed initrd=/install/initrd.gz quiet --
file=/cdrom/preseed/ubuntu.seed initrd=/install/initrd.gz priority=low quiet --

The installer started up in expert mode. At this point I also remembered to plug in my network cable: I wanted the installer to use the newest versions of everything it was installing, not just what was on the installation disk.

Expert mode is kinda interesting even for a non-expert. You get to see all the things the installer is doing to your system. There are a lot of questions and choices demanding your input, but you can just accept the defaults on anything you don't quite understand. So I won't document every item — I either made the obvious choice or accepted the default for most questions.

The fun stuff started when I reached Partition disks on the menu. I'd already done the basic partitioning (see Part 3), and Windows was installed on Partition #1. That left three blank partitions for the Ubuntu root directory, /home, and the swap partition. (I'd spared myself some confusion by using only the four primary partitions, so there was no need for worrying about logical volumes.) I wanted encryption for /home and swap, and all three still needed formatting.

I selected Partitioning method: Manual and verified that the displayed partitions matched what I'd created earlier. From this list I selected Partition #2, and entered the following:

(No, I don't know what "relatime" is, or why there should be 5% reserved blocks for the superuser. These are examples of where I just accepted the defaults, because I really didn't want to spend the time researching every single item.)

Partition #2 was easy: I only wanted to use it from Linux (in fact, I preferred not to see it at all from Windows, so that I wouldn't mess something up by accident), and I didn't plan to encrypt it. (This is a slight security risk, because it leaves things like the /tmp directory visible.)

Partition #3 was to be my Linux /home directory and my Windows encrypted drive for private stuff. So the first step was to set up the encryption:

Two items of note. Encryption key: Passphrase is what makes this dm-crypt/LUKS encryption, and not just plain dm-crypt. The installer prompts for a passphrase at a later step. And Erase data: yes forces the partition to be overwritten with random data, making it harder for Bad Guy to distinguish what is actual encrypted data and what is junk.

At this point there was still more configuration to be done for the encrypted Partition #3, but it was easier to continue first with the preliminary setup for Partition #4, a 4 GB swap partition. I wanted this encrypted too. A swap partition (or a pagefile in Windows) can contain all sorts of private stuff, anything that happens to be in memory when the memory fills up and the overflow gets written to disk.

My settings for Partition #4 were identical to what's shown above for Partition #3, with one exception:

A new, random encryption key is created for this partition at every system restart. This is ideal for a swap partition, because the user doesn't need to remember a key: the computer knows what the key is. (There is one downside to this: hibernate mode (also known as suspend to disk) won't work. During hibernate, the system memory is copied to the swap partition before shutdown; but after restart, the old key is lost, and the memory data can't be recovered.)

At this point there was a new menu item on the Partition disks menu: Configure encrypted volumes. This confusingly-named selection sets up the encrypted partitions but also formats any non-encrypted partitions that you've set up. So, after a warning, four things happened:

I'm sure you all know this, but: DO NOT FORGET YOUR PASSPHRASE! If you forget it, your data is gone. Making regular non-encrypted backups of your data is also a really good idea.

One more step: Partitions #3 and #4 were encrypted, but they weren't yet formatted. They appeared on the menu as two new devices, named sda3_crypt and sda4_crypt.

Here is what I ought to have done at this point:

mkfs.ext3 -I 128 /dev/mapper/sda3_crypt

I believe that would have created an encrypted partition with an ext3 format compatible with the Windows Ext2 Installable File System driver, which requires 128-bit inodes. (That's what the "-I 128" does in the formatting command. And no, I don't know, or care, what an inode is!)

Unfortunately, the Ubuntu installer didn't flash a big red warning sign saying "Hey! We changed the default action of mkfs.ext3 to use 256-bit inodes!" Nor did it provide any way to select anything other than the default inode size. So, oblivious, I barged ahead with sda3_crypt in the installer:

(This gave me an encrypted /home directory which worked just fine in Linux, but was unreadable in Windows. More later on how I fixed that.)
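An added example, not part of the original post: the inode size that mkfs.ext3 -I sets is stored in the ext2/ext3 superblock (field s_inode_size, a byte count), so a freshly formatted volume can be checked against the -I 128 requirement described above before any files are copied onto it. The helper names and the sample images are constructed for illustration.

```python
import struct

SUPERBLOCK_OFFSET = 1024      # the superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53            # s_magic, shared by ext2 and ext3
COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat bit that marks ext3
DRIVER_INODE_SIZE = 128       # value passed as "-I 128" in the post


def read_superblock(image):
    """Return inode size (bytes) and journal flag from a volume's first 2 KiB."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 96:
        raise ValueError("image too short to hold a superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/ext3 superblock (volume locked or unformatted?)")
    (revision,) = struct.unpack_from("<I", sb, 76)
    if revision == 0:
        # Revision 0 predates s_inode_size; inodes are always 128 bytes.
        return {"inode_size": 128, "journal": False}
    (inode_size,) = struct.unpack_from("<H", sb, 88)
    (compat,) = struct.unpack_from("<I", sb, 92)
    return {"inode_size": inode_size, "journal": bool(compat & COMPAT_HAS_JOURNAL)}


def readable_by_windows_driver(image):
    """Apply the post's rule: the driver needs the -I 128 inode size."""
    return read_superblock(image)["inode_size"] == DRIVER_INODE_SIZE


def sample_image(inode_size):
    """Constructed sample: zeroed boot area plus a minimal ext3 superblock."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<I", sb, 76, 1)                   # dynamic revision
    struct.pack_into("<H", sb, 88, inode_size)
    struct.pack_into("<I", sb, 92, COMPAT_HAS_JOURNAL)
    return bytes(1024) + bytes(sb)


if __name__ == "__main__":
    # On the real system, after unlocking, read the mapped device as root:
    #   image = open("/dev/mapper/sda3_crypt", "rb").read(2048)
    for size in (256, 128):
        ok = readable_by_windows_driver(sample_image(size))
        print(size, "readable" if ok else "not readable")
```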

The encrypted swap partition, sda4_crypt, still needed attention:

I then selected Finish partitioning and write changes to disk. And that was the end of partitioning and formatting.

The rest of the Ubuntu installation was fairly uneventful, but I'd like to point out a couple of minor traps.

The Ubuntu designers do not want you to log in as root. They believe it is safer to do the same tasks using sudo. In fact, they are so firm about this that it is now forbidden to discuss root logins on the Ubuntu forums. I don't much appreciate this attitude of "we know what's best for you" — it reminds me of Microsoft. In the 3½ years I've been using Ubuntu, I've run into several problems that would be very difficult to fix without logging in as root.

Surprisingly, the expert-mode install I was using did offer an option to allow login as root. I said "yes" to this option. Turns out that was a mistake; there's an easier way to enable the root account after installation. I ended up with a system where none of the regular user accounts had sudo privileges. This was annoying to fix.

One other issue that might cause confusion: near the end of the installation, there are three menu options:

These options are mutually exclusive. I chose to install GRUB.

After the Ubuntu installation finished, I restarted the computer. In a few seconds I was at a GRUB menu that allowed me to choose between Ubuntu and Windows XP (as well as a few other options such as an exhaustive memory test). During the Ubuntu startup I was prompted for the passphrase for my encrypted /home partition. After login I was able to use this partition with no problems.

Next step: persuading Windows to read/write the encrypted partition. But this blog entry is already so huge, I'm going to break here and continue with Windows in Part 5.

Copyright © 2009 William S. Statler (except for quotes and
contributions from other authors). This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
which grants limited rights of non-commercial distribution and reuse. Please read
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
for details. All other rights reserved.