Part 3: Protecting Your Data in Linux – A Deeper Look at Disk Encryption

January 20, 2016 | Views: 1693


We prepared a UEFI-bootable USB stick and a root partition for dm-crypt + LUKS encryption, and installed the Linux distribution of choice, in Part 1. We prepared the initramfs sources for embedding into the kernel in Part 2. Now it's time to configure the kernel itself. There are many good tutorials on kernel configuration on the Internet, so I'll skip the background and get straight to the point.

Step 5.3. Configure the kernel

Download and unpack the kernel sources into /usr/src/linux, then start menuconfig:

# cd /usr/src/linux
# make menuconfig

Configuring for dm_crypt:

First of all, we need dm_crypt and cryptographic API support, built into the kernel rather than as modules (the root filesystem that would hold the modules is still encrypted when they are needed):

Device Drivers --->
  Multiple devices driver support (RAID and LVM) --->
    Device mapper support
      Crypt target support

Cryptographic API --->
  Cryptographic algorithm manager
  CBC support
  XTS support
  SHA512 digest algorithm (SSSE3/AVX/AVX2)
  SHA384 and SHA512 digest algorithms
  AES cipher algorithms
  AES cipher algorithms (x86_64)
  AES cipher algorithms (AES-NI)

Configuring for initramfs:

General setup --->
  (/usr/src/initramfs) Initramfs source file(s)
  (0) User ID to map to 0 (user root)
  (0) Group ID to map to 0 (group root)
  Initial RAM filesystem and RAM disk (initramfs/initrd) support

Configuring for UEFI support:

Processor type and features --->
  EFI runtime service support
  EFI stub support

Since we don't use a boot loader, any command line options that would normally be passed to the kernel have to be built into it. We need to pass root:

Processor type and features --->
  Built-in kernel command line
  (root=/dev/dm-1) Built-in kernel command string

Enable the block layer --->
  Partition types --->
    Advanced partition selection
    EFI GUID Partition support

Firmware Drivers --->
  EFI (Extensible Firmware Interface) Support --->
    <*> EFI Variable Support via sysfs

Also enable EFI frame buffer support:

Device Drivers --->
  Graphics Support --->
    Frame buffer Devices --->
      Support for frame buffer devices --->
        EFI-based Framebuffer Support

And don't forget to build the drivers for the hard disk and USB controller into the kernel. Otherwise it won't be able to boot the system.

For debugging purposes it can be useful to enable early kernel logging:

Kernel hacking --->
  Early printk
  Early printk via the EFI framebuffer

That’s pretty much it. Save the configuration and compile:

# make && make modules_install && make install

When everything is complete, just copy the built kernel to the EFI/BOOT folder on the bootable USB stick under the name BOOTX64.EFI:

# cp /boot/vmlinuz-4.1.12 /mnt/usb-boot/EFI/BOOT/BOOTX64.EFI
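Before running make, it is worth checking that the saved .config really contains everything listed above as built in. The following script is an added example and not part of the original article: it reads a .config, verifies that the Kconfig symbols behind the menu entries above are set to y (with an embedded initramfs and no boot loader, nothing can load a module before the encrypted root is opened, so =m is as bad as "not set"), and checks that the built-in command line carries root= and that the initramfs source directory is set. The symbol list is an assumption mirroring the menu entries in this article; the two sample configs at the bottom are constructed so the script runs stand-alone. Add your own disk and USB driver symbols to the list.

```shell
#!/bin/sh
# Added example, not from the original article: check a kernel .config for the
# options this article requires. "=m" counts as a failure because no module
# can be loaded before the encrypted root filesystem is opened.

# Kconfig symbols that must be =y (assumption: list mirrors the article's menu
# entries; extend it with your disk and USB controller drivers).
REQUIRED_BUILTIN="
CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT
CONFIG_CRYPTO_MANAGER CONFIG_CRYPTO_CBC CONFIG_CRYPTO_XTS
CONFIG_CRYPTO_SHA512 CONFIG_CRYPTO_AES
CONFIG_BLK_DEV_INITRD
CONFIG_EFI CONFIG_EFI_STUB CONFIG_CMDLINE_BOOL
CONFIG_PARTITION_ADVANCED CONFIG_EFI_PARTITION
CONFIG_FB_EFI
"

# check_config FILE: print one line per problem found in FILE and return the
# number of problems (0 means the configuration passes).
check_config() {
    file=$1
    problems=0
    for sym in $REQUIRED_BUILTIN; do
        # value after "SYM=", empty when the symbol is absent or commented out
        val=$(sed -n "s/^${sym}=\(.*\)\$/\1/p" "$file")
        case "$val" in
            y)  ;;
            m)  echo "$sym=m: built as a module, must be built in (=y)"
                problems=$((problems + 1)) ;;
            "") echo "$sym is not set"
                problems=$((problems + 1)) ;;
            *)  echo "$sym has unexpected value '$val'"
                problems=$((problems + 1)) ;;
        esac
    done
    # No boot loader will add root=, so the built-in command line must carry it.
    if ! grep -q '^CONFIG_CMDLINE=".*root=' "$file"; then
        echo "CONFIG_CMDLINE does not contain root="
        problems=$((problems + 1))
    fi
    # The embedded initramfs needs a non-empty source directory.
    if ! grep -q '^CONFIG_INITRAMFS_SOURCE="[^"]' "$file"; then
        echo "CONFIG_INITRAMFS_SOURCE is empty"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample configs (not real build output) so the script runs stand-alone.
GOOD_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE="/usr/src/initramfs"
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="root=/dev/dm-1"
CONFIG_PARTITION_ADVANCED=y
CONFIG_EFI_PARTITION=y
CONFIG_FB_EFI=y
EOF
# The same config with three typical mistakes: dm-crypt as a module,
# EFI stub switched off, and an empty built-in command line.
sed -e 's/^CONFIG_DM_CRYPT=y/CONFIG_DM_CRYPT=m/' \
    -e 's/^CONFIG_EFI_STUB=y/# CONFIG_EFI_STUB is not set/' \
    -e 's/^CONFIG_CMDLINE=.*/CONFIG_CMDLINE=""/' "$GOOD_CONFIG" > "$BAD_CONFIG"

echo "== good config =="
check_config "$GOOD_CONFIG" && echo "OK: all required options are built in"
echo "== bad config =="
check_config "$BAD_CONFIG" || echo "$? problem(s) found"
```

On a real tree, replace the sample file with the path of your configuration, for example check_config /usr/src/linux/.config, and do not start the build until it returns 0.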

  1. I don't understand, will this work on the bootable USB?

  2. To have only one password to log in to your device.

  3. It's a great class, it has yielded a lot.
