
Part 3: Protecting Your Data in Linux - A Deeper Look at Disk Encryption


By: zhak

January 20, 2016

We've already prepared a UEFI bootable USB stick and a root partition for DM_CRYPT + LUKS encryption, and installed the Linux distribution of our choice, in Part 1. We've also prepared the initramfs sources for embedding into the kernel in Part 2. Now it's time to configure the kernel itself. There are a lot of good tutorials about kernel configuration on the Internet, so I'll skip the background and get straight to the point.

Step 5.3. Configure kernel

Download and unpack the kernel sources to the /usr/src/linux directory, then start menuconfig:

# cd /usr/src/linux
# make menuconfig

Configuring for dm_crypt:

First of all, we need dm_crypt and cryptographic API support:

Device Drivers --->
    Multiple devices driver support (RAID and LVM) --->
        Device mapper support
            Crypt target support
Cryptographic API --->
    Cryptographic algorithm manager
    CBC support
    XTS support
    SHA512 digest algorithm (SSSE3/AVX/AVX2)
    SHA384 and SHA512 digest algorithms
    AES cipher algorithms
    AES cipher algorithms (x86_64)
    AES cipher algorithms (AES-NI)

Configuring for initramfs:

General setup --->
    (/usr/src/initramfs) Initramfs source file(s)
    (0) User ID to map to 0 (user root)
    (0) Group ID to map to 0 (group root)
    Initial RAM filesystem and RAM disk (initramfs/initrd) support

Configuring for UEFI support:

Processor type and features --->
    EFI runtime service support
    EFI stub support

Since we don't use a boot loader, any command line options (which a boot loader would normally pass to the kernel) have to be built into the kernel. We need to pass root:

Processor type and features --->
    Built-in kernel command line
    (root=/dev/dm-1) Built-in kernel command string
Enable the block layer --->
    Partition types --->
        Advanced partition selection
        EFI GUID Partition support
Firmware Drivers --->
    EFI (Extensible Firmware Interface) Support --->
        <*> EFI Variable Support via sysfs

Also enable EFI frame buffer support:

Device Drivers --->
    Graphics Support --->
        Frame buffer Devices --->
            Support for frame buffer devices --->
                EFI-based Framebuffer Support

And don't forget to build the drivers for the hard disk and USB into the kernel itself (not as modules). Otherwise, the kernel won't be able to reach the disk and boot the system.

For debugging purposes, it can be useful to enable early kernel logging:

Kernel hacking --->
    Early printk
    Early printk via the EFI framebuffer

That's pretty much it.

Save the configuration and compile:

# make && make modules_install && make install

When everything is complete, just copy the built kernel to the EFI/BOOT folder on the bootable USB stick under the name BOOTX64.EFI:

# cp /boot/vmlinuz-4.1.12 /mnt/usb-boot/EFI/BOOT/BOOTX64.EFI
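Before running make, it is worth checking the saved .config for the options the walkthrough above turns on, because a single option left as a module silently breaks the boot. The script below is an added example, not part of the original post: the CONFIG_* names are my own mapping of the menuconfig entries, and the two sample .config files it checks are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a kernel .config
# against the options the walkthrough enables, before running make.
# The CONFIG_* symbol names are my mapping of the menuconfig entries above.
# Everything needed to open the LUKS root must be built in (=y): nothing can
# load a module (=m) from a root filesystem that is still encrypted.
REQUIRED="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_MANAGER
CONFIG_CRYPTO_CBC CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA512 CONFIG_CRYPTO_AES
CONFIG_BLK_DEV_INITRD CONFIG_EFI CONFIG_EFI_STUB CONFIG_CMDLINE_BOOL
CONFIG_PARTITION_ADVANCED CONFIG_EFI_PARTITION CONFIG_FB_EFI"

# check_config FILE: print each problem found; return 0 only if none.
check_config() {
    rc=0
    for opt in $REQUIRED; do
        if ! grep -q "^${opt}"'=y$' "$1"; then
            echo "missing or not built-in: $opt"
            rc=1
        fi
    done
    # with no boot loader, the root device must be on the built-in command line
    if ! grep -q '^CONFIG_CMDLINE=".*root=' "$1"; then
        echo "CONFIG_CMDLINE does not set root="
        rc=1
    fi
    # the embedded initramfs must come from the tree prepared in Part 2
    if ! grep -q '^CONFIG_INITRAMFS_SOURCE="/usr/src/initramfs"$' "$1"; then
        echo "CONFIG_INITRAMFS_SOURCE is not /usr/src/initramfs"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for a self-contained run (not real kernel output).
GOOD=$(mktemp)
{
    for opt in $REQUIRED; do echo "$opt=y"; done
    echo 'CONFIG_CMDLINE="root=/dev/dm-1"'
    echo 'CONFIG_INITRAMFS_SOURCE="/usr/src/initramfs"'
} > "$GOOD"
# Same config, but dm-crypt only as a module and the command line missing root=
BAD=$(mktemp)
sed -e 's/^CONFIG_DM_CRYPT=y$/CONFIG_DM_CRYPT=m/' \
    -e 's/^CONFIG_CMDLINE=.*/CONFIG_CMDLINE=""/' "$GOOD" > "$BAD"

check_config "$GOOD" && echo "sample config: OK"
check_config "$BAD" || echo "sample config with dm-crypt as module: rejected"
```

On a real tree, run check_config /usr/src/linux/.config after saving from menuconfig; an empty output and a zero exit status mean the options above are all built in.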