Tuesday, November 24, 2009

How To Encrypt Home on Fedora

Encrypt Your Linux Home Partition

This how-to explains the process of encrypting a partition on an existing system.

If you are installing a new Linux box, or reinstalling, the graphical installers for RHEL5.4 and later, Fedora, Ubuntu, and OpenSuSE now all provide easy GUI tools to accomplish this.

Doing so on an existing system takes a bit of care so as not to destroy data.

The following are notes that I took while running through the process for the first time. Some steps may be redundant or unnecessary; if so, feel free to add comments and I'll adjust the process.

  1. Identify the partition that should be encrypted. In this example, I'm going to encrypt the partition (/dev/sdb1) that is mounted as /home.
  2. Back up the data before proceeding. The process of encrypting requires a format. Since this is /home, it makes sense to log out of the desktop, log in as root to the terminal (CTRL ALT F2) and run 'init 3'. The /home directory can then be safely unmounted.
    # init 3
    # mkdir -p /backup/$(hostname -s)
    # rsync -a /home /backup/$(hostname -s)
    # umount /home

  3. Use cryptsetup to initialize the LUKS partition (again, make sure it is unmounted) and set the initial key / passphrase. Use whatever good passphrase you want to unlock this device in the future. If necessary, additional keys can be added for multi-user support.
    # cryptsetup luksFormat /dev/sdb1
  4. Identify the UUID of the partition
    # blkid /dev/sdb1

    /dev/sdb1: UUID="186f67df-9872-44d5-947c-a010d831f570" TYPE="crypto_LUKS"
  5. Open the LUKS partition, setting up a mapping with a name based on the UUID (this is the default naming convention used by the Fedora installer)
    # cryptsetup luksOpen /dev/sdb1 luks-186f67df-9872-44d5-947c-a010d831f570
  6. Format the device. I'll use ext4 since it's the new standard on Fedora and Ubuntu
    # mkfs.ext4 /dev/mapper/luks-186f67df-9872-44d5-947c-a010d831f570
  7. Once again, verify the UUID for the device. If you don't get this correct, the system will hang at bootup as it attempts to mount the device
    # blkid /dev/sdb1

    /dev/sdb1: UUID="186f67df-9872-44d5-947c-a010d831f570" TYPE="crypto_LUKS"
  8. Add the device to crypttab to map it to the correct UUID
    # vi /etc/crypttab

    luks-186f67df-9872-44d5-947c-a010d831f570 UUID=186f67df-9872-44d5-947c-a010d831f570 none
  9. Add the new mount to /etc/fstab so that it mounts at boot (make sure to comment out or remove the existing /home entry). If you choose to automount encrypted partitions, the boot process will pause, prompting for the passphrase. This may be undesirable, especially in the case of a server where you might choose to mount manually following boot!
    # vi /etc/fstab

    /dev/mapper/luks-186f67df-9872-44d5-947c-a010d831f570 /home ext4 defaults 1 2
  10. Before you reboot, make sure to locate a copy of the installation media just in case you need to enter recovery mode (most likely due to a typo in fstab or crypttab)
    # /sbin/shutdown -r now
  11. During the boot process you'll be prompted to enter a passphrase to unlock the partition.
  12. If you need multiple keys (maybe this is a shared workstation or laptop), you can add new keys as follows
    # cryptsetup luksAddKey /dev/sdb1
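
Steps 7 to 9 warn that a wrong UUID or a leftover /home line will hang the boot. The following is an added example, not part of the original notes: a check to run before the reboot in step 10 that cross-checks the blkid output against crypttab and fstab. The function names and exit codes are made up for this example, and the sample files are constructed from the values shown in the steps.

```sh
#!/bin/sh
# Added example (not from the original post): pre-reboot check for steps 7-9.
# Real-system invocation, as root (device and mount point are the post's):
#   check_luks_config "$(blkid /dev/sdb1)" /etc/crypttab /etc/fstab /home

# Print the UUID from one line of blkid output (ignores PARTUUID etc.).
luks_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# Exit codes: 0 consistent, 1 not LUKS, 2 crypttab mismatch,
# 3 fstab does not mount the mapping, 4 duplicate active mount entries.
check_luks_config() {
    blkid_line=$1; crypttab=$2; fstab=$3; mountpoint=$4
    case $blkid_line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "device is not a LUKS container" >&2; return 1 ;;
    esac
    uuid=$(luks_uuid "$blkid_line")
    # crypttab fields: <mapping name> <device> <key file> [options]
    name=$(awk -v want="UUID=$uuid" \
        '$1 !~ /^#/ && $2 == want { print $1; exit }' "$crypttab")
    [ -n "$name" ] || { echo "no crypttab entry for UUID=$uuid" >&2; return 2; }
    # fstab must mount /dev/mapper/<mapping name> on the mount point
    awk -v dev="/dev/mapper/$name" -v mp="$mountpoint" \
        '$1 !~ /^#/ && $1 == dev && $2 == mp { ok = 1 } END { exit !ok }' \
        "$fstab" || { echo "fstab: /dev/mapper/$name not on $mountpoint" >&2; return 3; }
    # the old /home line must be commented out or removed (step 9)
    n=$(awk -v mp="$mountpoint" \
        '$1 !~ /^#/ && $2 == mp { c++ } END { print c + 0 }' "$fstab")
    [ "$n" -eq 1 ] || { echo "$n active fstab entries for $mountpoint" >&2; return 4; }
    echo "ok: UUID=$uuid -> $name -> $mountpoint"
}

# Constructed sample data reusing the UUID shown in the steps above.
u=186f67df-9872-44d5-947c-a010d831f570
blkid_out="/dev/sdb1: UUID=\"$u\" TYPE=\"crypto_LUKS\""
d=$(mktemp -d)
echo "luks-$u UUID=$u none" > "$d/crypttab"
echo "/dev/mapper/luks-$u /home ext4 defaults 1 2" > "$d/fstab"
check_luks_config "$blkid_out" "$d/crypttab" "$d/fstab" /home
# A one-character typo in crypttab is caught here instead of at boot.
echo "luks-$u UUID=286f67df-9872-44d5-947c-a010d831f570 none" > "$d/crypttab.bad"
check_luks_config "$blkid_out" "$d/crypttab.bad" "$d/fstab" /home || echo "rc=$?"
rm -rf "$d"
```
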

Chromium on Fedora 12

Update: Google now has an official repo for Linux that works for Fedora 12 and 13

20100917 - Updated the contents of this post to replace 'beta' package references with 'stable'.

Create the Google yum repository configuration file (replace x86_64 with i386 in the repo file to use the 32bit Google repository)
$ sudo vim /etc/yum.repos.d/google-chrome.repo

name=google - x86_64

Then install Google Chrome
$ sudo yum install google-chrome-stable

Package                                    Arch                          Version                                      Repository   
google-chrome-stable                       x86_64                        5.0.307.11-39572                             google-chrome
Installing for dependencies:
cvs                                        x86_64                        1.11.23-8.fc12                               fedora       
foomatic                                   x86_64                        4.0.3-8.fc12                                 updates      
foomatic-db                                noarch                        4.0-8.20091126.fc12                          updates      
gettext                                    x86_64                        0.17-16.fc12                                 updates      
libmodplug                                 x86_64                        1:0.8.7-2.fc12                               fedora       
libmpcdec                                  x86_64                        1.2.6-6.fc12                                 fedora       
patch                                      x86_64                        2.6.1-1.fc12                                 updates      
pax                                        x86_64                        3.4-10.fc12                                  fedora       
phonon                                     x86_64                        4.3.80-5.fc12                                updates      
phonon-backend-xine                        x86_64                        4.3.80-5.fc12                                updates      
qt                                         x86_64                        1:4.6.2-3.fc12                               updates      
qt-sqlite                                  x86_64                        1:4.6.2-3.fc12                               updates      
qt-x11                                     x86_64                        1:4.6.2-3.fc12                               updates      
qt3                                        x86_64                        3.3.8b-28.fc12                               fedora       
redhat-lsb                                 x86_64                        3.2-7.fc12                                   fedora       
xine-lib                                   x86_64                                            updates

Original content:
Want to run the Google Chrome web browser on your Fedora workstation? Not exactly Chrome, but you can install and run Chromium, the open source browser (devoid of Google branding) on which Google Chrome is based.

Chromium will install on both 32bit and 64bit systems.

First, create a new yum repository configuration file (/etc/yum.repos.d/chromium.repo):
name=Chromium Test Packages
Next, install chromium. Two packages will come from the chromium repo, chromium and v8:
$ sudo yum install chromium

Dependencies Resolved

Package      Arch      Version                            Repository     Size
chromium    x86_64   chromium      9.7 M
Installing for dependencies:
minizip     x86_64  1.2.3-23.fc12                         fedora         24 k
nss-mdns    x86_64  0.10-8.fc12                           fedora         21 k
v8          x86_64  2.0.0-1.20091118svn3334.fc12          chromium      810 k

Once installed, you'll find Chromium on the Applications menu under Internet.

v8 is Google's open source JavaScript engine.