Encrypted OMV installation with aes-xts-plain64 cipher, random key for swap and exposing the rest of boot disk to store data

= Preface =

OpenMediaVault is an extraordinary piece of software for building network attached storage, but it does not provide support for data encryption out of the box. However, it’s a modified Debian distribution, so it’s possible to use the methods available on Debian. Moreover, it’s pretty simple even though it may seem a bit complicated at the beginning. This tutorial will guide you through the installation and configuration of a fully encrypted system (only /boot will remain unencrypted) with dm-crypt and LUKS. As an extra benefit, you’ll be able to use the rest of your system disk as a storage area for OMV. The default OMV installation uses the entire disk for system data, so most of the space is just wasted.

= Requirements =


 * Original OMV image
 * Some other Linux distribution installed (Live CD should also do the trick) e.g. Ubuntu – to modify original OMV image
 * Time and patience – overwriting entire disk with random data may take several hours or even days on large disks! So, be patient :)
 * Access to the internet to fetch additional packages during installation (or download them earlier and include in modified image)

= Step 0 - Modify OMV iso to enable manual disk partitioning =

Default OMV iso has been configured in a way that it’s easy and quick to install even for a beginner so most of the configuration during installation has been hidden from the user and pre-configured already. This includes partitioning so we need to modify the iso a bit to enable that option. This has to be done on Linux so you can use e.g. Ubuntu.


 * Note to Volker – maybe it’s worth leaving partitioning active in the image? It wouldn’t be more difficult for beginner users to install OMV – they can always choose Guided Partitioning on entire disk.


 * Download current iso from http://sourceforge.net/projects/openmediavault/files/ e.g. openmediavault_0.3_i386.iso and run following commands to extract its content:

mkdir loopdir
mount -o loop openmediavault_0.3_i386.iso loopdir/
mkdir omv_image
rsync -a -H --exclude=TRANS.TBL loopdir/ omv_image
umount loopdir


 * Use your favourite editor to change the content of the omv_image/install/preseed.cfg file and comment out (put “#” in the first column) each line in the “### Partitioning” section. It should look like this:

### Partitioning
# This makes partman automatically partition without confirmation.
#d-i partman-auto/method string regular
#d-i partman-auto/init_automatically_partition select Guided - use entire disk
#d-i partman-auto/choose_recipe select All files in one partition (recommended for new users)
#d-i partman/default_filesystem string ext4
#d-i partman/choose_partition select Finish partitioning and write changes to disk
#d-i partman/confirm boolean true

Save the file.
 * Now we need to update its md5 sum. First, compute it:

md5sum omv_image/install/preseed.cfg


 * Put the result of that command into omv_image/md5sum.txt file. Use your favourite editor, find the line for ./install/preseed.cfg and replace md5 sum with current value, e.g.

102f40cfedd76e12a2e08b5212290edf ./install/preseed.cfg

 * Now it’s time to create new iso file:

mkisofs -o openmediavault_corrected_0.3_i386.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-tab

This iso can be used to install OMV the same as the original one. The only difference is the possibility to partition your disk manually.
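
The md5sum.txt update from Step 0 can be scripted so the hash is never copied by hand. This is an added example, not part of the original tutorial; the function names update_md5_entry and verify_image are hypothetical.

```shell
#!/bin/sh
# Added example: refresh one entry of an installer image's md5sum.txt after
# editing a file, then re-check the whole list.

# update_md5_entry IMAGE_DIR REL_PATH
#   e.g. update_md5_entry omv_image ./install/preseed.cfg
update_md5_entry() {
    image_dir=$1
    rel_path=$2
    list="$image_dir/md5sum.txt"
    [ -f "$image_dir/$rel_path" ] || { echo "missing file $rel_path" >&2; return 1; }
    [ -f "$list" ] || { echo "missing $list" >&2; return 1; }
    # Hash relative to the image root so the path column matches md5sum.txt.
    new_line=$(cd "$image_dir" && md5sum "$rel_path") || return 1
    tmp=$(mktemp) || return 1
    # Replace the line whose path column equals REL_PATH; fail if there is none.
    awk -v path="$rel_path" -v line="$new_line" '
        { p = $0; sub(/^[0-9a-f]+[ ]+[*]?/, "", p) }
        p == path { print line; found = 1; next }
        { print }
        END { exit(found ? 0 : 2) }
    ' "$list" > "$tmp" || { rm -f "$tmp"; echo "no entry for $rel_path" >&2; return 1; }
    cat "$tmp" > "$list" && rm -f "$tmp"
}

# verify_image IMAGE_DIR: check every file listed in md5sum.txt against its hash.
verify_image() {
    (cd "$1" && md5sum -c --quiet md5sum.txt)
}

# Script mode: ./fix-md5.sh omv_image ./install/preseed.cfg
if [ "$#" -eq 2 ]; then
    update_md5_entry "$1" "$2" && verify_image "$1"
fi
```

Run it after saving preseed.cfg and before building the new iso; a non-zero exit means some file in the image no longer matches md5sum.txt.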

= Step 1 - Installation =

Boot your system with the modified iso and proceed the same as with the original one until you’re asked about partitioning options. Remember to set a strong root password – your system is only as secure as its weakest part.

== Step 1.1 - Easy way – use installer defaults ==

This way is much easier to configure but you’re limited to default encryption options provided by the installer, which are still considered very secure. It uses aes-cbc-essiv:sha256 cipher with 256 bit long key. Your system data and swap will be on the same encrypted partition thus secured by the same key.

The downside of that method is that you won’t be able to use the rest of your disk as a device to store data in OMV.


 * Choose "Guided – use entire disk and set up encrypted LVM"
 * Choose the disk you want to install OMV to. Note, that all data currently stored on this disk will be erased
 * Choose partitioning scheme. "All files in one partition (recommended for new users)" should be fine for most users
 * Confirm writing the changes to disk. Now the installer will erase all data on target disk and overwrite it with random data. This will take a lot of time! With big disks it may take several hours to complete. However, it’s normal and highly recommended – this way the attacker won’t be able to distinguish where your data ends on the disk which makes the attack much more complicated and time-consuming.
 * Enter encryption passphrase. Once again – remember it must be a strong one. There’s a nice paragraph explaining how you should choose your passphrase: https://help.ubuntu.com/community/EncryptedFilesystemHowto#I_want_to_use_a_passphrase._How_long_does_it_need_to_be.3F
 * Re-enter the passphrase to confirm it’s correct
 * Write all partitioning changes to disk by choosing "Finish partitioning and write changes to disk"
 * Confirm writing changes to disk and watch the system being installed
 * Choose the Debian mirror closest to you.
 * Enter data of the proxy server you use in your network, if any, and wait until additional packages are fetched and installed
 * Finally, remove your installation media and press "Continue" to reboot your freshly installed system.
 * Right after reboot it should ask you for the encryption password. You will have to enter it each time you reboot the machine (unless you configure a key file stored on some pendrive or SSH server to unlock it remotely – check "What’s next" paragraph)

== Step 1.2 - Paranoid way – manual encryption with aes-xts-plain64 cipher and random key for swap ==

This approach allows you to unleash the whole power of encryption on Linux:

 * It allows you to use the aes-xts-plain64 cipher, which is currently considered the best option for encrypting a drive with dm-crypt and works well with large disks (larger than 2TB).
 * It sets up swap encrypted with a random key every time it’s mounted. This way nobody will be able to fetch your crucial data stored temporarily in swap. The downside of using a random key is that you won’t be able to put your system to sleep/hibernate, but it’s not a problem for a NAS system which is supposed to work all the time.
 * Additionally, it allows exposing the rest of the boot disk to store data in OMV.

So:

 * When you’re asked about partitioning options, choose "Manual"
 * Choose the disk you want to install OMV to. Note, that all data currently stored on this disk will be erased
 * Confirm creating new empty partition table
 * Create partition for /boot
   * Select free disk space
   * Choose "Create a new partition"
   * 256 MB should be more than enough even in case new kernel updates will be installed on your NAS
   * Choose "Primary" as a partition type
   * Place the partition at the beginning of the disk
   * Select mount point "/boot". You may also change file system from default ext3 to ext4 if you wish. Then select "Done setting up the partition"
 * Create partition for swap
   * Select free disk space
   * Choose "Create a new partition"
   * Usually it’s recommended to use twice as big swap as the amount of RAM memory in your computer
   * Choose "Primary" as a partition type
   * Place the partition at the end of the disk
   * Go to "Use as" and select "physical volume for encryption".
   * In "Encryption key" choose "Random key"
   * Leave "Erase data" option set to "yes" so it will overwrite your swap area with random data. Then select "Done setting up the partition"
 * Create partition for root file system and data space
   * Select free disk space
   * Choose "Create a new partition" and use all remaining disk size
   * Choose "Logical" as a partition type
   * Place the partition at the end of the disk
   * Go to "Use as" and select "physical volume for encryption" similarly as for swap
   * You can leave any setting for key and cipher, we’ll change them manually soon
   * Leave "Erase data" option set to "no". We will manually overwrite this partition with random data. Then select "Done setting up the partition"
 * Configure encrypted volumes
   * Choose "Configure encrypted volumes"
   * Confirm writing latest changes to disk
   * Select "Create encrypted volumes"
   * Select partitions for root file system and swap. In this case it’s /dev/sda5 and /dev/sda2. Then press "Continue"
   * Choose "Finish"
   * Confirm that you really want to erase data on swap partition and wait until the erase is done
   * Enter and then re-enter for confirmation any passphrase for root filesystem encryption. Just enter anything, we’ll re-create encryption on this partition manually with proper passphrase soon.
   * If you’ve entered something really weak, just confirm that you really want to use it
 * Re-create encrypted partition with aes-xts-plain64 cipher
   * When back at the main "partition disks" screen, press Alt-F2 to switch to the 2nd console and press Enter to activate it
   * Go to /root folder and download linux-image package which contains modules necessary for XTS encryption. To find out which version of that package to download just check what’s your current kernel version, e.g.:

cd /root
uname -a
Linux openmediavault 2.6.32-5-486 #1 Sun May 6 03:29:22 UTC 2012 i686 GNU/Linux

or what’s in /lib/modules

ls /lib/modules
2.6.32-5-486

   * Correct package can be found on http://packages.debian.org e.g. http://packages.debian.org/squeeze/i386/linux-image-2.6.32-5-486/download Just choose any mirror close to you
   * Download the package and uncompress its data.tar.gz content to some temporary folder

wget http://ftp.de.debian.org/debian/pool/main/l/linux-2.6/linux-image-2.6.32-5-486_2.6.32-46_i386.deb
ar vx linux-image-2.6.32-5-486_2.6.32-46_i386.deb
mkdir temp
tar xzf data.tar.gz -C temp/

Side note – instead of downloading the package during installation you can pre-fetch it and put it somewhere on your iso image. Just check "Step 0 - Modify OMV iso to enable manual disk partitioning" paragraph for hints.

   * Copy xts.ko and gf128mul.ko modules to default folder with crypto modules for your kernel

cp temp/lib/modules/2.6.32-5-486/kernel/crypto/xts.ko /lib/modules/2.6.32-5-486/kernel/crypto/
cp temp/lib/modules/2.6.32-5-486/kernel/crypto/gf128mul.ko /lib/modules/2.6.32-5-486/kernel/crypto/

   * Load xts module

depmod -a
modprobe xts

   * Check what’s currently encrypted on your system and remove encryption on your root filesystem partition. Be careful – do not remove the one for swap!

dmsetup ls
cryptsetup remove sda5_crypt

   * Overwrite entire partition with random data. This will take a lot of time! With big disks it may take several hours or even days to complete. However, it’s normal and highly recommended – this way the attacker won’t be able to distinguish where your data ends on the disk which makes the attack much more complicated and time-consuming.

dd if=/dev/urandom of=/dev/sda5 bs=1M

   * Wait patiently until it finishes. You can check the progress by sending USR1 signal to dd process. To do so, switch to another console by pressing Alt+F3 and find dd process ID. Then send USR1 signal to it:

ps | grep dd
kill -USR1 <dd process ID>

and switch back to the second console by pressing Alt+F2

   * When dd finishes encrypt the partition with aes-xts-plain64 cipher and 512 bit long key. Remember to enter a strong passphrase. There’s a nice paragraph explaining how you should choose your passphrase: https://help.ubuntu.com/community/EncryptedFilesystemHowto#I_want_to_use_a_passphrase._How_long_does_it_need_to_be.3F

cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/sda5

 * Configure LVM volumes
   * Open newly encrypted partition and create two LVM volumes: one for main root filesystem (8GB) and one for the rest of the disk to be used as a data storage in OMV.

cryptsetup luksOpen /dev/sda5 pvcrypt
pvcreate /dev/mapper/pvcrypt
vgcreate openmediavault /dev/mapper/pvcrypt
lvcreate -n root -L 8G openmediavault
lvcreate -n omv_local -l 100%FREE openmediavault

 * Final partition configuration and system installation
   * Press Alt+F1 to go back to the installer screen. Choose "Go back" there and then "Partition disk" so the disk is rescanned and all changes we made manually are introduced into the installer. You may get some errors – do not worry about them, just press go back and you’ll finally get to main partitioning screen with all changes visible there
   * Select LV root and press enter to configure that partition
   * Go to "Use as" and select "Ext4 journaling file system"
   * Go to "Mount point" and select "/ - the root file system"
   * Select "Done setting up the partition"
   * Select LV omv_local and press enter to configure that partition
   * Go to "Use as" and select "Ext4 journaling file system". Leave "Mount point" as "none" – you’ll be able to mount it later on in OMV web GUI
   * Go to "Reserved blocks" and select "0%" there to use all partition space to store data
   * Select "Done setting up the partition"
   * When you’re back to main "Partition disk" page select "Finish partitioning and write changes to disk"
   * You’ll get a warning that omv_local has no mount point assigned and you should go back to partitioning menu. Do not go back.
   * Confirm writing all changes to disk and watch the system being installed.
   * Choose the Debian mirror closest to you.
   * Enter data of the proxy server you use in your network, if any, and wait until additional packages are fetched and installed
   * When the final message asks you to remove your installation media and press "Continue" to reboot to the freshly installed system – do NOT continue yet
 * Update crypttab and initramfs
   * Press Alt-F2 to switch to the 2nd console
   * Chroot to the freshly installed system

cd /mnt
mkdir root
mount /dev/mapper/openmediavault-root root/
mount /dev/sda1 root/boot/
chroot root/
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

   * Add encrypted sda5 partition to /etc/crypttab. Edit the file with nano editor (Alt+6, Ctrl+U to copy the first line so it’s easier just to modify). Add the following:

pvcrypt /dev/sda5 none luks

   * Update initramfs

update-initramfs -u

 * Final reboot
   * Press Alt+F1 to go back to the installer screen and continue to reboot
   * Right after reboot it should ask you for the encryption password. You will have to enter it each time you reboot the machine (unless you configure a key file stored on some pendrive or SSH server to unlock it remotely – check "What’s next" paragraph)

= Step 2 - Mount partition from local disk in OMV web GUI =

To use remaining part of the disk configured as "omv_local" LVM volume, it must be mounted in OMV web GUI. Just go to "Filesystems", select /dev/mapper/openmediavault-omv_local and press Mount

= Step 3 - RAID encrypted with a key file mounted automatically on system startup =

 * Connect your disks and create raid in the web GUI in a standard way. Wait until the array is built clean
 * Login to OMV root console
 * Overwrite entire array with random data. This will take a lot of time! With big disks it may take several hours or even days to complete. However, it’s normal and highly recommended – this way the attacker won’t be able to distinguish where your data ends on the disk which makes the attack much more complicated and time-consuming.

dd if=/dev/urandom of=/dev/md0 bs=1M

 * When dd finishes, encrypt the partition with aes-xts-plain64 cipher and 512 bit long key. Remember to enter a strong passphrase. There’s a nice paragraph explaining how you should choose your passphrase: https://help.ubuntu.com/community/EncryptedFilesystemHowto#I_want_to_use_a_passphrase._How_long_does_it_need_to_be.3F

cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/md0

 * Open encrypted array and create ext4 file system there without any reserved blocks which are not really needed on non-system partition:

cryptsetup luksOpen /dev/md0 raid1
mkfs.ext4 -m 0 /dev/mapper/raid1

 * Choose a file for a key to your encrypted raid. It can be either randomly generated one or some mp3 or photo (better, as it’s more difficult to find out if that’s a key or just a normal file, just make sure you use a file created by yourself so nobody else has it).
 * You can use dd to create random key file

dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

 * Limit the rights to the keyfile

chown root:root /root/keyfile
chmod 0400 /root/keyfile

 * Add the key file to your array crypto header

cryptsetup luksAddKey /dev/md0 /root/keyfile

 * Find out what’s UUID of your array. The one pointing to /dev/md0 is the correct one

blkid

 * Add the array encryption configuration to /etc/crypttab

raid1 UUID=b0825b66-5272-4058-817a-00f77975bc02 /root/keyfile luks

 * Update initramfs

update-initramfs -u

 * Reboot and then mount partition from local disk in OMV web GUI. Just go to "Filesystems", select /dev/mapper/raid1 and press Mount
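
A check for the key file permissions set in Step 3, run over every key file that /etc/crypttab references. This is an added example, not part of the original tutorial; the function name audit_crypttab and the --check switch are hypothetical, and it assumes a stat that supports -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit key files named in a crypttab-format file.
# Prints one finding per line; returns 1 if there is any finding.
# Usage: audit_crypttab FILE [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
audit_crypttab() {
    tab=$1
    want_uid=${2:-0}
    findings=0
    # crypttab fields: <target> <source device> <key file> <options>
    while read -r target source keyfile options || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac
        case $keyfile in
            ''|none) continue ;;                   # passphrase typed at boot
            /dev/urandom|/dev/random) continue ;;  # throw-away random key (swap)
        esac
        if [ ! -f "$keyfile" ]; then
            echo "$target: key file $keyfile does not exist"
            findings=1
            continue
        fi
        mode=$(stat -L -c '%a' "$keyfile")
        uid=$(stat -L -c '%u' "$keyfile")
        # The tutorial sets chmod 0400: readable by the owner, nothing else.
        if [ "$mode" != 400 ]; then
            echo "$target: $keyfile has mode $mode, expected 400"
            findings=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "$target: $keyfile is owned by uid $uid, expected $want_uid"
            findings=1
        fi
    done < "$tab"
    return "$findings"
}

# Script mode: ./audit-crypttab.sh --check [FILE]
if [ "${1:-}" = --check ]; then
    audit_crypttab "${2:-/etc/crypttab}"
fi
```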

= What’s next =
 * Add a key file stored on pendrive to unlock your system
 * Configure SSH server to unlock the system remotely
 * Configure a script to check if nobody was tampering with your /boot partition
 * Create backups of crypto headers and possibly the whole system
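
One way to approach the /boot tampering check listed above, since /boot is the only part of the disk left unencrypted. This is an added example, not part of the original tutorial; the function names are hypothetical, and it assumes the manifest is kept on the encrypted root filesystem and that only files inside /boot are checked, not boot loader code outside the file system.

```shell
#!/bin/sh
# Added example: detect changes to the unencrypted /boot partition by comparing
# it with a SHA-256 manifest stored on the encrypted root file system.

# boot_snapshot DIR: print "<sha256>  ./path" for every regular file under DIR.
boot_snapshot() {
    (cd "$1" && find . -xdev -type f -exec sha256sum {} +)
}

# boot_baseline DIR MANIFEST: record the current state (repeat after kernel updates).
boot_baseline() {
    (umask 077 && boot_snapshot "$1" > "$2")
}

# boot_verify DIR MANIFEST: print ADDED/CHANGED/MISSING files.
# Returns 0 if DIR matches the manifest, 1 on differences, 2 if the manifest is unusable.
boot_verify() {
    [ -s "$2" ] || { echo "manifest $2 missing or empty" >&2; return 2; }
    now=$(mktemp) || return 2
    boot_snapshot "$1" > "$now"
    report=$(awk '
        # A sha256sum line is 64 hex digits, two separator characters, then the
        # path, so the path starts at column 67.
        NR == FNR { old[substr($0, 67)] = $1; next }   # first file: the manifest
        {
            p = substr($0, 67)
            if (!(p in old))       print "ADDED   " p
            else if (old[p] != $1) print "CHANGED " p
            delete old[p]
        }
        END { for (p in old) print "MISSING " p }
    ' "$2" "$now")
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

For instance, run boot_baseline /boot /root/boot.sha256 once after installation and boot_verify /boot /root/boot.sha256 from a boot-time script or cron job; the manifest path is a placeholder.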

= Additional notes =

Always use strong passphrases, but something you can memorize. There’s a nice paragraph explaining how you should choose your passphrase: https://help.ubuntu.com/community/EncryptedFilesystemHowto#I_want_to_use_a_passphrase._How_long_does_it_need_to_be.3F

Definitely one of the best tutorials I saw is for ArchLinux. Check [5]

= Ideas, feedback, discussion =

Please post any feedback or ideas about this manual on the forum: http://forums.openmediavault.org/viewtopic.php?f=12&t=984