dm-crypt/Encrypting a non-root file system
This example covers the encryption of the /home partition, but it can be applied to any other comparable non-root partition containing user data.
First, prepare the partition by securely erasing it; see LUKS#Secure erasure of the hard disk drive.
Then set up the LUKS header with:
# cryptsetup options luksFormat device
Replace device with the previously created partition. See LUKS#Mapping Physical Partitions to LUKS for details.
To gain access to the encrypted partition, unlock it with the device mapper, using:
# cryptsetup open device name
See LUKS#Using LUKS to Format Partitions with a Passphrase for details.
After unlocking the partition, it will be available at /dev/mapper/name. Now create a file system of your choice with:
# mkfs.fstype /dev/mapper/name
Mount the file system to /home, or if it should be accessible to only one user to
Before shutting down, the file system needs to be unmounted and, in this order, the LUKS partition needs to be closed with:
# cryptsetup close name
Automated unlocking and mounting
There are two different solutions for automating the process of unlocking the partition and mounting its filesystem:
- Using crypttab, unlocking happens at boot time: this is the recommended solution if you want to use one common partition for all users' home directories. See Dm-crypt with LUKS/Common Scenarios/temp#Mount an encrypted partition at boot.
- With Pam mount, unlocking happens on user login: this is the recommended solution if you want to have a single user's home directory on a partition. See Pam mount.
Loopback file system
A loop device makes it possible to map a file to a block device with the standard util-linux tool losetup. The file can then contain a filesystem, which can be used much like any other filesystem. Many users know Truecrypt as a tool for creating encrypted containers. Nearly the same functionality can be achieved with a loopback filesystem encrypted with LUKS, as shown in the following example.
First, start by creating an encrypted container:
dd if=/dev/urandom of=/bigsecret bs=1M count=10
This will create the file bigsecret with a size of 10 megabytes. Next, set up the loop device /dev/loop0 for the file so that we can mount/use our container:
losetup /dev/loop0 /bigsecret
From now on the procedure is the same as for #Partition, except for the fact that the container is already randomised and won't need another secure erasure.
Manual mounting and unmounting
To unmount the container:
umount /mnt/secret
cryptsetup luksClose secret
Also free the loop device with:
losetup -d /dev/loop0
If you want to mount the container again, just apply the following commands:
losetup /dev/loop0 /bigsecret
cryptsetup open --type luks /dev/loop0 secret
mount -t ext2 /dev/mapper/secret /mnt/secret
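The whole loopback container lifecycle described above (create, open, close) as one added example script; it is not part of the original page. It assumes the default header sizes of current cryptsetup (16 MiB for LUKS2, 2 MiB for LUKS1), lets losetup pick a free loop device instead of hard-coding /dev/loop0, and creates ext4 rather than ext2; the create, open and close operations need root.

```shell
#!/bin/sh
# Loopback LUKS container lifecycle: create / open / close (constructed example).
# Assumption: cryptsetup reserves 16 MiB for a LUKS2 header and 2 MiB for a
# LUKS1 header by default, so a container must be larger than that to hold data.
set -eu

# Print the MiB reserved for the header of the given LUKS type.
luks_header_mib() {
    case "$1" in
        luks1) echo 2 ;;
        luks2) echo 16 ;;
        *) echo "unknown LUKS type: $1" >&2; return 1 ;;
    esac
}
# Succeed only if the file leaves at least 1 MiB of payload after the header.
container_big_enough() {
    bytes=$(( $(wc -c < "$1") ))
    header=$(luks_header_mib "$2")
    [ "$bytes" -ge $(( (header + 1) * 1024 * 1024 )) ]
}
# create FILE SIZE_MIB TYPE NAME: random-fill, format, make ext4 inside (root).
create_container() {
    dd if=/dev/urandom of="$1" bs=1M count="$2"
    container_big_enough "$1" "$3"
    dev=$(losetup --find --show "$1")      # first free loop device
    cryptsetup --type "$3" luksFormat "$dev"
    cryptsetup open "$dev" "$4"
    mkfs.ext4 /dev/mapper/"$4"
    cryptsetup close "$4"
    losetup -d "$dev"
}
# open FILE NAME MOUNTPOINT: attach, unlock and mount an existing container (root).
open_container() {
    dev=$(losetup --find --show "$1")
    cryptsetup open "$dev" "$2"
    mount /dev/mapper/"$2" "$3"
}
# close NAME MOUNTPOINT: the reverse, in the required order (unmount, close, detach).
close_container() {
    dev=$(cryptsetup status "$1" | awk '/device:/ {print $2}')
    umount "$2"
    cryptsetup close "$1"
    losetup -d "$dev"
}
case "${1:-}" in
    create) create_container "$2" "$3" "$4" "$5" ;;
    open)   open_container "$2" "$3" "$4" ;;
    close)  close_container "$2" "$3" ;;
esac
```

Invoke as `./container.sh create /bigsecret 32 luks2 secret`, then `open /bigsecret secret /mnt/secret` and `close secret /mnt/secret`.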