dm-crypt/Encrypting a non-root file system

From ArchWiki
Revision as of 10:47, 23 November 2013 by Kynikos (talk | contribs) (moved from Dm-crypt with LUKS/Common Scenarios)

This article is a stub.

Note: This article is currently under heavy restructuring; for its latest stable revision see Dm-crypt with LUKS.

Back to Dm-crypt with LUKS/draft.


This example covers the encryption of the /home partition, but it can be applied to any other comparable non-root partition containing user data.

Tip: You can either give a single user's home directory its own partition, or create one common partition holding all users' home directories.

First, prepare the partition by securely erasing it, see LUKS#Secure erasure of the hard disk drive.

Then setup the LUKS header with:

# cryptsetup options luksFormat device

Replace device with the previously created partition. See LUKS#Mapping Physical Partitions to LUKS for details.

To gain access to the encrypted partition, unlock it with the device mapper, using:

# cryptsetup open device name

See LUKS#Using LUKS to Format Partitions with a Passphrase for details.

After unlocking the partition, it will be available at /dev/mapper/name. Now create a file system of your choice with:

# mkfs.fstype /dev/mapper/name

Mount the file system to /home, or, if it should be accessible to only one user, to /home/username.

Before shutting down, the file system needs to be unmounted first and, only then, the LUKS mapping closed with:

# cryptsetup close name

Automated unlocking and mounting

There are two different solutions for automating the process of unlocking the partition and mounting its filesystem:

Loopback file system

A loop device maps a regular file to a block device, using the standard util-linux tool losetup. The file can then hold a file system that is used much like any other. Many users know TrueCrypt as a tool for creating encrypted containers; much the same functionality can be achieved with a LUKS-encrypted loopback file system, as shown in the following example.

First, start by creating an encrypted container:

dd if=/dev/urandom of=/bigsecret bs=1M count=10

This creates the file /bigsecret with a size of 10 megabytes. Note that current cryptsetup releases default to the LUKS2 header format, which reserves 16 MiB for the header alone, so either make the file larger or pass --type luks1 to luksFormat. Next, attach the file to the loop device /dev/loop0, so that the container can be unlocked and mounted:

losetup /dev/loop0 /bigsecret
Note: If this fails with the error /dev/loop0: No such file or directory, load the kernel module first with modprobe loop. On current kernels (since 3.2) loop devices are created on demand; ask for the first free one with losetup -f.

From here on the procedure is the same as for the partition case described above, with /dev/loop0 taking the place of the partition, except that the container is already filled with random data and does not need another secure erasure.

Note: If running cryptsetup luksFormat /dev/loop0 fails with an error like:
Command failed: Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 133 sectors
then the device-mapper module is not loaded; run modprobe dm-mod and retry.

Manual mounting and unmounting

To unmount the container:

umount /mnt/secret
cryptsetup close secret

Then free the loop device with:

losetup -d /dev/loop0

To mount the container again, run the same steps in order (the file system type passed to mount must match the one created with mkfs):

losetup /dev/loop0 /bigsecret
cryptsetup open --type luks /dev/loop0 secret
mount -t ext2 /dev/mapper/secret /mnt/secret
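The complete lifecycle above (create, unlock and mount, unmount and close, in the right order) as a small POSIX shell script. This is an added example, not code from the wiki page or from cryptsetup; the function names, the DRY_RUN switch, the /dev/loopN placeholder it prints when nothing is really attached, and the 32 MiB minimum are assumptions of this example. The same functions serve the partition procedure at the top of the page (skip the dd and losetup steps and pass the partition instead of the loop device), and the last two functions emit the /etc/crypttab and /etc/fstab lines that the "Automated unlocking and mounting" section refers to. With DRY_RUN=1 every privileged command is printed instead of executed, so the plan can be reviewed without root; a real run needs root, cryptsetup and losetup.

```shell
#!/bin/sh
# Lifecycle of a LUKS-encrypted loopback container (added example, not from
# the wiki). DRY_RUN=1 prints each privileged command as "+ CMD" instead of
# running it; otherwise the script needs root, cryptsetup and losetup.
set -eu

# run CMD...: execute CMD, or with DRY_RUN=1 print it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# check_name NAME: a device-mapper name must be non-empty and contain no '/'.
check_name() {
    case "$1" in
        ''|*/*) echo "invalid mapping name: '$1'" >&2; return 1 ;;
    esac
}

# loop_of FILE: print the loop device currently backing FILE
# (losetup -j prints "/dev/loopN: [dev]:inode (FILE)"). In dry-run mode
# nothing was attached, so the placeholder /dev/loopN is returned.
loop_of() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo /dev/loopN; return 0; fi
    losetup -j "$1" | head -n 1 | cut -d: -f1
}

# container_create FILE SIZE_MB NAME FSTYPE: create FILE, format it as LUKS,
# put an FSTYPE file system inside and leave it closed again.
container_create() {
    file=$1 size_mb=$2 name=$3 fstype=$4
    check_name "$name" || return 1
    # cryptsetup defaults to LUKS2, whose header alone takes 16 MiB; the
    # page's 10 MB container only works with --type luks1.
    [ "$size_mb" -ge 32 ] || { echo "use at least 32 MiB for a LUKS2 container" >&2; return 1; }
    # Random fill: used and unused space inside the container look alike,
    # so the container needs no separate secure erasure.
    run dd if=/dev/urandom of="$file" bs=1M count="$size_mb"
    run chmod 600 "$file"
    run losetup -f "$file"            # attach to the first free loop device
    loopdev=$(loop_of "$file")
    run cryptsetup luksFormat "$loopdev"
    run cryptsetup open "$loopdev" "$name"
    run mkfs."$fstype" /dev/mapper/"$name"
    # close in reverse order of opening: the mapping first, then the loop device
    run cryptsetup close "$name"
    run losetup -d "$loopdev"
}

# container_open FILE NAME MOUNTPOINT: attach, unlock and mount.
container_open() {
    file=$1 name=$2 mnt=$3
    check_name "$name" || return 1
    run losetup -f "$file"
    loopdev=$(loop_of "$file")
    # Refuse to continue if the file is not a LUKS container (real run only).
    if [ "${DRY_RUN:-0}" != 1 ] && ! cryptsetup isLuks "$loopdev"; then
        losetup -d "$loopdev"; echo "not a LUKS container: $file" >&2; return 1
    fi
    run cryptsetup open "$loopdev" "$name"
    run mount /dev/mapper/"$name" "$mnt"
}

# container_close FILE NAME MOUNTPOINT: unmount, lock, detach (order matters).
container_close() {
    file=$1 name=$2 mnt=$3
    loopdev=$(loop_of "$file")
    run umount "$mnt"
    run cryptsetup close "$name"
    run losetup -d "$loopdev"
}

# crypttab_entry NAME SOURCE and fstab_entry NAME MOUNTPOINT FSTYPE: the two
# lines that let systemd unlock (asking for the passphrase at boot) and then
# mount the volume automatically. SOURCE may be a partition, UUID=..., or the
# container file itself.
crypttab_entry() { printf '%s %s none luks\n' "$1" "$2"; }
fstab_entry()    { printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"; }

# Usage: DRY_RUN=1 sh container.sh create /bigsecret 64 secret ext4
case "${1:-}" in
    create) shift; container_create "$@" ;;
    open)   shift; container_open "$@" ;;
    close)  shift; container_close "$@" ;;
    *)      ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Run it first with DRY_RUN=1 to read the plan; the ordering it enforces (unmount, then cryptsetup close, then losetup -d) is exactly the ordering the manual steps above require, and a bad mapping name or an undersized container is rejected before dd writes anything.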

Resizing the loopback filesystem

See Dm-crypt with LUKS/Common Scenarios/temp#Resizing an encrypted loopback filesystem.