dm-crypt/Encrypting a non-root file system

From ArchWiki
< Dm-crypt
Revision as of 04:08, 1 December 2013 by Kynikos (Talk | contribs) (update links)

Jump to: navigation, search

Tango-document-new.pngThis article is a stub.Tango-document-new.png

Notes: This article is currently under heavy restructuring: for its latest stable revision see Dm-crypt with LUKS (Discuss in Talk:Dm-crypt/Encrypting a non-root file system#)

Back to Dm-crypt.

Partition

This example covers the encryption of the /home partition, but it can be applied to any other comparable non-root partition containing user data.

Tip: You can either have a single user's /home directory on a partition, or create a common partition for all user's /home partitions.

First, prepare the partition by securely erasing it, see Dm-crypt/Drive Preparation#Secure erasure of the hard disk drive.

Then setup the LUKS header with: 

# cryptsetup options luksFormat device

Replace device with the previously created partition. See Dm-crypt/Device Encryption#Mapping Physical Partitions to LUKS for details like the available options.

To gain access to the encrypted partition, unlock it with the device mapper, using: 

# cryptsetup open device name

After unlocking the partition, it will be available at /dev/mapper/name. Now create a file system of your choice with: 

# mkfs.fstype /dev/mapper/name

Mount the file system to /home, or if it should be accessible to only one user to /home/username, see #Manual mounting and unmounting.

Tip: Unmount and mount once to verify that the mapping is working as intended.

Manual mounting and unmounting

To mount the partition: 

cryptsetup open --type luks device name
mount -t ext2 /dev/mapper/name /mnt/home

To unmount it: 

umount /mnt/home
cryptsetup luksClose name

Automated unlocking and mounting

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Does unmounting need to be automated too? (Discuss in Talk:Dm-crypt/Encrypting a non-root file system#)

There are two different solutions for automating the process of unlocking the partition and mounting its filesystem.

Crypttab

Using crypttab, unlocking happens at boot time: this is the recommended solution if you want to use one common partition for all user's home partitions.

To make systemd open and mount the encrypted partition on boot, two files need to be edited, /etc/crypttab and /etc/fstab. The /etc/crypttab file describes encrypted block devices that are set up during system boot by systemd-cryptsetup-generator automatically.

For example, to open the encrypted LUKS partition on the device /dev/sdx1 with the name home, add this line: 

/etc/crypttab
home /dev/sdx1 none luks

The option none will trigger a prompt during boot to type the passphrase for unlocking the partition. A keyfile can also be set up and referenced instead. This results in an automatic unlocking, if the keyfile is accessible during boot. Since LUKS offers the option to have multiple keys, the chosen option can also be changed later.

See man crypttab (5) and read the file /etc/crypttab for more information.

Edit /etc/fstab and add an entry for the previously created path in /dev/mapper. Following above example the fstab entry looks like this: 

/etc/fstab
/dev/mapper/home /home <filesystem> defaults 0 2

Pam mount

With Pam mount, unlocking happens on user login: this is the recommended solution if you want to have a single user's home directory on a partition.

See Pam mount.

Loop device

A loop device enables to map a blockdevice to a file with the standard util-linux tool losetup. The file can then contain a filesystem, which can be used quite like any other filesystem. A lot of users know Truecrypt as a tool to create encrypted containers. Just about the same functionality can be achieved with a loopback filesystem encrypted with LUKS and is shown in the following example.

First, start by creating an encrypted container: 

dd if=/dev/urandom of=/bigsecret bs=1M count=10

This will create the file bigsecret with a size of 10 megabytes. Next create the device node /dev/loop0, so that we can mount/use our container: 

losetup /dev/loop0 /bigsecret
Note: If it gives you the error /dev/loop0: No such file or directory, you need to first load the kernel module with modprobe loop. These days (Kernel 3.2) loop devices are created on demand. Ask for a new loop device with losetup -f.

From now on the procedure is the same as for #Partition, except for the fact that the container is already randomised and won't need another secure erasure.

Note: If while running cryptsetup luksFormat /dev/loop0 you get an error like: 
Command failed: Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 133 sectors
then run modprobe dm-mod.

Manual mounting and unmounting

To unmount the container: 

umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0

To mount the container again: 

losetup /dev/loop0 /bigsecret
cryptsetup open --type luks /dev/loop0 secret
mount -t ext2 /dev/mapper/secret /mnt/secret

Resizing the loopback filesystem

First unmount the encrypted container: 

umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0

After this expand the container file with the size of the data you want to add: 

dd if=/dev/urandom bs=1M count=1024 | cat - >> /bigsecret
Warning: Be careful to really use two >, or you will override your current container.

You could use /dev/zero instead of /dev/urandom to significantly speed up the process, but with /dev/zero your encrypted filesystems will not be as secure. See Random Number Generation for more alternatives. A faster (almost instant) method than dd is truncate, but its use has the same security implications as using /dev/zero. The size passed to truncate is the final size to make the file, so do not use a value less than that of the current file or you will lose data. E.g. to increase a 20G file by 10G run truncate -s 30G filename.

Now map the container to the loop device: 

losetup /dev/loop0 /bigsecret
cryptsetup open --type luks /dev/loop0 secret

After this resize the encrypted part of the container to the maximum size of the container file: 

cryptsetup resize secret

Finally, resize the filesystem. Here is an example for ext2/3/4 (check the file system first as it's a bad idea to resize it if it is broken): 

e2fsck -f /dev/mapper/secret
resize2fs /dev/mapper/secret

You can now mount your container again: 

mount /dev/mapper/secret /mnt/secret
Retrieved from "https://wiki.archlinux.org/index.php?title=Dm-crypt/Encrypting_a_non-root_file_system&oldid=285580"