This article describes how to encrypt whole partitions, file containers and even swap space using dm-crypt/cryptsetup-luks.
In order to use dm-crypt, several requirements have to be met.
- a Linux kernel which supports it (NOTE: the stock kernel does not have dm-crypt built in, but it may ship it as a module -- "modprobe dm-crypt" followed by "modprobe aes-i586" might be all you need.)
- at least one cipher, built in or as a module (aes in the examples below)
- a userspace utility (cryptsetup-luks).
- To use encrypted container files, you'll also need loopback device support in your kernel.
zcat /proc/config.gz | grep DM_CRYPT
This should output
CONFIG_DM_CRYPT=y (or 'm').
(/proc/config.gz only exists if the kernel was built with CONFIG_IKCONFIG_PROC; if it is missing, check your kernel's .config instead.)
Next, install cryptsetup-luks. The package is available from [current]:
pacman -S cryptsetup
So, let's start by creating an encrypted container!
dd if=/dev/zero of=/bigsecret bs=1M count=10 # you can also use if=/dev/urandom, if you're really paranoid: then an attacker can't tell how much of the container is actually in use
This will create the file /bigsecret with a size of 10 megabytes.
losetup /dev/loop0 /bigsecret
This associates the loop device /dev/loop0 with the container file, so that we can use it like a block device.
cryptsetup luksFormat /dev/loop0
This writes a LUKS header to /dev/loop0 (destroying whatever was on it) and asks you for a passphrase for your new container file.
cryptsetup luksOpen /dev/loop0 secret
The encrypted container is now available through the device file /dev/mapper/secret. Now we are able to create a filesystem in the container, for example reiserfs,
mkreiserfs /dev/mapper/secret
and mount it...
mkdir /mnt/secret
mount -t reiserfs /dev/mapper/secret /mnt/secret
We can now use the container as if it was a normal partition! To unmount/deactivate the container, we have to do the following:
umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0 # free the loop device
So, if you want to mount the container again, you just apply the following commands:
losetup /dev/loop0 /bigsecret
cryptsetup luksOpen /dev/loop0 secret
mount -t reiserfs /dev/mapper/secret /mnt/secret
Pretty easy, huh? If you want to encrypt a partition rather than a container file, you would do the following:
cryptsetup luksFormat /dev/hda2 # /dev/hda2 being the partition we want to encrypt
cryptsetup luksOpen /dev/hda2 secret
mkreiserfs /dev/mapper/secret # or whatever filesystem you desire
mount /dev/mapper/secret /mnt/secret
and we're set! To unmount it, just do
umount /mnt/secret
cryptsetup luksClose secret
Using a key (keyfile) to encrypt a partition
Let's first generate a 2048-byte random keyfile (bs=1k count=2 gives 2 x 1024 bytes):
dd if=/dev/urandom of=keyfile bs=1k count=2
We can now format our container using this key
cryptsetup luksFormat /dev/loop0 keyfile
or our partition :
cryptsetup luksFormat /dev/hda2 keyfile
Once formatted, we can now open the LUKS device using the key:
cryptsetup -d keyfile luksOpen /dev/loop0 container
You can now, like before, format the device /dev/mapper/container with your favourite filesystem and then mount it just as easily.
The keyfile is now the only key to your container (unless you add a passphrase as a second key slot with luksAddKey, which is what makes the password fallback in the configuration at the end of this article possible). Keep it readable by root only, and I personally advise to encrypt your keyfile with your GPG key and to store an offsite secured copy of the file.
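The following script is an added example and not code from the original article: it wraps the losetup/luksOpen/mount sequence from the container section and the keyfile handling from this section into reusable shell functions, with the checks a practitioner wants before trusting a keyfile (exactly 2048 bytes, readable by root only, never silently overwritten). It assumes the cryptsetup-luks command syntax shown on this page, a losetup that supports -f (find a free loop device), and a hypothetical state directory STATE_DIR (default /var/run/cryptfile) in which it remembers which loop device backs each opened container.

```sh
#!/bin/sh
# Added example (not from the original article): helper functions for the
# container and keyfile procedures described above.
# Assumptions: cryptsetup-luks with luksOpen/luksClose/-d as shown on this
# page, a losetup that supports -f, and a hypothetical state directory
# STATE_DIR used to remember the loop device behind each open container.
set -u

STATE_DIR="${STATE_DIR:-/var/run/cryptfile}"
FSTYPE="${FSTYPE:-reiserfs}"

# Sanity checks before trusting a keyfile: it exists, is exactly 2048 bytes,
# and is not readable by group or others.
keyfile_ok() {
    kf="$1"
    [ -f "$kf" ] || { echo "keyfile $kf missing" >&2; return 1; }
    size=$(wc -c < "$kf" | tr -d ' ')
    [ "$size" -eq 2048 ] || { echo "keyfile $kf has $size bytes, expected 2048" >&2; return 1; }
    perms=$(ls -ld "$kf" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "keyfile $kf has mode $perms, want -rw-------" >&2; return 1; }
    return 0
}

# Generate a 2048-byte random keyfile that only its owner can read.
# The umask is set before dd creates the file, so the key material is never
# world-readable, not even briefly. An existing file is never overwritten:
# losing a keyfile means losing the data it protects.
make_keyfile() {
    kf="$1"
    [ -e "$kf" ] && { echo "refusing to overwrite $kf" >&2; return 1; }
    ( umask 077; dd if=/dev/urandom of="$kf" bs=1k count=2 2>/dev/null ) || return 1
    keyfile_ok "$kf"
}

# open_container FILE NAME [KEYFILE] [MOUNTPOINT]
# Attaches FILE to a free loop device, opens the LUKS volume as
# /dev/mapper/NAME (with KEYFILE if given, otherwise cryptsetup asks for a
# passphrase) and mounts it. Every failure undoes the previous steps.
open_container() {
    file="$1"; name="$2"; kf="${3:-}"; mnt="${4:-/mnt/$2}"
    loop=$(losetup -f) || return 1
    losetup "$loop" "$file" || return 1
    if [ -n "$kf" ]; then
        keyfile_ok "$kf" || { losetup -d "$loop"; return 1; }
        cryptsetup -d "$kf" luksOpen "$loop" "$name" || { losetup -d "$loop"; return 1; }
    else
        cryptsetup luksOpen "$loop" "$name" || { losetup -d "$loop"; return 1; }
    fi
    mkdir -p "$mnt" "$STATE_DIR"
    if ! mount -t "$FSTYPE" "/dev/mapper/$name" "$mnt"; then
        cryptsetup luksClose "$name"; losetup -d "$loop"; return 1
    fi
    printf '%s %s\n' "$loop" "$mnt" > "$STATE_DIR/$name"
}

# close_container NAME: unmount, close the mapping, free the loop device.
close_container() {
    name="$1"
    read -r loop mnt < "$STATE_DIR/$name" || return 1
    umount "$mnt" || return 1
    cryptsetup luksClose "$name" || return 1
    losetup -d "$loop" || return 1
    rm -f "$STATE_DIR/$name"
}

# Usage: cryptfile.sh keyfile PATH | open FILE NAME [KEYFILE] [MOUNTPOINT] | close NAME
case "${1:-}" in
    keyfile) make_keyfile "$2" ;;
    open)    shift; open_container "$@" ;;
    close)   close_container "$2" ;;
    *)       ;;   # no command given: only define the functions
esac
```

With the container and keyfile from this article, "cryptfile.sh keyfile /root/keyfile", "cryptfile.sh open /bigsecret secret /root/keyfile" and "cryptfile.sh close secret" replace the three-command sequences above; open_container refuses a keyfile that is readable by others, because a world-readable keyfile makes the encryption pointless on a shared machine.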
Highly paranoid: Encrypted swap partition
To use an encrypted swap partition, we have to do the following:
- comment out your swap partition in /etc/fstab, so that it doesn't get activated during boot
- then put the following lines into your /etc/rc.local:
cryptsetup -c aes -s 256 -d /dev/urandom create swap0 /dev/foo # where foo is your swap partition
mkswap /dev/mapper/swap0
swapon /dev/mapper/swap0
This uses plain dm-crypt (no LUKS header) with a 256-bit key read from /dev/urandom, so the key exists only in kernel memory and a new one is generated at every boot. Double-check that /dev/foo really is your swap partition, because mkswap overwrites it without asking, and note that suspend-to-disk cannot resume from swap whose key changes at every boot.
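As an added example (not part of the original article), here is the rc.local snippet above wrapped in the checks a boot script should make before it runs mkswap on a device name: the target must be a block device, must not be mounted, must not already be active swap, and must not still have an uncommented entry in /etc/fstab. It assumes the "cryptsetup create" syntax used on this page; the MOUNTS, SWAPS and FSTAB variables default to the real files and exist only so the check can be exercised against constructed copies.

```sh
#!/bin/sh
# Added example (not from the original article): encrypted swap setup with
# safety checks. Assumes the cryptsetup "create"/"remove" syntax shown on this
# page. MOUNTS/SWAPS/FSTAB default to the real files; they are variables only
# so the checks can be tested against constructed copies.
set -u

MOUNTS="${MOUNTS:-/proc/mounts}"
SWAPS="${SWAPS:-/proc/swaps}"
FSTAB="${FSTAB:-/etc/fstab}"

# device_in_use DEV: returns 0 if DEV is mounted, is active swap, or still has
# an uncommented fstab entry (the article says to comment it out). Any of these
# means mkswap would destroy data or fight the boot scripts, so the caller
# must abort. Returns 1 if the device looks free.
device_in_use() {
    dev="$1"
    if [ -r "$MOUNTS" ] && grep -q "^$dev[[:space:]]" "$MOUNTS"; then
        echo "$dev is mounted" >&2; return 0
    fi
    if [ -r "$SWAPS" ] && grep -q "^$dev[[:space:]]" "$SWAPS"; then
        echo "$dev is already active swap" >&2; return 0
    fi
    if [ -r "$FSTAB" ] && grep -v '^[[:space:]]*#' "$FSTAB" | grep -q "^[[:space:]]*$dev[[:space:]]"; then
        echo "$dev still has an uncommented entry in $FSTAB" >&2; return 0
    fi
    return 1
}

# setup_encrypted_swap DEV [NAME]: map DEV with a fresh 256-bit key read from
# /dev/urandom (the key lives only in kernel memory), then mkswap/swapon the
# mapping. Because the key is never stored, old swap contents are unrecoverable
# after a reboot, and suspend-to-disk cannot resume from this swap.
setup_encrypted_swap() {
    dev="$1"; name="${2:-swap0}"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if device_in_use "$dev"; then
        return 1
    fi
    cryptsetup -c aes -s 256 -d /dev/urandom create "$name" "$dev" || return 1
    mkswap "/dev/mapper/$name" || { cryptsetup remove "$name"; return 1; }
    swapon "/dev/mapper/$name"
}

# rc.local usage: /path/to/this/script /dev/foo
if [ $# -gt 0 ]; then
    setup_encrypted_swap "$@"
fi
```

Calling it from rc.local with the swap partition as the only argument gives the same result as the three commands above, but a typo in the device name that points at a mounted filesystem is caught before anything is written.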
Let's take a look at my configuration:
I have three partitions which are encrypted using dm-crypt: /home and /var, both mounted at boot time, and an encrypted swap partition. I'm using different keyfiles for /home and /var, which are saved in an encrypted container on my USB stick. I'm also able to decrypt the partitions with a password, if the keyfiles are fscked (thanks to LUKS :). The swap space is encrypted with a key which is generated at boot time (so nothing will be readable after a reboot). The keyfile for the USB stick is in /etc (unencrypted), so the USB stick becomes the key to my system.