Using DM-Crypt

From ArchWiki
Revision as of 06:41, 23 May 2007 by Gilneas (talk | contribs) (Requirements)

This article describes how to encrypt whole partitions, file containers and even swap space using dm-crypt/cryptsetup-luks.

Requirements

In order to use dm-crypt, several requirements have to be met:

  • a Linux kernel which supports it (NOTE: the stock kernel comes with NO dm-crypt support, but running "modprobe dm-crypt" and "modprobe aes-i586" might enable it for you)
  • at least one cryptographic algorithm (e.g. aes)
  • a userspace utility (cryptsetup-luks)
  • to use encrypted container files, you'll also need loopback support in your kernel

To check whether your kernel was built with dm-crypt support, run:

zcat /proc/config.gz | grep DM_CRYPT

This should output

CONFIG_DM_CRYPT=y (or =m if it is built as a module).

The next step is to install cryptsetup-luks. You can get it from [current] now:

pacman -S cryptsetup

Using cryptsetup-luks

So, let's start by creating an encrypted container!

dd if=/dev/zero of=/bigsecret bs=1M count=10 # you can also use if=/dev/urandom, if you're really paranoid

This will create the file 'bigsecret' with a size of 10 megabytes.

losetup /dev/loop0 /bigsecret

This will attach the file to the loop device /dev/loop0, so that we can use our container like a block device.

cryptsetup luksFormat /dev/loop0

This will ask you for a password for your new container file.

cryptsetup luksOpen /dev/loop0 secret

The encrypted container is now available through the device file /dev/mapper/secret. Now we are able to create a filesystem in the container, for example reiserfs:

mkreiserfs /dev/mapper/secret

and mount it...

mkdir /mnt/secret
mount -t reiserfs /dev/mapper/secret /mnt/secret

We can now use the container as if it were a normal partition! To unmount/deactivate the container, we have to do the following:

umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0 # free the loopdevice.

So, if you want to mount the container again, you just apply the following commands:

losetup /dev/loop0 /bigsecret
cryptsetup luksOpen /dev/loop0 secret
mount -t reiserfs /dev/mapper/secret /mnt/secret

Pretty easy, huh? If you want to encrypt a partition rather than a container file, you would do the following:

cryptsetup luksFormat /dev/hda2 # /dev/hda2 being the partition we want to encrypt
cryptsetup luksOpen /dev/hda2 secret
mkreiserfs /dev/mapper/secret # or whatever filesystem you desire
mount /dev/mapper/secret /mnt/secret

And we're set! To unmount it, just do:

umount /mnt/secret
cryptsetup luksClose secret
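
The open/close sequence above, wrapped in a small POSIX shell script as an added example (it is not part of the wiki page or of cryptsetup itself). It runs the page's kernel-support check first, undoes partial work if a step fails, and tears down in the reverse order the page gives. The function names, the DRY_RUN switch (which only prints the commands) and the /mnt/NAME mount point are this example's own conventions; it assumes cryptsetup-luks and util-linux are installed and that it runs as root.

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: the page's losetup -> luksOpen
# -> mount sequence and its reverse as functions, with a kernel support
# check and rollback of partial work. Assumes cryptsetup-luks and
# util-linux are installed and that the script runs as root.
set -eu

# run CMD...: execute CMD, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# dm_crypt_supported [CONFIG]: the page's "zcat /proc/config.gz | grep
# DM_CRYPT" check; true when dm-crypt is built in (y) or a module (m).
# A plain-text config (as used by the test) is accepted via the cat fallback.
dm_crypt_supported() {
    cfg=${1:-/proc/config.gz}
    { zcat "$cfg" 2>/dev/null || cat "$cfg"; } | grep -Eq '^CONFIG_DM_CRYPT=(y|m)$'
}

# open_container FILE NAME [LOOPDEV]: attach, luksOpen, mount at /mnt/NAME.
# If a later step fails, the earlier ones are undone so nothing stale remains.
open_container() {
    file=$1; name=$2; loopdev=${3:-/dev/loop0}
    run losetup "$loopdev" "$file" || return 1
    if ! run cryptsetup luksOpen "$loopdev" "$name"; then
        run losetup -d "$loopdev"; return 1
    fi
    run mkdir -p "/mnt/$name"
    if ! run mount "/dev/mapper/$name" "/mnt/$name"; then
        run cryptsetup luksClose "$name"; run losetup -d "$loopdev"; return 1
    fi
}

# close_container NAME [LOOPDEV]: strictly the reverse order. With set -e a
# failed umount stops the script, so the mapping is never closed under a mount.
close_container() {
    name=$1; loopdev=${2:-/dev/loop0}
    run umount "/mnt/$name"
    run cryptsetup luksClose "$name"
    run losetup -d "$loopdev"
}

case "${1:-}" in
    open)  shift; dm_crypt_supported || { echo "no dm-crypt support" >&2; exit 1; }
           open_container "$@" ;;
    close) shift; close_container "$@" ;;
    "")    ;;  # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open FILE NAME [LOOPDEV] | close NAME [LOOPDEV]" >&2 ;;
esac
```

mount is called without -t so the filesystem type is detected; pass the loop device explicitly if /dev/loop0 is already in use.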

Using a key (keyfile) to encrypt a partition

Let's first generate a 2048-byte random keyfile:

dd if=/dev/urandom of=keyfile bs=1k count=2

We can now format our container using this key:

cryptsetup luksFormat /dev/loop0 keyfile

or our partition:

cryptsetup luksFormat /dev/hda2 keyfile

Once formatted, we can open the LUKS device using the key:

cryptsetup -d keyfile luksOpen /dev/loop0 container

You can now, like before, create your favourite filesystem on the device /dev/mapper/container and mount it just as easily.

The keyfile is now the only key to your container. I personally advise encrypting your keyfile using your private GPG key and storing an offsite secured copy of the file.

Highly paranoid: Encrypted swap partition

To use an encrypted swap partition, we have to do the following:

  • comment out your swap partition in /etc/fstab, so that it doesn't get activated during boot
  • then put the following lines into your /etc/rc.local:

cryptsetup -c aes -s 256 -d /dev/urandom create swap0 /dev/foo # where /dev/foo is your swap partition
mkswap /dev/mapper/swap0
swapon /dev/mapper/swap0

Because the key is read from /dev/urandom on every boot, the swap contents cannot be recovered after a reboot.

Let's take a look at my configuration:

I have three partitions which are encrypted using dm-crypt: /home and /var, both mounted at boot time, and an encrypted swap partition. I'm using different keyfiles for /home and /var, which are saved in an encrypted container on my USB stick. I'm also able to decrypt the partitions with a password if the keyfiles are fscked (thanks to LUKS :). The swap space is encrypted with a key which is generated at boot time (so nothing will be readable after reboot). The keyfile for the USB stick is in /etc (unencrypted), so the USB stick becomes the key to my system.