Using DM-Crypt

From ArchWiki
Revision as of 08:56, 1 December 2007 by Chris.Giles (talk | contribs) (→‎Encrypted tmp partition: - minor mod and add)

This article describes how to encrypt whole partitions, file containers and even swap space using dm-crypt/cryptsetup-luks.


In order to use dm-crypt, several requirements have to be met:

  • a Linux kernel which supports it (NOTE: the stock kernel does not have dm-crypt built in; if it was built as a module, "modprobe dm-crypt" and "modprobe aes-i586" will load it)
  • at least one cryptographic algorithm (aes)
  • a userspace utility (cryptsetup-luks)
  • to use encrypted container files, you'll also need loopback device support in your kernel

To check whether your kernel has dm-crypt support, run

zcat /proc/config.gz | grep DM_CRYPT

This should output

CONFIG_DM_CRYPT=y (built in) or CONFIG_DM_CRYPT=m (built as a module, load it with modprobe).

Next, install cryptsetup-luks; the package is available from [current]:

pacman -S cryptsetup

Using cryptsetup-luks

So, let's start by creating an encrypted container!

dd if=/dev/zero of=/bigsecret bs=1M count=10 # use if=/dev/urandom instead if you want to hide how much of the container is actually in use

This will create the file 'bigsecret' with a size of 10 megabytes.

losetup /dev/loop0 /bigsecret

This attaches the file to the loop device /dev/loop0, so that we can use the container as a block device. (If loop0 is already taken, "losetup -f" prints the first free loop device.)

cryptsetup luksFormat /dev/loop0

This writes the LUKS header to the loop device and asks you for a passphrase for your new container file. Anything already stored in the file is lost at this point.

cryptsetup luksOpen /dev/loop0 secret

The encrypted container is now available through the device file /dev/mapper/secret. Now we are able to create a filesystem in the container, for example reiserfs:

mkreiserfs /dev/mapper/secret

and mount it...

mkdir /mnt/secret
mount -t reiserfs /dev/mapper/secret /mnt/secret

We can now use the container as if it were a normal partition! To unmount/deactivate the container, we have to do the following:

umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0 # free the loopdevice.

To mount the container again later, just run the following commands:

losetup /dev/loop0 /bigsecret
cryptsetup luksOpen /dev/loop0 secret
mount -t reiserfs /dev/mapper/secret /mnt/secret

Pretty easy, huh? If you want to encrypt a partition rather than a container file, the steps are the same minus the loop device:

cryptsetup luksFormat /dev/hda2 # /dev/hda2 being the partition we want to encrypt
cryptsetup luksOpen /dev/hda2 secret
mkreiserfs /dev/mapper/secret # or whatever filesystem you desire
mount /dev/mapper/secret /mnt/secret

and we're set! To unmount it, just do

umount /mnt/secret
cryptsetup luksClose secret
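Both procedures above (a container file behind a loop device, or a partition used directly) can be wrapped in one script. The following is an added example and not part of the original ArchWiki page: it picks a free loop device instead of hard-coding /dev/loop0, refuses to open a name that is already mapped, and tears everything down in reverse order. The DRY_RUN switch, the function and argument names, and the assumed output format of "losetup -j" belong to this example, not to cryptsetup or losetup.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page): open and close a LUKS volume
# that lives either in a container file or on a partition.
# Assumes cryptsetup-luks and losetup as used in the text, and that the mount
# point already exists. DRY_RUN=1 is a switch of this script only: it prints
# the commands instead of running them, so the logic can be checked without root.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# A regular file needs a loop device; a block device is used as-is.
needs_loop() { [ -f "$1" ]; }

# open_secret SOURCE NAME MOUNTPOINT
open_secret() {
    src=$1; name=$2; mnt=$3
    if [ -e "/dev/mapper/$name" ]; then
        echo "$name is already mapped" >&2
        return 1
    fi
    dev=$src
    if needs_loop "$src"; then
        if [ "${DRY_RUN:-0}" = 1 ]; then
            dev=/dev/loopN              # placeholder; a real run asks losetup
        else
            dev=$(losetup -f)           # first free loop device, e.g. /dev/loop0
        fi
        run losetup "$dev" "$src"
    fi
    run cryptsetup luksOpen "$dev" "$name"    # asks for the LUKS passphrase
    run mount "/dev/mapper/$name" "$mnt"      # filesystem type is probed by mount
}

# close_secret NAME MOUNTPOINT [SOURCE]: reverse order; if SOURCE is a
# container file, also free the loop device(s) backing it.
close_secret() {
    name=$1; mnt=$2; src=${3:-}
    run umount "$mnt"
    run cryptsetup luksClose "$name"
    if [ -n "$src" ] && needs_loop "$src"; then
        if [ "${DRY_RUN:-0}" = 1 ]; then
            run losetup -d /dev/loopN
        else
            # "losetup -j FILE" lists one "/dev/loopX: ..." line per attached
            # loop device (util-linux output format assumed here).
            losetup -j "$src" | cut -d: -f1 | while read -r loopdev; do
                losetup -d "$loopdev"
            done
        fi
    fi
}

case "${1:-}" in
    open)  open_secret "$2" "$3" "$4" ;;
    close) close_secret "$2" "$3" "${4:-}" ;;
    "")    ;;    # no arguments: only define the functions
    *)     echo "usage: $0 open SOURCE NAME MOUNTPOINT | close NAME MOUNTPOINT [SOURCE]" >&2
           exit 1 ;;
esac
```

Saved as, say, secret.sh, "./secret.sh open /bigsecret secret /mnt/secret" and "./secret.sh close secret /mnt/secret /bigsecret" replace the two three-line sequences above; the mount is done without -t, so whatever filesystem you created in the container is used.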

Using a key (keyfile) to encrypt a partition

Let's first generate a 2048 byte random keyfile (do this as root, and make sure nobody else can read the file):

dd if=/dev/urandom of=keyfile bs=1k count=2

We can now format our container using this key:

cryptsetup luksFormat /dev/loop0 keyfile

or our partition:

cryptsetup luksFormat /dev/hda2 keyfile

Once formatted, we can open the LUKS device using the key:

cryptsetup -d keyfile luksOpen /dev/loop0 container

You can now, as before, create a filesystem on /dev/mapper/container and mount it just as easily.

The keyfile is now the only key to your data. Keep it readable by root only, and store an offsite backup copy of it, for example encrypted with GPG.
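The keyfile steps above, done carefully, as an added example that is not part of the original page: the keyfile is created with mode 0600 so that only root can read it, its size is verified, and a passphrase is added to a second LUKS key slot so that a lost keyfile does not lock you out of the data. "cryptsetup luksAddKey" and the -d option are real cryptsetup commands; the DRY_RUN switch and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page): generate a keyfile only root
# can read, then format a device with it and add a passphrase as a second
# LUKS key slot. Assumes cryptsetup-luks as used above; DRY_RUN=1 is a switch
# of this script only and prints the cryptsetup commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# make_keyfile PATH [BYTES]: BYTES random bytes (default 2048 as in the text),
# created with mode 0600, never overwriting an existing file.
make_keyfile() {
    path=$1; bytes=${2:-2048}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is born 0600, so there is no window
    # in which it is readable by other users.
    (umask 077 && dd if=/dev/urandom of="$path" bs="$bytes" count=1 2>/dev/null)
    # A short read would leave a weaker key than intended, so check the size.
    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$size" -ne "$bytes" ]; then
        echo "$path is $size bytes, expected $bytes" >&2
        return 1
    fi
}

# setup_luks DEVICE KEYFILE: luksFormat with the keyfile, then luksAddKey,
# which uses the keyfile (-d) to authorise the change and prompts for the
# new passphrase that goes into the second key slot.
setup_luks() {
    dev=$1; key=$2
    run cryptsetup luksFormat "$dev" "$key"
    run cryptsetup -d "$key" luksAddKey "$dev"
}
```

After "make_keyfile /root/secret.key" and "setup_luks /dev/hda2 /root/secret.key", "cryptsetup luksOpen /dev/hda2 secret" works with either the keyfile (-d) or the passphrase, and "cryptsetup luksDump /dev/hda2" lists both key slots as enabled.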

Encrypted swap partition

To use an encrypted swap partition, do the following:

  • comment out your swap partition in /etc/fstab, so that it doesn't get activated during boot
  • then put the following lines into your /etc/rc.local:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom create swap0 /dev/foo # where foo is your swap partition
mkswap /dev/mapper/swap0
swapon /dev/mapper/swap0

The key is read from /dev/urandom at every boot, so nothing in swap is readable after a reboot (which also means suspend-to-disk cannot resume from it). The cipher spec is the same one the tmp section below uses; a bare "-c aes" would give you aes-cbc-plain, whose predictable IVs are weaker than ESSIV. Make sure /dev/foo really is your swap partition: cryptsetup create and mkswap do not check what is on the device and will overwrite whatever is there.

Encrypted tmp partition

To use an encrypted tmp partition, do the following:

Put the following line into your /etc/crypttab (the cryptsetup options go in quotes):

tmp0 /dev/sdaX /dev/urandom "-c aes-cbc-essiv:sha256 -h sha256 -s 256" # where sdaX is your tmp partition

Put the following lines into your /etc/rc.local:

mkfs.ext2 /dev/mapper/tmp0
mount /dev/mapper/tmp0
chmod 1777 /tmp # sticky bit: users may only delete their own files

Put the following line into your /etc/fstab (adding nodev,nosuid to the options is a good idea for a world-writable /tmp):

/dev/mapper/tmp0 /tmp ext2 defaults,noauto,noatime 0 0

Reboot the machine and check via 'df' that it has worked. The output should look like this:

/dev/mapper/tmp0        1035660      1408    981644   1% /tmp

You might also want to replace /var/tmp/ with a symbolic link to /tmp.
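The /etc/rc.local parts of the swap and tmp setup above are collected here as an added example that is not part of the original page. It adds the check a practitioner wants before a boot script formats a device with a random key: cryptsetup create, mkswap and mkfs do not verify what is on the device, so if /dev/sdX has moved after a disk change, the script would quietly destroy a real filesystem at every boot. The guard uses blkid and only proceeds when the device carries no recognisable signature (which is what a plain dm-crypt device looks like from the outside after the first boot), unless FORCE=1 is set for the one-time conversion of an existing swap or tmp partition. Unlike the text, it also runs the cryptsetup create step for /tmp itself rather than via /etc/crypttab, so one guard covers both. FORCE, DRY_RUN and PROBE_TYPE are switches of this script only; PROBE_TYPE replaces blkid's answer so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page): rc.local-style setup of random-key
# swap and /tmp with a signature guard in front. Assumes cryptsetup-luks and
# blkid. DRY_RUN, FORCE and PROBE_TYPE are switches of this script only.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# probe_type DEV: the signature blkid sees on DEV ("swap", "ext2", ...), or
# nothing. PROBE_TYPE, if set, overrides blkid (for testing without root).
probe_type() {
    if [ -n "${PROBE_TYPE+set}" ]; then
        echo "$PROBE_TYPE"
    else
        blkid -o value -s TYPE "$1" 2>/dev/null || true
    fi
}

# guard DEV: succeed only if DEV carries no known signature. A plain dm-crypt
# device looks like random data from the outside, so after the first boot this
# is the normal case; a real filesystem or swap signature means either the
# wrong device or a first-time conversion, which needs an explicit FORCE=1.
guard() {
    sig=$(probe_type "$1")
    if [ -z "$sig" ]; then
        return 0
    fi
    if [ "${FORCE:-0}" = 1 ]; then
        echo "FORCE=1: overwriting $sig signature on $1" >&2
        return 0
    fi
    echo "$1 carries a $sig signature, not touching it (set FORCE=1 to convert)" >&2
    return 1
}

# Cipher spec as the tmp section uses; -d /dev/urandom makes the key
# unrecoverable after reboot (and rules out resuming from hibernation).
CIPHER=aes-cbc-essiv:sha256

# setup_swap DEV NAME
setup_swap() {
    guard "$1" || return 1
    run cryptsetup -c "$CIPHER" -s 256 -d /dev/urandom create "$2" "$1"
    run mkswap "/dev/mapper/$2"
    run swapon "/dev/mapper/$2"
}

# setup_tmp DEV NAME MOUNTPOINT: fresh ext2 each boot; nodev,nosuid because
# /tmp is world-writable; 1777 keeps the sticky bit so users cannot delete
# each other's files (a plain 777 would allow that).
setup_tmp() {
    guard "$1" || return 1
    run cryptsetup -c "$CIPHER" -s 256 -d /dev/urandom create "$2" "$1"
    run mkfs.ext2 -q "/dev/mapper/$2"
    run mount -o nodev,nosuid "/dev/mapper/$2" "$3"
    run chmod 1777 "$3"
}
```

In /etc/rc.local this becomes "setup_swap /dev/sda2 swap0" and "setup_tmp /dev/sda3 tmp0 /tmp"; on the very first boot after repartitioning, when the devices still carry their old swap and ext2 signatures, run them once with FORCE=1.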


Let's take a look at my configuration:

I have three partitions which are encrypted using dm-crypt: /home and /var, both mounted at boot time, and an encrypted swap partition. I'm using different keyfiles for /home and /var, which are saved in an encrypted container on my USB stick. I'm also able to decrypt the partitions with a password if the keyfiles are fscked (thanks to LUKS :). The swap space is encrypted with a key which is generated at boot time (so nothing will be readable after a reboot). The keyfile for the USB stick is in /etc (unencrypted), so the USB stick becomes the key to my system.