This article describes how to encrypt whole partitions, file containers and even swap space using dm-crypt/cryptsetup-luks.
In order to use dm-crypt, several requirements have to be met.
- a Linux kernel which supports it (NOTE: the stock kernel comes with NO dm-crypt support built in, but running "modprobe dm-crypt" and "modprobe aes-i586" might enable it for you)
- at least one cryptographic algorithm (aes)
- a userspace utility (cryptsetup-luks)
- to use encrypted container files, you'll need loopback support in your kernel.
To check whether your kernel supports dm-crypt, run:
zcat /proc/config.gz | grep DM_CRYPT
This should output:
CONFIG_DM_CRYPT=y (or 'm').
Next, install cryptsetup-luks. You can get it from [current] now:
pacman -S cryptsetup
So, let's start by creating an encrypted container!
dd if=/dev/zero of=/bigsecret bs=1M count=10 # you can also use if=/dev/urandom, if you're really paranoid
This will create the file 'bigsecret' with a size of 10 megabytes.
losetup /dev/loop0 /bigsecret
This will attach the file to the loop device /dev/loop0, so that we can use our container like a block device.
cryptsetup luksFormat /dev/loop0
This will ask you for a password for your new container file.
cryptsetup luksOpen /dev/loop0 secret
The encrypted container is now available through the device file /dev/mapper/secret. Now we can create a filesystem in the container (reiserfs in this example, made with mkreiserfs just as in the partition example below) and mount it:
mkdir /mnt/secret
mount -t reiserfs /dev/mapper/secret /mnt/secret
We can now use the container as if it were a normal partition! To unmount/deactivate the container, we have to do the following:
umount /mnt/secret
cryptsetup luksClose secret
losetup -d /dev/loop0 # free the loop device
So, if you want to mount the container again, just run the following commands:
losetup /dev/loop0 /bigsecret
cryptsetup luksOpen /dev/loop0 secret
mount -t reiserfs /dev/mapper/secret /mnt/secret
Pretty easy, huh? If you want to encrypt a partition rather than a container file, you would do the following:
cryptsetup luksFormat /dev/hda2 # /dev/hda2 being the partition we want to encrypt
cryptsetup luksOpen /dev/hda2 secret
mkreiserfs /dev/mapper/secret # or whatever filesystem you desire
mount /dev/mapper/secret /mnt/secret
And we're set! To unmount it, just do:
umount /mnt/secret
cryptsetup luksClose secret
Using a key (keyfile) to encrypt a partition
Let's first generate a 2048-byte random keyfile:
dd if=/dev/urandom of=keyfile bs=1k count=2
We can now format our container using this key:
cryptsetup luksFormat /dev/loop0 keyfile
or our partition:
cryptsetup luksFormat /dev/hda2 keyfile
Once formatted, we can open the LUKS device using the key:
cryptsetup -d keyfile luksOpen /dev/loop0 container
You can now, like before, format the device /dev/mapper/container with your favorite filesystem and mount it just as easily.
The keyfile is now the only key to your container. I personally advise encrypting your keyfile using your private GPG key and storing an offsite, secured copy of the file.
Encrypted swap partition
To use an encrypted swap partition, do the following:
- comment out your swap partition in /etc/fstab, so that it doesn't get activated during boot
- then put the following lines into your /etc/rc.local:
cryptsetup -c aes -s 256 -d /dev/urandom create swap0 /dev/foo # where foo is your swap partition
mkswap /dev/mapper/swap0
swapon /dev/mapper/swap0
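The rc.local sequence above wipes the swap partition with a fresh random key on every boot, so it is worth checking first that the device is really no longer referenced by an active /etc/fstab entry. The following helper is an added example and not part of the original article; it runs the article's three commands only after that check passes, and DRY_RUN=1 (a name chosen here for testing without root) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added helper for the encrypted-swap setup described above (not the article's own code).
# Refuses to run if an uncommented fstab line still names the swap partition, since the
# article requires that entry to be commented out before the random-key setup is used.

# run: execute a command, or just print it when DRY_RUN=1 (assumed name for testing).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# fstab_references <device> <fstab file>
# Returns 0 if some active (uncommented, non-blank) line has <device> as its first field.
fstab_references() {
    dev=$1; fstab=$2
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                       # split the line on whitespace
        [ $# -eq 0 ] && continue           # blank line
        case "$1" in '#'*) continue ;; esac  # comment line (leading spaces allowed)
        [ "$1" = "$dev" ] && return 0
    done < "$fstab"
    return 1
}

# setup_encrypted_swap <swap partition> [fstab file, defaults to /etc/fstab]
setup_encrypted_swap() {
    part=$1; fstab=${2:-/etc/fstab}
    if fstab_references "$part" "$fstab"; then
        echo "refusing: $part is still active in $fstab; comment it out first" >&2
        return 1
    fi
    # The article's rc.local sequence: random key per boot, then make and enable swap.
    run cryptsetup -c aes -s 256 -d /dev/urandom create swap0 "$part" || return 1
    run mkswap /dev/mapper/swap0 || return 1
    run swapon /dev/mapper/swap0
}
```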
Encrypted tmp partition
To use an encrypted tmp partition, do the following:
Put the following line into your /etc/crypttab:
tmp0 /dev/sdaX /dev/urandom "-c aes-cbc-essiv:sha256 -h sha256 -s 256" # where sdaX is your tmp partition
Put the following lines into your /etc/rc.local:
mkfs.ext2 /dev/mapper/tmp0
mount /dev/mapper/tmp0
chmod 1777 /tmp # world-writable with the sticky bit, so users can only remove their own files
Put the following line into your /etc/fstab:
/dev/mapper/tmp0 /tmp ext2 defaults,noauto,noatime 0 0
Reboot the machine and check that it has worked via 'df'. The results should be like this:
/dev/mapper/tmp0 1035660 1408 981644 1% /tmp
You might also want to replace /var/tmp/ with a symbolic link to /tmp.
Let's take a look at my configuration:
I have three partitions which are encrypted using dm-crypt: /home and /var, both mounted at boot time, and an encrypted swap partition. I'm using different keyfiles for /home and /var, which are saved in an encrypted container on my USB stick. I'm also able to decrypt the partitions with a password if the keyfiles are fscked (thanks to LUKS :). The swap space is encrypted with a key which is generated at boot time (so nothing will be readable after reboot). The keyfile for the USB stick is in /etc (unencrypted), so the USB stick becomes the key to my system.