Using DM-CRYPT for on-the-fly encrypted containers

19 Aug 2008
last updated: 27 Jun 2012

If you want to keep some secret documents well guarded on your hard disk, you can encrypt them individually, using for example the GPG suite. But if you don't want to type a passphrase every five minutes, you can dedicate an entire partition to your sensitive material and store it there in a very secure way. How's that? Follow these steps…

Some background information:

Device Mapper and DM-Crypt

Starting with version 2.6, the Linux kernel provides the Device-Mapper interface, which allows layers of virtual block devices to be created on top of real block devices. These virtual devices are used for things like software RAID, snapshots or encryption. DM-Crypt is the Device-Mapper module that provides access to the kernel's cryptographic functions.

Cryptsetup

Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.

Linux Unified Key Setup (LUKS)

LUKS provides a standard on-disk format for encrypted partitions. It facilitates cross-distribution compatibility, allows multiple users/passphrases with effective passphrase revocation, and provides additional protection against attacks on low-entropy passphrases. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.

STEP 1: Prepare your kernel

In your kernel configuration you must enable the following (this example is from a 2.6.23 kernel):

Code maturity level options
        Prompt for development or/and incomplete code/drivers
Device Drivers -> Multiple devices driver support (RAID and LVM)
        (*) Device mapper support
        (M) Crypt target support
Cryptographic API
        (M) AES cipher algorithms
        (M) SHA256 digest algorithm

Compile and install the new kernel if you had to change anything.

STEP 2: Install required software

Install cryptsetup. If you can find a package for your distro, fine. Otherwise, build and install it from source (./configure; make; make install).

STEP 3: Create the partition you need

Create one or more partitions on the drive. Let's suppose that we need a 1 GB secure partition on our 80 GB hard disk. We'll use cfdisk (or fdisk, or any other partitioning tool of your choice) and create /dev/sda3.

(After that, reboot your machine to make sure the new partition is properly seen.)

STEP 4: Setup LUKS

cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3   # default cipher, passphrase asked twice
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda3       # AES in XTS mode with a 512-bit key (XTS splits it into two 256-bit AES keys)

The two commands above are alternatives: run only one of them. You'll be prompted for a passphrase. Don't spoil everything by choosing a weak passphrase! If you get errors at this step, make sure the following modules are loaded: dm_crypt, sha256, aes.

If you get the error message “Command failed: No setup backend available” after you enter YES at this point, you should recompile cryptsetup with the --enable-libdevmapper option:

./configure --enable-libdevmapper

This library is part of the device-mapper package. Just download it and run ./configure; make && make install.

STEP 5: Open the encrypted device and assign it to a virtual

cryptsetup luksOpen /dev/sda3 private 

Instead of 'private' you can choose any name you'd like.

ls -l /dev/mapper
brw-rw---- 1 root disk 254,  0 2007-12-10 17:10 private

STEP 6: Create a filesystem on the encrypted device

mkreiserfs /dev/mapper/private

I use reiserfs here. You can also use ext3 with some tuning options:

mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/private

STEP 7: Mount the encrypted partition and use it (finally)

mkdir /mnt/secure_partition
mount /dev/mapper/private /mnt/secure_partition

STEP 8: Unmount the encrypted partition

umount /mnt/secure_partition
cryptsetup luksClose /dev/mapper/private

After that, no one can read that partition without knowing the right passphrase! Great news, huh?

To make the whole process easy to digest (the mount/umount stuff) you can create two simple scripts like these:

#!/bin/sh
# open the LUKS container (asks for the passphrase) and mount it
cryptsetup luksOpen /dev/sda3 private
mount /dev/mapper/private /mnt/secure_partition

and

#!/bin/sh
# unmount the filesystem, then remove the decrypted mapping
umount /mnt/secure_partition
cryptsetup luksClose /dev/mapper/private

Save them to a folder; then create two shortcuts on your Desktop to these scripts. Don't forget to set the options “Run in terminal” (to be able to enter the passphrase) and “Run as a different user” (as root, to be able to mount the encrypted filesystem).
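The two one-line scripts above do no error checking: if the mount fails, the decrypted mapping is left sitting in /dev/mapper, and if the umount fails, luksClose is attempted on a busy device anyway. The script below is an added example, not the page's own code; it merges both scripts into one open/close wrapper with those checks. It uses the device, mapping name and mount point from this page, and the CRYPTSETUP, MOUNT and UMOUNT variables are an assumption made here so the logic can be exercised without a real block device (for instance by setting them to echo).

```shell
#!/bin/sh
# Added example (not from the original page): open/close wrapper for the LUKS
# container set up in the steps above, with the checks the two simple scripts
# lack. Device, name and mount point are the ones used on this page; the
# CRYPTSETUP/MOUNT/UMOUNT variables are an assumption of this example so the
# logic can be tested with stand-in commands (e.g. CRYPTSETUP=echo).
DEVICE=${DEVICE:-/dev/sda3}
NAME=${NAME:-private}
MOUNTPOINT=${MOUNTPOINT:-/mnt/secure_partition}
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}

# open_container: map the LUKS device (cryptsetup asks for the passphrase),
# then mount it. If the mount fails, close the mapping again so the decrypted
# device is not left exposed in /dev/mapper.
open_container() {
    if [ -e "/dev/mapper/$NAME" ]; then
        echo "mapping $NAME is already open" >&2
        return 1
    fi
    "$CRYPTSETUP" luksOpen "$DEVICE" "$NAME" || return 1
    if ! "$MOUNT" "/dev/mapper/$NAME" "$MOUNTPOINT"; then
        echo "mount failed, closing $NAME again" >&2
        "$CRYPTSETUP" luksClose "$NAME"   # the mapping name alone is enough here
        return 1
    fi
}

# close_container: unmount first, and only remove the mapping if the unmount
# succeeded (luksClose on a mounted device fails with "device busy").
close_container() {
    if ! "$UMOUNT" "$MOUNTPOINT"; then
        echo "umount failed (files still open?); $NAME stays open" >&2
        return 1
    fi
    "$CRYPTSETUP" luksClose "$NAME"
}

# Usage: cryptmount.sh open | cryptmount.sh close (run as root).
case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

Save it as one script and point both Desktop shortcuts at it, one with the argument open and one with close; the same "Run in terminal" and "Run as a different user" settings apply.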

STEP 9 (optional): Automount the partitions at startup

If you do this, you'll be prompted for the passphrases during the startup sequence. Modify /etc/fstab to include the new partitions.

E.g.

/dev/mapper/crypthome   /home                   ext3    defaults        1 2

and in /etc/crypttab

crypthome       /dev/sda2
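A typo in either file is painful here: if /etc/fstab mounts /dev/mapper/NAME but /etc/crypttab defines no NAME, the boot sequence waits for a mapping that never appears. The script below is an added example, not part of the original page; it checks that every /dev/mapper/NAME referenced in an fstab has a matching entry in a crypttab. The two input files are constructed sample data written to a temporary directory (the crypttab uses the four-column name/device/keyfile/options layout), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): consistency check between a
# crypttab and an fstab, so that every /dev/mapper/NAME mounted at boot has a
# crypttab entry that creates it. The sample files below are constructed data.

# mapper_names_in_fstab FILE: print NAME for each /dev/mapper/NAME in the
# device column of FILE, ignoring comments and blank lines.
mapper_names_in_fstab() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 ~ /^\/dev\/mapper\// {
            sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# crypttab_names FILE: print the NAME (first column) of each crypttab entry.
crypttab_names() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$1"
}

# check_crypttab_fstab CRYPTTAB FSTAB: report every fstab mapper name that has
# no crypttab entry; return 0 if all are defined, 1 otherwise.
check_crypttab_fstab() {
    crypttab=$1; fstab=$2; missing=0
    for name in $(mapper_names_in_fstab "$fstab"); do
        if ! crypttab_names "$crypttab" | grep -qx "$name"; then
            echo "fstab uses /dev/mapper/$name but crypttab has no entry '$name'"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample files (not a real system's configuration). The fstab
# deliberately misspells "private" as "privat" to show the check firing.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
# <name>      <device>      <keyfile>   <options>
crypthome     /dev/sda2     none        luks
private       /dev/sda3     none        luks
EOF
cat > "$SAMPLE_DIR/fstab" <<'EOF'
/dev/sda1                 /                      ext3  defaults  1 1
/dev/mapper/crypthome     /home                  ext3  defaults  1 2
/dev/mapper/privat        /mnt/secure_partition  ext3  defaults  0 2
EOF

# Run the check on the samples; on a real system pass /etc/crypttab /etc/fstab.
check_crypttab_fstab "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/fstab"
```

Run it before rebooting after editing either file; a non-zero exit status means at least one fstab entry points at a mapping that crypttab will not create.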

security/encpart.txt · Last modified: 2013/03/16 17:41 (external edit)