19 Aug 2008
last updated: 27 Jun 2012
If you want to keep some secret documents well guarded on your hard disk, you can encrypt them using, for example, the GPG suite. But if you don't want to type a password every 5 minutes, you can use an entire partition to store your sensitive material in a very secure way. How's that? Follow these steps…
Some background info:
Device Mapper and DM-Crypt
Starting with version 2.6, the Linux kernel provides the Device-Mapper interface, which allows layers of virtual block devices to be created on top of real block devices. These devices are used for things like RAID, snapshots and encryption. dm-crypt is the Device-Mapper module that provides access to the kernel's cryptographic functions.
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions, to facilitate cross-distribution compatibility, to allow multiple users/passphrases and effective passphrase revocation, and to provide additional security against low-entropy attacks. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.
In your kernel you must enable (this is a 2.6.23 one):
Code maturity level options
    Prompt for development and/or incomplete code/drivers
Device Drivers -> Multiple devices driver support (RAID and LVM)
    (*) Device mapper support
    (M) Crypt target support
Cryptographic API
    (M) AES cipher algorithms
    (M) SHA256 digest algorithm
Compile and install the new kernel if needed.
Install cryptsetup. If you can find a package for your distro, fine. Otherwise, install it from source. You can grab it from here (./configure; make; make install).
Create one or more partitions on the drive. Let's suppose we need a 1 GB secure partition on our 80 GB hard disk. We'll use cfdisk (or fdisk, or any other partitioning tool of your choice) and create /dev/sda3.
(After that, reboot your machine to make sure the new partition is properly seen.)
cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda3    # AES cipher in XTS mode
You'll be prompted for a passphrase. Don't spoil everything by choosing a weak passphrase! If you get errors at this step, make sure you have loaded the following modules: dm_crypt, sha256, aes.
If you get the error message “Command failed: No setup backend available” after you enter YES at this point, you should recompile cryptsetup with the libdevmapper option enabled.
This library can be found in the device-mapper package. Just download it and run ./configure; make && make install.
cryptsetup luksOpen /dev/sda3 private
Instead of 'private' you can choose any name you'd like.
ls -l /dev/mapper
brw-rw---- 1 root disk 254, 0 2007-12-10 17:10 private
I use a reiserfs filesystem here. You can also use ext3 with some optimizations:
mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/private
mkdir /mnt/secure_partition
mount /dev/mapper/private /mnt/secure_partition
umount /mnt/secure_partition
cryptsetup luksClose /dev/mapper/private
After that, no one can read that partition without knowing the right passphrase! Great news, huh?
To make the whole process (the mount/umount stuff) easier to digest, you can create two simple scripts like:
#!/bin/sh
cryptsetup luksOpen /dev/sda3 private
mount /dev/mapper/private /mnt/secure_partition
#!/bin/sh
umount /mnt/secure_partition
cryptsetup luksClose /dev/mapper/private
Save them to a folder, then create two shortcuts on your Desktop to these scripts. Don't forget to set the options “Run in terminal” (to be able to enter the passphrase) and “Run as a different user” (as root, to be able to mount the encrypted filesystem).
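A more careful version of the two scripts, added here as an example (this is not code from the original post): it validates the mapper name so a user-supplied name can never turn into a path, refuses to run on a device that is not a LUKS container, refuses to open a name that is already mapped, mounts with nodev,nosuid, undoes the mapping if the mount fails, and tears down in the safe order (umount first, then luksClose). The device, mapper name and mount point are the ones used above; the DRY_RUN knob and the mount options are my own additions.

```shell
#!/bin/sh
# Hardened open/close helpers for a LUKS partition (added example, not from the post).
# Assumed layout: /dev/sda3 -> /dev/mapper/private -> /mnt/secure_partition.
# DRY_RUN=1 (assumed convenience knob) prints the privileged commands instead of
# running them, which lets the checks be exercised without root or cryptsetup.

# Accept only a conservative character set for the mapper name, so that a
# name like "../../etc/foo" is rejected before it reaches /dev/mapper/.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# secure_open DEVICE NAME MOUNTPOINT
secure_open() {
    dev=$1; name=$2; mnt=$3
    valid_name "$name" || { echo "refusing mapper name: $name" >&2; return 2; }
    if [ -e "/dev/mapper/$name" ]; then
        echo "/dev/mapper/$name is already mapped; close it first" >&2
        return 3
    fi
    # isLuks exits non-zero for anything without a LUKS header, so a typo in
    # the device name is caught before any mapping is created.
    run cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 4; }
    run cryptsetup luksOpen "$dev" "$name" || return 5
    # nodev,nosuid: a data partition should carry neither device nodes nor setuid binaries.
    run mount -o nodev,nosuid "/dev/mapper/$name" "$mnt" || {
        # Do not leave an unlocked device behind if the mount fails.
        run cryptsetup luksClose "$name"
        return 6
    }
}

# secure_close NAME MOUNTPOINT
secure_close() {
    name=$1; mnt=$2
    valid_name "$name" || { echo "refusing mapper name: $name" >&2; return 2; }
    # Close only after the filesystem is unmounted; luksClose on a mounted
    # device would fail with "device busy" anyway, this just keeps the error clear.
    run umount "$mnt" || { echo "umount $mnt failed; not closing $name" >&2; return 7; }
    run cryptsetup luksClose "$name"
}

# Dispatcher: "secure.sh open" or "secure.sh close"; with no argument it only
# defines the functions, so the file can also be sourced.
case "${1:-}" in
    open)  secure_open  /dev/sda3 private /mnt/secure_partition ;;
    close) secure_close private /mnt/secure_partition ;;
esac
```

Run it as root (or via the “Run as a different user” shortcut option described above) with `open` or `close`; `DRY_RUN=1 sh secure.sh open` shows exactly which commands would be executed.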
You can also have the partition unlocked at boot: you'll be prompted for the passphrase during the startup sequence. Modify /etc/fstab to include the new partition:
/dev/mapper/crypthome /home ext3 defaults 1 2
and in /etc/crypttab
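When the mount is moved into /etc/fstab and /etc/crypttab, the two files have to agree: every /dev/mapper/<name> that fstab mounts needs a crypttab entry with the same name that unlocks it. The following checker is an added example (not from the original post) that reads both files and reports mapper names with no crypttab entry, plus entries that do not state the luks option explicitly. The crypttab column layout it assumes is the Debian one (name, source device, key file, options), and the sample fstab/crypttab contents are constructed for the demo, modelled on the crypthome line above.

```shell
#!/bin/sh
# fstab <-> crypttab consistency check (added example, not from the post).
# Assumed crypttab layout: <name> <source device> <key file> <options>

# Print the mapper names that fstab mounts (first column in /dev/mapper/X form),
# skipping comment and blank lines.
fstab_mapper_names() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 ~ /^\/dev\/mapper\// {
             sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# Print "name options" for every crypttab entry ("-" when no options are given).
crypttab_entries() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $1, ($4 == "" ? "-" : $4) }' "$1"
}

# check_boot_config FSTAB CRYPTTAB: print one line per mapper name, return 0 only
# if every mapped filesystem in fstab has an explicit LUKS entry in crypttab.
check_boot_config() {
    fstab=$1; crypttab=$2; rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        opts=$(crypttab_entries "$crypttab" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$opts" ]; then
            echo "MISSING: fstab mounts /dev/mapper/$name but crypttab has no entry '$name'"
            rc=1
        else
            # Without the luks option the mode is left to auto-detection (or to
            # cipher/hash/size options); stating it keeps the entry unambiguous.
            case ",$opts," in
                *,luks,*) echo "OK: $name is a LUKS entry ($opts)" ;;
                *) echo "WARN: crypttab entry '$name' lacks the luks option ($opts)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample files for a stand-alone demo (not real system files);
# prints the directory that holds them. /dev/sda5 and cryptdata are invented.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/fstab" <<'EOF'
# <file system>        <mount point>  <type>  <options>  <dump> <pass>
/dev/sda1              /              ext3    defaults   0 1
/dev/mapper/crypthome  /home          ext3    defaults   1 2
/dev/mapper/cryptdata  /data          ext3    defaults   0 2
EOF
    cat > "$dir/crypttab" <<'EOF'
# <name>    <source device>  <key file>  <options>
crypthome   /dev/sda5        none        luks
EOF
    echo "$dir"
}

# Demo run: reports crypthome as OK and cryptdata as MISSING, exit status 1.
if [ "${1:-}" = demo ]; then
    d=$(write_samples)
    check_boot_config "$d/fstab" "$d/crypttab"
fi
```

On a real system call `check_boot_config /etc/fstab /etc/crypttab` before rebooting; a MISSING line means the boot sequence will try to mount a /dev/mapper device that nothing unlocks, and fstab's pass number 2 will then stall the boot on a fsck of a non-existent device.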