HOWTO: dm-crypt and on-the-fly encryption
20 February 2009
This quick tutorial is aimed for those who want to have a very secure computer, including here encrypted swap.
Some background infos:
Well, even with encrypted partitions all over your computer, the information can end up in the swap partition. If this partition is not protected, the information there can be retrieved by malicious users (or the government agencies ;) ).
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Device Mapper and DM-Crypt
Starting in version 2.6, the Linux kernel started providing the Device-Mapper interface. This interface allowed for the creation of layers of virtual block devices on top of real block devices. These devices are used for things like RAID formats, snapshot or encryption. The DM-Crypt is the module for Device-Mapper that provides access to the cryptographic functions.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions to facilitate cross distribution compatibility, to allow for multiple users/passwords, effective password revocation, and to provide additional security against low entropy attacks. To use LUKS, you must use an enabled version of cryptsetup. To the authors knowledge currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS enabled versions of cryptsetup in their repositories.
In your kernel you must enable (this is a 2.6.23 one):
Code maturity level options Prompt for development or/and incomplete code/drivers Device Drivers -> Multiple devices driver support (RAID and LVM) (*) Device mapper support (M) Crypt target support Cryptographic API (M) AES cipher algorithms (M) SHA256 digest algorithm
Compile and install the new kernel if it's the case.
Install cryptosetup. If you have the chance to find a package for your distro, alright. Otherwise, install it from the sources. You can grab it from here (./configure; make; make install)
device mapper should be active
ls -l /dev/mapper/ total 0 crw-rw---- 1 root root 10, 63 2009-02-20 11:11 control
and it should have support for crypto
# dmsetup targets | grep crypt crypt v1.5.0
kernel needs to support encryption algorithms (and these modules should be loaded)
cat /proc/crypto | grep name name : sha256 name : cbc(aes) name : aes name : lzf name : md4
First, disable the swap partition if active:
swapoff /dev/hda3 # or whatever is your swap
Note: if you don't know where is your swap, run swapon -s in console.
Fill it then with junk data (this could take a while):
# dd if=/dev/urandom of=/dev/hda3 bs=1M
In /etc/crypttab (create this file if none)
cryptswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
/dev/urandom here means that everytime we boot, the swap will be encrypted with a different key.
…and in /etc/fstab replace the current swap record with:
/dev/mapper/cryptswap none swap sw 0 0
Reboot (really… )
# cat /proc/swaps Filename Type Size Used Priority /dev/mapper/cryptswap partition 522104 0 -1 # cryptsetup status cryptswap /dev/mapper/cryptswap is active: cipher: aes-cbc-essiv:sha256 keysize: 256 bits device: /dev/hda3 offset: 0 sectors size: 1044225 sectors mode: read/write