HOWTO: dm-crypt and on-the-fly encryption
20 February 2009
This quick tutorial is aimed at those who want a very secure computer, including encrypted swap.
Some background information:
Why?
Well, even with encrypted partitions all over your computer, information can still end up in the swap partition. If this partition is not protected, the data there can be retrieved by malicious users (or government agencies ;) ).
Cryptsetup
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Device Mapper and DM-Crypt
Starting with version 2.6, the Linux kernel provides the Device-Mapper interface. This interface allows the creation of layers of virtual block devices on top of real block devices. These devices are used for things like RAID formats, snapshots or encryption. DM-Crypt is the Device-Mapper module that provides access to the kernel's cryptographic functions.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions to facilitate cross-distribution compatibility, to allow for multiple users/passwords and effective password revocation, and to provide additional security against low-entropy attacks. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.
In your kernel configuration you must enable the following (shown here for 2.6.23):
Code maturity level options
  Prompt for development and/or incomplete code/drivers
Device Drivers -> Multiple devices driver support (RAID and LVM)
  (*) Device mapper support
  (M) Crypt target support
Cryptographic API
  (M) AES cipher algorithms
  (M) SHA256 digest algorithm
Compile and install the new kernel if you had to change the configuration.
Install cryptsetup. If you can find a package for your distro, good. Otherwise, install it from source. You can grab it from here (./configure; make; make install).
The device mapper should be active:
# ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 63 2009-02-20 11:11 control
and it should have support for crypto:
# dmsetup targets | grep crypt
crypt v1.5.0
The kernel needs to support the encryption algorithms (and these modules should be loaded):
# cat /proc/crypto | grep name
name         : sha256
name         : cbc(aes)
name         : aes
name         : lzf
name         : md4
First, disable the swap partition if active:
# swapoff /dev/hda3    # or whatever your swap partition is
Note: if you don't know which partition is your swap, run swapon -s in a console.
Then fill it with junk data (this could take a while):
# dd if=/dev/urandom of=/dev/hda3 bs=1M
In /etc/crypttab (create this file if it does not exist) add an entry for the swap partition (the same device you just wiped):
# <target name> <source device> <key file> <options>
cryptswap /dev/hda3 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
/dev/urandom as the key file means that every time we boot, the swap will be encrypted with a different, freshly generated key; the swap option tells the boot scripts to run mkswap on the mapping.
…and in /etc/fstab replace the current swap entry with:
/dev/mapper/cryptswap none swap sw 0 0
Reboot (really…) and verify:
# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cryptswap                   partition       522104  0       -1
# cryptsetup status cryptswap
/dev/mapper/cryptswap is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/hda3
  offset:  0 sectors
  size:    1044225 sectors
  mode:    read/write
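As an added example (not part of the original HOWTO), the following POSIX sh audit checks the two properties this setup depends on: the crypttab entry keys the mapping from a random device with the swap option, and no plain partition is still active as swap. The sample crypttab and /proc/swaps contents are constructed, modelled on the files shown above.

```shell
#!/bin/sh
# Audit script for the random-key encrypted swap setup (added example).
# Both functions take file contents as text, so they run on the constructed
# samples at the bottom as well as on the live files.

# check_crypttab_swap NAME CRYPTTAB_TEXT -> prints "ok" or the problem found
check_crypttab_swap() {
    name=$1
    # Pick the (non-comment) line whose first field is the mapping name.
    line=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n')
    [ -n "$line" ] || { echo "no crypttab entry for $name"; return 1; }
    set -- $line            # split into: name device key options
    key=$3; opts=$4
    case $key in
        /dev/urandom|/dev/random) ;;
        *) echo "$name: key is $key; a stored key decrypts every past swap image"; return 1 ;;
    esac
    case ",$opts," in
        *,swap,*) ;;
        *) echo "$name: 'swap' option missing; mapping is not mkswap'ed at boot"; return 1 ;;
    esac
    case ",$opts," in
        *,cipher=*) ;;
        *) echo "$name: no cipher= option; relying on the cryptsetup default"; return 1 ;;
    esac
    echo ok
}

# check_active_swaps PROC_SWAPS_TEXT -> fails if any active swap is not a dm device
check_active_swaps() {
    plain=$(printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ "^/dev/mapper/" { print $1 }')
    [ -z "$plain" ] || { echo "unencrypted swap active: $plain"; return 1; }
    echo ok
}

# Constructed sample inputs (not captured from a real system).
GOOD_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptswap /dev/hda3 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap'
BAD_CRYPTTAB='cryptswap /dev/hda3 /etc/keys/swap.key cipher=aes-cbc-essiv:sha256,size=256,swap'
GOOD_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 522104 0 -1'
BAD_SWAPS='Filename Type Size Used Priority
/dev/hda3 partition 522104 0 -1'

# On a live system (as root):
#   check_crypttab_swap cryptswap "$(cat /etc/crypttab)" && check_active_swaps "$(cat /proc/swaps)"
```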