This short HOWTO shows how to create an encrypted data partition using DM-CRYPT on Debian Etch.
In this example a Linux MD software RAID partition is encrypted and mounted at /home.
See the MD HOWTO if you need to create your RAID array, or use the Debian Installer.
A LUKS format partition is used to allow multiple keys to be used.
Run the following commands to first load the aes module and then install the user space tools:
modprobe aes
aptitude install dmsetup cryptsetup
To create a dm-crypt partition (using LUKS for key management):
cryptsetup luksFormat /dev/md2
To open a dm-crypt partition (where crypthome is the name of the device mapper target to be created):
cryptsetup luksOpen /dev/md2 crypthome
To list and show the status of dm-crypt partitions:
dmsetup ls
cryptsetup status crypthome
To close a dm-crypt partition:
cryptsetup luksClose /dev/mapper/crypthome
To create a key:
cryptsetup luksAddKey /dev/md2
To delete a key you will need to know the number identifying the key (its key slot). You can get that by opening the partition and entering the password: the message shown should indicate the number. Then you can use the following command (where 1 is the number of the key to delete):
cryptsetup luksDelKey /dev/md2 1
To have a dm-crypt partition opened (mapped) automatically at boot, list the partition in /etc/crypttab:
crypthome /dev/md2 none luks,tries=3,timeout=60
You will be prompted for the password at boot. In this example we have set a maximum of 3 attempts per reboot, and an automatic timeout on password entry after 60 seconds. That's important if you access your system over a network and don't have physical access.
If you've created one big encrypted partition then at this stage you may want to install LVM on top of it. LVM would allow you to further sub-divide it into several smaller partitions, and to easily grow and manage those partitions. See the LVM2 HOWTO for details, or proceed to format it with an ext3 file system directly as shown in the example below.
To format the encrypted partition with the ext3 file system (or any other):
mkfs.ext3 /dev/mapper/crypthome
To mount your encrypted partition at /home (assuming your existing /home is empty):
mount /dev/mapper/crypthome /home
To automatically mount your partition at boot, list it in /etc/fstab:
/dev/mapper/crypthome /home ext3 rw,noatime 0 0
This short HOWTO describes how to encrypt your swap with DM-CRYPT on Debian.
First deactivate any existing swap:
swapoff -a
Your /etc/fstab file should have a swap entry like this:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1 none swap sw 0 0
Now just replace /dev/hda1 (or whatever partition your swap is on) with /dev/mapper/cryptswap where we will create the device mapper target for our encrypted swap:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cryptswap none swap sw 0 0
To have the device mapper target for your encrypted swap created automatically at boot, list your original swap partition in /etc/crypttab:
# <target name> <source device> <key file> <options>
cryptswap /dev/hda1 /dev/urandom swap,cipher=aes-cbc-plain,size=128,hash=ripemd160
To create the encrypted swap mapping manually (without rebooting):
/etc/init.d/cryptdisks restart
To reactivate your swap:
swapon -a
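The /home and swap procedures above both rely on /etc/crypttab and /etc/fstab agreeing with each other: fstab must use the /dev/mapper/<target> name, must never keep pointing at the raw partition, and a random (/dev/urandom) key only makes sense together with the swap option. The following POSIX shell check is an added example, not part of the original HOWTO; the function name check_crypttab and the sample file contents are constructed here, not taken from a real system.

```shell
#!/bin/sh
# check_crypttab CRYPTTAB_TEXT FSTAB_TEXT
# Prints one line per problem found; prints nothing when the two files agree.
# Real usage: check_crypttab "$(cat /etc/crypttab)" "$(cat /etc/fstab)"
check_crypttab() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
  while read -r target source key opts; do
    [ -n "$target" ] || continue
    random=no
    case "$key" in /dev/urandom|/dev/random) random=yes ;; esac
    # A throw-away random key is only sane together with the swap option:
    # anything else stored on that device is unreadable after the next reboot.
    if [ "$random" = yes ]; then
      case ",$opts," in
        *,swap,*) ;;
        *) echo "$target: random key without the swap option" ;;
      esac
    fi
    # fstab must consume the mapping under /dev/mapper/<target> ...
    fstype=$(printf '%s\n' "$2" | grep -v '^[[:space:]]*#' |
             awk -v dev="/dev/mapper/$target" '$1 == dev { print $3 }')
    if [ -z "$fstype" ]; then
      echo "$target: no /etc/fstab entry for /dev/mapper/$target"
    elif [ "$random" = yes ] && [ "$fstype" != swap ]; then
      echo "$target: random key but /etc/fstab mounts it as $fstype"
    fi
    # ... and must never still point at the raw source device, or the
    # kernel would swap to (or mount) the partition in the clear.
    if printf '%s\n' "$2" | grep -v '^[[:space:]]*#' |
       awk -v dev="$source" '$1 == dev { found = 1 } END { exit !found }'; then
      echo "$target: /etc/fstab still references the raw device $source"
    fi
  done
}

# Constructed samples mirroring the HOWTO (not copied from a real system).
CRYPTTAB_OK='# <target name> <source device> <key file> <options>
crypthome /dev/md2 none luks,tries=3,timeout=60
cryptswap /dev/hda1 /dev/urandom swap,cipher=aes-cbc-plain,size=128,hash=ripemd160'
FSTAB_OK='/dev/mapper/crypthome /home ext3 rw,noatime 0 0
/dev/mapper/cryptswap none swap sw 0 0'
# The swap line was never switched from /dev/hda1 to /dev/mapper/cryptswap.
FSTAB_STALE='/dev/mapper/crypthome /home ext3 rw,noatime 0 0
/dev/hda1 none swap sw 0 0'

check_crypttab "$CRYPTTAB_OK" "$FSTAB_OK"      # prints nothing
check_crypttab "$CRYPTTAB_OK" "$FSTAB_STALE"   # reports two cryptswap problems
```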
Further Reference
crypttab(5) manpage
See: http://deb.riseup.net/storage/encryption/dmcrypt/
Create and open an encrypted partition (without using LUKS):
# cryptsetup -y create crypt /dev/md3
Show status:
dmsetup ls
cryptsetup status crypt
Close an encrypted partition:
# cryptsetup remove crypt