This short HOWTO shows how to create an encrypted data partition using DM-CRYPT on Debian Etch.
In this example a Linux MD software RAID partition is encrypted and mounted at /home.
See the MD HOWTO if you need to create your RAID array, or use the Debian Installer.
A LUKS format partition is used to allow multiple keys to be used.
Run the following commands to first load the aes module and then install the user space tools:
modprobe aes
aptitude install dmsetup cryptsetup
To create a dm-crypt partition (using LUKS for key management):
cryptsetup luksFormat /dev/md2
To open a dm-crypt partition (where crypthome is the name of the device mapper target to be created):
cryptsetup luksOpen /dev/md2 crypthome
To list and show the status of dm-crypt partitions:
dmsetup ls
cryptsetup status crypthome
To close a dm-crypt partition:
cryptsetup luksClose /dev/mapper/crypthome
To create a key:
cryptsetup luksAddKey /dev/md2
To delete a key you will need to know the number identifying the key. You can get that by opening the partition and entering the password. The message shown should indicate the number. Then you can use the following command (where 1 is the number of the key to delete):
cryptsetup luksDelKey /dev/md2 1
To automatically mount a dm-crypt partition at boot, list the partition in /etc/crypttab:
crypthome /dev/md2 none luks,tries=3,timeout=60
You will be prompted for the password at boot. In this example we have set a maximum of 3 attempts per reboot, and an automatic timeout on password entry after 60 seconds. That's important if you access your system over a network and don't have physical access.
If you've created one big encrypted partition then at this stage you may want to install LVM on top of it. LVM would allow you to further sub-divide it into several smaller partitions, and to easily grow and manage those partitions. See the LVM2 HOWTO for details, or proceed to format it with an ext3 file system directly as shown in the example below.
To format the encrypted partition with the ext3 file system (or any other):
mkfs.ext3 /dev/mapper/crypthome
To mount your encrypted partition at /home (assuming your existing /home is empty):
mount /dev/mapper/crypthome /home
To automatically mount your partition at boot, list it in /etc/fstab:
/dev/mapper/crypthome /home ext3 rw,noatime 0 0
This short HOWTO describes how to encrypt your swap with DM-CRYPT on Debian.
First deactivate any existing swap:
swapoff -a
Your /etc/fstab file should have a swap entry like this:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1 none swap sw 0 0
Now replace /dev/hda1 (or whatever partition your swap is on) with /dev/mapper/cryptswap, the device mapper target that we will create for the encrypted swap:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cryptswap none swap sw 0 0
To have the device mapper target for your encrypted swap created automatically at boot, list your original swap partition in /etc/crypttab:
# <target name> <source device> <key file> <options>
cryptswap /dev/hda1 /dev/urandom swap,cipher=aes-cbc-plain,size=128,hash=ripemd160
To manually mount your encrypted swap partition:
/etc/init.d/cryptdisks restart
To reactivate your swap:
swapon -a
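The two HOWTOs above depend on /etc/crypttab and /etc/fstab agreeing with each other. The script below is an added example, not part of the original HOWTO: it checks that every /dev/mapper name in fstab is defined in crypttab, that swap entries use a random key file, and that passphrase-prompted LUKS entries set tries= and timeout=. The function name audit_crypt, the finding labels and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): audit crypttab/fstab text.
# audit_crypt CRYPTTAB FSTAB  -> prints one finding per line, nothing if clean.
audit_crypt() {
    crypttab=$1
    fstab=$2
    # Target names: first field of every non-blank, non-comment crypttab line.
    targets=$(awk 'NF && $1 !~ /^#/ { print $1 }' "$crypttab")

    # 1. Each /dev/mapper/NAME in fstab needs a crypttab target called NAME.
    #    substr($1, 13) drops the 12-character "/dev/mapper/" prefix.
    awk 'NF && $1 ~ "^/dev/mapper/" { print substr($1, 13) }' "$fstab" |
    while read -r name; do
        printf '%s\n' "$targets" | grep -qxF -- "$name" ||
            echo "MISSING_TARGET $name: used in fstab, not defined in crypttab"
    done

    # 2. Per-entry checks on the key file and option fields.
    awk 'NF && $1 !~ /^#/ {
        name = $1; key = $3; opts = "," $4 ","
        if (opts ~ /,swap,/ && key != "/dev/urandom" && key != "/dev/random")
            print "SWAP_KEY " name ": swap key file " key " is not a random source"
        if (opts ~ /,luks,/ && key == "none") {
            if (opts !~ /,tries=[0-9]+,/)
                print "NO_TRIES " name ": no explicit tries= option"
            if (opts !~ /,timeout=[0-9]+,/)
                print "NO_TIMEOUT " name ": no explicit timeout= option"
        }
    }' "$crypttab"
}

# Constructed sample input: a target name that differs between the two files,
# plus a LUKS entry without the tries= and timeout= options used above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
cswap     /dev/hda1 /dev/urandom swap,cipher=aes-cbc-plain,size=128,hash=ripemd160
crypthome /dev/md2  none         luks
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/cryptswap none  swap sw         0 0
/dev/mapper/crypthome /home ext3 rw,noatime 0 0
EOF
audit_crypt "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

Run it against copies of the real files before rebooting; an empty result means the entries match the layout used in this HOWTO.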
Further Reference
crypttab(5) manpage
See: http://deb.riseup.net/storage/encryption/dmcrypt/
Create and open an encrypted partition (without using LUKS):
# cryptsetup -y create crypt /dev/md3
Show status:
dmsetup ls
cryptsetup status crypt
Close an encrypted partition:
# cryptsetup remove crypt
Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)
Discussion
There is a glitch:
# <target name> <source device> <key file> <options>
cswap /dev/hda1 /dev/urandom swap,cipher=aes-cbc-plain,size=128,hash=ripemd160
The correct name would be cryptswap instead of cswap. Thanks anyways, it's working for me!
Thanks for the feedback, that's fixed.
I've written up a small howto on how to use pam_mount on Debian Squeeze to mount LUKS loopback images automatically at login. If anybody is interested: http://nerdcenter.de/howto-debian-loopback-dm-crypt-luks-pam-mount/
Re: preparing to use an encrypted SWAP partition.
Random data written to fill the swap partition as an initial step will enhance the protection that crypt provides.
On Ubuntu GNU/Linux 10.04, with swap partition on /dev/sdb3 and utilising random-generating device /dev/urandom, and as root: Ensure swap is not mounted (as per the procedure outlined earlier):
root@boridenstti:/root# dd if=/dev/urandom of=/dev/sdb3 bs=1M count=10000000
A count of 10 000 000 (ten followed by 7 zeros, no spaces) will fill a partition of size 10 Gb. Count can be any number equal to or greater than the size of the partition expressed in Megabytes.