Linux DM-Crypt

From JonDonym Wiki


HowTo encrypt data with DM-Crypt

DM-Crypt is part of the Linux kernel and thus available in all recent Linux distributions. DM-Crypt uses encrypted containers with fixed size. A container may be a hard disk partition or an image file.

You have to install the following software packages:

  • cryptsetup: creates, opens, closes and manages encrypted containers.
  • pam-mount: simplifies opening and closing with scripts.

For installation you may use the package manager of your distribution:

Debian: aptitude install cryptsetup libpam-mount
RedHat: yum install util-linux-crypto libpam-mount

Note: If you get an error from cryptsetup like "Command failed: Failed to setup dm-crypt key mapping", you have to load the kernel module dm_crypt first.

modprobe dm_crypt

Encrypt a hard disk partition

Encryption of a free hard disk partition is simple. The example shows the encryption of /dev/sda4. The script will ask you 3 times for the passphrase.

luksformat -t ext3 /dev/sda4

If the package pam-mount is installed, you can mount the encrypted partition with mount.crypt.

mount.crypt /dev/sda4 /mnt

You can close the container with umount.crypt.

umount.crypt /mnt

Encrypted image file

If there is no free partition on your server, you can use an image file.

  1. Create an empty image file large enough to hold your data (example: 100 MByte)
  2. Connect a loop device to the image file.
  3. Fill the first 2 MB with random data.
  4. Init the encrypted data container (luksFormat).
  5. Open the encrypted data container (luksOpen).
  6. Create a file system on the new device.
  7. Close the encrypted data container (luksClose).
  8. Close the loop device.

dd if=/dev/zero of=geheim.luks bs=1M count=100
losetup /dev/loop0 geheim.luks
dd if=/dev/urandom of=/dev/loop0 bs=1M count=2
cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 -y /dev/loop0
cryptsetup luksOpen /dev/loop0 <name>
mkfs.ext3 /dev/mapper/<name>
cryptsetup luksClose <name>
losetup -d /dev/loop0

If the package pam-mount is installed, you can mount the encrypted image file with mount.crypt in one step.

mount.crypt geheim.luks /mnt -o loop

You can close the container with umount.crypt.

umount.crypt /mnt

The script mount.crypt executes 3 steps. You can run these steps by hand if mount.crypt does not work.

losetup /dev/loop0 geheim.luks
cryptsetup luksOpen /dev/loop0 <name>
mount /dev/mapper/<name> /mnt

The script umount.crypt executes 3 steps too.

umount /mnt
cryptsetup luksClose <name>
losetup -d /dev/loop0

Encrypt SWAP space and /tmp (Debian)

SWAP and /tmp may hold sensitive data. It is recommended to encrypt both. Debian GNU/Linux and Ubuntu are prepared for this task: an init script makes it simple. During boot the partitions are encrypted with a random password. After shutdown the password is lost and cannot be restored.

First clean the partition for /tmp. It must not contain any data or file system. Replace /dev/hda8 with your /tmp partition.

umount /tmp
dd if=/dev/zero of=/dev/hda8

You have to edit the file /etc/crypttab. Please replace /dev/hda5 and /dev/hda8 by your partitions used for SWAP and /tmp.

cryptswp  /dev/hda5  /dev/urandom  swap
crypttmp  /dev/hda8  /dev/urandom  tmp

Afterwards edit the file /etc/fstab to mount the new encrypted partitions for SWAP and /tmp at boot time.

/dev/mapper/cryptswp  none  swap  sw  0  0
/dev/mapper/crypttmp  /tmp  ext2  defaults  0  0

Reboot your server.
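Before rebooting, it is worth checking that /etc/crypttab and /etc/fstab agree: every mapping needs a /dev/mapper entry in fstab, the plaintext partition must no longer be mounted directly, and a random key from /dev/urandom is only safe for swap and /tmp. The following checker is an added example, not code from the wiki; the crypttab and fstab contents are constructed samples and the four-column crypttab layout is assumed from the entries above.

```shell
#!/bin/sh
# Consistency check for /etc/crypttab against /etc/fstab before rebooting.
# Added example, not part of the original wiki page. Assumes the four-column
# crypttab layout used above (name, device, key, options).

# Sample files, constructed inline so the check runs without touching /etc.
# cryptdata is a deliberate mistake: it has no matching fstab line.
CRYPTTAB=$(mktemp); FSTAB=$(mktemp)
cat > "$CRYPTTAB" <<'EOF'
# name     device     key           options
cryptswp   /dev/hda5  /dev/urandom  swap
crypttmp   /dev/hda8  /dev/urandom  tmp
cryptdata  /dev/sda4  none          luks
EOF
cat > "$FSTAB" <<'EOF'
/dev/mapper/cryptswp  none  swap  sw        0  0
/dev/mapper/crypttmp  /tmp  ext2  defaults  0  0
EOF

# check_crypttab CRYPTTAB FSTAB
# Prints one line per problem; the exit status is the number of problems (0 = consistent).
check_crypttab() {
    awk -v fstab="$2" '
    BEGIN {
        # mapped[name] = mount point for every /dev/mapper/<name> in fstab;
        # raw[device] marks every first column, so a still-mounted plaintext partition is caught
        while ((getline line < fstab) > 0) {
            if (line ~ /^[[:space:]]*(#|$)/) continue
            split(line, f)
            raw[f[1]] = 1
            if (f[1] ~ /^\/dev\/mapper\//) mapped[substr(f[1], 13)] = f[2]
        }
    }
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    {
        name = $1; dev = $2; key = $3; opts = $4
        if (!(name in mapped))
            { print name ": no fstab entry for /dev/mapper/" name; bad++ }
        if (dev in raw)
            { print name ": " dev " is still mounted unencrypted in fstab"; bad++ }
        # a random key is lost at shutdown, so it is only safe for swap and tmp
        if (key == "/dev/urandom" && opts !~ /(^|,)(swap|tmp)(,|$)/)
            { print name ": random key on a persistent filesystem"; bad++ }
    }
    END { exit bad }' "$1"
}

check_crypttab "$CRYPTTAB" "$FSTAB" || echo "fix the entries above before rebooting"
```

Run it against the real files with `check_crypttab /etc/crypttab /etc/fstab` once the sample lines are replaced.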
