Linux DM-Crypt
HowTo encrypt data with DM-Crypt
DM-Crypt is the Linux kernel's transparent block-device encryption layer (a device-mapper target) and is therefore available in all recent Linux distributions. It works on block devices of fixed size: the encrypted container may be a hard disk partition or an image file attached to a loop device.
You have to install the following software packages:
- cryptsetup: creates, opens, closes and manages encrypted containers.
- pam-mount (libpam-mount): simplifies opening and closing with the mount.crypt and umount.crypt scripts.
For installation you may use the package manager of your distribution:
Debian: aptitude install cryptsetup libpam-mount
RedHat: yum install util-linux-crypto libpam-mount
Note: If cryptsetup fails with an error such as "Command failed: Failed to setup dm-crypt key mapping", the dm_crypt kernel module is not loaded. Load it first:
modprobe dm_crypt
Encrypt a hard disk partition
Encrypting a free (unused) hard disk partition is simple. The example encrypts /dev/sda4; everything currently on that partition is destroyed, so check the device name twice. The luksformat helper script asks you three times for the passphrase: twice to set it and once more to open the new container and create the file system on it.
luksformat -t ext3 /dev/sda4
If the package pam-mount is installed, you can open and mount the encrypted partition in one step with mount.crypt:
mount.crypt /dev/sda4 /mnt
You can close the container with umount.crypt.
umount.crypt /mnt
Encrypted image file
If there is no free partition on your server, you can use an image file instead. The steps are:
- Create an empty image file large enough to hold your data (example: 100 MByte).
- Attach a loop device to the image file.
- Overwrite the first 2 MB (where the LUKS header will be written) with random data.
- Initialise the encrypted container (luksFormat).
- Open the encrypted container (luksOpen).
- Create a file system on the new device under /dev/mapper.
- Close the encrypted container (luksClose).
- Detach the loop device.
dd if=/dev/zero of=geheim.luks bs=1M count=100
losetup /dev/loop0 geheim.luks
dd if=/dev/urandom of=/dev/loop0 bs=1M count=2
cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 -y /dev/loop0
cryptsetup luksOpen /dev/loop0 <name>
mkfs.ext3 /dev/mapper/<name>
cryptsetup luksClose <name>
losetup -d /dev/loop0
Use the same loop device in every step (losetup -a lists the devices in use, losetup -f prints the first free one), and replace <name> by a mapping name of your choice. Note: aes-cbc-essiv:sha256 with a 256-bit key was the cryptsetup default when this page was written; current cryptsetup versions default to aes-xts-plain64, where the key material is split in two halves, so AES-256 then needs -s 512 (omitting -c and -s gives you the current defaults). The random data written above only covers the header area; if an observer should not be able to tell used from unused blocks, create the whole image from /dev/urandom instead of /dev/zero.
If the package pam-mount is installed, mount.crypt attaches the loop device, opens the container and mounts it in one step:
mount.crypt geheim.luks /mnt -o loop
You can close the container with umount.crypt.
umount.crypt /mnt
The script mount.crypt performs three steps. You can do them by hand if mount.crypt does not work:
losetup /dev/loop0 geheim.luks
cryptsetup luksOpen /dev/loop0 <name>
mount /dev/mapper/<name> /mnt
The script umount.crypt performs the same three steps in reverse order:
umount /mnt
cryptsetup luksClose <name>
losetup -d /dev/loop0
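Once the container exists, it is worth verifying what luksFormat actually wrote rather than trusting the command line you typed. The following Python script is an added example, not part of the original page and not cryptsetup's own code: it parses the LUKS1 header at the start of the image (the format the commands above produce; cryptsetup 2.x creates LUKS2 by default, which this parser rejects with a clear message instead of misreading it) and flags legacy parameters such as the cbc mode, a sha1 PBKDF2 hash, the 32-bit plain IV generator or a short effective key. The iteration threshold, the synthetic header builder and its UUID are assumptions made for the demonstration; cryptsetup luksDump prints the same fields from a real container.

```python
import struct

# LUKS1 on-disk header (phdr): big-endian fields, 592 bytes in total.
LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER_LEN = 592
KEYSLOT_BASE, KEYSLOT_LEN, KEYSLOT_COUNT = 208, 48, 8
KEYSLOT_ENABLED, KEYSLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
MIN_ITERATIONS = 100000  # local review threshold (assumption), not a cryptsetup constant

def _cstr(raw):
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_luks1_header(data):
    """Parse the LUKS1 header at offset 0 of a container. Raises ValueError for
    anything else, including LUKS2 (version 2), whose layout is different."""
    if len(data) < HEADER_LEN:
        raise ValueError("short read: a LUKS1 header is %d bytes" % HEADER_LEN)
    if data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    version = struct.unpack(">H", data[6:8])[0]
    if version != 1:
        raise ValueError("LUKS version %d not supported (LUKS1 only)" % version)
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    slots = []
    for i in range(KEYSLOT_COUNT):
        off = KEYSLOT_BASE + i * KEYSLOT_LEN
        active, iterations = struct.unpack(">II", data[off:off + 8])
        slots.append({"active": active == KEYSLOT_ENABLED, "iterations": iterations})
    return {"cipher_name": _cstr(data[8:40]), "cipher_mode": _cstr(data[40:72]),
            "hash_spec": _cstr(data[72:104]), "payload_offset_sectors": payload_offset,
            "key_bytes": key_bytes, "uuid": _cstr(data[168:208]), "keyslots": slots}

def is_luks1(data):
    try:
        parse_luks1_header(data)
        return True
    except ValueError:
        return False

def effective_key_bits(hdr):
    """XTS splits the key material in two halves, so 512 bits gives AES-256."""
    bits = hdr["key_bytes"] * 8
    return bits // 2 if hdr["cipher_mode"].startswith("xts-") else bits

def assess(hdr):
    """Findings a reviewer would raise about the container's parameters."""
    findings = []
    mode = hdr["cipher_mode"]
    if mode.startswith("cbc-"):
        findings.append("cipher mode %s is the legacy choice; new containers use xts-plain64" % mode)
    if mode.endswith("-plain"):
        findings.append("IV generator 'plain' truncates sector numbers to 32 bits; use plain64")
    if hdr["hash_spec"] == "sha1":
        findings.append("PBKDF2 hash is sha1; prefer sha256")
    if effective_key_bits(hdr) < 256:
        findings.append("effective key length is only %d bits" % effective_key_bits(hdr))
    active = [i for i, s in enumerate(hdr["keyslots"]) if s["active"]]
    if not active:
        findings.append("no active key slot: the container can never be opened")
    for i in active:
        if hdr["keyslots"][i]["iterations"] < MIN_ITERATIONS:
            findings.append("key slot %d uses only %d PBKDF2 iterations" % (i, hdr["keyslots"][i]["iterations"]))
    return findings

def build_sample_header(cipher_name, cipher_mode, hash_spec, key_bytes, slot_iterations):
    """Constructed test data: a syntactically valid LUKS1 header whose salts and
    digests are zero filler, so it carries parameters but cannot be opened."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, text in ((8, cipher_name), (40, cipher_mode), (72, hash_spec)):
        hdr[off:off + len(text)] = text.encode("ascii")
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)  # payload offset (512-byte sectors), key bytes
    sample_uuid = "1f4d7e0a-0c2b-4a8e-9b3d-5e6f70819a2b"  # arbitrary constructed value
    hdr[168:168 + len(sample_uuid)] = sample_uuid.encode("ascii")
    for i in range(KEYSLOT_COUNT):
        off = KEYSLOT_BASE + i * KEYSLOT_LEN
        if i < len(slot_iterations):
            struct.pack_into(">II", hdr, off, KEYSLOT_ENABLED, slot_iterations[i])
        else:
            struct.pack_into(">II", hdr, off, KEYSLOT_DISABLED, 0)
        struct.pack_into(">II", hdr, off + 40, 8 + i * 256, 4000)  # key-material offset, stripes
    return bytes(hdr)

def read_header(path):
    with open(path, "rb") as f:
        return parse_luks1_header(f.read(HEADER_LEN))

if __name__ == "__main__":
    import sys
    # Usage: python luks1_check.py geheim.luks   (a partition such as /dev/sda4 works too, as root)
    hdr = read_header(sys.argv[1]) if len(sys.argv) > 1 else parse_luks1_header(
        build_sample_header("aes", "cbc-essiv:sha256", "sha1", 32, [150000]))
    for key in ("cipher_name", "cipher_mode", "hash_spec", "key_bytes", "uuid"):
        print("%-14s %s" % (key, hdr[key]))
    for finding in assess(hdr):
        print("FINDING:", finding)
```

Run without arguments it checks a constructed header matching the luksFormat line above and reports the cbc mode and sha1 hash; run against geheim.luks or a partition it reads the real header. Reading the header is harmless (nothing is written), but it does reveal which key slots are in use, which is itself useful during a forensic review of a container.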
Encrypt SWAP space and /tmp (Debian)
SWAP and /tmp may hold sensitive data (pages of process memory, temporary copies of files), so it is recommended to encrypt both. Debian GNU/Linux and Ubuntu ship the boot-time support for this (the cryptdisks init script), which makes the setup simple. During boot each partition is set up with a fresh random key read from /dev/urandom and then formatted. The key is lost at shutdown and cannot be recovered, so whatever was written is unreadable afterwards; nothing survives a reboot, which is exactly what you want for swap and /tmp.
First clear the partition for /tmp: it must not contain any data or file system, because it will be reformatted at every boot. Replace /dev/hda8 by your /tmp partition. The dd command ends with "No space left on device" once it has overwritten the whole partition; that is expected.
umount /tmp
dd if=/dev/zero of=/dev/hda8
Then edit the file /etc/crypttab. Replace /dev/hda5 and /dev/hda8 by the partitions used for SWAP and /tmp, and check the names twice: with a random key the named partition is wiped at every boot, so a typo destroys data. For the same reason prefer a persistent name from /dev/disk/by-id/ or /dev/disk/by-path/ over /dev/hdaN or /dev/sdaN, which can change if the kernel numbers the disks differently; UUID= does not help here, because a random key leaves no persistent file system on the partition to identify.
cryptswp /dev/hda5 /dev/urandom swap
crypttmp /dev/hda8 /dev/urandom tmp
Afterwards edit the file /etc/fstab to mount the new encrypted partitions for SWAP and /tmp at boot time.
/dev/mapper/cryptswp none swap sw 0 0
/dev/mapper/crypttmp /tmp ext2 defaults 0 0
Reboot your server. Afterwards swapon -s (or cat /proc/swaps) should list /dev/mapper/cryptswp, mount should show /dev/mapper/crypttmp on /tmp, and cryptsetup status crypttmp shows the cipher and key size in use.
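Because a random key makes the boot script reformat whatever partition crypttab names, a consistency check of the two files before rebooting is worthwhile. The following Python script is an added example, not Debian's or cryptsetup's own code: it parses crypttab and fstab lines in the format shown above, flags random-key entries that use non-persistent /dev/hdaN or /dev/sdaN names or lack the swap/tmp option, and verifies that every mapping has a matching fstab entry of the right type. The sample file contents are constructed from this page's entries; the /dev/disk/by-id/ and /dev/disk/by-path/ prefixes it accepts as persistent are a convention, and the exact names under them depend on your hardware.

```python
# Constructed sample files, following the entries shown on this page.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cryptswp /dev/hda5 /dev/urandom swap
crypttmp /dev/hda8 /dev/urandom tmp
"""
SAMPLE_FSTAB = """\
/dev/mapper/cryptswp none swap sw 0 0
/dev/mapper/crypttmp /tmp ext2 defaults 0 0
"""

RANDOM_KEYS = ("/dev/urandom", "/dev/random")
PERSISTENT_PREFIXES = ("/dev/disk/by-id/", "/dev/disk/by-path/")  # assumption: what we accept as stable
MAPPER = "/dev/mapper/"

def _fields(text):
    """Yield the whitespace-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_crypttab(text):
    """Entries as dicts; 'options' maps each option name to its value or None."""
    entries = []
    for f in _fields(text):
        if len(f) < 2:
            continue  # crypttab needs at least a target name and a source device
        options = {}
        for opt in (f[3].split(",") if len(f) > 3 else []):
            key, _, value = opt.partition("=")
            options[key] = value or None
        entries.append({"name": f[0], "device": f[1],
                        "key": f[2] if len(f) > 2 else "none", "options": options})
    return entries

def parse_fstab(text):
    """Map each fstab device to its mount point and file system type."""
    return {f[0]: {"mountpoint": f[1], "type": f[2]} for f in _fields(text) if len(f) >= 3}

def check(crypttab_text, fstab_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    fstab = parse_fstab(fstab_text)
    names = set()
    for e in parse_crypttab(crypttab_text):
        name, opts = e["name"], e["options"]
        names.add(name)
        random_key = e["key"] in RANDOM_KEYS
        if random_key and not e["device"].startswith(PERSISTENT_PREFIXES):
            findings.append("%s: random key on non-persistent device %s; if the kernel numbers the disks "
                            "differently, the wrong partition is wiped at boot. Use a /dev/disk/by-id/ or "
                            "by-path/ name (UUID= is no use here: a random key leaves no persistent "
                            "file system to identify)" % (name, e["device"]))
        if random_key and not ("swap" in opts or "tmp" in opts):
            findings.append("%s: random key without the swap or tmp option, so the device is never "
                            "formatted and is unusable after every boot" % name)
        mapped = fstab.get(MAPPER + name)
        if mapped is None:
            findings.append("%s: no /etc/fstab entry for %s%s" % (name, MAPPER, name))
            continue
        if "swap" in opts and mapped["type"] != "swap":
            findings.append("%s: crypttab option swap but fstab type %s" % (name, mapped["type"]))
        # tmp=<fs> names the file system to create; a bare tmp leaves the choice to the distribution.
        if "tmp" in opts and opts["tmp"] and mapped["type"] != opts["tmp"]:
            findings.append("%s: crypttab creates %s but fstab mounts it as %s" % (name, opts["tmp"], mapped["type"]))
    for dev in fstab:
        # Hint only: LVM logical volumes also live under /dev/mapper and have no crypttab entry.
        if dev.startswith(MAPPER) and dev[len(MAPPER):] not in names:
            findings.append("%s: mounted in fstab but not defined in crypttab (typo, or an LVM volume?)" % dev)
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python crypttab_check.py [/etc/crypttab /etc/fstab]; without arguments the sample is checked.
    if len(sys.argv) == 3:
        crypttab, fstab = (open(p).read() for p in sys.argv[1:3])
    else:
        crypttab, fstab = SAMPLE_CRYPTTAB, SAMPLE_FSTAB
    for finding in check(crypttab, fstab) or ["no findings"]:
        print(finding)
```

Run on the page's own entries it reports both /dev/hdaN devices as non-persistent; with /dev/disk/by-id/ names and the fstab lines above it reports nothing. The last check deliberately errs on the side of noise, since LVM volumes appear under /dev/mapper as well.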