Linux DM-Crypt

From JonDonym Wiki
Revision as of 11:24, 12 March 2010 by Geko (Talk | contribs)


HowTo encrypt data with DM-Crypt

DM-Crypt is part of the Linux kernel. All distributions ship the necessary software (kernel module, userspace tools). DM-Crypt works on encrypted containers of fixed size. A container may be a hard disk partition or an image file.

You have to install the following software packages:

  • cryptsetup: creates, opens, closes and manages encrypted containers.
  • pam-mount: simplifies opening and closing with scripts.

For installation you may use the package manager of your distribution:

Debian: aptitude install cryptsetup libpam-mount
RedHat: yum install util-linux-crypto libpam-mount

Note: If you get an error from cryptsetup like "Command failed: Failed to setup dm-crypt key mapping", you have to load the kernel module dm_crypt first.

modprobe dm_crypt

Encrypt a hard disk partition

Encryption of a free hard disk partition is simple. The example shows the encryption of /dev/sda4. The script will ask you 3 times for the passphrase.

luksformat -t ext3 /dev/sda4

If the package pam-mount was installed, you can mount the encrypted partition with mount.crypt.

mount.crypt /dev/sda4 /mnt

You can close the container with umount.crypt.

umount.crypt /mnt

Encrypted image file

If there is no free partition on your server, you can use an image file.

  1. Create an empty image file large enough to hold your data (example: 100 MByte)
  2. Connect a loop device to the image file.
  3. Fill the first 2 MB with random data.
  4. Init the encrypted data container (luksFormat).
  5. Open the encrypted data container (luksOpen).
  6. Create a file system on the new device.
  7. Close the encrypted data container (luksClose).
  8. Close the loop device.

dd if=/dev/zero of=geheim.luks bs=1M count=100
losetup /dev/loop0 geheim.luks
dd if=/dev/urandom of=/dev/loop0 bs=1M count=2
cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 -y /dev/loop0
cryptsetup luksOpen /dev/loop0 <name>
mkfs.ext3 /dev/mapper/<name>
cryptsetup luksClose <name>
losetup -d /dev/loop0
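Before a partition or image file is handed to mount.crypt or luksOpen (and before anything is overwritten with random data, as in step 3), it is worth checking whether the device already carries a LUKS header. The real tool does this with `cryptsetup isLuks DEVICE`; the following script is an added example, not part of the wiki page, that reads the LUKS1 header fields directly with dd and od, so the result of luksFormat above can be inspected without opening the container. The file name luks-header.sh and the sample header written by make_sample_header are constructed for this example; the sample mirrors the parameters used above (aes-cbc-essiv:sha256, 256-bit key) and is not a dump of a real device.

```shell
#!/bin/sh
# luks-header.sh: added example, not from the JonDonym wiki. Checks whether a
# partition or image file actually carries a LUKS1 header before it is given
# to mount.crypt or cryptsetup luksOpen, and reports what luksFormat wrote.
# LUKS1 on-disk layout used here (big-endian): magic "LUKS\xba\xbe" at offset 0,
# 16-bit version at offset 6, then NUL-padded strings cipher-name (offset 8,
# 32 bytes), cipher-mode (40, 32), hash-spec (72, 32), 32-bit key-bytes at 108.

# raw FILE OFFSET LEN: LEN bytes at OFFSET as lower-case hex without separators
raw() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# field FILE OFFSET LEN: a NUL-padded header string with the padding removed
field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# is_luks FILE: exit 0 if the LUKS magic is present at offset 0
is_luks() {
    [ "$(raw "$1" 0 6)" = "4c554b53babe" ]
}

luks_version() {      # header version as a decimal number
    echo $(( 0x$(raw "$1" 6 2) ))
}

luks_cipher_spec() {  # cipher-name plus cipher-mode, e.g. aes-cbc-essiv:sha256
    printf '%s-%s\n' "$(field "$1" 8 32)" "$(field "$1" 40 32)"
}

luks_hash_spec() {    # hash used for the PBKDF2 passphrase derivation
    field "$1" 72 32
}

luks_key_bits() {     # master key size in bits, as given to luksFormat -s
    echo $(( 0x$(raw "$1" 108 4) * 8 ))
}

# check_container FILE: 0 and a summary line if FILE is LUKS, 1 otherwise
check_container() {
    if [ ! -r "$1" ]; then
        echo "$1: cannot read" >&2; return 2
    fi
    if ! is_luks "$1"; then
        echo "$1: no LUKS header found (not initialised with luksFormat?)" >&2
        return 1
    fi
    echo "$1: LUKS v$(luks_version "$1"), cipher $(luks_cipher_spec "$1"), $(luks_key_bits "$1")-bit key, hash $(luks_hash_spec "$1")"
}

# pad32 STRING: STRING padded with NUL bytes to 32 bytes (for the sample header)
pad32() { printf '%-32s' "$1" | tr ' ' '\000'; }

# make_sample_header FILE: constructed test data, not a dump of a real device.
# Writes the first 112 bytes of a header like the one luksFormat
# -c aes-cbc-essiv:sha256 -s 256 produces (version 1, key-bytes 32).
make_sample_header() {
    {
        printf 'LUKS\272\276'                            # magic
        printf '\000\001'                                # version 1
        pad32 aes; pad32 cbc-essiv:sha256; pad32 sha1    # cipher, mode, hash
        printf '\000\000\020\000'                        # payload offset (sectors)
        printf '\000\000\000\040'                        # key bytes = 32
    } >"$1"
}

# usage: luks-header.sh /dev/sda4   or   luks-header.sh geheim.luks
if [ $# -gt 0 ]; then
    check_container "$1"
fi
```

Run as root against a partition (plain files need no special rights). A zero-filled image or a device that was never formatted fails the magic check, which is the situation behind the "Failed to setup dm-crypt key mapping" style of errors when the header is missing rather than the module.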

If the package pam-mount has been installed, you can mount the encrypted image with mount.crypt in one step.

mount.crypt geheim.luks /mnt -o loop

You can close the container with umount.crypt.

umount.crypt /mnt

The script mount.crypt executes 3 steps. You can do these steps by hand if mount.crypt does not work.

losetup /dev/loop0 geheim.luks
cryptsetup luksOpen /dev/loop0 <name>
mount /dev/mapper/<name> /mnt

The script umount.crypt also executes 3 steps.

umount /mnt
cryptsetup luksClose <name>
losetup -d /dev/loop0
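The manual sequences above hard-code /dev/loop0, which is the usual source of mistakes: if loop0 is already in use, losetup fails, and a typo in the device name between steps sends the random data or the luksFormat to the wrong device. The following script is an added example, not part of the wiki page or of pam-mount, that wraps the creation steps (1 to 8) and the open and close sequences: the loop device is assigned by the kernel with `losetup -f --show`, each step is checked, and a failed open is rolled back (luksClose, losetup -d) so no half-opened container is left behind. The file name luks-image.sh and the DRY_RUN/DRY_RUN_LOG variables are assumptions of this example; with DRY_RUN set, privileged commands are only recorded, which is how the script can be exercised without root.

```shell
#!/bin/sh
# luks-image.sh: added example, not from the JonDonym wiki. Wraps the create,
# open and close sequences for a LUKS image file so that each step is checked,
# the loop device is assigned by the kernel (losetup -f --show) instead of being
# hard-coded, and a failure half-way through an open is rolled back.
# Needs root. With DRY_RUN=1 (an assumption of this example) every privileged
# command is appended to $DRY_RUN_LOG instead of being executed.
set -u

# run CMD...: execute CMD, or only record it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*" >>"${DRY_RUN_LOG:-/dev/stderr}"
        return 0
    fi
    "$@"
}

# attach_loop IMAGE: attach the next free loop device and print its name
attach_loop() {
    if [ -n "${DRY_RUN:-}" ]; then
        run losetup -f --show "$1"
        echo /dev/loopN          # placeholder device name in dry-run mode
    else
        losetup -f --show "$1"
    fi
}

# create_image IMAGE SIZE_MB NAME: steps 1 to 8 of the wiki procedure
create_image() {
    img=$1 size=$2 name=$3
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    run dd if=/dev/zero of="$img" bs=1M count="$size" || return 1
    dev=$(attach_loop "$img") || return 1
    # overwrite the header area with random data before formatting (step 3)
    if ! run dd if=/dev/urandom of="$dev" bs=1M count=2; then
        run losetup -d "$dev"; return 1
    fi
    if ! run cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 -y "$dev"; then
        run losetup -d "$dev"; return 1
    fi
    if ! run cryptsetup luksOpen "$dev" "$name"; then
        run losetup -d "$dev"; return 1
    fi
    run mkfs.ext3 /dev/mapper/"$name"
    rc=$?
    run cryptsetup luksClose "$name"
    run losetup -d "$dev"
    return $rc
}

# open_image IMAGE MOUNTPOINT NAME: the 3 steps of mount.crypt, with rollback;
# prints the loop device so the caller can hand it to close_image
open_image() {
    img=$1 mnt=$2 name=$3
    dev=$(attach_loop "$img") || return 1
    if ! run cryptsetup luksOpen "$dev" "$name"; then
        run losetup -d "$dev"
        return 1
    fi
    if ! run mount /dev/mapper/"$name" "$mnt"; then
        run cryptsetup luksClose "$name"
        run losetup -d "$dev"
        return 1
    fi
    echo "$dev"
}

# close_image MOUNTPOINT NAME LOOPDEV: the 3 steps of umount.crypt
close_image() {
    mnt=$1 name=$2 dev=$3
    run umount "$mnt" || return 1
    run cryptsetup luksClose "$name" || return 1
    run losetup -d "$dev"
}

# usage: luks-image.sh create IMAGE SIZE_MB NAME
#        luks-image.sh open   IMAGE MOUNTPOINT NAME   (prints the loop device)
#        luks-image.sh close  MOUNTPOINT NAME LOOPDEV
if [ $# -gt 0 ]; then
    cmd=$1; shift
    case $cmd in
        create) create_image "$@" ;;
        open)   open_image "$@" ;;
        close)  close_image "$@" ;;
        *) echo "usage: $0 create|open|close ..." >&2; exit 2 ;;
    esac
fi
```

If the loop device printed by `open` was not noted, `losetup -j geheim.luks` lists the loop devices currently backing the image.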