1. Introduction
2. Installation
3. Commands
4. Using dm-crypt with LVM
5. Using dm-crypt for root partition
6. Using LUKS extension
7. Related documents
8. About
This document is based on the official dm-crypt homepage and briefly explains how to create a crypted filesystem using dm-crypt.
1.1. What is dm-crypt
Device Mapper crypt is a recent infrastructure that uses the Linux 2.6 cryptoapi. The device is crypted with a key and protected with a passphrase. Without them, it is not possible to access the data.
The big advantages of using dm-crypt are:
- cleaner code than cryptoloop
- flexible configuration interface
- imperceptible performance loss
- the LUKS (Linux Unified Key Setup) extension
2.1. Kernel-space
To work with dm-crypt, the kernel must support the following elements:
CONFIG_BLK_DEV_DM (Multi-device support (RAID and LVM))
CONFIG_DM_CRYPT (Multi-device support (RAID and LVM))
CONFIG_CRYPTO_AES_586 (Cryptographic options)
2.2. Kernel-space issue with USB keyboard
2.2.1. Problem description
During the system start up, the user is asked for the passphrase(s). If you have a USB keyboard and the USB driver is not available yet, there is no way to enter the necessary passphrase(s).
This problem has been solved by adding a timeout. In this way, if no password can be entered, the startup process will still continue sooner or later.
2.2.2. Problem solution
A safe solution is to build all the needed drivers directly into the kernel (not as modules). I know there are other solutions, but I think it is important to guarantee as early as possible that the input device will work properly. What could you do if something went wrong and the keyboard did not work? With this solution, the keyboard can be used to try to solve the problem.
Here are the elements that have to be compiled into the kernel (built-in, not as modules!):
CONFIG_INPUT
CONFIG_INPUT_KEYBOARD
CONFIG_USB
CONFIG_USB_EHCI_HCD
CONFIG_USB_OHCI_HCD
CONFIG_USB_UHCI_HCD
CONFIG_USB_HID
CONFIG_USB_HIDINPUT
CONFIG_USB_HIDDEV
2.3. User-space
There is a package providing all the needed user-space applications. To install it, execute:
apt-get install cryptsetup
Additionally, to create a key inside a file install:
apt-get install hashalot
3.1. Creating a crypted partition
To create a crypted partition, a normal partition must first be created; the crypted device is then associated with it.
3.1.1. Creating not crypted partition
The partition can be a normal partition (e.g. /dev/hda2) or a LVM partition (e.g.: /dev/vg0/lv0)
For normal partition:
cfdisk /dev/hda
For LVM (deprecated, see "Using dm-crypt with LVM"):
lvcreate -L 1G -n lvmcrypted vg
3.1.2. Creating the crypted device
For normal partition:
cryptsetup -y create crypted /dev/hda2
The crypted device is called "crypted" and has been associated to /dev/hda2.
For LVM (deprecated, see "Using dm-crypt with LVM"):
cryptsetup -y create crypted /dev/mapper/vg-lvmcrypted
The crypted device is called "crypted" and has been associated to /dev/mapper/vg-lvmcrypted.
3.1.3. Creating filesystem on the crypted device
Create the filesystem as normal:
mkfs.reiserfs /dev/mapper/crypted
Note that the filesystem has been created on the associated crypted device /dev/mapper/crypted and not on the underlying unencrypted partition /dev/hda2.
3.1.4. Updating /etc/crypttab
To make the crypted device available to the system also after a reboot, the crypttab file must be updated.
For normal partition, add a line like the following:
crypted /dev/hda2
For normal partition using the LUKS extension, add a line like the following:
crypted /dev/hda2 none luks
For LVM partition, add a line like the following (deprecated, see "Using dm-crypt with LVM"):
crypted /dev/vg/lvmcrypted
3.1.5. Updating /etc/fstab
To mount the crypted partitions after each boot, a mount point must be created and the fstab file must be updated.
Create the mount point:
mkdir /mnt/crypted
Add a line like the following in /etc/fstab:
/dev/mapper/crypted /mnt/crypted reiserfs defaults
Here there is no difference between normal and LVM partitions, because in both cases the data is accessed via the crypted device only.
3.1.6. Mounting crypted partition
Now it's possible to mount the partition:
mount /mnt/crypted
3.2. Removing a crypted partition
3.2.1. Unmounting crypted partition
To remove a crypted partition, it must first be unmounted:
umount /mnt/crypted
3.2.2. Removing the crypted device
Now it's possible to remove the crypted device:
cryptsetup remove crypted
3.2.3. Cleaning up
Don't forget to update the /etc/fstab and /etc/crypttab files, and to remove the unused mount point and partition.
3.3. Creating a crypted swap
Since data can be temporarily copied to swap, it's a good idea to encrypt the swap as well.
Here too, a normal partition must first be created and then associated with the crypted device.
3.3.1. Creating not crypted partition
The partition can be a normal partition (e.g. /dev/hda3) or a LVM partition (e.g.: /dev/vg0/lv1)
For normal partition:
cfdisk /dev/hda
For LVM (deprecated, see "Using dm-crypt with LVM"):
lvcreate -L 1G -n lvmswap vg
3.3.2. Creating the crypted device
For normal partition:
cryptsetup -y create cryptswap /dev/hda3
For LVM (deprecated, see "Using dm-crypt with LVM"):
cryptsetup -y create cryptswap /dev/mapper/vg-lvmswap
3.3.3. Creating filesystem
Create the swap area as normal:
mkswap /dev/mapper/cryptswap
Note that here too the swap area has been created on the associated crypted device /dev/mapper/cryptswap and not on the underlying unencrypted partition /dev/hda3.
3.3.4. Updating /etc/crypttab
To make also this crypted device available to the system after a reboot, the crypttab file must be updated.
For normal partition, add a line like the following:
cryptswap /dev/hda3 /dev/random swap
For LVM partition, add a line like the following (deprecated, see "Using dm-crypt with LVM"):
cryptswap /dev/vg/lvmswap /dev/random swap
Using /dev/random as the key creates a new random key at each boot, so you won't be prompted for a passphrase each time.
3.3.5. Updating /etc/fstab
To mount the crypted swap after each boot, the fstab file must be updated.
Add a line like the following in /etc/fstab:
/dev/mapper/cryptswap none swap sw,pri=1
Here too there is no difference between normal and LVM partitions, because in both cases the data is accessed via the crypted device.
3.3.6. Activating swap
Activate all swap partitions by calling:
swapon -a
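The crypttab and fstab entries of sections 3.1.4/3.1.5 and 3.3.4/3.3.5 only work together when the name in the first column of /etc/crypttab is exactly the name used in the /dev/mapper/<name> path of /etc/fstab; a mismatch is only noticed when the mount fails at boot. The following POSIX shell script is an added example, not part of the original howto, that cross-checks constructed sample file contents for this, and additionally flags entries keyed from /dev/random or /dev/urandom that lack the swap option (with a fresh random key at every boot the device has to be re-initialised with mkswap each time, which is what the swap option makes the boot scripts do). The sample contents, including the deliberately wrong /dev/mapper/cryptedtmp line, are constructed for the example; on a real system pass "$(cat /etc/crypttab)" and "$(cat /etc/fstab)" instead.

```sh
#!/bin/sh
# Added example (not from the original howto): cross-check crypttab against fstab.
# All file contents below are constructed samples.

# Constructed sample crypttab: name, source device, key, options.
SAMPLE_CRYPTTAB='crypted /dev/hda2
cryptswap /dev/hda3 /dev/random swap'

# Constructed sample fstab; the last line references a mapper name that has no
# crypttab entry, to show that the check catches it.
SAMPLE_FSTAB='/dev/mapper/crypted /mnt/crypted reiserfs defaults 0 0
/dev/mapper/cryptswap none swap sw,pri=1 0 0
/dev/mapper/cryptedtmp /tmp reiserfs defaults 0 0'

# Constructed crypttab with a random key but without the swap option.
BAD_CRYPTTAB='cryptswap /dev/hda3 /dev/random'

# Print every /dev/mapper/<name> used in fstab ($2) that has no crypttab ($1)
# entry with that name; such a mount fails at boot because the device is never set up.
check_mapper_names() {
    printf '%s\n' "$2" | while read -r dev rest; do
        case "$dev" in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                if ! printf '%s\n' "$1" | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
                    echo "$name"
                fi ;;
        esac
    done
}

# Print every crypttab ($1) entry keyed from /dev/random or /dev/urandom that
# lacks the swap option: the key changes at every boot, so the device must be
# re-initialised with mkswap each time.
check_random_keys() {
    printf '%s\n' "$1" | while read -r name src key opts; do
        case "$key" in
            /dev/random|/dev/urandom)
                case ",$opts," in
                    *,swap,*) ;;
                    *) echo "$name" ;;
                esac ;;
        esac
    done
}

# Combined check: status 0 only when nothing is reported.
check_crypttab_fstab() {
    problems=$(check_mapper_names "$1" "$2" | sed 's/^/fstab mapper device without crypttab entry: /'
               check_random_keys "$1" | sed 's/^/random key without swap option: /')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Demonstration on the constructed samples (the first one is expected to report a problem).
if check_crypttab_fstab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"; then
    echo "sample configuration is consistent"
else
    echo "sample configuration has problems (expected for this demo)"
fi
check_crypttab_fstab "$BAD_CRYPTTAB" "$SAMPLE_FSTAB" || echo "BAD_CRYPTTAB rejected (expected)"
```

The check reads only the first four columns of crypttab, which is all the howto uses; Debian's crypttab accepts further options in the fourth column, and the comma-separated match above handles them.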
4.1. Possibilities
There are the following possibilities for using dm-crypt with LVM:
1) dm-crypt over LVM
2) LVM over dm-crypt
The first one creates an LVM partition and then a dm-crypt device linked to that LVM partition.
With this solution, you need a dm-crypt device for each LVM partition, which means entering the passphrase for each crypted partition.
This solution has been reported to work, but I haven't tried it.
The second one creates a dm-crypt device and then one or more LVM partitions on top of it.
With this solution, you need only one dm-crypt device for several LVs, which means entering the passphrase only once.
This is the only solution described in this document.
4.2. Enabling LVM over dm-crypt
It may be that the system is not configured to accept a device-mapper device as an LVM physical volume, which means it is not possible to create LVM partitions on a dm-crypt device.
To enable LVM over dm-crypt, add a line like the following to the devices section of /etc/lvm/lvm.conf:
types = [ "device-mapper", 16 ]
If this file is missing, you can create one with the following command:
lvm dumpconfig > /etc/lvm/lvm.conf
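A missing types entry usually shows up only when creating the physical volume on the dm-crypt device fails, so it is worth checking the file before going further. The following POSIX shell functions are an added example, not part of the original howto or of LVM itself: they check a configuration text for a types entry that lists "device-mapper" and insert the line shown above into the devices { } section when it is missing, leaving the text unchanged when it is already there. The lvm.conf content is a constructed sample; on a real system call enable_dm_type "$(cat /etc/lvm/lvm.conf)" and write the output back only after reviewing it.

```sh
#!/bin/sh
# Added example (not from the original howto): make sure lvm.conf lists
# device-mapper as an acceptable device type (section 4.2).
# Operates on text passed as an argument; the sample below is constructed.

SAMPLE_LVM_CONF='devices {
    dir = "/dev"
    scan = [ "/dev" ]
    filter = [ "a/.*/" ]
}
activation {
    missing_stripe_filler = "/dev/ioerror"
}'

# Status 0 when a types entry already lists device-mapper.
has_dm_type() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*types[[:space:]]*=.*"device-mapper"'
}

# Status 0 when any types entry exists (with or without device-mapper).
has_types_line() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*types[[:space:]]*='
}

# Print the configuration with device-mapper enabled. Idempotent: a configuration
# that already has the entry comes back unchanged. If a types entry without
# device-mapper exists, the list has to be edited by hand, so the text is printed
# unchanged and the status is 2.
enable_dm_type() {
    if has_dm_type "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    if has_types_line "$1"; then
        echo "existing types entry lacks device-mapper; add it to that list by hand" >&2
        printf '%s\n' "$1"
        return 2
    fi
    printf '%s\n' "$1" | awk '
        { print }
        /^[ \t]*devices[ \t]*[{]/ && !done {
            print "    types = [ \"device-mapper\", 16 ]"
            done = 1
        }
        END {
            if (!done) {   # no devices section at all: append one
                print "devices {"
                print "    types = [ \"device-mapper\", 16 ]"
                print "}"
            }
        }'
}

# Demonstration on the constructed sample.
FIXED=$(enable_dm_type "$SAMPLE_LVM_CONF")
printf '%s\n' "$FIXED"
```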
I have written a separate howto that describes how to install the whole OS in a crypted partition.
See http://emidio.planamente.ch/pages/linux_howto_root_lvm_dmcrypt.php.
6.1. Introduction
LUKS stands for Linux Unified Key Setup and is a standard for hard disk encryption.
Some interesting features are:
- support for multiple passwords
- password revocation
6.2. Creating LUKS device using a passphrase
Format /dev/hda2 as a LUKS device (the existing contents of the partition become inaccessible):
cryptsetup luksFormat /dev/hda2
Open the encrypted device and map it as "crypted":
cryptsetup luksOpen /dev/hda2 crypted
6.2.1. Creating filesystem
mkreiserfs /dev/mapper/crypted
6.2.2. Mounting the crypted device
mount /dev/mapper/crypted /mnt/
6.3. Closing crypted device
cryptsetup luksClose crypted
6.4. Creating LUKS device using a key file
dd if=/dev/urandom of=keyfile bs=1k count=2
cryptsetup luksFormat /dev/hda2 keyfile
6.5. Opening crypted device with keyfile
cryptsetup -d keyfile luksOpen /dev/hda2 crypted
6.6. Adding key
Adding passphrase:
cryptsetup luksOpen /dev/hda2 crypted
cryptsetup luksAddKey /dev/hda2
cryptsetup luksClose crypted
Adding keyfile:
cryptsetup luksOpen /dev/hda2 crypted
cryptsetup luksAddKey /dev/hda2 keyfile
cryptsetup luksClose crypted
6.7. Deleting key
cryptsetup luksDelKey /dev/hda2 <key slot number>
The argument is the number of the key slot to delete (0 to 7), as shown by luksDump; newer cryptsetup versions call this action luksKillSlot.
6.8. Dumping LUKS header
cryptsetup luksDump /dev/hda2
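Both the key deletion of 6.7 and the header dump of 6.8 work with key slot numbers, and a deleted slot cannot be recovered: deleting the last enabled slot leaves no way to unlock the data. The following POSIX shell functions are an added example, not from the original howto or from the cryptsetup project. They parse the "Key Slot N: ENABLED/DISABLED" lines of a luksDump output and approve a deletion only when the slot is enabled and at least one other enabled slot remains. The header dump below is a constructed sample in the cryptsetup 1.x layout with placeholder values, not a real header; on a real system use DUMP=$(cryptsetup luksDump /dev/hda2) and pass "$DUMP".

```sh
#!/bin/sh
# Added example (not from the original howto): decide from the output of
# "cryptsetup luksDump <device>" whether a key slot may safely be deleted.
# The dump below is a constructed sample with placeholder values.

SAMPLE_DUMP='LUKS header information for /dev/hda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             112233
        Salt:                   (placeholder)
Key Slot 1: ENABLED
        Iterations:             112233
        Salt:                   (placeholder)
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of all enabled key slots in dump $1, one per line.
luks_enabled_slots() {
    printf '%s\n' "$1" | awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(":", "", $3); print $3 }'
}

# Print the state (ENABLED/DISABLED) of slot $1 in dump $2, or nothing if it is not listed.
luks_slot_state() {
    printf '%s\n' "$2" | awk -v s="$1" '$1 == "Key" && $2 == "Slot" && $3 == s ":" { print $4 }'
}

# Status 0 (and "ok ...") when slot $1 in dump $2 can be deleted without losing
# the last way to unlock the device; otherwise print the reason and return 1.
luks_check_del_slot() {
    slot=$1
    dump=$2
    state=$(luks_slot_state "$slot" "$dump")
    enabled=$(luks_enabled_slots "$dump" | wc -l | tr -d ' ')
    case "$state" in
        ENABLED)
            if [ "$enabled" -le 1 ]; then
                echo "refuse: slot $slot is the last enabled key slot; deleting it leaves no key to unlock the data"
                return 1
            fi
            echo "ok: slot $slot can be deleted, $((enabled - 1)) enabled slot(s) remain"
            return 0 ;;
        DISABLED)
            echo "refuse: slot $slot is already disabled"
            return 1 ;;
        *)
            echo "refuse: slot $slot is not listed in the header dump"
            return 1 ;;
    esac
}

# The same header after slot 1 has been deleted (derived from the constructed sample).
ONE_SLOT_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" | sed 's/^Key Slot 1: ENABLED/Key Slot 1: DISABLED/')

# Demonstration: the first request is approved, the following ones are refused.
luks_check_del_slot 1 "$SAMPLE_DUMP"
luks_check_del_slot 0 "$ONE_SLOT_DUMP" || true
luks_check_del_slot 2 "$SAMPLE_DUMP" || true
luks_check_del_slot 9 "$SAMPLE_DUMP" || true
```

Only the "Key Slot" lines are interpreted, so the other header fields of the dump (cipher, hash, UUID) do not matter for the check; run it against the dump of the same device you are about to pass to luksDelKey.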
7.1. dm-crypt homepage
http://www.saout.de/misc/dm-crypt
7.2. dm-crypt wiki
http://www.saout.de/tikiwiki/tiki-index.php
7.3. dm-crypt howto for Debian
http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO
7.4. dm-crypt howto for LVM
http://www.saout.de/tikiwiki/tiki-index.php?page=LVM2+over+dmcrypt
8.1. Author
Emidio Planamente <eplanamente@gmx.ch>
8.2. History
Version 1
First public release