Encrypt your hard drives on Linux by dm-crypt and LUKS


Forrest Sheng Bao <http://forrest.bao.googlepages.com >

dm-crypt, transparent encryption of a device-mapper target, has been part of the stable Linux kernel since version 2.6.4. Encryption on a mapping device means that data are first written to a virtual mapping device, which is mapped to a real physical device, and are encrypted on the way through. In this manner you can encrypt an entire partition, including the file system journal. dm-crypt also has a useful extension, LUKS (Linux Unified Key Setup), which stores a header with the cipher parameters and passphrase-protected key slots on the device itself.

In this article I will introduce two options. The first one does not use LUKS and is suitable for internal hard drives. The second one uses LUKS and is suitable for removable storage, such as a USB memory stick.

The environment is Ubuntu 8.10 on x86, but it should also work on other Linux distributions.

Step 1: Install required packages:
forrest@rainbow:~$ sudo apt-get install cryptsetup

Step 2: load modules:
forrest@rainbow:~$ sudo modprobe dm_mod
forrest@rainbow:~$ sudo modprobe dm_crypt

Now check that /dev/mapper exists:
forrest@rainbow:~$ sudo ls -l /dev/mapper/control
crw-rw---- 1 root root 10, 62 2007-09-08 21:15 /dev/mapper/control

Check that AES is supported:
forrest@rainbow:~$ sudo grep aes /proc/crypto
name : aes
driver : aes-generic
module : aes

Check that the crypt target is supported:
forrest@rainbow:~$ sudo dmsetup targets
crypt v1.3.0
striped v1.0.2
linear v1.0.2
error v1.0.1

Before you move on, one warning:
DO NOT perform the following operations on a device or partition that is already mounted.

From here the procedure forks. Option 1 is the non-LUKS setup, suitable for an internal hard drive; Option 2 is the LUKS setup, suitable for portable devices.

Option 1: non-LUKS option, suitable for internal hard drive:
Step 3: Create the mapping between the encrypted device (/dev/mapper/forrest) and the real physical device (/dev/sda8). The -y option asks for the passphrase twice; in plain (non-LUKS) mode nothing on the device ever verifies the passphrase later, so this is the only protection against a typo you get:
forrest@rainbow:~$ sudo cryptsetup -y create forrest /dev/sda8
Enter passphrase:
Verify passphrase:

Confirm it works:
forrest@rainbow:~$ sudo dmsetup ls
forrest (254, 0)
forrest@rainbow:~$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 63 2007-09-08 22:50 control
brw-rw---- 1 root disk 254, 0 2007-09-08 22:51 forrest

Step 4: Create a file system on the encrypted device.
Attention: on the encrypted device (/dev/mapper/forrest), not on the real physical device.
DO IT JUST ONCE! DO NOT DO IT EVERY TIME YOU MOUNT/READ/WRITE AN ENCRYPTED PARTITION! YOU WILL LOSE ALL YOUR DATA!
forrest@rainbow:~$ sudo mkfs.ext3 -m 1 -L FORREST /dev/mapper/forrest

I used two ext3 options here: -m 1 reserves 1% of the blocks for root instead of the default 5%, and -L sets the volume label.

Step 5: Mount the encrypted device:
forrest@rainbow:~$ sudo mkdir /forrest
forrest@rainbow:~$ sudo mount /dev/mapper/forrest /forrest

Step 6: Make the mount point writable to myself (note that it is the mount point /forrest that gets the ownership, and only while the volume is mounted):
forrest@rainbow:~$ sudo chown forrest:forrest /forrest

Verify it works:
forrest@rainbow:~$ grep forrest /proc/mounts
/dev/mapper/forrest /forrest ext3 rw,data=ordered 0 0

Step 7: To unmount gracefully, unmount the file system first and then remove the mapping by its name:
sudo umount /forrest
sudo cryptsetup remove forrest

DONE!

Note 1: Next time, if you want to mount this partition manually, you just need to run these two commands:
sudo cryptsetup create forrest /dev/sda8
sudo mount /dev/mapper/forrest /forrest

If the mount fails with a "bad superblock" or "wrong fs type" error, the most likely cause is a mistyped passphrase: plain dm-crypt simply derives a different key and presents garbage. Remove the mapping with sudo cryptsetup remove forrest and try again. Do NOT run mkfs.

Note 2: You can also have it mounted when the computer boots.
Make /etc/crypttab look like this:
forrest /dev/sda8 none cipher=aes

Then insert this line into /etc/fstab:
/dev/mapper/forrest /forrest ext3 defaults 0 1

Because plain mode has no header, the cipher, key size and hash used at boot must be exactly the ones cryptsetup create used when you made the file system; a mismatch is not detected, it just produces an unmountable device. If you relied on the defaults in one place, spell them out in both.

When you start your computer, you will see a prompt to enter the passphrase. But I don't know why the passphrase is displayed.
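The same two entries with the plain-mode parameters written out, as an added example that is not part of the original article. The cipher, size and hash values are assumptions standing in for whatever your cryptsetup create command actually used; while the volume is open, sudo cryptsetup status forrest prints the cipher and key size to compare against, but the hash is not recorded anywhere and has to be the one used at creation.

```text
# /etc/crypttab   (target  source  keyfile  options)
# Original line from the article; "aes" expands to aes-cbc-plain in dm-crypt,
# and size and hash fall back to cryptsetup's defaults:
#forrest /dev/sda8 none cipher=aes
# Explicit form (assumed values): nothing on the device can catch a mismatch,
# so every parameter that went into the key is written down here.
forrest /dev/sda8 none cipher=aes-cbc-plain,size=256,hash=ripemd160

# /etc/fstab
/dev/mapper/forrest /forrest ext3 defaults 0 1
```

Keep the two crypttab lines from both being active at once; the target name must be unique.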

END of Option 1.

Option 2: LUKS option, suitable for portable devices, such as USB drive:

Step 3: Set up LUKS. This writes the LUKS header to the partition and destroys whatever was there:
forrest@rainbow:~$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/hdd1
WARNING!
========
This will overwrite data on /dev/hdd1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Step 4: Open the LUKS device: the real physical device "/dev/hdd1" is unlocked and mapped to the encrypted device "/dev/mapper/backup". Unlike plain mode, a wrong passphrase is rejected here, because LUKS verifies it against the key slots in the header:
forrest@rainbow:~$ sudo cryptsetup luksOpen /dev/hdd1 backup
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Confirm it works:
forrest@rainbow:~$ sudo dmsetup ls
backup (254, 1)
forrest (254, 0)
forrest@rainbow:~$ ls -l /dev/mapper/
total 0
brw-rw---- 1 root disk 254, 1 2007-09-09 16:36 backup
crw-rw---- 1 root root 10, 63 2007-09-08 22:50 control
brw-rw---- 1 root disk 254, 0 2007-09-08 22:51 forrest


Step 5: Create a file system on the encrypted device. Attention: on the encrypted device (/dev/mapper/backup), not on the real physical device.
DO IT JUST ONCE! DO NOT DO IT EVERY TIME YOU MOUNT/READ/WRITE AN ENCRYPTED PARTITION! YOU WILL LOSE ALL YOUR DATA!
forrest@rainbow:~$ sudo mkfs.ext3 -m 1 -L BAKCUP.SG /dev/mapper/backup

I used two ext3 options here: -m 1 reserves 1% of the blocks for root instead of the default 5%, and -L sets the volume label.

Step 6: Mount the encrypted device (/dev/mapper/backup) to a mount point (/backup).
forrest@rainbow:~$ sudo mkdir /backup
forrest@rainbow:~$ sudo mount /dev/mapper/backup /backup/

Step 7: Make it writable to myself:
forrest@rainbow:~$ sudo chown forrest:forrest /backup

Verify it works:
forrest@rainbow:~$ grep backup /proc/mounts
/dev/mapper/backup /backup ext3 rw,data=ordered 0 0

Step 8: To unmount gracefully, unmount the file system first and then close the mapping by its name:
forrest@rainbow:~$ sudo umount /backup
forrest@rainbow:~$ sudo cryptsetup luksClose backup

DONE!

Note 1: Next time, if you want to mount this partition manually, just do the luksOpen and mount operations:
sudo cryptsetup luksOpen /dev/hdd1 backup
sudo mount /dev/mapper/backup /backup/

END of Option 2.
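The open/mount and unmount/close steps of Option 1 (plain dm-crypt) and Option 2 (LUKS) above, wrapped in one script as an added example; this is not code from the original article. The PLAIN_OPTS values, the mapping and mount point names, and the DRY_RUN rehearsal mode are this example's own assumptions. The script never runs mkfs: a mount failure is treated as a wrong passphrase or a damaged file system, and the mapping is torn down again.

```shell
#!/bin/sh
# cryptvol.sh: open/mount and umount/close an encrypted volume in plain
# dm-crypt or LUKS mode. Added example; not from the original article.
set -u

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run: execute a command, or print it when rehearsing.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Plain dm-crypt stores no header, so nothing records which cipher, key size
# and hash the passphrase was run through. These must be identical to what
# was in effect when mkfs ran; a mismatch silently derives a different key.
# (Assumed values for this example; use the ones your own setup used.)
PLAIN_OPTS="-c aes-cbc-plain -s 256 -h ripemd160"

# close_volume MODE NAME MOUNTPOINT: umount, then tear down the mapping.
close_volume() {
    cv_mode=$1; cv_name=$2; cv_mnt=$3
    run umount "$cv_mnt" || return 1
    case "$cv_mode" in
        plain) run cryptsetup remove "$cv_name" ;;
        luks)  run cryptsetup luksClose "$cv_name" ;;
        *)     echo "unknown mode: $cv_mode" >&2; return 2 ;;
    esac
}

# open_volume MODE NAME DEVICE MOUNTPOINT OWNER: set up the mapping, mount it,
# hand the mount point to the user. Never formats anything.
open_volume() {
    ov_mode=$1; ov_name=$2; ov_dev=$3; ov_mnt=$4; ov_owner=$5
    case "$ov_mode" in
        plain)
            # PLAIN_OPTS is meant to word-split into separate arguments.
            run cryptsetup $PLAIN_OPTS create "$ov_name" "$ov_dev" || return 1 ;;
        luks)
            # Refuse devices without a LUKS header, so the wrong disk is never "opened".
            run cryptsetup isLuks "$ov_dev" || { echo "$ov_dev is not a LUKS device" >&2; return 1; }
            run cryptsetup luksOpen "$ov_dev" "$ov_name" || return 1 ;;
        *)  echo "unknown mode: $ov_mode" >&2; return 2 ;;
    esac
    run mkdir -p "$ov_mnt"
    if ! run mount "/dev/mapper/$ov_name" "$ov_mnt"; then
        echo "mount of /dev/mapper/$ov_name failed; in plain mode this usually means" >&2
        echo "a mistyped passphrase. Closing the mapping. Do NOT run mkfs." >&2
        case "$ov_mode" in           # nothing is mounted, so only the mapping goes
            plain) run cryptsetup remove "$ov_name" ;;
            luks)  run cryptsetup luksClose "$ov_name" ;;
        esac
        return 1
    fi
    run chown "$ov_owner" "$ov_mnt"
}

# Usage (run as root):
#   cryptvol.sh open  plain forrest /dev/sda8 /forrest forrest:forrest
#   cryptvol.sh open  luks  backup  /dev/hdd1 /backup  forrest:forrest
#   cryptvol.sh close plain forrest /forrest
#   cryptvol.sh close luks  backup  /backup
if [ $# -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        open)  open_volume "$@" ;;
        close) close_volume "$@" ;;
        *)     echo "usage: $0 open|close MODE NAME [DEVICE] MOUNTPOINT [OWNER]" >&2; exit 2 ;;
    esac
fi
```

Run it once with DRY_RUN=1 to see the exact cryptsetup, mount and chown commands it would issue for your device before letting it touch anything.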



Figure 1: You will see a kernel thread called "kcryptd" in the process list while you copy or write files to the encrypted volume.
