dm-crypt is the device-mapper target that provides transparent block-level encryption in Linux; it has been in the stable kernel since version 2.6.4. A mapped device is a virtual block device sitting on top of a real partition or disk: everything written to the mapping is encrypted before it reaches the physical device, and everything read back is decrypted on the way out. Because the encryption sits below the file system, the entire partition is protected, including the file system journal. dm-crypt also has a useful extension, LUKS (Linux Unified Key Setup), which stores the cipher parameters and a set of passphrase key slots in a header on the device itself.
In this article I will introduce two options. The first does not use LUKS and is suitable for an internal hard drive. The second uses LUKS and is suitable for removable storage such as a USB memory stick: because LUKS keeps the cipher parameters in its on-disk header, a LUKS drive can be opened on any machine with cryptsetup without remembering the options it was created with.
The environment is Ubuntu 8.10 x86, but I think it should also work for other Linux distributions.
Step 1: Install required packages:
$ sudo apt-get install cryptsetup
Step 2: Load the modules:
$ sudo modprobe dm_mod
$ sudo modprobe dm_crypt
Now check that /dev/mapper exists:
$ sudo ls -l /dev/mapper/control
crw-rw---- 1 root root 10, 62 2007-09-08 21:15 /dev/mapper/control
Check that AES is supported:
$ sudo grep aes /proc/crypto
name         : aes
driver       : aes-generic
module       : aes
Check that the crypt target is supported:
$ sudo dmsetup targets
crypt            v1.3.0
striped          v1.0.2
linear           v1.0.2
error            v1.0.1
Before you move forward, a warning:
DO NOT perform the following operations on a device or partition that is already mounted. Formatting (luksFormat and mkfs) destroys whatever is on the device, so double-check the device name before every one of these commands.
Now the path forks. One branch is the non-LUKS option, suitable for an internal hard drive; the other is the LUKS option, suitable for portable devices.
Option 1: non-LUKS option, suitable for internal hard drive:
Step 3: Create the mapping between the encrypted device (/dev/mapper/forrest) and the real physical device (/dev/sda8). The -y flag asks for the passphrase twice so a typo is caught now rather than after the file system has been written:
$ sudo cryptsetup -y create forrest /dev/sda8
Enter passphrase:
Verify passphrase:
Without LUKS there is no header on the disk: the cipher, hash and key size are whatever this version of cryptsetup defaults to, and a later cryptsetup, another distribution, or a mistyped passphrase will simply produce a mapping full of garbage with no error message. If you use this option, pass --cipher, --hash and --key-size explicitly and use exactly the same values every time you open the device.
Confirm it works:
$ sudo dmsetup ls
forrest (254, 0)
$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 63 2007-09-08 22:50 control
brw-rw---- 1 root disk 254, 0 2007-09-08 22:51 forrest
Step 4: Create a file system on the encrypted device.
Attention: on the encrypted device (/dev/mapper/forrest), not on the real physical device (/dev/sda8).
DO IT JUST ONCE! DO NOT DO IT EVERY TIME YOU MOUNT/READ/WRITE AN ENCRYPTED PARTITION! YOU WILL LOSE ALL YOUR DATA!
$ sudo mkfs.ext3 -m 1 /dev/mapper/forrest -L FORREST
I used some ext3 options: -m 1 reserves 1% of the blocks for root instead of the default 5%, and -L FORREST sets the volume label.
Step 5: Mount the encrypted device:
$ sudo mkdir /forrest
$ sudo mount /dev/mapper/forrest /forrest
Step 6: Make it writable for my own user:
$ sudo chown forrest:forrest /forrest
Verify it works:
$ grep forrest /proc/mounts
/dev/mapper/forrest /forrest ext3 rw,data=ordered 0 0
Step 7: To unmount gracefully:
$ sudo umount /forrest
$ sudo cryptsetup remove /dev/mapper/forrest
DONE!
Note 1: Next time, to mount this partition manually, you just need to run these two commands:
$ sudo cryptsetup create forrest /dev/sda8
$ sudo mount /dev/mapper/forrest /forrest
There is no passphrase check in this mode: if you mistype it, cryptsetup creates the mapping anyway and the mount fails with a bad-superblock error. Remove the mapping and try again; do not run mkfs at this point.
Note 2: You can also have it mounted when the computer boots.
Put a line like this in /etc/crypttab:
forrest /dev/sda8 none cipher=aes
Then insert this line into /etc/fstab (the last field is the fsck pass number; 1 is reserved for the root file system, so use 2 for any other file system):
/dev/mapper/forrest /forrest ext3 defaults 0 2
When you start your computer, you will see a prompt to enter the passphrase. But I don't know why the passphrase is displayed.
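The following script is an added example and is not part of the original post; it wraps the non-LUKS procedure of Option 1 in the two checks a practitioner wants in plain mode. First, it refuses to touch the backing device while it is mounted (the warning above). Second, since plain mode has no header and cryptsetup cannot tell a wrong passphrase from a right one, it pins the cipher, hash and key size explicitly and, after opening, reads the file system label off the mapping with blkid: if the expected label is not there, the mapping is closed again and nothing is mounted. The mapping name, device and label (forrest, /dev/sda8, FORREST) are taken from the post; the cipher, hash and key-size values are assumptions chosen for the example, not the defaults the post's cryptsetup used, so a volume created with the post's unqualified `cryptsetup create` would need the values that version defaulted to.

```shell
#!/bin/sh
# Added example (not from the original post): safer open/close for a
# plain-mode (non-LUKS) dm-crypt volume as set up in Option 1.
#
# Plain mode stores no header on disk, so:
#   - cipher, hash and key size must be given identically every time,
#     otherwise the mapping silently decrypts to garbage;
#   - a mistyped passphrase is NOT detected by cryptsetup; you only find
#     out when the mount fails (or, worse, after a stray mkfs).
set -eu

NAME=forrest            # mapping name from the post
DEVICE=/dev/sda8        # backing partition from the post
MOUNTPOINT=/forrest
LABEL=FORREST           # label given to mkfs.ext3 in the post
# Pinned explicitly (assumed values for this example): an unqualified
# `cryptsetup create` picks defaults that have changed across releases.
CIPHER=aes-cbc-essiv:sha256
HASH=ripemd160
KEYSIZE=256

# is_mounted DEV [MOUNTS_FILE]: succeed if DEV is the source of a mount in
# MOUNTS_FILE (default /proc/mounts). Field 1 of each line is the source.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# open_cmd: the exact cryptsetup invocation, so the pinned parameters are
# visible and reproducible (the same command must be used every time).
open_cmd() {
    printf 'cryptsetup create -c %s -h %s -s %s %s %s\n' \
        "$CIPHER" "$HASH" "$KEYSIZE" "$NAME" "$DEVICE"
}

# label_ok EXPECTED ACTUAL: plain mode gives no wrong-passphrase error, so
# the file system label found on the mapping is the only sanity check.
label_ok() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

do_open() {
    if is_mounted "$DEVICE"; then
        echo "refusing: $DEVICE is currently mounted" >&2
        return 1
    fi
    echo "+ $(open_cmd)"
    cryptsetup create -c "$CIPHER" -h "$HASH" -s "$KEYSIZE" "$NAME" "$DEVICE"
    actual=$(blkid -o value -s LABEL "/dev/mapper/$NAME" || true)
    if ! label_ok "$LABEL" "$actual"; then
        cryptsetup remove "$NAME"
        echo "no '$LABEL' file system on the mapping: wrong passphrase or" \
             "wrong cipher/hash/key size. Mapping closed, nothing mounted." >&2
        return 1
    fi
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

do_close() {
    umount "$MOUNTPOINT"
    cryptsetup remove "$NAME"
}

# Nothing runs unless a subcommand is given: `sudo sh plainopen.sh open`
# or `sudo sh plainopen.sh close`.
case "${1-}" in
    open)  do_open ;;
    close) do_close ;;
esac
```

The label check is deliberately conservative: an empty or different label is treated as a failed unlock, and the mapping is torn down before anything can write through it. If you later migrate the volume to LUKS, the pinned parameters are no longer needed because the header carries them.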
END of Option 1.
Option 2: LUKS option, suitable for portable devices such as a USB drive:
Step 3: Set up LUKS:
$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/hdd1

WARNING!
========
This will overwrite data on /dev/hdd1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Step 4: Open the LUKS device /dev/hdd1 and map it to the encrypted device /dev/mapper/backup:
$ sudo cryptsetup luksOpen /dev/hdd1 backup
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
Unlike the non-LUKS option, a wrong passphrase is rejected here ("No key available with this passphrase"), because the header lets cryptsetup verify the unlocked master key before it creates the mapping.
Confirm it works:
$ sudo dmsetup ls
backup (254, 1)
forrest (254, 0)
$ ls -l /dev/mapper/
total 0
brw-rw---- 1 root disk 254, 1 2007-09-09 16:36 backup
crw-rw---- 1 root root 10, 63 2007-09-08 22:50 control
brw-rw---- 1 root disk 254, 0 2007-09-08 22:51 forrest
Step 5: Create a file system on the encrypted device. Attention: on the encrypted device (/dev/mapper/backup), not on the real physical device (/dev/hdd1).
DO IT JUST ONCE! DO NOT DO IT EVERY TIME YOU MOUNT/READ/WRITE AN ENCRYPTED PARTITION! YOU WILL LOSE ALL YOUR DATA!
$ sudo mkfs.ext3 -m 1 /dev/mapper/backup -L BAKCUP.SG
I used the same ext3 options as in Option 1 (1% reserved blocks and a volume label).
Step 6: Mount the encrypted device (/dev/mapper/backup) on a mount point (/backup):
$ sudo mkdir /backup
$ sudo mount /dev/mapper/backup /backup/
Step 7: Make it writable for my own user:
$ sudo chown forrest:forrest /backup
Verify it works:
$ grep backup /proc/mounts
/dev/mapper/backup /backup ext3 rw,data=ordered 0 0
Step 8: To unmount gracefully:
$ sudo umount /backup
$ sudo cryptsetup luksClose backup
DONE!
Note 1: Next time, to mount this partition manually, just do the luksOpen and mount operations:
$ sudo cryptsetup luksOpen /dev/hdd1 backup
$ sudo mount /dev/mapper/backup /backup/
Because the cipher parameters live in the LUKS header, these two commands work on any machine with cryptsetup, which is what makes this option the right one for a drive that moves between computers.
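Two things the Option 2 procedure above does not do, and that a removable LUKS drive should have before it travels, are a second key slot (so one forgotten passphrase is not total loss) and a backup of the LUKS header (the header holds the key material; if it is damaged, or overwritten by a stray mkfs on /dev/hdd1 instead of /dev/mapper/backup, the data is unrecoverable even with the right passphrase). The script below is an added example, not code from the original post: it counts the occupied key slots in `cryptsetup luksDump` output, warns when there is only one, adds a passphrase with luksAddKey, and saves the header with luksHeaderBackup. The device /dev/hdd1 is the post's; the backup file path is an assumption, and the two abridged luksDump samples embedded in it are constructed for the example rather than captured from a real disk.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup checks for the
# LUKS removable drive of Option 2.
set -eu

DEVICE=/dev/hdd1                            # the post's device
HEADER_BACKUP=/root/hdd1-luks-header.img    # assumed path; keep it OFF the drive

# count_key_slots: read `cryptsetup luksDump` output on stdin and print the
# number of occupied key slots. Handles the LUKS1 format
# ("Key Slot 0: ENABLED") and the LUKS2 format ("Keyslots:" followed by
# indented "  0: luks2" entries; other sections such as Digests also have
# numbered entries and must not be counted).
count_key_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/     { n++ }                 # LUKS1
        /^Keyslots:/                    { in_slots = 1; next }  # LUKS2 section
        /^[A-Za-z]/                     { in_slots = 0 }        # next section
        in_slots && /^  [0-9]+: luks2/  { n++ }
        END { print n + 0 }
    '
}

# slot_advice N: verdict for N occupied slots.
slot_advice() {
    if [ "$1" -lt 1 ]; then
        echo "no key slots: header is damaged or this is not LUKS"
    elif [ "$1" -eq 1 ]; then
        echo "single key slot: add a second passphrase"
    else
        echo "$1 key slots: ok"
    fi
}

check() {
    cryptsetup isLuks "$DEVICE" || { echo "$DEVICE is not a LUKS device" >&2; return 1; }
    n=$(cryptsetup luksDump "$DEVICE" | count_key_slots)
    slot_advice "$n"
}

# add_key: put a second passphrase into a free slot. cryptsetup prompts for
# an existing passphrase first, then for the new one.
add_key() {
    cryptsetup luksAddKey "$DEVICE"
}

# backup_header: copy the header to a file that is not on the drive itself.
# The backup contains the encrypted master key, so anyone holding it plus a
# passphrase that was valid when it was taken can still unlock the data,
# even after that passphrase is later removed with luksRemoveKey. Treat the
# file as secret and redo the backup after changing keys.
backup_header() {
    cryptsetup luksHeaderBackup "$DEVICE" --header-backup-file "$HEADER_BACKUP"
    chmod 600 "$HEADER_BACKUP"
}

# Constructed, abridged samples of luksDump output (not from a real disk),
# showing the two formats count_key_slots understands.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/hdd1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Key Slot 0: ENABLED
        Iterations:             123456
Key Slot 1: ENABLED
        Iterations:             123456
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Nothing runs unless a subcommand is given:
#   sudo sh lukscheck.sh check | addkey | backup
case "${1-}" in
    check)  check ;;
    addkey) add_key ;;
    backup) backup_header ;;
esac
```

Run `check` after Step 3 of Option 2 and again after `addkey`; the header backup should be refreshed whenever a key slot is added or removed, and stored with the same care as the passphrases themselves.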
END of Option 2.