Posted by Anonymous on Wed 29 Nov 2006 at 11:17
This guide will walk you through the creation of an encrypted filesystem using LUKS. LUKS is the Linux Unified Key Setup and is a standard format for linux hard disk encryption. It has a lot of interesting features such as using a key on a removable disk, keeping multiple keys, and more. This is the technology used by the Debian Installer (since etch beta3) and is quickly becoming a standard in the linux world.
This guide is for anyone who wants to secure their data using an encrypted partition. While it is tailored to users of Debian, it should apply elsewhere in the linux world. This guide is intended to add an encrypted device to an existing install, if you are contemplating a fresh install, the Debian Installer will configure encrypted filesystems for you.
Ready? Then let's begin
This can be a partition on disk, a logical volume in LVM or some other block device. For this example, I created a 40 GB volume in LVM.
lvcreate -n crypto_test --size 40g asimov-vol
This utility provides an interface into the code in the linux kernel that handles encrypted block devices. It's packaged for Debian in both testing and unstable, stable has an older version and I don't know whether or not it will work in the same manner.
apt-get install cryptsetup
This initializes the partition for encryption and sets the initial key. People not using LVM will want a path like /dev/hdxY where hdxY is the partition on their hard drive that will be used for encryption.
# cryptsetup luksFormat /dev/mapper/asimov--vol-crypto_test WARNING! ======== This will overwrite data on /dev/mapper/asimov--vol-crypto_test irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
Congratulation! You now have an encrypted block device! However, it's not quite ready to use.
This opens the device (prompting for a passphrase) and maps it to a block device in /dev/mapper. This can be used like any other block device, and the encryption/decryption is transparent. The first path (/dev/mapper/asimov--vol-crypto_test) is the encrypted partition you set up earlier. The name (crypto_test) is the name of the volume, the block device will be mapped as /dev/mapper/"name".
# cryptsetup luksOpen /dev/mapper/asimov--vol-crypto_test crypto_test Enter LUKS passphrase: key slot 0 unlocked. Command successful.
This is just like setting up any other block device. I use ext3, others may prefer different formats.
/etc/crypttab is a list of encrypted devices that are mapped on boot. The format is "[map name] [path to device] [key file] [options]" Since we're using a passphrase, we don't have a key file.
Instead we'll use this:
crypto_test /dev/mapper/asimov--vol-crypto_test none luks
This is where the encrypted device will be mounted on your filesystem.
/etc/fstab tells the computer where to mount different devices on the filesystem. The format is "[source path] [mount path] [type of filesystem] [options] [mount options] [dump frequency] [fsck pass]" More information can be found by reading
man 5 fstab. You will want to add a line such as this:
/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2
The initial ramdisk is used to jumpstart the boot process and load modules for the kernel that it can't load itself (such as drivers for block devices that contain the modules it uses). I'm not sure if this is needed or not, but I wanted to be on the safe side.
update-initramfs -u -k all
Now your encrypted filesystem is completely set up! Reboot the system and you will see it prompt you for your passphrase during the boot cycle. Once the password has entered, the encryption is completely transparent. If you want to use your encrypted filesystem before rebooting, simply type
Thanks to Sven MÃ¼ller for pointing me in the right direction.