EncryptedFilesystemHowto3
Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10)
by Stefano Spinucci virgo977virgo at <googlemail> dot com
introduction
WARNING: encrypting a partition is a destructive operation, so the partitions to be encrypted must be empty, because all data on them will be erased.
NOTE#1: DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal; the important thing is that whenever you operate on your partition, you must do so through /dev/mapper/home instead of /dev/hda3.
NOTE#2: in this tutorial the encrypted swap will be in '/dev/hda2' and the encrypted home will be in '/dev/hda3'; replace '/dev/hda2' with your swap partition and '/dev/hda3' with your home partition.
install cryptsetup
enable the 'community maintained' (universe) repository from the Synaptic package manager, or by editing the file /etc/apt/sources.list (apt sources list).
install cryptsetup:
{{{
# apt-get install cryptsetup
}}}
encrypted swap
before setting up the encrypted swap, the file /etc/fstab should have a swap entry like this:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda2 none swap sw 0 0
}}}
now just replace /dev/hda2 in /etc/fstab with the new device name /dev/mapper/cswap:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0
}}}
after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
cswap /dev/hda2 /dev/random swap
}}}
Note: if you get errors saying that the kernel may not use dm-crypt, try
{{{
modprobe dm-crypt
}}}
if that helps, you may also want to add dm-crypt to /etc/modules.
reboot, and that's it! the encrypted swap device is done; confirm it worked:
{{{
# cat /proc/swaps
Filename                Type        Size     Used  Priority
/dev/mapper/cswap       partition   3148700  0     -1
# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write
}}}
read the crypttab(5) manpage for more information.
encrypted home
unmount /dev/hda3 (if it is mounted):
{{{
sudo umount /dev/hda3
}}}
check the partition for errors (and wait several minutes...):
# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
fill the disk with random data (and wait many more minutes...); /dev/urandom won't be as random as /dev/random, but it is the best practical solution available:
# sudo dd if=/dev/urandom of=/dev/hda3
create a LUKS partition:
# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
set up the device mapper:
# sudo cryptsetup luksOpen /dev/hda3 home
confirm it worked:
{{{
# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
}}}
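The two `cryptsetup status` listings on this page (one for the swap, one for home) are what you check before putting data on the mapping. The following POSIX shell script is an added example, not part of this howto: it parses that status output format (the two status texts are copied from the page's listings and embedded inline) and verifies that the mapping is active and uses the cipher and key size you asked for. aes-cbc-plain is acceptable for a swap that receives a fresh random key at every boot, but the persistent home volume should show the essiv IV mode the page chose, since plain IVs are the weaker option for long-lived data.

```shell
#!/bin/sh
# Added example (not from the original howto): parse "cryptsetup status NAME"
# output and confirm cipher / key size before trusting the mapping.
# The two STATUS_* strings reproduce the listings shown on this page.

STATUS_HOME='/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write'

STATUS_CSWAP='/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write'

# status_field TEXT FIELD: print the value after "FIELD:" (first word only)
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# mapping_size_mib TEXT: usable size of the mapping in MiB (512-byte sectors)
mapping_size_mib() {
    sectors=$(status_field "$1" size)
    echo $((sectors / 2048))
}

# check_mapping TEXT EXPECTED_CIPHER EXPECTED_KEYSIZE_BITS
# returns 0 when the mapping is active and matches; otherwise prints every
# mismatch on its own line and returns 1
check_mapping() {
    text=$1; want_cipher=$2; want_bits=$3
    case "$text" in
    *" is active:"*) ;;
    *) echo "mapping is not active"; return 1 ;;
    esac
    cipher=$(status_field "$text" cipher)
    bits=$(status_field "$text" keysize)
    ok=0
    [ "$cipher" = "$want_cipher" ] || { echo "cipher is $cipher, expected $want_cipher"; ok=1; }
    [ "$bits" = "$want_bits" ] || { echo "keysize is $bits bits, expected $want_bits"; ok=1; }
    return $ok
}

# Usage with the page's listings: the home volume must use essiv, the swap
# may use plain IVs because its key is random and discarded at shutdown.
check_mapping "$STATUS_HOME" aes-cbc-essiv:sha256 256 && echo "home: OK ($(mapping_size_mib "$STATUS_HOME") MiB)"
check_mapping "$STATUS_CSWAP" aes-cbc-plain 256 && echo "cswap: OK"
```

On a live system replace the embedded text with `$(sudo cryptsetup status home)`; the field names in the output are the same ones the script keys on.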
create the filesystem (e.g. ext3):
# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
temporary mount, to copy data from old home:
# sudo mount -t ext3 /dev/mapper/home /mnt
copy data from old home:
# sudo cp -axv /home/* /mnt/
unmount the temporary mount:
sudo umount /mnt
permanent mounting
Ubuntu 6.06
insert in /etc/fstab:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}
after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
}}}
reboot, and the encrypted home is done.
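Both the swap section and the home section above pair an /etc/fstab line with an /etc/crypttab line, and NOTE#1 already warns that the raw device must only be used through /dev/mapper. The following POSIX shell script is an added example, not part of this howto: it reads the two files as text (the sample contents are constructed for the demonstration and mirror the page's entries) and reports the three mistakes that commonly slip in: a /dev/mapper/NAME in fstab with no crypttab target NAME, the encrypted source device also listed directly in fstab, and a swap target keyed from something other than a random device.

```shell
#!/bin/sh
# Added example (not from the original howto): consistency check between
# /etc/fstab and /etc/crypttab. Sample file contents are constructed inline.

GOOD_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1          /      ext3  defaults  0 1
/dev/mapper/cswap  none   swap  sw        0 0
/dev/mapper/home   /home  ext3  defaults  1 2'

GOOD_CRYPTTAB='# <target device> <source device> <key file> <options>
cswap  /dev/hda2  /dev/random  swap
home   /dev/hda3  none         luks'

# Three deliberate mistakes: /dev/mapper/data has no crypttab entry,
# /dev/hda3 is mounted raw although it is mapped as "home", and the swap
# target is keyed from a file instead of /dev/random.
BAD_FSTAB='/dev/hda1          /            ext3  defaults  0 1
/dev/mapper/cswap  none         swap  sw        0 0
/dev/mapper/home   /home        ext3  defaults  1 2
/dev/hda3          /mnt/raw     ext3  noauto    0 0
/dev/mapper/data   /media/data  ext3  noauto    0 0'

BAD_CRYPTTAB='cswap  /dev/hda2  /etc/swapkey  swap
home   /dev/hda3  none          luks'

# strip_comments TEXT: drop comment and blank lines
strip_comments() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# crypt_config_problems FSTAB_TEXT CRYPTTAB_TEXT
# prints one line per problem found; prints nothing when the pair is consistent
crypt_config_problems() {
    fs=$(strip_comments "$1")
    ct=$(strip_comments "$2")

    # every /dev/mapper/NAME referenced by fstab must be a crypttab target
    printf '%s\n' "$fs" | while read -r dev mnt fstype opts rest; do
        case "$dev" in
        /dev/mapper/*)
            name=${dev#/dev/mapper/}
            if ! printf '%s\n' "$ct" | awk '{print $1}' | grep -qxF "$name"; then
                echo "fstab: $dev is listed but crypttab has no target '$name'"
            fi
            ;;
        esac
    done

    # the encrypted source device must only ever be used through the mapper,
    # and a swap target must be keyed from a random device
    printf '%s\n' "$ct" | while read -r name src key opts rest; do
        if printf '%s\n' "$fs" | awk '{print $1}' | grep -qxF "$src"; then
            echo "crypttab: $src is mapped as '$name' but fstab also uses it directly"
        fi
        case ",$opts," in
        *,swap,*)
            case "$key" in
            /dev/random|/dev/urandom) ;;
            *) echo "crypttab: swap target '$name' should use a random key, not '$key'" ;;
            esac
            ;;
        esac
    done
}

# count_problems FSTAB_TEXT CRYPTTAB_TEXT: number of problem lines
count_problems() {
    crypt_config_problems "$1" "$2" | grep -c . || true
}

# Usage with the constructed samples (prints three problems):
crypt_config_problems "$BAD_FSTAB" "$BAD_CRYPTTAB"
```

On a real system call it as `crypt_config_problems "$(cat /etc/fstab)" "$(cat /etc/crypttab)"` before rebooting; an empty result means every mapper device has a target and the raw partitions are referenced nowhere else.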
Ubuntu 5.10
because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home on Ubuntu 5.10 is a bit more involved.
create a file named 'cryptinit' in /etc/init.d/ with the following content (the loop uses POSIX arithmetic so the script also runs under plain /bin/sh):
{{{
#!/bin/sh
# if this script is executed when home is opened, tries to close it;
# otherwise, tries to open it, for three times, then continue without
# opening it
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        i=$((i - 1))
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
}}}
make 'cryptinit' executable:
{{{
sudo chmod 755 /etc/init.d/cryptinit
}}}
then, create a symlink to 'cryptinit' in /etc/rcS.d:
{{{
# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit
}}}
insert in /etc/fstab:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}
reboot, and the encrypted home is done.
manual mounting and unmounting
if you have encrypted other partitions than home and you don't want to unlock those partitions on boot, then you need to manually mount and unmount them.
mounting
set up the device mapper:
# cryptsetup luksOpen /dev/hda4 data
mounting:
# mount /dev/mapper/data /media/data
unmounting
unmounting:
# umount /media/data
delete the device mapper:
# cryptsetup luksClose data
tools
[http://sourceforge.net/projects/cryptmount/ cryptmount]
references
[http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
[http://www.saout.de/misc/dm-crypt/ dm-crypt]
[http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
[http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
[http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
/usr/share/doc/cryptsetup/CryptoSwap.HowTo How to configure an encrypted swap partition on Debian systems
[https://wiki.ubuntu.com/EncryptedFilesystemHowto Encrypted filesystem howto (Ubuntu)]
[https://wiki.ubuntu.com/EncryptedFilesystemHowto2 Encrypted filesystem howto 2 (Ubuntu)]
[http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
[http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
[http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS SECURITY System Encryption DM-Crypt with LUKS (Gentoo)]
[http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)]
[http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]
EncryptedFilesystemHowto3 (last edited 2008-08-06 16:19:41 by localhost)