EncryptedFilesystemHowto3

Differences between revisions 4 and 15 (spanning 11 versions)
Revision 4 as of 2006-06-04 20:41:22
Size: 7149
Editor: S0106000fb085cc63
Comment: add cat doc
Revision 15 as of 2008-08-06 16:19:41
Size: 69
Editor: localhost
Comment: converted to 1.6 markup
= Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10) =

by Stefano Spinucci virgo977virgo at <googlemail> dot com



== introduction ==

'''WARNING''': encrypting a partition is a destructive operation, so the
partitions to be encrypted must be empty: all data on them will be
erased.

'''NOTE#1''': DM-Crypt works by transparently translating (in the kernel)
between a physical on-disk partition (which is encrypted) and a logical
partition which you can then mount and use as normal; the important thing
to remember is that whenever you operate on your partition, you must do so
through /dev/mapper/home instead of /dev/hda3.

'''NOTE#2''': in this tutorial the encrypted swap will be in '/dev/hda2'
and the encrypted home will be in '/dev/hda3'; replace '/dev/hda2' with your
swap partition and '/dev/hda3' with your home partition.



== install cryptsetup ==

enable the 'community maintained' (universe) repository from the Synaptic
package manager or by modifying the file /etc/apt/sources.list (apt sources
list).

install cryptsetup:
{{{
# apt-get install cryptsetup
}}}



== encrypted swap ==

before setting the encrypted swap, the file /etc/fstab should have a swap
entry like this:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda2 none swap sw 0 0
}}}

now just replace /dev/hda2 in /etc/fstab with the new device name
/dev/mapper/cswap:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
cswap /dev/hda2 /dev/random swap
}}}

reboot, and that's it! the encrypted swap device is done; confirm it worked:
{{{
# cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cswap partition 3148700 0 -1

# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher: aes-cbc-plain
  keysize: 256 bits
  device: /dev/.static/dev/hda2
  offset: 0 sectors
  size: 6297417 sectors
  mode: read/write
}}}

read the crypttab(5) manpage for more information



== encrypted home ==

unmount /dev/hda3 (if it is mounted):
{{{
sudo umount /dev/hda3
}}}

check the partition for errors (and wait several minutes...):
{{{
# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
}}}

fill the partition with random data (and wait many more minutes...);
/dev/urandom is not as random as /dev/random, but it is the best
practical solution available:
{{{
# sudo dd if=/dev/urandom of=/dev/hda3
}}}

create a LUKS partition:
{{{
# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
}}}

set up the device mapper:
{{{
# sudo cryptsetup luksOpen /dev/hda3 home
}}}

confirm it worked:
{{{
# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher: aes-cbc-essiv:sha256
  keysize: 256 bits
  device: /dev/.static/dev/hda3
  offset: 2056 sectors
  size: 20962706 sectors
  mode: read/write
}}}

create the filesystem (e.g. ext3):
{{{
# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
}}}

mount it temporarily, to copy the data from the old home:
{{{
# sudo mount -t ext3 /dev/mapper/home /mnt
}}}

copy the data from the old home:
{{{
# sudo cp -axv /home/* /mnt/
}}}

unmount the temporary mount:
{{{
sudo umount /mnt
}}}



=== permanent mounting ===

==== Ubuntu 6.06 ====

insert in /etc/fstab :
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
}}}

reboot, and the encrypted home is done.
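An added pre-reboot check, not part of the original howto, covering both the swap entries above and the home entries just shown: this POSIX sh function verifies that /etc/fstab and /etc/crypttab agree, i.e. every /dev/mapper name used in fstab has a crypttab target, a swap target uses a random key with the 'swap' option, other targets carry the 'luks' option, and no raw source partition (/dev/hda2, /dev/hda3) is still used directly in fstab. It assumes the four-column crypttab and six-column fstab layouts shown on this page; the file paths are arguments so it can be run on copies.

```shell
#!/bin/sh
# Added example, not from the original howto: check that /etc/fstab and
# /etc/crypttab agree before rebooting. The two files are given as arguments
# so the check can run on copies. Exit 0 = consistent, 1 = problems printed.
check_crypt_fstab() {
    ct=$(sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true)
    ft=$(sed 's/#.*//' "$2" | grep -v '^[[:space:]]*$' || true)
    rc=0
    # Pass 1: every /dev/mapper/NAME in fstab needs a crypttab target NAME.
    # A swap line must use a random key plus the 'swap' option; any other
    # line (a LUKS volume such as home) must carry the 'luks' option.
    while read -r fs mnt type opts rest; do
        case $fs in /dev/mapper/*) ;; *) continue ;; esac
        name=${fs#/dev/mapper/}
        entry=$(printf '%s\n' "$ct" | awk -v n="$name" '$1 == n')
        if [ -z "$entry" ]; then
            echo "fstab: $fs has no crypttab target '$name'"; rc=1; continue
        fi
        set -- $entry          # $1=target $2=source $3=key file $4=options
        if [ "$type" = swap ]; then
            case $3 in /dev/random|/dev/urandom) ;;
                *) echo "crypttab: swap '$name' needs a random key, not '$3'"; rc=1 ;;
            esac
            case ",$4," in *,swap,*) ;;
                *) echo "crypttab: swap '$name' lacks the 'swap' option"; rc=1 ;;
            esac
        else
            case ",$4," in *,luks,*) ;;
                *) echo "crypttab: '$name' lacks the 'luks' option"; rc=1 ;;
            esac
        fi
    done <<EOF
$ft
EOF
    # Pass 2: a crypttab source (the raw, encrypted partition) must never be
    # used directly in fstab; mounts and swap go through /dev/mapper/NAME.
    while read -r target source rest; do
        if printf '%s\n' "$ft" | awk -v s="$source" '$1 == s' | grep -q .; then
            echo "fstab: raw device $source used directly; use /dev/mapper/$target"
            rc=1
        fi
    done <<EOF
$ct
EOF
    return $rc
}
# Run against real files only when two paths are given on the command line.
if [ $# -eq 2 ]; then
    check_crypt_fstab "$1" "$2" && echo "crypttab and fstab are consistent"
fi
```

Run it as `sh check.sh /etc/crypttab /etc/fstab`; each problem found is printed on its own line and the exit status is 1.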



==== Ubuntu 5.10 ====

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted
partitions, automatic mounting of home with Ubuntu 5.10 is a bit more
difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:
{{{
#! /bin/sh
# If this script runs while home is already open, close it; otherwise try
# to open it, up to three times, and continue booting even if every attempt
# fails.
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ "$i" -gt 0 ]; do
        i=$((i - 1))        # POSIX arithmetic; 'let' is bash-only and breaks under dash
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
}}}

make 'cryptinit' executable:
{{{
sudo chmod 755 /etc/init.d/cryptinit
}}}

then, create a symlink to 'cryptinit' in /etc/rcS.d:
{{{
# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit
}}}

insert in /etc/fstab :
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}

reboot, and the encrypted home is done.



=== manual mounting and unmounting ===

if you have encrypted other partitions than home and you don't want to
unlock those partitions on boot, then you need to manually mount and
unmount them.



==== mounting ====

set up the device mapper:
{{{
# cryptsetup luksOpen /dev/hda4 data
}}}

mounting:
{{{
# mount /dev/mapper/data /media/data
}}}



==== unmounting ====

unmounting:
{{{
# umount /media/data
}}}

delete the device mapper:
{{{
# cryptsetup luksClose data
}}}



== tools ==

 * [http://sourceforge.net/projects/cryptmount/ cryptmount]



== references ==

 * [http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
 * [http://www.saout.de/misc/dm-crypt/ dm-crypt]
 * [http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
 * [http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
 * [http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
 * {{{/usr/share/doc/cryptsetup/CryptoSwap.HowTo}}} How to configure an encrypted swap partition on Debian systems
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto Encrypted filesystem howto (Ubuntu)]
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto2 Encrypted filesystem howto 2 (Ubuntu)]
 * [http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
 * [http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
 * [http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS SECURITY System Encryption DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]

EncryptedFilesystemHowto3 (last edited 2008-08-06 16:19:41 by localhost)