Emidio Planamente's Homepage


dm-crypt howto


1. Introduction

2. Installation

3. Commands

4. Using dm-crypt with LVM

5. Using dm-crypt for root partition

6. Using LUKS extension

7. Related documents

8. About


1. Introduction


This document is based on the official dm-crypt homepage and briefly explains how to create a crypted filesystem using dm-crypt.


1.1. What is dm-crypt


Device-mapper crypt (dm-crypt) is a fairly recent infrastructure that uses the Linux 2.6 Crypto API. The device is encrypted with a key, and the key is protected with a passphrase; without them it is not possible to access the data.


The big advantages of using dm-crypt are:


- cleaner code than cryptoloop

- flexible configuration interface

- negligible performance loss

- the LUKS (Linux Unified Key Setup) extension


2. Installation


2.1. Kernel-space


To work with dm-crypt, the kernel must support the following elements:


  CONFIG_BLK_DEV_DM (Multi-device support (RAID and LVM))

  CONFIG_DM_CRYPT (Multi-device support (RAID and LVM))

  CONFIG_CRYPTO_AES_586 (Cryptographic options)


2.2. Kernel-space issue with USB keyboard


2.2.1. Problem description


During system startup, the user is asked for the passphrase(s). If you have a USB keyboard and the USB driver is not available yet, there is no way to enter the necessary passphrase(s).


This problem has been mitigated by adding a timeout: if no passphrase can be entered, the startup process still continues sooner or later.


2.2.2. Problem solution


A safe solution is to build all the needed drivers directly into the kernel (not as modules). I know there are other solutions, but I think it is important to guarantee as soon as possible that the input device will work properly. What could you do if something went wrong and the keyboard did not work? With this solution, the keyboard can be used to try to solve the problem.


Here are the elements that have to be compiled into the kernel (built-in, not as modules!):


  CONFIG_INPUT

  CONFIG_INPUT_KEYBOARD

  CONFIG_USB

  CONFIG_USB_EHCI_HCD

  CONFIG_USB_OHCI_HCD

  CONFIG_USB_UHCI_HCD

  CONFIG_USB_HID

  CONFIG_USB_HIDINPUT

  CONFIG_USB_HIDDEV
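As an added check (an example script, not part of the original howto), the following POSIX shell function reads a kernel .config and reports which of the options listed above are built in (=y), built as modules (=m) or missing, returning success only when all of them are built in. The .config fragment it runs on is constructed for the demonstration; on a real system point check_builtin at /usr/src/linux/.config or at an uncompressed copy of /proc/config.gz.

```shell
#!/bin/sh
# Added example, not part of the original howto: check a kernel .config for the
# options this section requires and insist on built-in (=y), because a module
# (=m) is not loaded yet when the boot scripts ask for the dm-crypt passphrase.

# Options the howto lists. CONFIG_CRYPTO_AES_586 is the 32-bit x86 AES driver;
# other architectures have their own CONFIG_CRYPTO_AES* symbol.
REQUIRED_BUILTIN="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES_586
CONFIG_INPUT CONFIG_INPUT_KEYBOARD CONFIG_USB CONFIG_USB_EHCI_HCD
CONFIG_USB_OHCI_HCD CONFIG_USB_UHCI_HCD CONFIG_USB_HID CONFIG_USB_HIDINPUT
CONFIG_USB_HIDDEV"

# check_builtin CONFIG_FILE [CONFIG_SYMBOL ...]
# Reports each symbol and returns 0 only if every one of them is =y.
check_builtin() {
    cfg=$1; shift
    if [ $# -eq 0 ]; then set -- $REQUIRED_BUILTIN; fi
    rc=0
    for opt in "$@"; do
        # "^SYMBOL=" matches only the symbol itself, not SYMBOL_SOMETHING and
        # not the "# SYMBOL is not set" form, so those show up as MISSING.
        val=$(sed -n "s/^$opt=//p" "$cfg")
        case "$val" in
            y)  echo "ok       $opt=y" ;;
            m)  echo "MODULE   $opt=m  (module: may not be loaded at the passphrase prompt)"; rc=1 ;;
            "") echo "MISSING  $opt  (not set)"; rc=1 ;;
            *)  echo "OTHER    $opt=$val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample fragment (not a real .config) with two deliberate problems.
tmp=$(mktemp -d)
cat > "$tmp/config-sample" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES_586=y
CONFIG_INPUT=y
CONFIG_INPUT_KEYBOARD=y
CONFIG_USB=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_OHCI_HCD=m
# CONFIG_USB_UHCI_HCD is not set
CONFIG_USB_HID=y
CONFIG_USB_HIDINPUT=y
CONFIG_USB_HIDDEV=y
EOF
if check_builtin "$tmp/config-sample"; then
    echo "all required options are built in"
else
    echo "some options are modular or missing: rebuild the kernel with them built in"
fi
rm -rf "$tmp"
```

The sample flags CONFIG_USB_OHCI_HCD as a module and CONFIG_USB_UHCI_HCD as missing, which is exactly the situation described in 2.2.1: the USB host-controller driver is not there when the passphrase prompt appears.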


2.3. User-space


There is a package providing all the needed user-space applications. To install it, execute:


  apt-get install cryptsetup


Additionally, to create a key inside a file, install:


  apt-get install hashalot


3. Commands


3.1. Creating a crypted partition


In order to create a crypted partition, a normal partition must first be created; the crypted device is then associated with it.


3.1.1. Creating not crypted partition


The partition can be a normal partition (e.g. /dev/hda2) or an LVM partition (e.g. /dev/vg0/lv0).


For normal partition:


  cfdisk /dev/hda


For LVM (deprecated, see "Using dm-crypt with LVM"):


  lvcreate -L 1G -n lvmcrypted vg


3.1.2. Creating the crypted device


For normal partition:


  cryptsetup -y create crypted /dev/hda2


The crypted device is called "crypted" and has been associated with /dev/hda2.


For LVM (deprecated, see "Using dm-crypt with LVM"):


  cryptsetup -y create crypted /dev/mapper/vg-lvmcrypted


The crypted device is called "crypted" and has been associated with /dev/mapper/vg-lvmcrypted.


3.1.3. Creating filesystem on the crypted device


Create the filesystem as normal:


  mkfs.reiserfs /dev/mapper/crypted


Note that the filesystem has been created on the associated crypted device /dev/mapper/crypted and not on the underlying unencrypted partition /dev/hda2.


3.1.4. Updating /etc/crypttab


To make the crypted device available to the system also after a reboot, the crypttab file must be updated.


For normal partition, add a line like the following:


  crypted /dev/hda2


For normal partition using the LUKS extension, add a line like the following:


  crypted /dev/hda2 none luks


For LVM partition, add a line like the following (deprecated, see "Using dm-crypt with LVM"):


  crypted /dev/vg/lvmcrypted


3.1.5. Updating /etc/fstab


To mount the crypted partitions after each boot, a mount point must be created and the fstab file must be updated.


Create the mount point:


  mkdir /mnt/crypted


Add a line like the following in /etc/fstab:


  /dev/mapper/crypted /mnt/crypted reiserfs defaults


Here, there isn't any difference between normal partitions and LVM partitions, because in both cases the data is accessed via the crypted device only.


3.1.6. Mounting crypted partition


Now it's possible to mount the partition:


  mount /mnt/crypted


3.2. Removing a crypted partition


3.2.1. Unmounting crypted partition


In order to remove a crypted partition, it must be first unmounted:


  umount /mnt/crypted


3.2.2. Removing the crypted device


Now it's possible to remove the crypted device:


  cryptsetup remove crypted


3.2.3. Cleaning up


Don't forget to update the /etc/fstab and /etc/crypttab files, and to remove the unused mount point and partition.


3.3. Creating a crypted swap


Since data can be temporarily copied to swap, it's a good idea to encrypt the swap as well.


Also here, a normal partition must be created first and then associated with the crypted device.


3.3.1. Creating not crypted partition


The partition can be a normal partition (e.g. /dev/hda3) or an LVM partition (e.g. /dev/vg0/lv1).


For normal partition:


  cfdisk /dev/hda


For LVM (deprecated, see "Using dm-crypt with LVM"):


  lvcreate -L 1G -n lvmswap vg


3.3.2. Creating the crypted device


For normal partition:


  cryptsetup -y create cryptswap /dev/hda3


For LVM (deprecated, see "Using dm-crypt with LVM"):


  cryptsetup -y create cryptswap /dev/mapper/vg-lvmswap


3.3.3. Creating filesystem


Create a swap area as normal:


  mkswap /dev/mapper/cryptswap


Note that also here the swap area has been created on the associated crypted device /dev/mapper/cryptswap and not on the underlying unencrypted partition /dev/hda3.


3.3.4. Updating /etc/crypttab


To make also this crypted device available to the system after a reboot, the crypttab file must be updated.


For normal partition, add a line like the following:


  cryptswap /dev/hda3 /dev/random swap


For LVM partition, add a line like the following (deprecated, see "Using dm-crypt with LVM"):


  cryptswap /dev/vg/lvmswap /dev/random swap


Using /dev/random as the key creates a new random key at each boot, so you won't be prompted for a passphrase each time; the "swap" option makes the boot scripts run mkswap on the freshly created device, which is why the source partition must really be the swap partition. Note that /dev/random can block at boot when little entropy is available; /dev/urandom does not block and is accepted here as well.


3.3.5. Updating /etc/fstab


To mount the crypted swap after each boot, the fstab file must be updated.


Add a line like the following in /etc/fstab:


  /dev/mapper/cryptswap none swap sw,pri=1


Also here, there isn't any difference between normal partitions and LVM partitions, because in both cases the data is accessed via the crypted device.


3.3.6. Activating swap


Activate all the swap partitions by calling:


  swapon -a
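The names in /etc/crypttab, /dev/mapper and /etc/fstab (3.1.4, 3.1.5, 3.3.4 and 3.3.5 above) have to match exactly, and a slip here is expensive: a random-key swap entry that points at the data partition instead of the swap partition would have the boot scripts run mkswap over the encrypted data at the next reboot. The following script is an added example, not part of the original howto; it cross-checks the two files for that kind of mistake. It assumes the Debian crypttab format used above (target source [keyfile [options]]) and runs on constructed sample files; on a real system call check_crypt_tables /etc/crypttab /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the original howto: cross-check /etc/crypttab
# against /etc/fstab. Assumed formats (Debian):
#   crypttab: target source [keyfile [options]]
#   fstab:    device mountpoint type options [dump pass]
# Comments and blank lines are ignored in both files.

# check_crypt_tables CRYPTTAB FSTAB
# Prints findings; returns 0 when the two files agree, 1 otherwise.
check_crypt_tables() {
    awk '
    FILENAME == ARGV[1] {                 # first file: fstab
        sub(/#.*/, ""); if (NF < 2) next
        fsdev[$1] = $2                    # device -> mount point
        next
    }
    {                                     # second file: crypttab
        sub(/#.*/, ""); if (NF < 2) next
        target = $1; src = $2
        keyfile = (NF >= 3) ? $3 : "none"
        opts    = (NF >= 4) ? $4 : ""
        mapped  = "/dev/mapper/" target
        if (target in seen_target) { print "ERROR: target " target " is defined twice"; err++ }
        seen_target[target] = 1
        if (src in seen_src) {
            print "ERROR: " src " is the source of both " seen_src[src] " and " target; err++
        }
        seen_src[src] = target
        if (!(mapped in fsdev)) { print "ERROR: " mapped " (target " target ") has no fstab entry"; err++ }
        if (src in fsdev) {
            print "ERROR: " src " is mounted directly at " fsdev[src] ", bypassing the mapping"; err++
        }
        # a random key only makes sense for swap or tmp: anything else is
        # unreadable after every reboot
        if (keyfile ~ /^\/dev\/u?random$/ && opts !~ /(^|,)(swap|tmp)(,|$)/) {
            print "ERROR: " target " has a random key but no swap/tmp option"; err++
        }
    }
    END {
        for (dev in fsdev) {
            if (dev ~ /^\/dev\/mapper\//) {
                t = dev; sub(/^\/dev\/mapper\//, "", t)
                if (!(t in seen_target))
                    print "WARNING: fstab uses " dev " but crypttab has no target " t " (fine for an LVM volume)"
            }
        }
        if (err) { print err " problem(s) found"; exit 1 }
        print "crypttab and fstab are consistent"
    }' "$2" "$1"
}

# Constructed sample files mirroring the entries used in this howto.
tmp=$(mktemp -d)
cat > "$tmp/crypttab" <<'EOF'
# constructed sample
crypted   /dev/hda2
cryptswap /dev/hda3 /dev/random swap
EOF
cat > "$tmp/fstab" <<'EOF'
# constructed sample
/dev/hda1             /            ext3     defaults  0 1
/dev/mapper/crypted   /mnt/crypted reiserfs defaults  0 2
/dev/mapper/cryptswap none         swap     sw,pri=1  0 0
EOF
check_crypt_tables "$tmp/crypttab" "$tmp/fstab"

# Broken variant: the swap mapping was put on the data partition by mistake.
sed 's#/dev/hda3#/dev/hda2#' "$tmp/crypttab" > "$tmp/crypttab.bad"
if ! check_crypt_tables "$tmp/crypttab.bad" "$tmp/fstab"; then
    echo "(second check failed as expected)"
fi
rm -rf "$tmp"
```

The fstab warning for /dev/mapper names that are not crypttab targets is only a warning because LVM logical volumes also live under /dev/mapper (see section 4); everything else the script reports is an outright mismatch that would either leave a mapping without a mount or, worse, expose or overwrite the underlying partition.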


4. Using dm-crypt with LVM


4.1. Possibilities


There are the following possibilities for using dm-crypt with LVM:


1) dm-crypt over LVM

2) LVM over dm-crypt


The first one creates an LVM partition and then creates a dm-crypt device on top of that LVM partition.

With this solution, you need a dm-crypt device for each LVM partition, which means entering a passphrase for each crypted partition.

This solution has been reported to work, but I haven't tried it.


The second one creates a dm-crypt device and then creates one or more LVM partitions on top of it.

With this solution, you need only one dm-crypt device for several LVs, which means entering the passphrase only once.

This is the only solution described in my document.


4.2. Enabling LVM over dm-crypt


It may be that the system is not configured to allow an LVM partition to be created on a device-mapper device, which would mean that it's not possible to create an LVM partition on a dm-crypt device.


To enable LVM over dm-crypt, add a line like the following inside the devices { } section of your /etc/lvm/lvm.conf:


  types = [ "device-mapper", 16 ]


If this file is missing, you can create one with the following command:


  lvm dumpconfig > /etc/lvm/lvm.conf


5. Using dm-crypt for root partition


I have written a separate howto that describes how to install the whole OS in a crypted partition.


See http://emidio.planamente.ch/pages/linux_howto_root_lvm_dmcrypt.php.


6. Using LUKS extension


6.1. Introduction


LUKS stands for Linux Unified Key Setup and is a standard for hard disk encryption.


Some interesting features are:


- multiple passwords support

- password revocation


6.2. Creating LUKS device using a passphrase


Initialize /dev/hda2 as a LUKS device (this overwrites whatever is currently on the partition):


  cryptsetup luksFormat /dev/hda2


Open the encrypted device as "crypted":


  cryptsetup luksOpen /dev/hda2 crypted


6.2.1. Creating filesystem


  mkreiserfs /dev/mapper/crypted


6.2.2. Mounting the crypted device


  mount /dev/mapper/crypted /mnt/


6.3. Closing crypted device


  cryptsetup luksClose crypted


6.4. Creating LUKS device using a key file


  dd if=/dev/urandom of=keyfile bs=1k count=2

  cryptsetup luksFormat /dev/hda2 keyfile


6.5. Opening crypted device with keyfile


  cryptsetup -d keyfile luksOpen /dev/hda2 crypted


6.6. Adding key


Adding passphrase:


  cryptsetup luksOpen /dev/hda2 crypted

  cryptsetup luksAddKey /dev/hda2

  cryptsetup luksClose crypted


Adding keyfile:


  cryptsetup luksOpen /dev/hda2 crypted

  cryptsetup luksAddKey /dev/hda2 keyfile

  cryptsetup luksClose crypted


6.7. Deleting key


The key to delete is identified by its key slot number (0 to 7); "luksDump" (6.8) shows which slots are in use:


  cryptsetup luksDelKey /dev/hda2 <key slot number>


6.8. Dumping LUKS header


  cryptsetup luksDump /dev/hda2
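To see what luksDump reports without cryptsetup at hand, and to verify after a luksDelKey that the slot really is disabled, the following script reads the LUKS1 header fields directly with dd and od. It is an added example, not from the original howto; the layout it decodes is the LUKS1 on-disk header format, and the 592-byte header it builds is constructed for the demonstration (no key material, no real device). On a real system run luks_dump on the partition, e.g. /dev/hda2, or on a backup copy of its header.

```shell
#!/bin/sh
# Added example, not part of the original howto: decode a LUKS1 header with dd
# and od, roughly what "cryptsetup luksDump" prints. LUKS1 layout (byte offset,
# length): magic 0,6  version 6,2  cipher-name 8,32  cipher-mode 40,32
# hash-spec 72,32  payload-offset 104,4  key-bytes 108,4  mk-digest 112,20
# mk-digest-salt 132,32  mk-digest-iter 164,4  uuid 168,40  key slots 208,
# 8 x 48 bytes (active 4, iterations 4, salt 32, key-material-offset 4, stripes 4).
# All integers are big-endian.

# luks_be16 FILE OFFSET / luks_be32 FILE OFFSET: unsigned big-endian integers
luks_be16() {
    set -- $(od -An -tu1 -j "$2" -N 2 "$1")
    [ $# -eq 2 ] || { echo 0; return 1; }
    echo $(( ($1 << 8) | $2 ))
}
luks_be32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || { echo 0; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# luks_str FILE OFFSET LEN: NUL-padded text field
luks_str() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# luks_is_luks FILE: true if the 6-byte magic "LUKS" 0xba 0xbe is present
luks_is_luks() {
    [ "$(od -An -tx1 -N 6 "$1" | tr -d ' \n')" = "4c554b53babe" ]
}

# luks_active_slots FILE: prints the numbers of the enabled key slots
luks_active_slots() {
    i=0; out=""
    while [ "$i" -lt 8 ]; do
        flag=$(luks_be32 "$1" $((208 + 48 * i)))
        # 11301363 = 0x00AC71F3 (LUKS_KEY_ENABLED); 0x0000DEAD marks a disabled slot
        if [ "$flag" -eq 11301363 ]; then out="$out $i"; fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# luks_dump FILE: print the header fields, like luksDump
luks_dump() {
    luks_is_luks "$1" || { echo "$1: no LUKS header"; return 1; }
    echo "Version:        $(luks_be16 "$1" 6)"
    echo "Cipher name:    $(luks_str "$1" 8 32)"
    echo "Cipher mode:    $(luks_str "$1" 40 32)"
    echo "Hash spec:      $(luks_str "$1" 72 32)"
    echo "Payload offset: $(luks_be32 "$1" 104) sectors"
    echo "MK bits:        $(( $(luks_be32 "$1" 108) * 8 ))"
    echo "UUID:           $(luks_str "$1" 168 40)"
    echo "Enabled slots:  $(luks_active_slots "$1")"
}

# put_bytes FILE OFFSET PRINTF_FORMAT: write the bytes printf produces at OFFSET
put_bytes() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# make_sample_header FILE: constructed 592-byte LUKS1 header (no key material)
make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    put_bytes "$1" 0   'LUKS\272\276'        # magic "LUKS" 0xba 0xbe
    put_bytes "$1" 6   '\000\001'            # version 1
    put_bytes "$1" 8   'aes'
    put_bytes "$1" 40  'cbc-essiv:sha256'
    put_bytes "$1" 72  'sha1'
    put_bytes "$1" 104 '\000\000\010\020'    # payload offset 2064 sectors
    put_bytes "$1" 108 '\000\000\000\040'    # key bytes 32 (256-bit master key)
    put_bytes "$1" 168 'constructed-uuid-0000-0000-000000000000'
    put_bytes "$1" 208 '\000\254\161\363'    # slot 0: 0x00AC71F3, enabled
    put_bytes "$1" 256 '\000\000\336\255'    # slot 1: 0x0000DEAD, disabled
}

tmp=$(mktemp -d)
make_sample_header "$tmp/luks.img"
luks_dump "$tmp/luks.img"
rm -rf "$tmp"
```

The "Enabled slots" line is the one to watch after 6.7: a slot whose key you deleted must no longer be listed, and a device whose only enabled slot holds a key file you cannot read any more is a device you cannot open.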


7. Related documents


7.1. dm-crypt homepage


http://www.saout.de/misc/dm-crypt


7.2. dm-crypt wiki


http://www.saout.de/tikiwiki/tiki-index.php


7.3. dm-crypt howto for Debian


http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO


7.4. dm-crypt howto for LVM


http://www.saout.de/tikiwiki/tiki-index.php?page=LVM2+over+dmcrypt


8. About


8.1. Author


Emidio Planamente <eplanamente@gmx.ch>


8.2. History


Version 1

  First public release



Emidio Planamente

Last modified on 2008-05-11