How to set up an encrypted filesystem in several easy steps

Posted by Anonymous on Wed 29 Nov 2006 at 11:17

There's been a lot of talk lately about encrypted partitions, and Debian is proud to offer a feature to easily create them in the etch installer since beta3. But what about existing systems? This guide walks you through setting up an encrypted partition using cryptsetup and LUKS.

Introduction

This guide will walk you through the creation of an encrypted filesystem using LUKS. LUKS is the Linux Unified Key Setup and is a standard format for Linux hard disk encryption. It has a lot of interesting features such as using a key on a removable disk, keeping multiple keys, and more. This is the technology used by the Debian Installer (since etch beta3) and is quickly becoming a standard in the Linux world.

Who this guide is for

This guide is for anyone who wants to secure their data using an encrypted partition. While it is tailored to users of Debian, it should apply elsewhere in the Linux world. It is intended to add an encrypted device to an existing install; if you are contemplating a fresh install, the Debian Installer will configure encrypted filesystems for you.

Ready? Then let's begin

Prepare the partition (or other block device) to be used

This can be a partition on disk, a logical volume in LVM or some other block device. For this example, I created a 40 GB volume in LVM.

  • For a physical partition, you would need to have an entire partition available on disk. Instructions for this can be found from many other sources.
  • For LVM, create a logical volume like this:
    lvcreate -n crypto_test --size 40g asimov-vol

Install cryptsetup

This utility provides an interface into the code in the Linux kernel that handles encrypted block devices. It's packaged for Debian in both testing and unstable; stable has an older version and I don't know whether or not it will work in the same manner.
apt-get install cryptsetup

Set up encryption on the partition

This initializes the partition for encryption and sets the initial key. People not using LVM will want a path like /dev/hdxY where hdxY is the partition on their hard drive that will be used for encryption.

Important! This command will wipe out anything on that partition.

# cryptsetup luksFormat /dev/mapper/asimov--vol-crypto_test

WARNING!
========
This will overwrite data on /dev/mapper/asimov--vol-crypto_test irrevocably. 
Are you sure? 
(Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Congratulations! You now have an encrypted block device! However, it's not quite ready to use.

Open and map the device

This opens the device (prompting for a passphrase) and maps it to a block device in /dev/mapper. This can be used like any other block device, and the encryption/decryption is transparent. The first path (/dev/mapper/asimov--vol-crypto_test) is the encrypted partition you set up earlier. The name (crypto_test) is the name of the volume; the block device will be mapped as /dev/mapper/"name".

# cryptsetup luksOpen /dev/mapper/asimov--vol-crypto_test crypto_test
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Create the filesystem of your choice on the device

This is just like setting up any other block device. I use ext3, others may prefer different formats.
mkfs.ext3 /dev/mapper/crypto_test

Add the definition to /etc/crypttab

/etc/crypttab is a list of encrypted devices that are mapped on boot. The format is "[map name] [path to device] [key file] [options]". Since we're using a passphrase, we don't have a key file.

Instead we'll use this:

crypto_test /dev/mapper/asimov--vol-crypto_test none luks

Create a mount point

This is where the encrypted device will be mounted on your filesystem.
mkdir /mnt/crypto_test

Add the device to /etc/fstab

/etc/fstab tells the computer where to mount different devices on the filesystem. The format is "[source path] [mount path] [type of filesystem] [mount options] [dump frequency] [fsck pass]". More information can be found by reading man 5 fstab. You will want to add a line such as this:

/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2 

Update the initial ramdisk

The initial ramdisk is used to jumpstart the boot process and load modules for the kernel that it can't load itself (such as drivers for block devices that contain the modules it uses). I'm not sure if this is needed or not, but I wanted to be on the safe side.
update-initramfs -u -k all
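The whole procedure above as one script, added here as an example; it is not part of the original article. It takes the backing device, mapping name and mount point as arguments (in that order, with an optional filesystem type), and assumes the paths of /etc/crypttab, /etc/fstab and the mounts table may be overridden through the environment variables CRYPTTAB, FSTAB and MOUNTS, so the non-destructive helpers can be exercised against copies. The crypttab and fstab helpers append an entry only if none exists for that name, and every sanity check (root, real block device, device not currently mounted) runs before luksFormat touches the device.

```shell
#!/bin/sh
# Added example, not from the original article: the procedure above as one
# script. Arguments: <backing device> <mapping name> <mount point> [fstype].
# CRYPTTAB, FSTAB and MOUNTS can be overridden in the environment (an
# assumption made here so the helpers can be tested against copies).
set -eu

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
FSTAB=${FSTAB:-/etc/fstab}
MOUNTS=${MOUNTS:-/proc/mounts}

# The mapping name becomes /dev/mapper/<name>, so restrict it to a safe charset.
valid_map_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if $1 appears as the source device of a mounted filesystem
# ($2 = mounts table, defaults to $MOUNTS).
device_is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-$MOUNTS}"
}

# Append "<name> <device> none luks" unless <name> already has an entry.
add_crypttab_entry() {
    if awk -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$CRYPTTAB" 2>/dev/null; then
        return 0
    fi
    printf '%s %s none luks\n' "$1" "$2" >> "$CRYPTTAB"
}

# Append the fstab line for the mapped device; pass 2 so fsck runs after root.
add_fstab_entry() {
    mapped="/dev/mapper/$1"
    if awk -v d="$mapped" '$1 == d { found = 1 } END { exit !found }' "$FSTAB" 2>/dev/null; then
        return 0
    fi
    printf '%s %s %s defaults 0 2\n' "$mapped" "$2" "$3" >> "$FSTAB"
}

# The destructive part: needs root, a real block device and a terminal for
# the passphrase prompts. Every check runs before luksFormat touches the device.
setup_encrypted_volume() {
    dev=$1; name=$2; mnt=$3; fstype=${4:-ext3}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    valid_map_name "$name" || { echo "bad mapping name: $name" >&2; return 1; }
    if device_is_mounted "$dev"; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    cryptsetup luksFormat "$dev"            # wipes everything on $dev
    cryptsetup luksOpen "$dev" "$name"      # creates /dev/mapper/$name
    "mkfs.$fstype" "/dev/mapper/$name"
    mkdir -p "$mnt"
    add_crypttab_entry "$name" "$dev"
    add_fstab_entry "$name" "$mnt" "$fstype"
    update-initramfs -u -k all
    mount "$mnt"                            # uses the new fstab entry
}

# Usage: sh setup-luks.sh /dev/mapper/asimov--vol-crypto_test crypto_test /mnt/crypto_test
if [ "$#" -ge 3 ]; then
    setup_encrypted_volume "$@"
fi
```

The mounted-device check matters because luksFormat on a device that is still mounted is one of the failure modes raised in the comments below the article; refusing early is cheaper than diagnosing a half-written header afterwards.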

Congratulations

Now your encrypted filesystem is completely set up! Reboot the system and you will see it prompt you for your passphrase during the boot cycle. Once the passphrase has been entered, the encryption is completely transparent. If you want to use your encrypted filesystem before rebooting, simply type mount /path/to/mountpoint.

Credits

Copyright (c) 2006 by Benjamin Seidenberg.
Permission to use, modify and redistribute this guide freely is granted, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Document.

Thanks to Sven Müller for pointing me in the right direction.
Posted by mvanbaak (80.126.xx.xx) on Wed 29 Nov 2006 at 17:23
If you are paranoid and want it harder to detect where the data is you might want to do:
# dd if=/dev/urandom of=/dev/mapper/your_lvm_partition
or for partitions without lvm
# dd if=/dev/urandom of=/dev/hd<disk><partitionnr>

That way the whole device will be filled with random data and someone who gets your disk cannot guess where the keys are etc.

Note that it can take hours or even days depending on the size of the partition you want to use. This took 2 days and 3 hours on my 120 GB laptop HD (only /boot is non-encrypted)


Posted by freelsjd (69.241.xx.xx) on Wed 6 Dec 2006 at 19:49
I tried this and could not get it to work past the first step: "cryptsetup luksFormat /dev/hdb9" (note: I am not using lvm, but straight 4-GB partitions). Cryptsetup came back with the following error message:

Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/hdb9 contains at least 133 sectors.
Failed to write to key storage.

I tried enabling most all the encryption options in my custom kernel. Question: what options are required? Also, what else could cause this error?


Posted by Anonymous (213.185.xx.xx) on Wed 20 Dec 2006 at 21:27
maybe your partition is mounted ?


Posted by Anonymous (162.39.xx.xx) on Sun 24 Dec 2006 at 01:59
It sounds to me like you're not doing this as root.

-- Benjamin


Posted by Anonymous (87.105.xx.xx) on Sun 24 Dec 2006 at 08:54
Also check whether module dm-crypt is loaded.


Posted by Anonymous (85.224.xx.xx) on Sun 11 Feb 2007 at 11:11
I got exactly the same error, and was quite lost for a while, but that did it! Just run modprobe dm-crypt.

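The thread above settles on three causes for "Failed to setup dm-crypt key mapping": not running as root, a mounted partition, and the dm-crypt module not being loaded. The following pre-flight check is an added example, not part of the article or of any comment. It assumes (my choice, so it can be run against saved copies) that the paths of /proc/modules and /proc/crypto and a file holding `dmsetup targets` output are passed as parameters; the kernel option names CONFIG_DM_CRYPT, CONFIG_CRYPTO_AES, CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_CBC are the real ones for the pieces the default aes-cbc-essiv:sha256 spec needs.

```shell
#!/bin/sh
# Added example, not part of the article or this thread: a pre-flight check
# for the "Failed to setup dm-crypt key mapping" error discussed above.
# File paths are parameters (assumption made here) so the checks can be run
# against saved copies of /proc/modules, /proc/crypto and `dmsetup targets`.
set -eu

# $1 = module name as listed in /proc/modules (dm_crypt, not dm-crypt), $2 = file
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# $1 = device-mapper target name, $2 = file holding `dmsetup targets` output.
# A dm-crypt built into the kernel never shows in /proc/modules but does show here.
dm_target_present() {
    awk -v t="$1" '$1 == t { found = 1 } END { exit !found }' "$2"
}

# $1 = algorithm name as printed in /proc/crypto ("name : aes"), $2 = file.
# cbc(aes) and the essiv IV generator only appear there after first use, so
# the base primitives aes and sha256 are what can be checked up front.
crypto_alg_registered() {
    awk -v a="$1" '$1 == "name" && $3 == a { found = 1 } END { exit !found }' "$2"
}

# Checks everything the default aes-cbc-essiv:sha256 spec needs and prints a
# hint per missing piece. Returns the number of problems found (0 = ready).
check_dmcrypt_support() {
    modules=${1:-/proc/modules}; crypto=${2:-/proc/crypto}; targets=${3:-}
    problems=0
    if ! module_loaded dm_crypt "$modules" 2>/dev/null \
       && ! { [ -n "$targets" ] && dm_target_present crypt "$targets"; }; then
        echo "dm-crypt not available: modprobe dm-crypt (kernel option CONFIG_DM_CRYPT)"
        problems=$((problems + 1))
    fi
    for alg in aes sha256; do
        if ! crypto_alg_registered "$alg" "$crypto" 2>/dev/null; then
            echo "kernel lacks $alg (CONFIG_CRYPTO_AES / CONFIG_CRYPTO_SHA256, plus CONFIG_CRYPTO_CBC)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Live run (dmsetup needs root, which luksFormat needs anyway):
#   sh dmcrypt-check.sh --live
if [ "${1:-}" = "--live" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: cryptsetup needs it too" >&2; exit 1; }
    targets_file=$(mktemp)
    dmsetup targets > "$targets_file" 2>/dev/null || : > "$targets_file"
    check_dmcrypt_support /proc/modules /proc/crypto "$targets_file"
    echo "dm-crypt and the default cipher spec look available"
fi
```

The targets check is there because a kernel with dm-crypt compiled in (rather than as a module) would otherwise be reported as missing it; conversely, a missing module is the case the "modprobe dm-crypt" replies above fix.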

Posted by Anonymous (212.201.xx.xx) on Sun 24 Jun 2007 at 23:16
Another interesting part might be to set up luks-encrypted swap working with uswsusp. As it didn't seem to be obvious I wrote down some thoughts at http://subdivi.de/~helmut/luks-uswsusp.html. Hope it helps.


Posted by horvathz (86.101.xx.xx) on Thu 30 Aug 2007 at 09:46
Hi,

this article for me was really useful.
Only one question I have:
how safe, how strong this encryption is? I mean encrypted with passphrase, comparing with key-encrypted filesystems?

Tanx in advance

HoZo


Posted by Anonymous (71.222.xx.xx) on Sat 17 May 2008 at 05:26
It should be noted somewhere that the options --cipher and --key-size can be used with luksFormat to change the respective options. I'm not sure what the defaults are, but I don't see why anyone would follow a tutorial on drive encryption without knowing what they are using. Maybe the default is the lowest level of encryption possible or none at all. I know this isn't really the case, but it should be mentioned what the actual defaults are so users can decide if they are sufficient (or too much) for what they want. On slower machines a smaller key size might be beneficial while still maintaining good security. Perhaps different ciphers have better speed, or options... etc.

Aside from that, this is a very clear tutorial.

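The question above (what cipher and key size a volume actually uses) can be answered from the header itself with cryptsetup luksDump. The script below is an added example, not part of the article or the comments: it parses the LUKS1 dump layout ("Cipher name:", "Cipher mode:", "MK bits:", "Key Slot N: ENABLED") and flags settings worth a second look. The sample dump embedded in it is constructed in that layout with illustrative values; it is not taken from any real device, and LUKS2 dumps use a different layout.

```shell
#!/bin/sh
# Added example (not part of the article or the comments): report what a
# LUKS1 volume actually uses, by parsing `cryptsetup luksDump` output.
# Assumes the LUKS1 dump layout; LUKS2 dumps differ.
set -eu

# $1 = file containing luksDump output. Prints "cipher-spec keybits enabled-slots".
luks_summary() {
    awk '
        /^Cipher name:/ { name = $3 }
        /^Cipher mode:/ { mode = $3 }
        /^MK bits:/     { bits = $3 }
        /^Key Slot [0-7]: ENABLED/ { slots++ }
        END { printf "%s-%s %s %d\n", name, mode, bits, slots }
    ' "$1"
}

# Prints one line per finding a practitioner would want to know about:
# a short master key, the predictable-IV cbc-plain mode, or extra key slots.
luks_warnings() {
    luks_summary "$1" | awk '{
        if ($2 + 0 < 256) print "key is " $2 " bits; 256-bit keys cost little extra CPU"
        if ($1 ~ /-cbc-plain$/) print "cbc-plain IVs are predictable; prefer cbc-essiv:sha256"
        if ($3 + 0 > 1) print $3 " key slots enabled; make sure every slot is intended"
    }'
}

# Constructed sample in the LUKS1 dump layout (values are illustrative). On a
# real system: cryptsetup luksDump /dev/mapper/asimov--vol-crypto_test > dump.txt
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
LUKS header information for /dev/mapper/asimov--vol-crypto_test

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      (omitted)
MK salt:        (omitted)
MK iterations:  10
UUID:           (omitted)

Key Slot 0: ENABLED
        Iterations:          100000
        Salt:                (omitted)
        Key material offset: 8
        AF stripes:          4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF

luks_summary "$SAMPLE"    # aes-cbc-essiv:sha256 128 1
luks_warnings "$SAMPLE"
```

Run it against a saved dump of your own volume to see the values luksFormat chose; the warning on the sample is about its 128-bit key, which is the kind of default the comment is asking to have spelled out.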

Posted by Anonymous (203.202.xx.xx) on Thu 5 Jun 2008 at 00:17
Is it possible to grow a LV if it has been LUKS'd?

McPop.


Posted by Anonymous (195.70.xx.xx) on Wed 11 Jun 2008 at 00:42
Thank you for this article, it was very useful!

Greetings:
kakaopor


Posted by Anonymous (78.80.xx.xx) on Fri 24 Dec 2010 at 23:21
Thanks a lot. This article really helped me. It worked well with Lenny.
It was only necessary to reboot after installing cryptsetup and there was no need to update initramfs manually.


Posted by Anonymous (220.255.xx.xx) on Sat 19 Mar 2011 at 07:57
I know this may be a bit late but anyway, appreciate if someone could help on the following:

- not wanting to auto-mount the encrypted partition on bootup,
> do not add the encrypted partition into crypttab, correct?

- upon boot up without auto-mount
> how can I mount the encrypted-partition manually?

Appreciate your advice.


Posted by Anonymous (80.171.xx.xx) on Thu 8 Nov 2012 at 22:56
the note about the /etc/crypttab is WRONG! name dev options .... for /etc/crypttab
