How to set up an encrypted filesystem in several easy steps
Posted by Anonymous on Wed 29 Nov 2006 at 11:17
This guide will walk you through the creation of an encrypted filesystem using LUKS. LUKS is the Linux Unified Key Setup and is a standard format for Linux hard disk encryption. It has a lot of interesting features such as using a key on a removable disk, keeping multiple keys, and more. This is the technology used by the Debian Installer (since etch beta3) and is quickly becoming a standard in the Linux world.
Who this guide is for
This guide is for anyone who wants to secure their data using an encrypted partition. While it is tailored to users of Debian, it should apply elsewhere in the Linux world. This guide is intended to add an encrypted device to an existing install; if you are contemplating a fresh install, the Debian Installer will configure encrypted filesystems for you.
Ready? Then let's begin
Prepare the partition (or other block device) to be used
This can be a partition on disk, a logical volume in LVM or some other block device. For this example, I created a 40 GB volume in LVM.
- For a physical partition, you would need to have an entire partition available on disk. Instructions for this can be found from many other sources.
- For LVM, create a logical volume like this:
lvcreate -n crypto_test --size 40g asimov-vol
Install cryptsetup
cryptsetup provides an interface into the code in the Linux kernel that handles encrypted block devices. It's packaged for Debian in both testing and unstable; stable has an older version and I don't know whether or not it will work in the same manner.
apt-get install cryptsetup
Set up encryption on the partition
This initializes the partition for encryption and sets the initial key. People not using LVM will want a path like /dev/hdxY where hdxY is the partition on their hard drive that will be used for encryption.
Important! This command will wipe out anything on that partition.
# cryptsetup luksFormat /dev/mapper/asimov--vol-crypto_test

WARNING!
========
This will overwrite data on /dev/mapper/asimov--vol-crypto_test irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Congratulations! You now have an encrypted block device! However, it's not quite ready to use.
Open and map the device
This opens the device (prompting for a passphrase) and maps it to a block device in /dev/mapper. This can be used like any other block device, and the encryption/decryption is transparent. The first path (/dev/mapper/asimov--vol-crypto_test) is the encrypted partition you set up earlier. The name (crypto_test) is the name of the volume, the block device will be mapped as /dev/mapper/"name".
# cryptsetup luksOpen /dev/mapper/asimov--vol-crypto_test crypto_test
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
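The luksFormat step above writes a LUKS header to the start of the device, and the "key slot 0 unlocked" message on luksOpen refers to one of that header's eight key slots (this is how LUKS keeps multiple keys for one volume). The following is an added example, not code from the article: a small parser for the LUKS1 header format that cryptsetup of this era writes (LUKS2, the default in cryptsetup 2.x, uses a different header and is not handled here). It reports the cipher, hash and key size, and which key slots are active, which is what you would check when auditing how many passphrases or key files can unlock a volume. The header it parses is constructed inline with filler salts and digest; the layout and the slot state constants are from the LUKS1 specification.

```python
import struct

# LUKS1 on-disk header layout (all integers big-endian), from the LUKS1 spec.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_VERSION = 1
LUKS_NUMKEYS = 8
KEY_ENABLED = 0x00AC71F3   # key slot holds valid key material
KEY_DISABLED = 0x0000DEAD  # key slot is empty
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"  # fixed part: magic, version, cipher-name,
                                          # cipher-mode, hash-spec, payload-offset,
                                          # key-bytes, mk-digest, mk-salt, mk-iter, uuid
KEYSLOT_FMT = ">II32sII"                  # active, iterations, salt, key-material-offset, stripes
FIXED_LEN = struct.calcsize(HEADER_FMT)   # 208 bytes
SLOT_LEN = struct.calcsize(KEYSLOT_FMT)   # 48 bytes
HEADER_LEN = FIXED_LEN + LUKS_NUMKEYS * SLOT_LEN  # 592 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob: bytes) -> dict:
    """Parse the first 592 bytes of a LUKS1 device into a dictionary."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(blob)}")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid_raw) = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != LUKS_VERSION:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(LUKS_NUMKEYS):
        active, iters, _salt, km_off, stripes = struct.unpack_from(
            KEYSLOT_FMT, blob, FIXED_LEN + i * SLOT_LEN)
        if active == KEY_ENABLED:
            state = "enabled"
        elif active == KEY_DISABLED:
            state = "disabled"
        else:
            state = f"invalid (0x{active:08x})"  # corrupted or tampered slot marker
        slots.append({"slot": i, "state": state, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
        "mk_iterations": mk_iter, "uuid": _cstr(uuid_raw), "keyslots": slots,
    }


def active_slots(header: dict) -> list:
    """Slot numbers that can currently unlock the volume."""
    return [s["slot"] for s in header["keyslots"] if s["state"] == "enabled"]


def build_sample_header(enabled=(0,)) -> bytes:
    """Constructed LUKS1 header for demonstration only: the digest, salts and UUID
    are filler bytes, not material from any real volume."""
    fixed = struct.pack(HEADER_FMT, LUKS_MAGIC, LUKS_VERSION, b"aes", b"cbc-essiv:sha256",
                        b"sha1", 2056, 32, b"\x11" * 20, b"\x22" * 32, 10000,
                        b"00000000-1111-2222-3333-444444444444")
    slots = b""
    for i in range(LUKS_NUMKEYS):
        km_off = 8 + i * 256  # 256 sectors of anti-forensic stripes per 256-bit slot
        if i in enabled:
            slots += struct.pack(KEYSLOT_FMT, KEY_ENABLED, 5000, b"\x33" * 32, km_off, 4000)
        else:
            slots += struct.pack(KEYSLOT_FMT, KEY_DISABLED, 0, b"\x00" * 32, km_off, 4000)
    return fixed + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header(enabled=(0, 3)))
    print(hdr["cipher"], hdr["mode"], hdr["hash"], hdr["key_bits"], "bit")
    print("active key slots:", active_slots(hdr))
```

On a real system the same information comes from `cryptsetup luksDump`; to feed this parser a real header you would read the first 592 bytes of the encrypted device (the /dev/mapper/asimov--vol-crypto_test path in this guide, not the opened crypto_test mapping), which requires root.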
Create the filesystem of your choice on the device
This is just like setting up any other block device. I use ext3; others may prefer different formats.
Add the definition to /etc/crypttab
/etc/crypttab is a list of encrypted devices that are mapped on boot. The format is "[map name] [path to device] [key file] [options]". Since we're using a passphrase, we don't have a key file.
Instead we'll use this:
crypto_test /dev/mapper/asimov--vol-crypto_test none luks
Create a mount point
This is where the encrypted device will be mounted on your filesystem.
Add the device to /etc/fstab
/etc/fstab tells the computer where to mount different devices on the filesystem. The format is "[source path] [mount path] [type of filesystem] [mount options] [dump frequency] [fsck pass]". More information can be found by reading man 5 fstab. You will want to add a line such as this:
/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2
Update the initial ramdisk.
The initial ramdisk is used to jumpstart the boot process and load modules for the kernel that it can't load itself (such as drivers for block devices that contain the modules it uses). I'm not sure if this is needed or not, but I wanted to be on the safe side.
update-initramfs -u -k all
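Before rebooting, it is worth checking that the /etc/crypttab and /etc/fstab entries agree with each other, because a mismatch (an fstab line that points at the raw encrypted device, a crypttab line that forgets the luks option, a mapping that nothing mounts) shows up as a hung or failed boot rather than a clear error. The following is an added example, not part of the original article: a checker that parses both files in the format the guide describes and reports the inconsistencies listed above. The sample crypttab and fstab content is constructed inline from the lines in this guide; the check_crypt_config function and its rules are this example's own, and the /dev/mapper prefix is an assumption matching the guide's setup.

```python
# Constructed sample configuration, modelled on the lines in this guide;
# not read from a real system.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
crypto_test /dev/mapper/asimov--vol-crypto_test none luks
"""
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/asimov--vol-root / ext3 defaults 0 1
/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2
"""


def parse_table(text):
    """Split a crypttab/fstab-style file into (lineno, fields), skipping comments and blanks."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if stripped:
            rows.append((lineno, stripped.split()))
    return rows


def check_crypt_config(crypttab_text, fstab_text, mapper_dir="/dev/mapper"):
    """Return a list of human-readable problems; an empty list means the two files agree."""
    problems = []
    mappings = {}  # crypttab map name -> underlying encrypted device

    for lineno, fields in parse_table(crypttab_text):
        if len(fields) < 4:
            problems.append(f"crypttab:{lineno}: expected 4 fields "
                            f"(name device keyfile options), got {len(fields)}")
            continue
        name, device, keyfile, options = fields[:4]
        if "luks" not in options.split(","):
            problems.append(f"crypttab:{lineno}: mapping '{name}' lacks the 'luks' option")
        if keyfile != "none" and not keyfile.startswith("/"):
            problems.append(f"crypttab:{lineno}: key file '{keyfile}' is neither "
                            f"'none' nor an absolute path")
        if name in mappings:
            problems.append(f"crypttab:{lineno}: duplicate mapping name '{name}'")
        mappings[name] = device

    mounted = set()  # crypttab map names that fstab actually mounts
    raw_devices = set(mappings.values())
    for lineno, fields in parse_table(fstab_text):
        if len(fields) < 4:
            problems.append(f"fstab:{lineno}: expected at least 4 fields, got {len(fields)}")
            continue
        source = fields[0]
        if source in raw_devices:
            # Mounting the ciphertext device directly bypasses the mapping and fails at boot.
            problems.append(f"fstab:{lineno}: '{source}' is the raw encrypted device; "
                            f"mount {mapper_dir}/<name> from crypttab instead")
        elif source.startswith(mapper_dir + "/"):
            name = source[len(mapper_dir) + 1:]
            if name in mappings:
                mounted.add(name)

    for name, device in mappings.items():
        if name not in mounted:
            problems.append(f"crypttab mapping '{name}' ({device}) is never mounted in fstab")
    return problems


if __name__ == "__main__":
    for problem in check_crypt_config(SAMPLE_CRYPTTAB, SAMPLE_FSTAB) or ["no problems found"]:
        print(problem)
```

To run it against a live system, read /etc/crypttab and /etc/fstab into the two text arguments; an LVM volume such as /dev/mapper/asimov--vol-root that has no crypttab entry is deliberately left alone, since only names that appear in crypttab are treated as encrypted mappings.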
Now your encrypted filesystem is completely set up! Reboot the system and you will see it prompt you for your passphrase during the boot cycle. Once the passphrase has been entered, the encryption is completely transparent. If you want to use your encrypted filesystem before rebooting, simply type
Credits
Copyright (c) 2006 by Benjamin Seidenberg
Permission to use, modify and redistribute this guide freely is granted, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Document.
Thanks to Sven Müller for pointing me in the right direction.