Encrypted partition with Debian Sarge, dmcrypt
just a brief tutorial...
you must choose:
Configure the kernel
# make menuconfig
These must be built into the kernel and not as modules:
CONFIG_MD=y under Device Drivers / Multi-device support
CONFIG_BLK_DEV_DM=y device mapper support
CONFIG_DM_CRYPT=y crypt target support
In Cryptographic options, find the algorithms to use and put them in the kernel.
# cat /proc/crypto
will show you the available algorithms:
[...]
name         : des3_ede
module       : kernel
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : blowfish
module       : kernel
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56
[...]
Now you MUST fill up your device with good random data:
# dd if=/dev/urandom of=/dev/hda11 bs=1M
PLEASE: double check the of=partition !!!
wait until you see the "device full" error
use cryptsetup to set up in /dev/mapper the encrypted device that you'll mount in your main file system:
# cryptsetup -c aes -h sha512 -s 256 -y create cdisk /dev/hda11
cipher aes with 256 bit key, digest sha512, device name cdisk; the -y switch asks you for the password twice (-y is needed only the very first time)
Note 1: the password can't be changed without losing the data
Note 2: actually a password change is possible with a patch... not tested, sorry
create a fs on the mapped device
# mke2fs /dev/mapper/cdisk
create a new mount point, like /crypto, and mount the mapped device
# mkdir /crypto
# mount /dev/mapper/cdisk /crypto
use "-o sync" if you want to be sure that all data is written to the disk immediately: slow but extremely safe.
umount and remove the mapped device
# umount /dev/mapper/cdisk
# cryptsetup remove cdisk
now you want all your encrypted data back:
# cryptsetup -c aes -h sha512 -s 256 create cdisk /dev/hda11
...password
# mount -o sync /dev/mapper/cdisk /crypto
Now your data is there in /crypto
NOTE: at the second run cryptsetup asks for the password and maps the device to make it available for mounting.
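The manual steps above collected into a small sh wrapper, as an added example that is not part of the original tutorial; the device /dev/hda11, the mapping name cdisk and the mount point /crypto come from the text, while DRY_RUN and MOUNTS_FILE are assumed names for the script's own variables.

```shell
#!/bin/sh
# Wrapper around the tutorial's cryptsetup steps (added example, not the
# tutorial's own script). DRY_RUN=1 prints each command instead of running
# it, so the sequence can be checked before it touches a real partition.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The "double check of=" warning as a check: refuse to touch a device that
# is currently mounted. MOUNTS_FILE defaults to /proc/mounts (assumption:
# one "device mountpoint ..." entry per line).
device_is_mounted() {
    grep -q "^$1 " "${MOUNTS_FILE:-/proc/mounts}"
}

# First run only: fill with random data, map with -y (password asked twice),
# then create the file system on the mapped device.
crypt_init() {
    dev="$1"; name="$2"
    if device_is_mounted "$dev"; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    # dd stops with "No space left on device" once the partition is full;
    # that is the expected end, so its exit status is ignored here.
    run dd if=/dev/urandom of="$dev" bs=1M || true
    run cryptsetup -c aes -h sha512 -s 256 -y create "$name" "$dev"
    run mke2fs "/dev/mapper/$name"
}

# Later runs: same cipher/hash/key size but no -y, then mount with -o sync.
# Plain dm-crypt keeps no header, so a mistyped password is not detected by
# cryptsetup; it only shows up as a failing mount ("wrong fs type").
crypt_open() {
    dev="$1"; name="$2"; mnt="$3"
    run cryptsetup -c aes -h sha512 -s 256 create "$name" "$dev"
    run mount -o sync "/dev/mapper/$name" "$mnt"
}

crypt_close() {
    name="$1"
    run umount "/dev/mapper/$name"
    run cryptsetup remove "$name"
}
```

Run with DRY_RUN=1 first and compare the printed commands against the tutorial lines before running for real.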
It's also possible to have all the encrypted devices mounted at boot, just edit these files:
$ cat /etc/crypttab #
Now you will be asked for a password at boot.
You can also encrypt swap and /tmp using /dev/urandom as the password, because all that data does not need to survive a reboot but can be stolen.
$Id: crypto.html,v 1.1 2006/10/03 11:15:49 pit Exp pit $