Gentoo encryption with dm-crypt and luks

By: John McFarlane <john.mcfarlane@rockfloat.com>
Abstract:
This document is not finished!

This howto describes how to install and use dm-crypt and LUKS to encrypt either a file (attached through a loop device) or a partition, and then mount it like any other filesystem. The resulting volume is strongly encrypted at the block level, supports multiple passphrases, and before long will be portable to win32 via TrueCrypt. This howto does not explain how to encrypt your entire operating system with dm-crypt and LUKS; for that see here.



1. Background

There are various types of encryption. Some are used to protect sensitive information in transit, such as credit card numbers sent to websites. Others are used to protect private files at rest, or to verify who created a file. This howto deals with the second kind: encrypting a block device so that everything written to it is stored encrypted on disk.

2. Prepare your kernel

Here are the things you need in your kernel:

Device Drivers  --->
  Block devices  --->
    <*> Loopback device support
    <*>    Cryptoloop Support
  Multi-device support (RAID and LVM)  --->
    <M>   Device mapper support
    <M>   Crypt target support
Cryptographic options  --->
    <M>   SHA256 digest algorithm
    <M>   AES cipher algorithms (i586)
        
You also need to add a few modules to your system startup:

root# cd /etc/modules.autoload.d
root# echo aes >> kernel-2.6
root# echo dm_mod >> kernel-2.6
root# echo dm_crypt >> kernel-2.6
root# modules-update
        

3. Install required packages

First off you need to install the software required.

root# emerge -a cryptsetup-luks
        

4. Prepare something for encryption

You have two choices on what you want to encrypt. Choose one of the following (where VOLNAME is a name of your choosing):
  1. File based encryption:
    
    user# dd if=/dev/urandom of=testfile.dm bs=10M count=10  #100M
    root# losetup /dev/loop/0 testfile.dm
    
    root# cryptsetup -y -s 256 luksFormat /dev/loop/0
    # It will ask for a passphrase, enter something [strong] you will remember
    root# cryptsetup luksOpen /dev/loop/0 VOLNAME
                    
  2. Partition based encryption. For the next few commands replace sda77 with a partition you want to encrypt:
    
    root# cryptsetup -y -s 256 luksFormat /dev/sda77
    # It will ask for a passphrase, enter something [strong] you will remember
    root# cryptsetup luksOpen /dev/sda77 VOLNAME
                    
Now we need to create a filesystem on the encrypted device we just opened:

root# mke2fs -j -O dir_index /dev/mapper/VOLNAME  #Assuming you want ext3
            

5. Mount and use the encrypted volume

Now it's time to mount your encrypted volume:

user# mount /dev/mapper/VOLNAME /home/foo/bar
        
At this point you can write files, make directories... do anything you would normally do inside a directory. The only difference is that everything is stored encrypted on the underlying device. *feel the love*

6. Unmount and close the volume

To properly put the volume away you must both unmount it and close it; until luksClose runs, the decrypted device is still available under /dev/mapper:

# First make sure no users are accessing the encrypted volume
root# umount /home/foo/bar  # Use the lazy switch if needed
root# cryptsetup luksClose /dev/mapper/VOLNAME
        

7. Complete usage for FOO encrypted device

Here are all the commands you need once you have an existing device (whether file or partition) that's set up for encryption:

root# cryptsetup luksOpen /dev/FOO-DEVICE VOLNAME
root# mount /dev/mapper/VOLNAME /SOME-MOUNT-POINT

# do stuff...

root# umount /SOME-MOUNT-POINT
root# cryptsetup luksClose /dev/mapper/VOLNAME
        
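The open/mount and umount/close cycle above is easy to get half-done by hand (a mount that fails leaves the decrypted mapping open; a lazy umount leaves luksClose failing because the device is still busy). The script below is an added example, not part of the original howto; it wraps the commands from steps 5 to 7 in two functions with those checks. It assumes the device path, the VOLNAME and the mount point are passed as arguments (for the file-based case, pass the loop device you set up in step 4), that fuser from psmisc is available, and that setting DRY_RUN=1 should print the commands instead of running them.

```shell
#!/bin/sh
# Added example wrapper for the cryptsetup/mount cycle in this howto.
# Assumptions (not from the original page): arguments are DEVICE VOLNAME
# MOUNTPOINT, fuser is installed, DRY_RUN=1 prints instead of executing.
set -u

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject VOLNAMEs that would escape /dev/mapper or break word splitting.
valid_volname() {
  case "$1" in
    ''|*/*|*' '*|.|..) return 1 ;;
    *) return 0 ;;
  esac
}

# luks_open_mount DEVICE VOLNAME MOUNTPOINT
# Opens the LUKS device and mounts it; if the mount fails, the mapping is
# closed again so no decrypted device is left lying around.
luks_open_mount() {
  dev=$1; name=$2; mnt=$3
  valid_volname "$name" || { echo "bad volume name: $name" >&2; return 2; }
  run cryptsetup luksOpen "$dev" "$name" || return 1
  if ! run mount "/dev/mapper/$name" "$mnt"; then
    run cryptsetup luksClose "/dev/mapper/$name"
    return 1
  fi
}

# luks_umount_close VOLNAME MOUNTPOINT
# Refuses to unmount while processes still hold files open on the volume,
# because a lazy umount would leave the mapping busy and luksClose would fail.
luks_umount_close() {
  name=$1; mnt=$2
  valid_volname "$name" || { echo "bad volume name: $name" >&2; return 2; }
  if [ "${DRY_RUN:-0}" != "1" ] && fuser -m "$mnt" >/dev/null 2>&1; then
    echo "volume $name still in use at $mnt, not unmounting" >&2
    return 3
  fi
  run umount "$mnt" || return 1
  run cryptsetup luksClose "/dev/mapper/$name"
}

# Command-line dispatch, only when arguments were given:
#   luksvol.sh open  /dev/sda77 VOLNAME /home/foo/bar
#   luksvol.sh close VOLNAME /home/foo/bar
if [ "$#" -gt 0 ]; then
  case "$1" in
    open)  luks_open_mount "$2" "$3" "$4" ;;
    close) luks_umount_close "$2" "$3" ;;
    *)     echo "usage: $0 open DEVICE VOLNAME MOUNTPOINT | close VOLNAME MOUNTPOINT" >&2; exit 2 ;;
  esac
fi
```

Run it as root, since luksOpen, mount and luksClose all need root as step 8 explains; set DRY_RUN=1 first to see exactly which commands would be run for a given device and volume name.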

8. Permissions and how they work

All of the device setup, opening, and mounting needs to be done by root. But once mounted, all of the usual filesystem permissions apply exactly as on an unencrypted filesystem. This means that if you create a directory owned by Kirby, the ownership is stored inside the encrypted volume and survives unmounting and remounting.


This document was originally created on 04/08/2007


Conventions and tips for this howto document:
  1. Though this howto is Gentoo specific, it will work on most distros

Disclaimer:
This page is not endorsed by gentoo.org or any other cool cats. Any information provided in this document is to be used at your own risk.