Asashi Dot Net Logo

Encrypted partition with Debian Sarge, dmcrypt

just a brief tutorial...

you'll need:
1 kernel > 2.6.11 --- better crypt code and safer
2 cryptosetup, hashalot (use apt-get)
3 a free partition

you must chose:
1 cipher
2 digest algo
3 password... 16-20 chars !!
4 partition to encrypt

Configure the kernel

# make menuconfig
These must be in the kernel e not as modules
CONFIG_MD=Y under device drivers / multi-device support
CONFIG_BLK_DEV_DM=y device mapper support
CONFIG_DM_CRYPT=y crypt target support

in Cryptographic options
find algos to use and put the in the kernel
# cat /proc/crypto
will show you availables algos:
name         : des3_ede
module       : kernel
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : blowfish
module       : kernel
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

Now you MUST fill up your device with goor random data:
# dd if=/dev/urandom of=/dev/hda11 bs=1M
PLEASE: double check the of=partition !!!
wait until you se the "device full" error

use cryptsetup to setup in /dev/mapper the encrypted device that you'll mount in your main file system
# cryptsetup -c aes -h sha512 -s 256 -y create cdisk /dev/hda11
cypher aes with 256 bit key, digest sha512, device name cdisk, -y swith will ask you two time a password (-y is needed only the very first time)
Note 1: password can't be changed without loose data
Note 2: really a password change is possible with a patch... non tested, sorry
create a fs on the mapped device
# mke2fs /dev/mapper/cdisk
create a new mount point, like /crypto and mount the so mapped device
# mkdir /crypto
# mount /dev/mapper/cdisk /crypto
use "-o sync" if you want to be sure that all data is written immediatly on the disk, slow but extremely safe.
play with...
umount and remove the mapped device
# umount /dev/mapper/cdisk
# cryptsetup remove cdisk
now you want all you encrypted data back:
#cryptsetup -c aes -h sha512 -s 256 create cdisk /dev/hda11
# mount -o sync /dev/mapper/cdisk /crypto
Now your date is there in /crypto

NOTE: at the second run cryptsetup asks for the password and maps the device to make it available for mounting.
It's also possible to have all the encrypted devices mounted at boot, just edit these files:
$ cat /etc/crypttab 
cdisk  /dev/hda11  none  cipher=aes,size=256,hash=sha512

$ cat /etc/fstab    
/dev/mapper/cdisk  /crypto  ext2  rw,suid,noexec  0  0

Now you will be asked for a password in the boot sequence.
with /etc/crypttab you can activate all cryto disk in a single step:

/etc/init.d/cryptdisks start/stop

you can also encrypt swap and /tmp and using /dev/urandom as password becouse all that data do not need to survive a reboot but can be stolen.
/var/tmp should survive a reboot, but as of FHS is the sysadmin could wipe data on that directory anytime.

$Id: crypto.html,v 1.1 2006/10/03 11:15:49 pit Exp pit $