How to encrypt a file-system with DM-CRYPT + LUKS

This short HOWTO shows how to create an encrypted data partition using DM-CRYPT on Debian Etch.

In this example a Linux MD software RAID partition is encrypted and mounted at /home.

See the MD HOWTO if you need to create your RAID array, or use the Debian Installer.

The partition is formatted as a LUKS volume so that several passphrases (key slots) can unlock the same data, and so that a passphrase can be added or removed without re-encrypting the partition.

User-space Tools Installation

Run the following commands to first load the aes module and then install the user space tools:

modprobe aes
aptitude install dmsetup cryptsetup

Partition Management

To create a dm-crypt partition (using LUKS for key management). This writes a new LUKS header and makes any data already on the device unrecoverable, so check the device name twice; cryptsetup asks for confirmation and then for the passphrase:

cryptsetup luksFormat /dev/md2

To open a dm-crypt partition (where crypthome is the name of the device mapper target to be created):

cryptsetup luksOpen /dev/md2 crypthome

To list and show the status of dm-crypt partitions:

dmsetup ls
cryptsetup status crypthome

To close a dm-crypt partition (unmount any file system on it first; luksClose takes the mapper name, not the /dev/mapper path):

cryptsetup luksClose crypthome

LUKS Key Management

To add a passphrase (this fills a free key slot; you are asked for an existing passphrase first, then for the new one):

cryptsetup luksAddKey /dev/md2

To delete a key you will need to know the number of the key slot it occupies (slots are numbered from 0). You can get that by opening the partition and entering the password: the message shown indicates which slot was unlocked. Then you can use the following command (where 1 is the number of the slot to delete). Never delete the last remaining slot, as the data then cannot be unlocked by anyone; later cryptsetup releases call this action luksKillSlot:

cryptsetup luksDelKey /dev/md2 1
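Key slots are numbered 0 to 7 and cryptsetup luksDump lists the state of every slot, so you can find the number without opening the volume. What follows is an added example, not part of the original HOWTO: POSIX shell functions that read luksDump output (a constructed, abbreviated LUKS1 sample is embedded here; in practice pipe the real output of cryptsetup luksDump /dev/md2 into them) to list the enabled slots and to refuse deleting the only enabled slot, which would make the data unrecoverable.

```sh
#!/bin/sh
# Added example: find LUKS key slots from luksDump output before running
# luksDelKey. The sample below is a constructed, shortened luksDump dump
# (salts, digests and UUID omitted); it was not captured from a real device.
SAMPLE_DUMP='LUKS header information for /dev/md2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        128

Key Slot 0: ENABLED
    Iterations:             10
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: ENABLED
    Iterations:             10
    Key material offset:    264
    AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Read luksDump text on stdin; print the number of every ENABLED slot, one
# per line. Only the "Key Slot N: STATE" lines match; the indented
# "Key material offset:" lines do not because their second word is not "Slot".
luks_enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(":", "", $3); print $3 }'
}

# Read luksDump text on stdin; print how many slots are enabled.
luks_enabled_count() {
    luks_enabled_slots | wc -l | tr -d ' '
}

# luks_slot_deletable N: read luksDump text on stdin and return 0 only if
# slot N is enabled AND at least one other slot stays enabled after deleting
# it. Returns 1 for a disabled slot or for the last enabled slot.
luks_slot_deletable() {
    slot="$1"
    dump="$(cat)"
    enabled="$(printf '%s\n' "$dump" | luks_enabled_slots)"
    printf '%s\n' "$enabled" | grep -qx "$slot" || return 1
    [ "$(printf '%s\n' "$enabled" | grep -cv "^$slot\$")" -ge 1 ]
}

# Demonstration against the constructed sample. With a real device, replace
# the printf with: cryptsetup luksDump /dev/md2 | luks_enabled_slots
echo "enabled slots:"
printf '%s\n' "$SAMPLE_DUMP" | luks_enabled_slots
if printf '%s\n' "$SAMPLE_DUMP" | luks_slot_deletable 1; then
    echo "slot 1 may be deleted: cryptsetup luksDelKey /dev/md2 1"
else
    echo "refusing: slot 1 is disabled or is the last enabled slot"
fi
```

The check is deliberately conservative: it only tells you a deletion is safe from the header's point of view. Confirm that you still know a passphrase for one of the remaining slots before you run luksDelKey.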

Mounting Encrypted Partitions at Boot

To have a dm-crypt partition set up automatically at boot, list it in /etc/crypttab (fields: mapper target name, source device, key file where "none" means prompt for a passphrase, options):

crypthome          /dev/md2                none            luks,tries=3,timeout=60

You will be prompted for the passphrase at boot. In this example a maximum of 3 attempts is allowed per boot, and the prompt gives up after 60 seconds without input. The timeout matters if you administer the system over a network and have no console access: without it a reboot hangs at the passphrase prompt until someone reaches the console, whereas with it the boot carries on (without the encrypted volume) and you can set the volume up by hand once logged in.

Formatting and Mounting Your Encrypted Partition

If you've created one big encrypted partition then at this stage you may want to install LVM on top of it. LVM would allow you to further sub-divide it into several smaller logical volumes, and to easily grow and manage them. See the LVM2 HOWTO for details, or proceed to format it with an ext3 file system directly as shown in the example below.

To format the encrypted partition with the ext3 file system (or any other):

mkfs.ext3 /dev/mapper/crypthome

To mount your encrypted partition at /home (assuming your existing /home is empty; anything already in the directory is hidden, not lost, while the new file system is mounted over it, so copy existing home directories onto the encrypted volume after mounting):

mount /dev/mapper/crypthome /home

To automatically mount your partition at boot list it in /etc/fstab. The crypttab entry is processed before fstab is mounted, so /dev/mapper/crypthome exists by the time this line is used; set the last field to 2 instead of 0 if you want the file system checked at boot:

/dev/mapper/crypthome    /home   ext3    rw,noatime      0       0

Further Reference

DM-CRYPT SWAP HOWTO

This short HOWTO describes how to encrypt your swap with DM-CRYPT on Debian. Encrypting /home is of little use if pages from memory, including keys and passwords, can be written out to an unencrypted swap partition.

First deactivate any existing swap:

swapoff -a

Your /etc/fstab file should have a swap entry like this:

# <file system> <mount point>   <type>  <options>     <dump>  <pass>
/dev/hda1        none           swap    sw            0       0

Now just replace /dev/hda1 (or whatever partition your swap is on) with /dev/mapper/cryptswap where we will create the device mapper target for our encrypted swap:

# <file system> <mount point>   <type>  <options>     <dump>  <pass>
/dev/mapper/cryptswap  none         swap    sw            0       0

To have the device mapper target for your encrypted swap created automatically at boot, list your original swap partition in /etc/crypttab. The target name must be the same name you used in /etc/fstab (cryptswap here). The key is read from /dev/urandom, so the swap is encrypted with a fresh random key on every boot and its old contents are unrecoverable; the cost is that suspend-to-disk cannot resume from it. The swap option makes the boot scripts run mkswap on the new mapping. Because the source device is overwritten on every boot, be very sure it really is your swap partition and not a data partition:

# <target name> <source device> <key file>      <options>
cryptswap       /dev/hda1       /dev/urandom    swap,cipher=aes-cbc-plain,size=128,hash=ripemd160

To set up the encrypted swap mapping by hand (this re-reads /etc/crypttab):

/etc/init.d/cryptdisks restart

To reactivate your swap:

swapon -a
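Both the /home entry above and the swap entry rely on the target name in /etc/crypttab matching the /dev/mapper/ name in /etc/fstab, and a random-keyed swap entry is only usable if it carries the swap option so that mkswap is run on the new mapping. The following is an added example, not part of the original HOWTO: POSIX shell functions that check a crypttab against an fstab for both problems. The sample files are constructed here in a temporary directory and reproduce a name mismatch (target cswap in crypttab, /dev/mapper/cryptswap in fstab) so the check has something to find; the same functions work on the live /etc/crypttab and /etc/fstab.

```sh
#!/bin/sh
# Added example: consistency checks between /etc/crypttab and /etc/fstab.
# The two files below are constructed samples, written to a temp dir so the
# script runs without touching /etc.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/crypttab" <<'EOF'
# <target name> <source device> <key file>      <options>
crypthome       /dev/md2        none            luks,tries=3,timeout=60
cswap           /dev/hda1       /dev/urandom    swap,cipher=aes-cbc-plain,size=128,hash=ripemd160
EOF
cat > "$WORK/fstab" <<'EOF'
# <file system>          <mount point> <type> <options>  <dump> <pass>
/dev/mapper/crypthome    /home         ext3   rw,noatime 0      0
/dev/mapper/cryptswap    none          swap   sw         0      0
EOF

# Print the target names (first field) of a crypttab, skipping comments/blanks.
crypttab_targets() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Print the NAME part of every /dev/mapper/NAME that an fstab expects.
fstab_mapper_names() {
    awk '!/^[[:space:]]*(#|$)/ && $1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# missing_crypttab_targets CRYPTTAB FSTAB: print every mapper name used in
# fstab that no crypttab line creates; return 1 if there is at least one.
missing_crypttab_targets() {
    crypttab="$1"; fstab="$2"; rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if ! crypttab_targets "$crypttab" | grep -qx "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# random_key_without_swap CRYPTTAB: print targets keyed from /dev/urandom whose
# option list lacks "swap". Such a mapping holds random data and swapon fails.
random_key_without_swap() {
    awk '!/^[[:space:]]*(#|$)/ && $3 == "/dev/urandom" {
             n = split($4, opts, ","); ok = 0
             for (i = 1; i <= n; i++) if (opts[i] == "swap") ok = 1
             if (!ok) print $1
         }' "$1"
}

# Run the checks on the constructed files: the name mismatch is reported.
if missing_crypttab_targets "$WORK/crypttab" "$WORK/fstab"; then
    echo "crypttab and fstab agree"
else
    echo "the names above are mounted from fstab but no crypttab entry creates them"
fi
random_key_without_swap "$WORK/crypttab"

# Repair the mismatch by renaming the crypttab target to what fstab expects,
# then re-check; the fixed file passes.
sed 's/^cswap /cryptswap /' "$WORK/crypttab" > "$WORK/crypttab.fixed"
missing_crypttab_targets "$WORK/crypttab.fixed" "$WORK/fstab" && echo "fixed crypttab agrees with fstab"
```

Run it as root against the real files with missing_crypttab_targets /etc/crypttab /etc/fstab before rebooting; a mismatch is only discovered at boot otherwise, when the fstab mount or swapon fails.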

Further Reference

crypttab(5) manpage

DM-CRYPT NO LUKS

See: http://deb.riseup.net/storage/encryption/dmcrypt/

Create and open an encrypted partition (without using LUKS). Plain dm-crypt stores no header on disk, so nothing can tell a mistyped passphrase from the right one: a wrong passphrase simply yields a different key and unreadable data. The -y option makes cryptsetup ask for the passphrase twice, which is the only protection against a typo while creating the volume. You must also give the same cipher and hash options every time you open it, because they are not recorded anywhere:

cryptsetup -y create crypt /dev/md3

Show status:

dmsetup ls
cryptsetup status crypt

Close an encrypted partition:

cryptsetup remove crypt


Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)

Last modified: 2008/08/01 22:56