encryption
harddisks usbkeys
dm-crypt & luks
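#!/usr/bin/env bash
# Set up a LUKS (dm-crypt) volume on a whole block device and put an ext4
# filesystem on it.  Everything on the device is destroyed.
#
# Usage: <script> <device_name> <crypt_name>     e.g.  sdb1 crypt0
#   $1 - device name under /dev (without the /dev/ prefix)
#   $2 - name of the mapping that will appear as /dev/mapper/<crypt_name>
#
# You can use blowfish, twofish or any other cipher you like, but the
# matching kernel module must be loaded first (aes-i586 was used here,
# blowfish on the laptop).
set -euo pipefail

device=/dev/${1:?device name required, e.g. sdb1}
name=${2:?crypt name required}

# Fill the raw device with random data BEFORE writing the LUKS header
# (the original note says "to be executed before mkfs or lvm setup"), so
# that unused space cannot be told apart from encrypted data.  This is the
# slow, secure way; badblocks -w overwrites the whole device.
# The "fast way" is to mount the finished volume and write a random file
# into it (randfs /mnt/random.file) — it only covers what the file reaches.
badblocks -c 10240 -s -w -t random -v "$device"

# Create the LUKS header; -y asks for the passphrase twice.  Cipher spec and
# key size are given explicitly as on the original page; leaving -c/-s out
# selects cryptsetup's built-in default (aes-xts-plain64 on current versions).
cryptsetup -y -c aes-cbc-essiv:sha256 -s 256 luksFormat "$device"

# Open the mapping, create the filesystem and mount it once to check it.
cryptsetup luksOpen "$device" "$name"
mkfs.ext4 "/dev/mapper/$name"
mount "/dev/mapper/$name" /mnt/

# Unmount and close the mapping again.
umount /mnt/
cryptsetup luksClose "$name"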
/etc/crypttab
On boot, the first device asks for a passphrase; the second looks for its keyfile under /mnt/keys/.
# <target name> <source device> <key file> <options>
#
# First entry: key file "none" means the passphrase is asked on the console
# at boot.  Second entry: the key file lives under /mnt/keys/, which must be
# mounted before cryptsetup runs (CRYPTDISKS_MOUNT in /etc/default/cryptdisks).
#
# NOTE(review): the quotes around "crypt_name" and "device_name" mark
# placeholders on the wiki page; crypttab does no quote processing, so the
# real file must contain the bare names.
# NOTE(review): for LUKS volumes the cipher and mode are read from the
# header; crypttab(5) documents cipher= as ignored for LUKS — confirm, it is
# harmless either way.
"crypt_name" /dev/"device_name" none luks,cipher=aes-cbc-essiv:sha256
"crypt_name" /dev/"device_name" /mnt/keys/"crypt_name".key luks,cipher=aes-cbc-essiv:sha256
links
loop-aes with 100MB file
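#!/usr/bin/env bash
# Create a 100 MB loop-AES encrypted container file with an ext3 filesystem
# inside.  /etc/fstab later mounts it on /mnt/keys (noauto,encryption=aes)
# to hold the LUKS key files.
#
# NOTE(review): cryptoloop is deprecated in favour of dm-crypt; kept here
# because the rest of the page depends on it.
set -euo pipefail

# The path must match the <file system> field in /etc/fstab (/crypt.aes).
# The original wrote ./crypt.aes relative to the current directory.
container=/crypt.aes
mountpoint=/mnt/keys

# Kernel side of loop encryption.
modprobe cryptoloop

# Fill the container with random data: 2k * 50000 blocks = 100 MB.
dd if=/dev/urandom of="$container" bs=2k count=50000

# Attach the file to a loop device with AES; losetup prompts for the
# passphrase.  Then create the filesystem and release the loop device.
losetup -e aes /dev/loop0 "$container"
mkfs.ext3 /dev/loop0
losetup -d /dev/loop0

# Mount point used by /etc/fstab and CRYPTDISKS_MOUNT; -p makes the
# script re-runnable when the directory already exists.
mkdir -p "$mountpoint"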
/etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
#
# Loop-AES container holding the LUKS key files.  noauto: not mounted by
# the normal fstab pass at boot; the cryptdisks scripts mount it early via
# CRYPTDISKS_MOUNT so the key-file entries in /etc/crypttab can be found.
# encryption=aes makes mount set up the encrypted loop device itself
# (presumably prompting for the passphrase, as losetup -e aes does).
# NOTE(review): the loop-aes section creates ./crypt.aes relative to the
# working directory; this entry expects it at /crypt.aes.
/crypt.aes /mnt/keys ext3 noauto,encryption=aes 0 0
To make it available at boot, load the module via an entry in /etc/modules.
the keys
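#!/usr/bin/env bash
# Generate a 256-byte random key file and enrol it as an additional LUKS
# key slot on the device.  cryptsetup prompts for an existing passphrase.
#
# Usage: <script> <device_name> [keyfile]
#   $1 - device name under /dev (without the /dev/ prefix)
#   $2 - key file path, default /mnt/crypt.key as on the original page.
#        NOTE(review): /etc/crypttab on this machine looks for
#        /mnt/keys/<crypt_name>.key — pass that path so the two agree.
set -euo pipefail

device=/dev/${1:?device name required, e.g. sdb1}
keyfile=${2:-/mnt/crypt.key}

# The key file is as sensitive as the passphrase: make sure it is created
# unreadable for everyone but root (umask applies to the redirection) and
# pin the mode afterwards in case the file already existed.
umask 077
head -c 256 /dev/random > "$keyfile"
chmod 600 "$keyfile"

# The action is spelled luksAddKey (capital K); cryptsetup matches action
# names exactly, so the original "luksAddkey" is rejected as unknown.
cryptsetup luksAddKey "$device" "$keyfile"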
settings
/etc/default/cryptdisks
# /etc/default/cryptdisks — settings read by Debian's cryptdisks init scripts.

# Run cryptdisks at startup ?
CRYPTDISKS_ENABLE=Yes

# Mountpoints to mount, before starting cryptsetup. This is useful for
# keyfiles on removable media. Separate mountpoints by space.
# /mnt/keys is the loop-AES container from /etc/fstab; the key-file entry in
# /etc/crypttab (/mnt/keys/<crypt_name>.key) relies on it being mounted here.
CRYPTDISKS_MOUNT="/mnt/keys"

# Default check script, see /lib/cryptsetup/checks/
# Takes effect, if the 'check' option is set in crypttab without a value
# NOTE(review): vol_id was later replaced by blkid — confirm the script
# named here still exists under /lib/cryptsetup/checks/ on this system.
CRYPTDISKS_CHECK=vol_id

# Default precheck script, see /lib/cryptsetup/checks/ (empty: no precheck)
# Takes effect, if the 'precheck' option is set in crypttab without a value
CRYPTDISKS_PRECHECK=

# Default timeout in seconds for password prompt
# Takes effect, if the 'timeout' option is set in crypttab without a value
CRYPTDISKS_TIMEOUT=180