====== Dm-crypt ======

This tutorial is about how to set up an encrypted partition on Linux using dm-crypt.
Of course, you can use either physical partitions or files using a loopback device.

===== Loopback or partition? =====

A loopback means that you have a file on a partition that you then mount using a special device called a loop device. The loop device then acts as a normal block device, turning your file into just another hard disk :)

This is useful if, for example, you wish to store all your ssh keys safely but don't want to have to make another partition for it!

===== Configuring the kernel =====

You will need a kernel configuration similar to this in order to use dm-crypt.

You must first enable the device mapper (dm):

<code>
Device Drivers -->
  [*] Multiple devices driver support (RAID and LVM)
  <*>   Device mapper support
  <*>     Crypt target support
</code>

Then you must enable the cipher (aes):

<code>
Cryptographic API -->
  <*> AES cipher algorithms (i586)
</code>

If you're going to be using dm-crypt on a loopback file, not a partition:

<code>
Device Drivers -->
  Block Devices -->
    <*> Loopback device support   # Remember, cryptoloop is not dm-crypt
</code>

===== Installing needed tools =====

You need cryptsetup in order to create an encrypted partition. The exact package name may differ between distros:

  * **Gentoo:** sys-fs/cryptsetup
  * **Debian:** cryptsetup

===== Creating ciphered file =====

==== ..on a partition ====

If you wish to use dm-crypt on a partition then read this, otherwise see below for information on using it with a loopback device.

First we create a device mapper device called 'mycrypt' on a partition, say /dev/hda7 (we will use that throughout the guide):

<code>
cryptsetup -y create mycrypt /dev/hda7
</code>

Has it worked?

<code>
dmsetup ls
</code>

It should display 'mycrypt'.

Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):

<code>
mke2fs /dev/mapper/mycrypt
</code>

Now mount it:

<code>
mount /dev/mapper/mycrypt /mnt/point
</code>

Test it worked, congratulations!
To bring it down:

<code>
umount /mnt/point
cryptsetup remove mycrypt
</code>

==== ..on a file using loopback device ====

This is for using dm-crypt with a loopback device; see above for using it with a partition.

First, create our file:

<code>
touch protected
shred -n1 -s50M protected
</code>

This creates a file called 'protected' of 50MB in your current directory. By prefilling it with random data, it's impossible to see afterwards how much of it has been used.

Now let's set up a loopback device to use this file. First find the name of the first unused loop device:

<code>
losetup -f
</code>

Use this loop device to set up the loopback (in this case /dev/loop0 is available):

<code>
losetup /dev/loop0 /path/to/protected
</code>

Now let's create an encrypted device mapper device using cryptsetup:

<code>
cryptsetup -y create mycrypt /dev/loop0
</code>

Check it worked:

<code>
dmsetup ls
</code>

You should see 'mycrypt' listed.

Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):

<code>
mke2fs /dev/mapper/mycrypt
</code>

Now mount it:

<code>
mount /dev/mapper/mycrypt /mount/point
</code>

Check it works for a while, and be happy, then continue reading :)

To unmount it:

<code>
umount /mount/point
cryptsetup remove mycrypt
losetup -d /dev/loop0
</code>

To automate this process you could write your own script (see below) or try the tool [[http://www.freshmeat.net/projects/cryptmount|cryptmount]].
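The whole loopback procedure above as a single script, added here as an example; it is not the page's own script and not part of cryptsetup. It keeps to the legacy plain-mode ''cryptsetup create'' command the page uses. The container path, size, mapping name and mount point are placeholders passed as arguments, and with DRY_RUN=1 the script only prints the command sequence instead of touching any device, which lets you check the order before running it for real as root.

```shell
#!/bin/bash
# Added example, not the original page's script: runs the loopback procedure
# in order (file -> loop device -> dm-crypt mapping -> filesystem -> mount)
# and tears it down in reverse. Real use needs root; DRY_RUN=1 only prints
# the commands that would be executed.
set -eu

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# First unused loop device (losetup -f, as on the page). In dry-run mode a
# placeholder name is returned so the rest of the sequence can still be shown.
free_loop() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "/dev/loop0"
    else
        losetup -f
    fi
}

# setup_container FILE SIZE_MB NAME MOUNTPOINT
# Creates FILE if it does not exist yet (random-filled, so used space is not
# visible later), attaches it to a loop device, maps it as /dev/mapper/NAME
# and mounts it on MOUNTPOINT.
setup_container() {
    file=$1; size_mb=$2; name=$3; mnt=$4
    case "$size_mb" in
        ''|*[!0-9]*) echo "size must be a whole number of MB" >&2; return 1 ;;
    esac
    newfile=0
    if [ ! -e "$file" ]; then
        newfile=1
        run touch "$file"
        run shred -n1 -s"${size_mb}M" "$file"
    fi
    loopdev=$(free_loop)
    run losetup "$loopdev" "$file"
    # Plain dm-crypt stores no header, so a mistyped passphrase cannot be
    # detected by cryptsetup itself; -y asks twice to catch typos up front.
    run cryptsetup -y create "$name" "$loopdev"
    if [ "$newfile" = 1 ]; then
        # Only a brand-new container gets a filesystem; running mke2fs on an
        # existing one would wipe its contents.
        run mke2fs "/dev/mapper/$name"
    fi
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    echo "$name is attached via $loopdev and mounted on $mnt"
}

# teardown_container NAME LOOPDEV MOUNTPOINT
# Strictly the reverse order: each layer stays busy until the one above it
# has been released.
teardown_container() {
    name=$1; loopdev=$2; mnt=$3
    run umount "$mnt"
    run cryptsetup remove "$name"
    run losetup -d "$loopdev"
}

# Usage (paths are placeholders):
#   setup_container /root/protected 50 mycrypt /mnt/point
#   teardown_container mycrypt /dev/loop0 /mnt/point
```

Because plain mode has no header, opening an existing container with the wrong passphrase does not fail at the cryptsetup step; it produces a mapping full of garbage and the mount fails instead. That is why the script only runs mke2fs on a file it created itself: formatting on every run would silently destroy the data behind a typo. The LUKS howto linked under Related Pages describes the header-based format that can verify the passphrase.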
=== umount/mount Scripts ===

<code bash>
#!/bin/bash
# Mount script: attach the container file to a loop device, map it with
# dm-crypt (you will be asked for the passphrase), then mount it.
losetup /dev/loop0 /Your/Container
sleep 1
cryptsetup create Container /dev/loop0
sleep 1
mount /dev/mapper/Container /mnt/Container
</code>

Replace ''Container'' with your file, save it under /usr/bin/something and chmod +x /usr/bin/something.

<code bash>
#!/bin/bash
# Unmount script: tear down in the reverse order of the mount script.
umount /dev/mapper/Container
cryptsetup remove Container
losetup -d /dev/loop0
</code>

Replace ''Container'' with your file, save it under /usr/bin/somethingother and chmod +x /usr/bin/somethingother.

===== Related Pages =====

  * [[linux/sysadmin/luks|LUKS howto]]

===== See Also =====

  * [[http://gentoo-wiki.com/SECURITY_dmcrypt|Gentoo-wiki dmcrypt page]]
  * [[http://www.saout.de/tikiwiki/tiki-index.php|Wiki Site]]
  * [[http://www.saout.de/misc/dm-crypt/|Home Site]]