This tutorial is about how to set up an encrypted partition on Linux using dmcrypt.
Of course, you can use either physical partitions or files using a loopback device.
A loopback means that you have a file that is on a partition that you then mount using a special device called a loopback. The loop device then acts as a normal block device transforming your file into just another hard disk :)
This is useful if for example you wish to store all your ssh keys safely but don't want to have to make another partition for it!
You will need a kernel configuration similar to this in order to use dmcrypt:
You must first enable the device mapper (dm):
Device Drivers -->
  [*] Multiple devices driver support (RAID and LVM)
    <*> Device mapper support
    <*> Crypt target support
Then you must enable the cipher (aes):
Cryptographic API -->
  <*> AES cipher algorithms (i586)
If you're going to be using dmcrypt on a loopback file, not a partition:
Device Drivers --> Block Devices -->
  <*> Loopback device support   # Remember, cryptoloop is not dmcrypt
You need cryptsetup in order to create an encrypted partition. The exact package name can differ between distros:
If you wish to use dmcrypt on a partition then read this, otherwise see below for information on using it with a loopback device.
First we create a device mapper device called 'mycrypt' on a partition, say /dev/hda7 (we will use that throughout the guide):
cryptsetup -y create mycrypt /dev/hda7
Did it work?
dmsetup ls
It should list 'mycrypt'.
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):
mke2fs /dev/mapper/mycrypt
Now mount it:
mount /dev/mapper/mycrypt /mnt/point
Test that it worked. Congratulations!
To bring it down:
umount /mnt/point
cryptsetup remove mycrypt
This is for using dmcrypt with a loopback device; see above for using it with a partition.
First, create our file:
touch protected
shred -n1 -s50M protected
This creates a 50MB file called 'protected' in your current directory. Prefilling it with random data makes it impossible to tell afterwards how much of it has been used.
Now let's set up a loopback device to use this file. First find the name of the first unused loop device:
losetup -f
Use this loop device to set up the loopback (in this case /dev/loop0 is available):
losetup /dev/loop0 /path/to/protected
Now let's create an encrypted device mapper device using cryptsetup:
cryptsetup -y create mycrypt /dev/loop0
Check it worked:
dmsetup ls
You should see 'mycrypt' listed.
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):
mke2fs /dev/mapper/mycrypt
Now mount it:
mount /dev/mapper/mycrypt /mount/point
Check it works for a while, and be happy, then continue reading :)
To unmount it:
umount /mount/point
cryptsetup remove mycrypt
losetup -d /dev/loop0
To automate this process you could write your own script (see below) or try the tool cryptmount.
#!/bin/bash
losetup /dev/loop0 /Your/Container
sleep 1
cryptsetup create Container /dev/loop0
sleep 1
mount /dev/mapper/Container /mnt/Container
Replace Container with your file, save it under /usr/bin/something and chmod +x /usr/bin/something
#!/bin/bash
umount /dev/mapper/Container
cryptsetup remove Container
losetup -d /dev/loop0
Replace Container with your file, save it under /usr/bin/somethingother and chmod +x /usr/bin/somethingother
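The two scripts above do the job but leave a loop device attached or a mapping in place if one step fails, and they hard-code /dev/loop0. The following is an added example, not part of the original tutorial or of cryptsetup, that wraps the same loopback steps in two functions with checks and rollback; the file path, mapping name, mount point and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original tutorial): the loopback steps above
# wrapped in two functions with checks and rollback. The file path, mapping
# name, mount point and the DRY_RUN switch are assumptions of this example.
set -u

# With DRY_RUN=1 every privileged command is printed instead of executed,
# so the sequence can be reviewed without root or real block devices.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# losetup -f prints the first unused loop device (util-linux)
free_loop() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo /dev/loop0; else losetup -f; fi
}

# container_up FILE NAME MOUNTPOINT: attach the loop device, create the
# dm-crypt mapping, mount it. A failure undoes the steps already taken,
# so no half-attached loop device or mapping is left behind.
container_up() {
    local file=$1 name=$2 mnt=$3 loop
    [ -f "$file" ] || { echo "no such container file: $file" >&2; return 1; }
    [ -d "$mnt" ]  || { echo "mount point missing: $mnt" >&2; return 1; }
    loop=$(free_loop) || return 1
    run losetup "$loop" "$file" || return 1
    # -y asks for the passphrase twice; plain dm-crypt has no header, so a
    # mistyped passphrase silently yields a different key and garbage data
    run cryptsetup -y create "$name" "$loop" \
        || { run losetup -d "$loop"; return 1; }
    run mount "/dev/mapper/$name" "$mnt" \
        || { run cryptsetup remove "$name"; run losetup -d "$loop"; return 1; }
}

# container_down FILE NAME MOUNTPOINT: the reverse order. The loop device
# is looked up from the file (losetup -j) instead of hard-coding loop0,
# so it works whichever loopN happened to be free at setup time.
container_down() {
    local file=$1 name=$2 mnt=$3 loop
    run umount "$mnt" || return 1
    run cryptsetup remove "$name" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then loop=/dev/loop0
    else loop=$(losetup -j "$file" | cut -d: -f1); fi
    [ -z "$loop" ] || run losetup -d "$loop"
}
# Usage: script up | script down  (edit the three values first)
FILE=/path/to/protected; NAME=mycrypt; MNT=/mnt/point
case "${1:-}" in
    up)   container_up   "$FILE" "$NAME" "$MNT" ;;
    down) container_down "$FILE" "$NAME" "$MNT" ;;
esac
```

Run it once with DRY_RUN=1 to see the exact losetup, cryptsetup and mount commands it would issue before running it for real as root.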