1. From the website
  2. set up kernel
  3. install user space tools
    1. dmsetup
    2. cryptsetup
    3. next steps
  4. encrypted partitions
    1. creating the encrypted partition
    2. real world usage
      1. on boot way
      2. manually
    3. dmcrypt home partitions
  5. encrypted loopback
    1. setup
    2. creating the loopback
    3. encrypt the loopback
  6. lvm2 over dmcrypt

dmcrypt

These are instructions for using dm-crypt. dm-crypt is faster than cryptoloop and easier to set up than loop-aes. See elsewhere for cryptoloop (obsolete) or loop-aes (more secure, faster).

From the website

Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools. dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you can't access your data. It does basically the same as cryptoloop only that it's a much cleaner code and better suits the need of a block device and has a more flexible configuration interface. The on-disk format is also compatible.
website: www.saout.de/misc/dm-crypt/
a dm-crypt wiki: www.saout.de/tikiwiki/
cipher speed comparisons: fp.gladman.plus.com/cryptography_technology/aesr2/

set up kernel

The stock debian 2.6 kernel-images seem to work fine. If you are compiling your own, these are what you must choose:

  • Code maturity level options --->
    • on: Prompt for development and/or incomplete code/drivers
  • General setup --->
    • on: Support for hot-pluggable devices
  • Device Drivers > Multi-device support (RAID and LVM).
    • on: Device mapper support
    • on: Crypt target support
  • Cryptographic options --->
    • on: AES cipher algorithms
The development driver prompts must be on, or you can't enable crypt target support for device mapper. Enabling support for hot-pluggable devices builds udev in the kernel, which makes things easier. If you enable udev, make sure you don't enable devfs.

After you are running the new kernel, test to make sure that the device mapper exists:
# ls -L /dev/mapper/control

If you don't have the mapper device, installing the dmsetup package will create it for you.

Also check that AES is supported (or whatever cipher we choose to use):
# cat /proc/crypto
should return:
  name         : aes
  module       : aes
  type         : cipher
  blocksize    : 16
  min keysize  : 16
  max keysize  : 32

If you are running crypto as modules, then you won't see anything when you cat /proc/crypto until the module gets loaded. cryptsetup should load the modules it needs when it is run. If you want to manually load a module, using the stock 2.6.7 debian kernel, you would do this:
# insmod /lib/modules/2.6.7-1-386/kernel/crypto/aes.ko
or just:
# modprobe aes

install user space tools

dmsetup

Install dmsetup, the linux kernel Device Mapper userspace library:

# apt-get install dmsetup

Installing this package will create the mapper devices if they don't already exist.

check that the crypt target is supported:
# dmsetup targets
crypt            v1.0.0
striped          v1.0.1
linear           v1.0.1
error            v1.0.1
(if using a module based kernel, it will be loaded when needed).

cryptsetup

cryptsetup is a tool to make it easier to use dm-crypt, so that you don't have to make dmsetup calls directly.
# apt-get install cryptsetup

next steps

Now you must decide whether to use a partition or a loop file as the underlying device for device-mapper.

encrypted partitions

These are instructions for using dm-crypt to create a filesystem in a partition. See below for how to set up dm-crypt with a loopback file instead.

creating the encrypted partition

It is a three-step process to create our encrypted partition:
  1. run cryptsetup on the partition, which creates a device mapper device with target 'crypt'.
  2. create the file system on our new device.
  3. mount our new device.
In our example, we will be turning the physical volume /dev/sda9 into the logical volume (encrypted) at /dev/mapper/maildir (ie label is 'maildir') and then mounting it at /var/maildir.

create logical volume (with cryptsetup binary):
# cryptsetup -y create maildir /dev/sda9

or create logical volume (with the cryptsetup shell script that comes with the hashalot package, giving cipher, hash and key size explicitly):
# cryptsetup -c aes -h ripemd160 -s 32 create maildir /dev/sda9

confirm it worked:
# dmsetup ls
maildir (254, 0)

create filesystem:
# mkfs.reiserfs /dev/mapper/maildir

mount filesystem:
# mount /dev/mapper/maildir /var/maildir

real world usage

Every time we restart, we need to re-run the cryptsetup command and enter the same password. Plain dm-crypt (cryptsetup create) stores no header on disk, so cryptsetup cannot tell whether the password is right: with a wrong password the mapping is still created, but it decrypts to garbage and won't be mountable. In that case remove the mapping (cryptsetup remove maildir) and try again. Don't worry: as long as we don't reformat the device created with the wrong password, no data will be lost.
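Because plain mode gives no passphrase check, a practitioner normally wants a sanity check between "cryptsetup create" and "mount". The following script, added here as an example and not code from the original page or from the cryptsetup project, looks for an ext2/ext3 or reiserfs superblock signature on the mapped device and removes the mapping again if none is found, so a mistyped passphrase never leaves a garbage device behind or gets a filesystem written over real data. The device, mapping name and mount point (/dev/sda9, maildir, /var/maildir) are the ones used in this page; the signature offsets are the published ext2/reiserfs superblock layouts.

```shell
#!/bin/sh
# Added example: verify a plain-mode dm-crypt mapping before mounting it.
# Assumed names (from the text): device /dev/sda9, mapping "maildir",
# mountpoint /var/maildir.

# Read COUNT bytes at byte OFFSET from a device or file, as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the device carries a filesystem signature we recognise:
#  - ext2/ext3: s_magic 0xEF53 (little-endian bytes 53 ef) 56 bytes into
#    the superblock, which starts at offset 1024 -> byte offset 1080
#  - reiserfs: "ReIsEr..." 52 bytes into the superblock at offset 65536
#    -> byte offset 65588 (hex of "ReIsEr" is 526549734572)
fs_signature_ok() {
    dev=$1
    [ "$(read_hex "$dev" 1080 2)" = "53ef" ] && return 0
    [ "$(read_hex "$dev" 65588 6)" = "526549734572" ] && return 0
    return 1
}

# Create the mapping, check it, mount it. On a bad passphrase the mapping
# is removed again so the bogus device cannot be mounted or mkfs'd by mistake.
open_verified() {
    name=$1; dev=$2; mnt=$3
    if [ -b "/dev/mapper/$name" ]; then
        cryptsetup remove "$name"
    fi
    cryptsetup create "$name" "$dev" || return 1
    if fs_signature_ok "/dev/mapper/$name"; then
        mount "/dev/mapper/$name" "$mnt"
    else
        echo "no filesystem signature on /dev/mapper/$name: wrong passphrase?" >&2
        cryptsetup remove "$name"
        return 1
    fi
}

# Usage (as root): ./open_verified.sh maildir /dev/sda9 /var/maildir
if [ "$#" -eq 3 ]; then
    open_verified "$1" "$2" "$3"
fi
```

The check only reads two short byte ranges, so it is cheap enough to run on every boot or login; a freshly created container that has not been formatted yet will of course fail it, so run mkfs on the mapped device first and only use open_verified from then on.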

There are two ways we can do all this: on boot, or by manually running a script

on boot way

You can edit /etc/fstab to have /dev/mapper/maildir mounted on /var/maildir. This only works if cryptsetup has run (so the mapping exists) before the init scripts mount the filesystems listed in fstab, which means the script below must sort before the mountall script in /etc/rcS.d. cryptsetup create prompts for the passphrase on the console at every boot.

/etc/init.d/cryptinit:
#!/bin/sh
# remove a stale mapping (e.g. left over from a wrong passphrase), then recreate it
if [ -b /dev/mapper/maildir ]; then
  /usr/bin/cryptsetup remove maildir
fi
/usr/bin/cryptsetup create maildir /dev/sda9

# cd /etc/rcS.d
# ln -s ../init.d/cryptinit S08cryptinit

manually

just run this script to get the partition up:

#!/bin/sh
# remove a stale mapping if one exists, recreate it (prompts for the passphrase) and mount it
if [ -b /dev/mapper/maildir ]; then
  /usr/bin/cryptsetup remove maildir
fi
/usr/bin/cryptsetup create maildir /dev/sda9
mount /dev/mapper/maildir /var/maildir

dmcrypt home partitions

to have pam mount your encrypted home partition automatically at login, make these changes:

# apt-get install libpam-mount cryptsetup openssl

add this to the end of /etc/pam.d/common-auth
auth    optional        pam_mount.so use_first_pass

add this to the end of /etc/pam.d/common-session
session optional        pam_mount.so

(alternately, you can add "@include common-pammount" to the end of common-auth & common-session).

add this to /etc/security/pam_mount.conf:
volume elijah crypt - /dev/hda4 /home/elijah cipher=aes aes-256-ecb /home/elijah.key
(in this case, 'elijah' is the username. The fields are: user, volume type, server (unused for a local device, hence '-'), device, mount point, mount options, the OpenSSL cipher the key file is encrypted with, and the path of the key file. Note that aes-256-ecb is the cipher for the key file only; the dm-crypt cipher is given by the cipher=aes mount option.)

create /home/elijah.key:
echo "my dmcrypt password" | openssl aes-256-ecb > /home/elijah.key
This prompts (twice) for a password: enter your login password. The command encrypts your dmcrypt password (the one cryptsetup needs to map the partition) with your login password. When you log in, pam_mount uses the login password to decrypt the .key file, then uses the password inside it as the passphrase for the dmcrypt mapping of your home directory. Two caveats: typed as above, the dmcrypt password ends up in your shell history file, so remove it from there afterwards (or feed the password to openssl some other way than echo on the command line); and the key file is only as safe as your login password, so keep it readable by root only (chmod 600).
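The following script is an added example (not code from the original page or from the pam_mount project) of building that key file without either password ending up in shell history or in a process argument list: the dmcrypt password goes to openssl on stdin, the login password through the environment (-pass env:), both are read with terminal echo switched off, and the file is created with mode 600 from the start. It also shows the decryption side, which is what pam_mount does at login. The key file path (/home/elijah.key) and the aes-256-ecb key-file cipher are taken from the pam_mount.conf line above; the function names are my own.

```shell
#!/bin/sh
# Added example: create and read a pam_mount key file without exposing
# the passwords on the command line.
# Assumed: key file /home/elijah.key, OpenSSL cipher aes-256-ecb (the
# fs_key_cipher field of the pam_mount.conf line above).

# Encrypt the dmcrypt passphrase ($1) under the login password ($2) and write
# the result to file $3. The passphrase enters openssl on stdin, the login
# password via the environment, so neither appears in argv (visible in ps).
# umask 077 makes the file root-only from the moment it is created.
write_key_file() {
    ( umask 077
      printf '%s' "$1" | LOGIN_PW="$2" \
        openssl enc -aes-256-ecb -salt -pass env:LOGIN_PW -out "$3" )
}

# Recover the dmcrypt passphrase from key file $1 with login password $2.
# This is the step pam_mount performs at login before calling cryptsetup.
read_key_file() {
    LOGIN_PW="$2" openssl enc -aes-256-ecb -d -pass env:LOGIN_PW -in "$1"
}

# Prompt for a secret with echo off; the answer is left in $SECRET.
ask_secret() {
    printf '%s: ' "$1" >&2
    stty -echo
    read -r SECRET
    stty echo
    echo >&2
}

# Interactive use (as root): ./mkkey.sh /home/elijah.key
if [ "$#" -eq 1 ]; then
    ask_secret "dmcrypt passphrase"; dm_pw=$SECRET
    ask_secret "login password";     login_pw=$SECRET
    write_key_file "$dm_pw" "$login_pw" "$1"
    # read it back immediately so a typo is caught now, not at next login
    if [ "$(read_key_file "$1" "$login_pw")" = "$dm_pw" ]; then
        echo "key file $1 written and verified" >&2
    else
        echo "verification failed, removing $1" >&2
        rm -f "$1"
        exit 1
    fi
fi
```

One compatibility caveat: "openssl enc" derives the key from the password with a digest whose default changed in OpenSSL 1.1.0 (md5 before, sha256 after), and pam_mount must use the same derivation when it decrypts the file at login, otherwise it will hand cryptsetup garbage. Create the key file with the same openssl that your pam_mount build uses, or pin the digest with -md on both sides.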

Alternately, if the login password and the dmcrypt password are the same, your line in /etc/security/pam_mount.conf would look like this:
volume elijah crypt - /dev/hda4 /home/elijah cipher=aes - -

edit /etc/login.defs:
CLOSE_SESSIONS yes
(otherwise the PAM session is not closed at logout and your encrypted partition will not be unmounted).

if running sarge or older, you need to add symlink /sbin/mount.crypt -> /usr/bin/mount.crypt so that mount -t crypt actually works (debian bug: #267285).

Your home can be a loopback file. Follow the normal loopback directions, and specify this in /etc/security/pam_mount.conf:
volume elijah crypt - /home/home.img /home/elijah loop,cipher=aes aes-256-ecb /home/home.key
The only difference from using a real partition is that our source device is the loopback file name, and we add 'loop' to our list of options.

encrypted loopback

These are instructions for using dm-crypt to create a filesystem inside a loopback file, i.e. storing an encrypted filesystem in one ordinary file. This is useful if you cannot or do not want to encrypt an entire partition. See above for how to encrypt an entire partition.

It also covers the case where you already have a filesystem, such as your /home directory, that you later decide you want to encrypt but cannot destroy and recreate, or where you only want to encrypt part of it: a dm-crypt encrypted loopback file does exactly that.

setup

Follow the same setup instructions as for partitions, but stop after installing cryptsetup.

creating the loopback

You must create a loopback file: this is just a regular file on your filesystem, filled with random data (random rather than zeros, so that unused space in the container cannot be told apart from encrypted data). Make the loopback file as large as you want your encrypted loopback to be.

The following creates a 100 meg file of random data at the location /home/secret:
# dd if=/dev/urandom of=/home/secret bs=1M count=100

Set this loopback file as a loop device:
# losetup /dev/loop0 /home/secret

encrypt the loopback

It is a three-step process to create our encrypted loopback filesystem:
  1. run cryptsetup on the loop device, which creates a device mapper device with target 'crypt'.
  2. create the file system on our new device.
  3. mount our new device.
In our example, we will be turning the file /home/secret (attached as /dev/loop0) into the encrypted device at /dev/mapper/mycrypt (ie. label is 'mycrypt') and then mounting it at /mnt/sekret:

create logical volume (with cryptsetup binary):
# cryptsetup -y create mycrypt /dev/loop0

confirm it worked:
# dmsetup ls
mycrypt (254, 0)

create filesystem:
# mkfs.ext3 /dev/mapper/mycrypt

mount filesystem:
# mount /dev/mapper/mycrypt /mnt/sekret

You can add something like the following line to your /etc/fstab (noauto is essential: the mapping does not exist at boot time, so the filesystem cannot be mounted automatically):

/dev/mapper/mycrypt /mnt/sekret ext3 noauto,noatime 0 0

When you are finished using your encrypted loopback filesystem you need to unmount it, remove the device you created in the device mapper, and detach the loop device; if you don't remove the mapping, anyone can remount it without typing the passphrase!
# umount /mnt/sekret
# cryptsetup remove mycrypt
# losetup -d /dev/loop0

Create a simple script to set this up and mount it so you can easily do this:

#!/bin/sh
# attach the container file, map it through dm-crypt (prompts for the passphrase), mount it
set -e
losetup /dev/loop0 /home/secret
cryptsetup create mycrypt /dev/loop0
mount /dev/mapper/mycrypt /mnt/sekret

lvm2 over dmcrypt

By default, lvm2 does not consider device-mapper block devices (such as a dm-crypt device) for use as physical volumes.

In order to use a dm-crypt device as an lvm2 pv, add this line to the devices block in /etc/lvm/lvm.conf:
types = [ "device-mapper", 16 ]

If /etc/lvm/lvm.conf does not exist, you can create one based on your current/default config like so:
# lvm dumpconfig > /etc/lvm/lvm.conf