{"id":24,"date":"2005-06-05T21:56:45","date_gmt":"2005-06-05T21:56:45","guid":{"rendered":"http:\/\/blog.bananasplit.info\/?p=24"},"modified":"2005-06-13T11:27:25","modified_gmt":"2005-06-13T11:27:25","slug":"encrypted-filesystems","status":"publish","type":"post","link":"https:\/\/blog.stmellion.org\/?p=24","title":{"rendered":"Encrypted Filesystems"},"content":{"rendered":"<p>There seems to be plenty of documentation out there on how to create an encrypted filesystem, although I didn&#8217;t find any of it really gave me the answers I wanted in easy steps from 1 to 10.  This is my attempt to provide some simple instructions based on Debian Sarge with a 2.6.x kernel.<\/p>\n<p>Firstly, note that the preferred method under 2.6.x is to use dm_crypt instead of the older cryptoloop method in kernel 2.4.x.  In my experience, all the modules are built as part of the default kernel, so compiling a custom kernel probably isn&#8217;t required.  The following guide includes steps for checking this.<\/p>\n<p><b>Install required packages<\/b><br \/>\n<i>apt-get install cryptsetup hashalot<\/i><\/p>\n<p><b>Check Device-Mapper exists:<\/b><br \/>\n<i>ls -L \/dev\/mapper\/control<\/i><br \/>\nIf not, add dm_mod to \/etc\/modules<\/p>\n<p><b>Check AES encryption is enabled:<\/b><br \/>\n<i>cat \/proc\/crypto<\/i><br \/>\nThis should return:<br \/>\nname         : aes<br \/>\nmodule       : aes_i586<br \/>\ntype         : cipher<br \/>\nblocksize    : 16<br \/>\nmin keysize  : 16<br \/>\nmax keysize  : 32<br \/>\nIf not, add aes to \/etc\/modules<\/p>\n<p><b>Check versions<\/b><br \/>\n<i>dmsetup targets<\/i><br \/>\nShould return:<br \/>\ncrypt            v1.1.0  (v1.0.0 is okay)<br \/>\nstriped          v1.0.2  (v1.01 is okay)<br \/>\nlinear           v1.0.1<br \/>\nerror            v1.0.1<\/p>\n<p><b>Setup the encrypted device<\/b><br \/>\n<i>cryptsetup -y create foo \/dev\/hda4<\/i><br \/>\nThis creates an encrypted device called foo using device hda4, (This could be an md device for RAID support)<br \/>\nThe -y switch causes the user to be prompted twice for the passphrase and verifies they are the same.<\/p>\n<p><b>Check it worked okay<\/b><br \/>\n<i>dmsetup ls<\/i><br \/>\nThis should return something like:<br \/>\nfoo (253, 0)<\/p>\n<p><b>Format the new device<\/b><br \/>\n<i>mkfs -t ext3 \/dev\/mapper\/foo<\/i><\/p>\n<p><b>Mount the new device<\/b><br \/>\n<i>mount \/dev\/mapper\/foo \/crypto<\/i><br \/>\nThis assumes you want the encrypted filesystem to be mounted in \/crypto.<\/p>\n<p><b>Make it permanent<\/b><br \/>\nEdit \/etc\/crypttab and insert the new crypto device<br \/>\n# &lt;target device&gt; &lt;source device&gt; &lt;key file&gt; &lt;options&gt;<br \/>\nfoo \/dev\/hda4<br \/>\n<b>WARNING: This will result in a passphrase prompt during the boot process.  If you haven&#8217;t got local access to the box, don&#8217;t do it!!<\/b><\/p>\n<p><b>Mount the device on boot<\/b><br \/>\nEdit the \/etc\/fstab file and insert the new mount point:<br \/>\n\/dev\/mapper\/foo       \/crypto     defaults                0       1<br \/>\nThis of course implies that you&#8217;ve done the above step and automated the mount.<\/p>\n<p><b>Non-automated mounting<\/b><br \/>\n<i>cryptsetup create foo \/dev\/hda4<\/i><br \/>\nPassword prompted for here<br \/>\n<i>mount \/dev\/mapper\/foo \/crypto<\/i><\/p>\n<p><b>Unmounting the crypto filesystem<\/b><br \/>\n<i>umount \/dev\/mapper\/foo<\/i><br \/>\n<i>cryptsetup remove foo<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>My efforts to load an encrypted filesystem under Debian Sarge using a 2.6 kernel<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-debian","entry"],"_links":{"self":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24"}],"version-history":[{"count":0,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}