Encrypted Filesystems

There seems to be plenty of documentation out there on how to create an encrypted filesystem, although none of it really gave me the answers I wanted as simple steps from 1 to 10. This is my attempt to provide some simple instructions based on Debian Sarge with a 2.6.x kernel.

Firstly, note that the preferred method under 2.6.x is dm-crypt (the dm_crypt module) rather than the older cryptoloop method used with 2.4.x kernels. In my experience all the required modules are built as part of the default Debian kernel, so compiling a custom kernel probably isn’t required; the following guide includes steps for checking this.

Install required packages
apt-get install cryptsetup hashalot

Check that Device-Mapper exists:
ls -L /dev/mapper/control
If it does not, add dm_mod to /etc/modules (and run modprobe dm_mod now to load it without a reboot)

Check that AES encryption is enabled:
cat /proc/crypto
This should return an entry like:
name : aes
module : aes_i586
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
If it does not, add aes to /etc/modules (and run modprobe aes now to load it without a reboot)

Check versions
dmsetup targets
This should return:
crypt v1.1.0 (v1.0.0 is okay)
striped v1.0.2 (v1.01 is okay)
linear v1.0.1
error v1.0.1

Set up the encrypted device
cryptsetup -y create foo /dev/hda4
This creates an encrypted device called foo backed by /dev/hda4 (this could also be an md device for RAID support).
The -y switch causes the user to be prompted twice for the passphrase and verifies that the two entries match. This matters because cryptsetup create sets up a plain dm-crypt mapping with no on-disk header: the passphrase is hashed straight into the key, so a mistyped passphrase cannot be detected later and simply yields an unreadable device.

Check it worked okay
dmsetup ls
This should return something like:
foo (253, 0)

Format the new device
mkfs -t ext3 /dev/mapper/foo

Mount the new device
mount /dev/mapper/foo /crypto
This assumes the mount point /crypto already exists and that you want the encrypted filesystem mounted there.

Make it permanent
Edit /etc/crypttab and insert the new crypto device:
# <target device> <source device> <key file> <options>
foo /dev/hda4
WARNING: This will result in a passphrase prompt during the boot process. If you haven’t got local access to the box, don’t do it!!

Mount the device on boot
Edit the /etc/fstab file and insert the new mount point:
/dev/mapper/foo /crypto ext3 defaults 0 1
This of course assumes you have done the crypttab step above, so that /dev/mapper/foo already exists by the time the filesystems in fstab are mounted.

Non-automated mounting
cryptsetup create foo /dev/hda4
You are prompted for the passphrase here
mount /dev/mapper/foo /crypto

Unmounting the crypto filesystem
umount /dev/mapper/foo
cryptsetup remove foo
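The preflight checks and the manual open/close steps above, wrapped as shell functions. This is an added example, not a script from the original post; the function names (crypto_has_cipher, dm_has_target, crypt_open, crypt_close) are mine, and the two parsers read their input from stdin so they can be run against the live system or against a saved listing.

```shell
#!/bin/sh
# Added example, not part of the original post: the manual checks above as
# shell functions, plus open/close helpers for the non-automated workflow.

# Succeeds if the /proc/crypto listing on stdin has a "cipher" entry named
# $1 (e.g. "aes"). Entries are blank-line separated "key : value" blocks.
crypto_has_cipher() {
    awk -v want="$1" '
        $1 == "name" { n = $3 }
        $1 == "type" { t = $3 }
        /^$/ { if (n == want && t == "cipher") found = 1; n = ""; t = "" }
        END  { if (n == want && t == "cipher") found = 1; exit !found }'
}

# Succeeds if the "dmsetup targets" output on stdin lists target $1
# (e.g. "crypt"); the version column is ignored.
dm_has_target() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Map $2 as plain dm-crypt device $1 and mount it on $3: the manual
# "cryptsetup create" + "mount" steps, with the checks done first.
# cryptsetup prompts for the passphrase on the terminal.
crypt_open() {
    name="$1"; dev="$2"; mnt="$3"
    [ -e /dev/mapper/control ] || modprobe dm_mod
    crypto_has_cipher aes < /proc/crypto || modprobe aes
    dmsetup targets | dm_has_target crypt || { echo "no crypt target" >&2; return 1; }
    cryptsetup create "$name" "$dev" || return 1
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt"
}

# Reverse of crypt_open: unmount first, then tear down the mapping.
crypt_close() {
    umount "/dev/mapper/$1" && cryptsetup remove "$1"
}

# Only act when called with arguments, e.g.:
#   ./crypt.sh open foo /dev/hda4 /crypto
#   ./crypt.sh close foo
case "${1:-}" in
    open)  crypt_open "$2" "$3" "$4" ;;
    close) crypt_close "$2" ;;
esac
```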
