256bit AES encryption
There are other techniques to encrypt your harddrive, however dm-crypt is the new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices. It provides the possibility of all the default cryptographic methods found in the kernel, including what I will use in this tutorial: Advanced Encryption Standard (AES).
Kernel Modules (>= 2.6.4)
In order to be able to use this, you of course have to have support built into your kernel.
Device Drivers --> Multi-device support (RAID and LVM) -->
[*] Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<*> Crypt target support
Then you must enable the Encryption Standard cipher:
Cryptographic Options -->
<*> AES cipher algorithims (i586)
If you want to use dm-crypt with a file instead of a partition, you will need loopback support
Device Drivers --> Block Devices -->
<*> Loopback device support
Please note that “Cryptoloop Support” is not need, as it is the depreciated (old) method of using encryption.
Required software
You will need to install cryptsetup to be able to use dm-crypt, and to use extra password hashing hashalot (which I use in the examples below). Gentoo users can simply:
emerge cryptsetup hashalot
Using a partition for encryption
You will of course have to have a free partition to use before going any further. If you don’t, please either make one, or jump to the next section (if you are just testing) where you can use a file instead of device as your encrypted file system.
The tool cryptsetup has several options worth exploring before you create your partition. This is important, as you cannot change it afterwards.
cryptsetup -y -c aes -s 256 -h sha256 create mycrypt /dev/hdb1
This command (cryptsetup, with options) basically creates a block device (“mycrypt” in /dev/mapper), like a static key, based on your options and of course password. The options I have given here I will have to give every time I mount my drive in the future so to make it easier you could make a script with the command. Your password will always have to be entered though maintaining your security.
What I have done here above is used 256-bit AES encryption, hashing my password first through a 256bit SHA algorithm, and mapping it to /dev/hdb1 (being my encrypted partition. The -y option simply asks you twice for your password, so can be left out after you can actually set this all up (unless you prefer to always enter your password twice).
If this all went well, we should be able to see out new device (which we called “mycrypt”) with:
dmsetup ls
Now, basically anything we do to this device (including creating it’s new file system) will pass through this “key” devivice we created above. This means that those options, and your password will always have to be exact, else it will look like you have just corrupted data ~ being the exact point of good encryption!
Now we create our file system (I used reiserfs for this example, but you can use whatever you want) on this device (/dev/mapper/mycrypt):
mkreiserfs /dev/mapper/mycrypt
NOTE: We only need to create the file system once and not every time we mount the device ;-)
Mount the encrypted file system:
mount -t reiserfs /dev/mapper/mycrypt /mnt/encrypted
Here we have our encrypted partition mounted to /mnt/encrypted which will be able to be accessed just like any other mount system at this point ~ The “only” difference that this partition is using heavy encryption.
When you are finished using it simply umount it, and delete the device you created with all your options:
umount /mnt/encrypted
cryptsetup remove mycrypt
Using a file as a file system (loopback)
This explains how to use a file as an encrypted file system, mounted through a loopback device. First we need to create a new file which will be used as our file system. In the following example I will create a file (called here “encrypfs”) of exactly 250MB’s in our current working directory, filled initially with random data (junk):
dd if=/dev/urandom of=encryptfs bs=1M count=250
Now in order to use this file as a file system, we have to use a so-called loopback device to attach it to our /dev
losetup /dev/loop0 /path/to/encryptfs
We now will create our encrypted device (refer to previos excecise for explanation to what this means)
cryptsetup -y -c aes -s 256 -h sha256 create mycrypt /dev/loop0
If this all went well, we should be able to see out new device (which we called “mycrypt”) with:
dmsetup ls
Now we create our file system (I used reiserfs for this example, but you can use whatever you want) on this device (/dev/mapper/mycrypt):
mkreiserfs /dev/mapper/mycrypt
NOTE: We only need to create the file system once and not every time we mount the device ;-)
Mount the encrypted file system:
mount -t reiserfs /dev/mapper/mycrypt /mnt/encrypted
Here we have our encrypted partition mounted to /mnt/encrypted which will be able to be accessed just like any other mount system at this point ~ The “only” difference that this partition is using heavy encryption.
When you are finished using it simply umount it, and delete the device you created with all your options:
umount /mnt/encrypted
cryptsetup remove mycrypt
losetup -d /dev/loop0