DM-Crypt HOWTO


Dm-crypt

This tutorial explains how to set up an encrypted partition on Linux using dmcrypt.
You can use either physical partitions or files through a loopback device.

Loopback or partition?

A loopback setup means that you have an ordinary file on a partition which you attach to a special device called a loop device. The loop device then acts as a normal block device, turning your file into just another hard disk :)

This is useful if for example you wish to store all your ssh keys safely but don't want to have to make another partition for it!

Configuring the kernel

You will need a kernel configuration similar to this in order to use dmcrypt:

You must first enable the device mapper (dm):

Device Drivers -->
 [*] Multiple devices driver support (RAID and LVM)
  <*> Device mapper support
  <*> Crypt target support

Then you must enable the cipher (aes):

 Cryptographic API -->
  <*> AES cipher algorithms (i586)

If you're going to be using dmcrypt on a loopback file, not a partition:

 Device Drivers --> Block Devices -->
 <*> Loopback device support # Remember, cryptoloop is not dmcrypt

Installing needed tools

You need cryptsetup in order to create an encrypted partition. The exact package name may differ between distros:

  • Gentoo: sys-fs/cryptsetup
  • Debian: cryptsetup

Creating ciphered file

..on a partition

If you wish to use dmcrypt on a partition then read this, otherwise see below for information on using it with a loopback device.

First we create a device mapper device called 'mycrypt' on a partition, say /dev/hda7 (we will use that throughout the guide)

cryptsetup -y create mycrypt /dev/hda7

Has it worked?

dmsetup ls

It should display 'mycrypt'

Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):

mke2fs /dev/mapper/mycrypt

Now mount it:

mount /dev/mapper/mycrypt /mnt/point

Test it worked, congratulations!

To bring it down:

umount /mnt/point
cryptsetup remove mycrypt

..on a file using loopback device

This is for using dmcrypt with a loopback device; see above for using it with a partition.

First, create our file:

touch protected
shred -n1 -s50M protected

This creates a 50MB file called 'protected' in your current directory.
Because it is prefilled with random data, it's impossible to see afterwards how much of it has been used.

Now let's set a loopback device to use this file.
First find the name of the first unused loop device:

losetup -f

Use this loop device to set up the loopback (in this case /dev/loop0 is available):

losetup /dev/loop0 /path/to/protected

Now let's create an encrypted device mapper device using cryptsetup:

cryptsetup -y create mycrypt /dev/loop0

Check it worked:

dmsetup ls

You should see 'mycrypt' listed

Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):

mke2fs /dev/mapper/mycrypt

Now mount it:

mount /dev/mapper/mycrypt /mount/point

Check it works for a while, and be happy, then continue reading :)

To unmount it:

umount /mount/point
cryptsetup remove mycrypt
losetup -d /dev/loop0

To automate this process you could write your own script (see below) or try the tool cryptmount.

umount/mount Scripts

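#!/bin/bash
# Attach the container file to a loop device
losetup /dev/loop0 /Your/Container
sleep 1
# Map it through dm-crypt (prompts for the passphrase)
cryptsetup create Container /dev/loop0
sleep 1
# Mount the decrypted mapping
mount /dev/mapper/Container /mnt/Container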

Replace Container with your file, save it under /usr/bin/something and chmod +x /usr/bin/something

#!/bin/bash
# Tear down in reverse order: filesystem, mapping, loop device
umount /dev/mapper/Container
cryptsetup remove Container
losetup -d /dev/loop0

Replace Container with your file, save it under /usr/bin/somethingother and chmod +x /usr/bin/somethingother
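
An added example, not part of the original page: a variant of the two scripts above written as shell functions. It asks losetup for a free loop device instead of assuming /dev/loop0, and refuses to mount when no filesystem signature is found on the mapping, which is what a mistyped passphrase produces in this setup because the mapping is created either way. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): open/close a dm-crypt
# container file. Function names and exit codes are this example's own.

# open_container FILE NAME MOUNTPOINT
# Prints the loop device used; undoes its own setup on any failure.
open_container() (
    file=$1 name=$2 mnt=$3
    # Let losetup pick a free loop device instead of assuming /dev/loop0.
    loopdev=$(losetup -f --show "$file") || exit 1
    # The mapping has no header to check the passphrase against, so this
    # step succeeds even when the passphrase is mistyped.
    if ! cryptsetup create "$name" "$loopdev"; then
        losetup -d "$loopdev"
        exit 1
    fi
    # A wrong passphrase decrypts to noise, so no filesystem signature
    # is found. Refuse to mount and tear everything down again.
    if ! blkid -p "/dev/mapper/$name" >/dev/null 2>&1; then
        echo "no filesystem on /dev/mapper/$name (wrong passphrase?)" >&2
        cryptsetup remove "$name"
        losetup -d "$loopdev"
        exit 2
    fi
    if ! mount "/dev/mapper/$name" "$mnt"; then
        cryptsetup remove "$name"
        losetup -d "$loopdev"
        exit 1
    fi
    echo "$loopdev"
)

# close_container NAME MOUNTPOINT LOOPDEV
# Stops at the first failure so a busy filesystem keeps its mapping.
close_container() (
    name=$1 mnt=$2 loopdev=$3
    umount "$mnt" || exit 1
    cryptsetup remove "$name" || exit 1
    losetup -d "$loopdev"
)

# Usage: script open FILE NAME MOUNTPOINT | script close NAME MOUNTPOINT LOOPDEV
case "${1:-}" in
    open)  shift; open_container "$@" ;;
    close) shift; close_container "$@" ;;
esac
```

Keep the loop device name printed by the open step; the close step needs it as its third argument.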


Who Am I?

~redShadow~ A.K.A. Samuele Santi is an Italian Open Source developer, currently working as a freelance developer, mainly in the web applications sector. Favourite programming languages: PHP and, of course, Python!
