[dm-crypt] Encrypt all partitions with dm-crypt

Arno Wagner arno at wagner.name
Wed Sep 5 15:01:25 CEST 2012


Hi,

On Wed, Sep 05, 2012 at 08:21:36AM +0400, Stayvoid wrote:
> Hello there,
> 
> Let's move back to the initial questions...
> 
> I'd like to use a plain version of dm-crypt because it doesn't
> store a header on a disk. (Yes, I know that LUKS is a recommended
> way, but I've already made my choice.)

That is fine. I am doing the same in some places.

> I haven't found any guides to the plain version that's why I
> decided to ask first.

That is because the plain version is actually simpler to use,
it just is missing most "enterprise" features.
 
> Here is what I'm going to do:
> (These notes are based on this guide [1].
> I'm using a LiveUSB.)
> 
> 1. Overwrite a hard disk:
> 
> # dd if=/dev/urandom of=/dev/sda bs=1M

That will be very slow. The fastest method is to map
with plain dm-crypt and a random key (like the typical swap
set-up) and then overwrite with zeros.

Your solution will work though, although if you do it with

  dd_rescue /dev/urandom /dev/sda

you get a progress indicator.

> 
> 2. Create partitions:
> 
> # fdisk /dev/sda
> 
> Here is my partition scheme:
> 
> Device    Boot    Start         End     Blocks  Id  System
> /dev/sda1          2048      206847     102400  83  Linux
> /dev/sda2        206848     2303999    1048576  82  Linux
> /dev/sda3       2304000   312581807  155138904  83  Linux 
>
> * /dev/sda1 -- /boot;
> * /dev/sda2 -- swap;
> * /dev/sda3 -- the rest.

Looks reasonable.
 
> When can I create the filesystems?
> Can I do it at this step?

No. Nothing is encrypted. You could create the boot
filesystem if that stays unencrypted.

> 3. Mapping partitions:
> 
> # cryptsetup -y -c aes-xts-plain -s 512 create swap /dev/sda2
> # cryptsetup -y -c aes-xts-plain -s 512 create main /dev/sda3
> 
> After this step the guide [1] suggests to unlock LUKS partitions:
> 
> # cryptsetup luksOpen /dev/<partitions name> <device-mapper name>
> 
> How to do it using the plain version of dm-crypt?
> Is it even necessary?

No. You just map it like you stated and then create the filesystem
on the mapped device. The luksFormat step does not happen.

So: 

mke2fs -j /dev/mapper/main
mkswap /dev/mapper/swap

> 
> 4. Encrypting the swap partition with suspend-to-disk support:
> 
> How to do it using the plain version?

No idea. Suspend-to-disk is insecure unless done right and it
needs to be done right by your distro. Basically you
can put in "cryptsetup create" for any "cryptsetup luksOpen" and
swap the arguments.
"cryptsetup close" and "cryptsetup luksClose" are synonyms
AFAIK, i.e. both remove the mapping whether plain or LUKS.

Arno



 
> 
> What else should be done to finish the configuration?
> 
> [1] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
> 
> Thanks

-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
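
The sequence discussed in this message (fast wipe through a random-key plain mapping, then map each partition and create the filesystem on the mapped device), as an added example that is not part of the original mail. The function names, the RUN switch and the sdX-style partition naming are assumptions; cipher, key size and mapping names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: dry run by default; set RUN=1 (as root) to really execute.
CIPHER="aes-xts-plain"   # cipher and key size taken from the thread
KEYBITS=512

# run CMD...: print the command, execute it only when RUN=1.
run() {
    printf '%s\n' "$*"
    [ "${RUN:-0}" = 1 ] || return 0
    "$@"
}

# check_dev DEV: when really running, refuse anything that is not a block device.
check_dev() {
    [ "${RUN:-0}" = 1 ] || return 0
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
}

# wipe_fast DEV: map DEV with a throwaway random key and fill the mapping with
# zeros, so the disk receives their ciphertext; closing the mapping drops the key.
wipe_fast() {
    check_dev "$1" || return 1
    run cryptsetup -d /dev/urandom -c "$CIPHER" -s "$KEYBITS" create wipe "$1" || return 1
    # dd stops with "No space left on device" once the mapping is full; expected.
    run dd if=/dev/zero of=/dev/mapper/wipe bs=1M
    run cryptsetup close wipe
}

# map_plain NAME DEV: passphrase-based plain mapping (-y asks twice), no header.
map_plain() {
    check_dev "$2" || return 1
    run cryptsetup -y -c "$CIPHER" -s "$KEYBITS" create "$1" "$2"
}

# setup_disk DISK: whole sequence for the thread's layout
# (DISK1 = /boot unencrypted, DISK2 = swap, DISK3 = the rest; sdX-style names assumed).
setup_disk() {
    wipe_fast "$1" || return 1
    run fdisk "$1" || return 1            # interactive: create the three partitions
    run mke2fs -j "${1}1" || return 1     # /boot: filesystem directly on the partition
    # Encrypted partitions: map first, then create the filesystem on the mapping.
    map_plain swap "${1}2" && run mkswap /dev/mapper/swap || return 1
    map_plain main "${1}3" && run mke2fs -j /dev/mapper/main
}

if [ $# -gt 0 ]; then setup_disk "$1"; fi
```

Called with a disk name and without RUN=1, the script only prints the commands in order, which makes it easy to check device names before anything is overwritten.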

