[dm-crypt] Encrypt all partitions with dm-crypt

Matthew Monaco dgbaley27 at 0x01b.net
Wed Sep 26 11:24:11 CEST 2012


On 09/26/2012 02:23 AM, Stayvoid wrote:
>> You need to add "encrypt" to
>> the HOOKS setting in /etc/mkinitcpio.conf and run (as root)
>>
>> # mkinitcpio -p linux-libre
>>
>> This will add cryptsetup and the necessary modules to your initramfs.
> 
> It worked.
> 
>> You also MUST add root=/dev/mapper/ROOT cryptdevice=/dev/sdX#:ROOT to your
>> kernel command line (/boot/grub/menu.lst for grub-legacy,
>> /boot/grub/grub.cfg
>> for grub2). Where ROOT is whatever label you want and /dev/sdX# is your
>> encrypted block device. Furthermore, you need to set crypto= to your
>> specific
>> settings, but I don't remember the format off the top of my head.
> 
> I'd like to try mounting from a recovery shell.
> But there is no /media. Is it possible to add it?
> 

You can mount to wherever you like. Once you've mapped the block device to
/dev/mapper/NAME, you have a block device like any other.

> BTW, how to safely enable swap?
> Should I chroot into the system and decrypt / swapon there?
> 

The easiest thing is probably a swap file. However, you can also have a separate
swap partition which gets encrypted with a random key each boot. You define it
in /etc/crypttab.

swap  /dev/sdX# /dev/urandom swap

This maps /dev/sdX# to /dev/mapper/swap with a random password. The "swap" in
the fourth column tells /etc/rc.sysinit to run mkswap on the device after it's
mapped.

>> Are you *sure* you don't want to use LUKS?
> 
> Yes.
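
Added example, not part of the original message: a small shell check for the random-key swap line shown above. Because the "swap" option makes mkswap run on the mapped device at every boot, the check flags entries whose device is a kernel name such as /dev/sdb2, which can point at a different partition after a reboot. The function name, verdict words and sample entries are constructed for illustration, and the four-field layout (name, device, key, options) is assumed from the line quoted in the message.

```shell
#!/bin/sh
# audit_crypttab FILE
# Prints "NAME VERDICT" for every entry keyed from /dev/urandom or /dev/random:
#   ok               random key, swap option set, persistent device path
#   no-swap-option   random key but mkswap will not be run on the mapping
#   unstable-device  mkswap runs on a kernel name that may change between boots
audit_crypttab() {
    while read -r name dev key opts rest; do
        case "$name" in ''|'#'*) continue ;; esac      # blank lines and comments
        case "$key" in
            /dev/urandom|/dev/random) ;;                # fresh key on each boot
            *) continue ;;                              # persistent key: out of scope
        esac
        case ",$opts," in
            *,swap,*) ;;                                # options are comma-separated
            *) echo "$name no-swap-option"; continue ;;
        esac
        case "$dev" in
            /dev/sd[a-z]*|/dev/hd[a-z]*|/dev/vd[a-z]*)
                echo "$name unstable-device" ;;
            *)  echo "$name ok" ;;
        esac
    done < "$1"
}

# Constructed sample entries (not taken from any real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name   device                          key           options
swap     /dev/sdb2                       /dev/urandom  swap
swap2    /dev/disk/by-id/EXAMPLE-part3   /dev/urandom  cipher=aes-xts-plain64,swap
scratch  /dev/sdc1                       /dev/urandom
home     /dev/sda3                       none          luks
EOF
audit_crypttab "$sample"
rm -f "$sample"
```

Run against a copy of /etc/crypttab, any "unstable-device" line is a candidate for a /dev/disk/by-id or by-partuuid path, which stays attached to the same partition across boots.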



