[dm-crypt] cryptsetup and GPT partitions

David Christensen dpchrist at holgerdanske.com
Fri Feb 10 09:15:01 CET 2017


On 02/08/17 04:33, Houtchen, Steven wrote:
> I am trying to use "cryptsetup" and "parted" together.
> I want to use "cryptsetup" to encrypt a whole solid state disk,
> and then use "parted" to create partitions on it with a GPT partition
> table.  I have been able to do the first task, but not the second.

I've never done that.


> Or vice versa. Create a few partitions, and then optionally
> encrypt each one individually. I have been able to do the first
> task, but not the second.

That's how I've done it.


> So my question is, is "cryptsetup" compatible with parted and
> GPT partition table? Or do I need to use something like "lvm2"
> to accomplish what I am trying to do?

I would suggest:

1.  Use the manufacturer tool to do a secure erase of the SSD (this 
could involve using a Microsoft Windows machine).

2.  Use parted to create a MBR partition table.

3.  Use parted to create one primary partition.  Consider 
under-provisioning.

4.  Use cryptsetup luksFormat to put a LUKS container into the partition.

5.  Use cryptsetup luksOpen to open the LUKS container.  Add entry to 
/etc/crypttab (Debian).

6.  Either create a filesystem on the mapped device and add entry to 
/etc/fstab (Debian), or feed the mapped device to LVM (it's been a while 
for me; you'll have to figure that out).


> I am using CentOS7 with
>
> [root at dts1 ~]# cryptsetup --version
> cryptsetup 1.6.7
> [root at dts1 ~]#
>
> [root at dts1 ~]# parted --version
> parted (GNU parted) 3.1
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by <http://git.debian.org/?p=parted/parted.git;a=blob_plain;f=AUTHORS>.
> [root at dts1 ~]#
>
>

On 02/08/17 05:44, Houtchen, Steven wrote:
> I did get the scenario to seemingly work where I encrypt the whole block device, and use
> parted to create a partition on the device mapper device. I attached a file showing the
> command sequence.
>
> My questions here are:
>
> Is this a valid use case,

I don't know.  If I did put a LUKS container on the raw disk and then 
partitioned the mapped device, I don't know how I would specify such in 
/etc/crypttab and /etc/fstab.  I'd have to hack up scripts to set it up 
on boot and tear it down on shutdown.


> and also, can I set the starting block on my partition
> on the device mapper device to be at 1 MB, or would that conflict
> with any of the LUKS header info on the actual drive?

The available space of the LUKS mapped device is going to be smaller 
than the partition size.  On one of my 3 TB drives, it's about ~44 GB 
smaller (~1.6%).  The LUKS meta-data is going to be in there, including 
the header.


You should be able to use all of the blocks in the mapped device however 
you please; if LUKS breaks, then your LUKS is broken.


David
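The partition-then-LUKS layout recommended above (steps 2 to 6), written out as a shell script. This is an added example and not part of the original message or of the cryptsetup project; the device path /dev/sdX, the mapping name cryptdata and the mount point /mnt/data are hypothetical, and the crypttab/fstab format assumed is the Debian one. Two checks a practitioner would want are included: a comparison of the partition size against the mapped device size (the difference is the LUKS header and key-slot area, whose payload offset in 512-byte sectors is shown by cryptsetup luksDump), and a header-magic test that works without cryptsetup.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes cryptsetup 1.x
# (LUKS1 defaults), GNU parted, and Debian-style /etc/crypttab and
# /etc/fstab. /dev/sdX, cryptdata and /mnt/data below are hypothetical.
set -eu

# First partition name for a disk: /dev/sda -> /dev/sda1, but devices
# whose name ends in a digit (NVMe, mmcblk) get a "p" separator.
part_of() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n'  "$1" ;;
    esac
}

# /etc/crypttab line: <name> <device> <keyfile> <options>. UUID= keeps
# the entry valid if the /dev name changes. "discard" is deliberately
# left out: passing TRIM through to an SSD reveals which blocks are
# unused, so add it only if that leak is acceptable for your use.
crypttab_entry() {
    name=$1 uuid=$2
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# /etc/fstab line for the mapped device.
fstab_entry() {
    name=$1 mountpoint=$2 fstype=$3
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$name" "$mountpoint" "$fstype"
}

# True if the first 6 bytes of a file or block device are the LUKS
# magic "LUKS" 0xba 0xbe; a quick check that needs no cryptsetup.
has_luks_magic() {
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Destructive part (steps 2 to 6). Only runs when invoked as:
#   sh luks-setup.sh --run /dev/sdX cryptdata /mnt/data
if [ "${1:-}" = "--run" ]; then
    dev=$2 name=$3 mnt=$4

    # 2-3. Partition table and one partition starting at 1 MiB, ending
    #      at 90% of the disk so the rest stays unallocated (the
    #      under-provisioning mentioned above). LUKS lives inside the
    #      partition, so "gpt" works here exactly like "msdos".
    parted -s "$dev" mklabel msdos mkpart primary 1MiB 90%
    partprobe "$dev"
    part=$(part_of "$dev")

    # 4. LUKS container. -q skips the uppercase-YES confirmation; the
    #    passphrase is still prompted for twice.
    cryptsetup -q --verify-passphrase luksFormat "$part"
    has_luks_magic "$part" || { echo "no LUKS header on $part" >&2; exit 1; }

    # 5. Open it and record the mapping for boot.
    cryptsetup luksOpen "$part" "$name"
    uuid=$(cryptsetup luksUUID "$part")
    crypttab_entry "$name" "$uuid" >> /etc/crypttab

    # Check: mapped device is smaller than the partition by the header
    # area; luksDump shows the same offset in 512-byte sectors.
    echo "partition bytes: $(blockdev --getsize64 "$part")"
    echo "mapped bytes:    $(blockdev --getsize64 "/dev/mapper/$name")"
    cryptsetup luksDump "$part" | grep -i 'payload offset'

    # 6. Filesystem on the mapped device plus its fstab entry.
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    fstab_entry "$name" "$mnt" ext4 >> /etc/fstab
    mount "$mnt"
fi
```

Run it with --run only on a disk you intend to wipe; without --run the script just defines the helpers, so the crypttab and fstab lines can be previewed (for example `crypttab_entry cryptdata "$(cryptsetup luksUUID /dev/sdX1)"`) before anything is appended to the system files.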


