Thu 02 of Sep, 2010 [15:30 UTC]  
dm-crypt HOWTO for Debian unstable and testing

Distribution

First of all, make sure you're running unstable (sid), testing (etch) or stable (sarge).

Required Packages

Then install some required packages:

apt-get install cryptsetup hashalot

Dependencies should pull in the packages dmsetup and possibly libdevmapper1.00. The packages libgcrypt7-dev and libcppopt-dev are only needed for programming against the libraries; you don't need them just to use dm-crypt.

Kernel

All packaged kernels for sarge, etch and sid work fine. Self-compiled current 2.6.x kernels are also known to work without issues.

For user-compiled kernels, select the following options:

  • Code maturity level options --->
    • Prompt for development and/or incomplete code/drivers: on
  • General setup --->
    • Support for hot-pluggable devices: on
  • Device Drivers ---> Multi-device support (RAID and LVM) --->
    • Device mapper support: on
    • Crypt target support: on
  • Cryptographic options --->
    • AES cipher algorithms: on

Compile and install your new kernel, and reboot to activate it.

If you have configured the kernel options above as modules, or are using a packaged kernel, load the modules from kernel/drivers/md and kernel/crypto:

modconf --> aes, dm_crypt, dm_mod

Check that device mapper exists:

#ls -l /dev/mapper/control
crw------- 1 root root 10, 63 Feb 4 01:21 /dev/mapper/control
#


Check that AES is supported:

#grep aes /proc/crypto
name : aes
#


Check that the crypt target is supported (newer versions than these are also fine):

#dmsetup targets
crypt v1.0.0
striped v1.0.1
linear v1.0.1
error v1.0.1
#
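The three manual checks above (the device-mapper control node, the aes entry in /proc/crypto and the crypt line in the output of dmsetup targets) can be scripted. The following is an added example and not part of the original HOWTO; the function names, the --live switch and the optional path arguments are this example's own. The parsing helpers read the text to inspect from standard input, so they can be tried on saved output without root.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): scripted version of the three
# kernel-support checks. The parsers read /proc/crypto and "dmsetup targets"
# text from stdin; check_dmcrypt_support runs all three on the live system.

# crypto_has_alg ALG  < /proc/crypto
# True when a "name : ALG" line is present, i.e. the cipher is registered.
crypto_has_alg() {
    grep -qE "^name[[:space:]]*:[[:space:]]*$1[[:space:]]*\$"
}

# dm_has_target TARGET  < output of "dmsetup targets"
# True when the target (e.g. crypt) is listed; the version is not checked.
dm_has_target() {
    grep -qE "^$1[[:space:]]+v[0-9]+\.[0-9]+\.[0-9]+"
}

# dm_control_ok PATH -> true when PATH is a character device node
dm_control_ok() {
    [ -c "$1" ]
}

# check_dmcrypt_support [CONTROL] [CRYPTO]
# Returns 0 when all checks pass, otherwise the number of failed checks,
# printing which kernel option or module is missing for each failure.
check_dmcrypt_support() {
    control=${1:-/dev/mapper/control}
    crypto=${2:-/proc/crypto}
    failures=0
    if dm_control_ok "$control"; then
        echo "ok: $control exists"
    else
        echo "missing: $control (load dm_mod or enable 'Device mapper support')"
        failures=$((failures + 1))
    fi
    if crypto_has_alg aes < "$crypto"; then
        echo "ok: aes cipher available"
    else
        echo "missing: aes in $crypto (load aes or enable 'AES cipher algorithms')"
        failures=$((failures + 1))
    fi
    if dmsetup targets 2>/dev/null | dm_has_target crypt; then
        echo "ok: crypt target available"
    else
        echo "missing: crypt target (load dm_crypt or enable 'Crypt target support')"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run the live checks only when invoked with --live, so that the functions
# can also be sourced and exercised on saved output.
case "${1:-}" in
    --live) check_dmcrypt_support ;;
esac
```

Run it as root with `sh dmcrypt-check.sh --live`; a non-zero exit status is the number of checks that failed, so it can gate the rest of a provisioning script.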


Creating the encrypted partition

It is a three-step process to create our encrypted partition:
  1. run cryptsetup on the partition, which creates a device mapper device with target 'crypt';
  2. create the file system on our new device;
  3. mount our new device.

Imagine you want to encrypt /dev/hda9 and it is (to become) your home partition. (The options of the cryptsetup script can be found on this very homepage ;)

Create the device mapper

Use cryptsetup to create the encrypted device (home), backed by the real device (/dev/hda9). "home" is just a name for the encrypted device; it will appear with that name under /dev/mapper.

#cryptsetup -y create home /dev/hda9
Enter passphrase:
Verify passphrase:
#

If you get "Command failed: No such file or directory", you mistyped the second passphrase.

Alternatively, instead of relying on the defaults, supply all arguments yourself:

#cryptsetup -y -c aes -h ripemd160 -s 256 create home /dev/hda9
WARNING: keysize is in bits not bytes
WARNING: use ripemd160 instead of rmd160
Enter passphrase:
Verify passphrase:
#


If you want to encrypt /dev/hda3 and it is going to contain data, the command would read:

#cryptsetup -y create data /dev/hda3
Enter passphrase:
Verify passphrase:
#

You get the idea.

Confirm it worked:

#dmsetup ls
home (254, 0)
#ls -l /dev/mapper
total 0
brw------- 1 root root 254, 0 Jun 13 22:34 home
crw------- 1 root root 10, 63 Feb 4 01:21 control
#

You now have a "virtual" block device called /dev/mapper/home, which is mapped (through the crypt target) to /dev/hda9.

Create filesystem (only to be done once)

#mkfs -t ext3 /dev/mapper/home
(lots of pretty mkfs output comes by)
#

or, whatever suits you:

mkfs -t ext3 /dev/mapper/data
mkfs -t ext2 /dev/mapper/home

Mount filesystem

Make sure the directory where you want to mount the virtual block device exists, for example /mnt/home. Then mount it:

#mount -t ext3 /dev/mapper/home /mnt/home
#

or:

mount -t ext3 /dev/mapper/data /data

To verify that it worked:

#grep home /proc/mounts
/dev/mapper/home /mnt/home ext3 rw 0 0
#

Make It Permanent

If everything works fine, it's time to make things permanent, the Debian way.
In /etc/crypttab insert (without a leading empty line):

home /dev/hda9 none cipher=aes

...or, for the data example: data /dev/hda3

See the crypttab man page for details.

In /etc/fstab insert:

/dev/mapper/home /home ext3 defaults 0 1


...or, for the data example: /dev/mapper/data /data ext3 defaults 0 1

This way the boot process will stop and wait for a passphrase (with the noauto option the partition will not be mounted at boot time anyway). If you don't want the boot process interrupted, modify /etc/default/cryptdisks like this:

CRYPTDISKS_ENABLE=No

and then, as root, run

/etc/init.d/cryptdisks start

to create the devices whenever you want (and use defaults,noauto in /etc/fstab, as mentioned above).

/etc/init.d/cryptdisks creates the /dev/mapper/home device node; /etc/fstab then mounts it.
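The create, mkfs and mount steps above, together with the two lines that make the setup permanent, as one script. This is an added example, not code from the original HOWTO: the script, its --init switch, the DRY_RUN variable and the helper names are this example's own, while the cipher options, mapping name, device and mount point are the HOWTO's. It refuses to run cryptsetup on a device that is already mounted (the error described under Troubleshooting), runs mkfs only when explicitly asked to with --init, and checks /proc/mounts afterwards the way the HOWTO does with grep. The fstab line it prints uses defaults,noauto with fsck pass 2 instead of the page's defaults 0 1, because the cryptdisks section above recommends noauto and fsck pass 1 is reserved for the root filesystem.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: the three steps
# (cryptsetup create, mkfs, mount) as one script with pre-flight checks.
# Device names are the HOWTO's; the script, --init and DRY_RUN are ours.
#
#   sh crypt-home.sh [--init] NAME DEVICE MOUNTPOINT [FSTYPE]
#   --init     run mkfs on the new mapping (first time only; destroys data)
#   DRY_RUN=1  print the privileged commands instead of executing them

# run CMD...  -> execute CMD, or just print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# is_mounted DEV  < /proc/mounts  -> true when DEV (as /proc/mounts names it)
# is the source of a mount. cryptsetup must never be pointed at a mounted
# partition (see Troubleshooting).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# mapping_exists NAME  < output of "dmsetup ls"  -> true when NAME is mapped
mapping_exists() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Lines for /etc/crypttab and /etc/fstab. noauto keeps the passphrase prompt
# out of the boot process; fsck pass 2 because pass 1 is for the root fs.
crypttab_line() { echo "$1 $2 none cipher=aes"; }
fstab_line()    { echo "/dev/mapper/$1 $2 ${3:-ext3} defaults,noauto 0 2"; }

crypt_setup_and_mount() {
    init=""
    if [ "$1" = "--init" ]; then init=1; shift; fi
    name=$1; dev=$2; mnt=$3; fstype=${4:-ext3}

    if is_mounted "$dev" < /proc/mounts; then
        echo "refusing: $dev is mounted, unmount it first" >&2
        return 1
    fi
    if dmsetup ls 2>/dev/null | mapping_exists "$name"; then
        echo "mapping $name already exists, skipping cryptsetup" >&2
    else
        # -y asks twice: a passphrase typo would otherwise give a different key
        run cryptsetup -y -c aes -h ripemd160 -s 256 create "$name" "$dev" || return 1
    fi
    if [ -n "$init" ]; then
        run mkfs -t "$fstype" "/dev/mapper/$name" || return 1
    fi
    [ -d "$mnt" ] || run mkdir -p "$mnt"
    run mount -t "$fstype" "/dev/mapper/$name" "$mnt" || return 1
    if [ -z "${DRY_RUN:-}" ] && ! is_mounted "/dev/mapper/$name" < /proc/mounts; then
        echo "mount of /dev/mapper/$name is not visible in /proc/mounts" >&2
        return 1
    fi
    echo "to make it permanent, add:"
    echo "  /etc/crypttab: $(crypttab_line "$name" "$dev")"
    echo "  /etc/fstab:    $(fstab_line "$name" "$mnt" "$fstype")"
}

# Only act when arguments are given, so the functions can also be sourced.
[ $# -eq 0 ] || crypt_setup_and_mount "$@"
```

Try it first with `DRY_RUN=1 sh crypt-home.sh --init home /dev/hda9 /mnt/home`, which prints the commands it would run; drop DRY_RUN and run it as root to perform them. On later boots call it without --init, since repeating mkfs would wipe the filesystem.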

Manual remounting

For those who don't want a passphrase prompt interrupting the boot process, the encrypted filesystem can be mounted manually:

cryptsetup create home /dev/hda9

You will be prompted for the existing passphrase at this point.

mount /dev/mapper/home /home


Troubleshooting a cryptsetup/Debian crypto-root setup

Several problems may occur in the process described above. Problems also arise when the kernel, cryptsetup or the initrd-tools get updated. Here are a few hints for solving some common(?) problems:

  • Mounted partitions: do not run cryptsetup on mounted partitions! This results in an error along the lines of "device-mapper: table: 254:0: crypt: Device Lookup failed".
  • Correct root partition: make sure that grub's menu.lst (or lilo's equivalent) points to the decrypted root partition, i.e. /dev/mapper/root and not /dev/hdxy.
  • Do not build an initrd with BUSYBOX set to YES. As of 06/11/05 and debian/testing, this breaks the initrd so that booting your system becomes impossible. For more information, see this mailing list post.
  • The encryption mode setting in the created initrd may be wrong (which should provoke messages at boot that tell you so). For example, change "aes-plain" in the script file of the initrd to "aes". (To do that, mount the initrd from Knoppix (or a similar rescue CD), copy it, change it and recreate it using mkcramfs.) This should probably be filed as a bug somewhere...
--
That's it.

Created by: spookykid last modification: Monday 30 of August, 2010 [14:01:31 UTC] by Anonymous