Distribution
First of all, make sure you're running unstable (sid), testing (etch) or stable (sarge).
Required Packages
Then install some required packages:
apt-get install cryptsetup hashalot
Dependencies should pull in the packages dmsetup and possibly libdevmapper1.00. The packages libgcrypt7-dev and libcppopt-dev are only needed for programming against the libraries; you don't need them just to use dm-crypt.
Kernel
All packaged kernels for sarge, etch and sid work fine. Compiled current 2.6.x kernels are also known to work without issues.
For user-compiled kernels, select the following options:
- Code maturity level options --->
  - Prompt for development and/or incomplete code/drivers: on
- General setup --->
  - Support for hot-pluggable devices: on
- Device Drivers ---> Multi-device support (RAID and LVM) --->
  - Device mapper support: on
  - Crypt target support: on
- Cryptographic options --->
  - AES cipher algorithms: on
Compile and install your new kernel, and reboot to activate it.
If you have configured the kernel options above as modules, or are using a packaged kernel, load the modules from kernel/drivers/md and kernel/crypto:
modconf --> aes, dm_crypt, dm_mod
Check that device mapper exists:
#ls -l /dev/mapper/control
crw------- 1 root root 10, 63 Feb 4 01:21 /dev/mapper/control
#
Check that AES is supported:
#grep aes /proc/crypto
name : aes
#
Check that the crypt target is supported (newer versions than these are also fine):
#dmsetup targets
crypt v1.0.0
striped v1.0.1
linear v1.0.1
error v1.0.1
#
Creating the encrypted partition
Creating our encrypted partition is a three-step process:
- run cryptsetup on the partition, which creates a device mapper device with target 'crypt'.
- create the file system on our new device.
- mount our new device.
Imagine you want to encrypt /dev/hda9 and it is (to become) your home partition. (The options of the cryptsetup script can be found on this very homepage ;)
Create the device mapper
Use cryptsetup to create the encrypted device (home), backed by the real device (/dev/hda9). "home" is just a name for the encrypted device; it will appear with that name under /dev/mapper.
#cryptsetup -y create home /dev/hda9
Enter passphrase:
Verify passphrase:
#
If you get "Command failed: No such file or directory", you mistyped the second passphrase.
Alternatively, instead of relying on the defaults, you can supply all arguments yourself:
#cryptsetup -y -c aes -h ripemd160 -s 256 create home /dev/hda9
WARNING: keysize is in bits not bytes
WARNING: use ripemd160 instead of rmd160
Enter passphrase:
Verify passphrase:
#
If you want to encrypt /dev/hda3 and it is going to contain data, the command would read:
#cryptsetup -y create data /dev/hda3
Enter passphrase:
Verify passphrase:
#
You get the idea.
Confirm it worked:
#dmsetup ls
home (254, 0)
#ls -l /dev/mapper
total 0
brw------- 1 root root 254, 0 Jun 13 22:34 home
crw------- 1 root root 10, 63 Feb 4 01:21 control
#
You now have a "virtual" block device called /dev/mapper/home, which is mapped (through the crypt target) to /dev/hda9.
Create filesystem (only to be done once)
#mkfs -t ext3 /dev/mapper/home
(lots of pretty mkfs output comes by)
#
or:
mkfs -t ext3 /dev/mapper/data
mkfs -t ext2 /dev/mapper/home
whatever suits you.
Mount filesystem
Make sure the directory where you want to mount the virtual block device exists, for example /mnt/home. Then mount it:
#mount -t ext3 /dev/mapper/home /mnt/home
#
or:
mount -t ext3 /dev/mapper/data /data
To verify that it worked:
#grep home /proc/mounts
/dev/mapper/home /mnt/home ext3 rw 0 0
#
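The three steps above (cryptsetup create, mkfs, mount), wrapped in a small POSIX shell script as an added example that is not part of the original page. The check functions take the text of /proc/mounts, dmsetup ls and dmsetup targets as arguments, so they can be tried without root or real devices; setup_encrypted runs the real cryptsetup, mkfs and mount commands only after those checks pass, which also catches the "mounted partition" problem described in the Troubleshooting section. The function names and the ext3 default are my own choices, not part of cryptsetup.

```shell
#!/bin/sh
# Added example: sanity checks around the cryptsetup -> mkfs -> mount procedure.
# The check functions are pure (they parse text passed as arguments), so they
# can be exercised without root; setup_encrypted is the part that needs root.

# Return 0 if block device $1 is listed as mounted in the /proc/mounts
# content given as $2. Running cryptsetup on a mounted partition fails with
# "crypt: Device Lookup failed".
is_mounted() {
    dev=$1; mounts=$2
    printf '%s\n' "$mounts" | awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }'
}

# Return 0 if a device-mapper mapping named $1 already exists in the output
# of "dmsetup ls" given as $2 (lines look like "home (254, 0)").
mapping_exists() {
    name=$1; dmls=$2
    printf '%s\n' "$dmls" | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'
}

# Return 0 if the crypt target appears in the "dmsetup targets" output given as $1.
has_crypt_target() {
    printf '%s\n' "$1" | awk '$1 == "crypt" { found = 1 } END { exit !found }'
}

# setup_encrypted NAME DEVICE MOUNTPOINT [FSTYPE]
# Runs the real commands (needs root) and stops at the first problem.
# Note: mkfs destroys whatever is currently on DEVICE.
setup_encrypted() {
    name=$1; dev=$2; mnt=$3; fstype=${4:-ext3}   # ext3 default is an assumption
    has_crypt_target "$(dmsetup targets)" || { echo "crypt target missing; load dm_crypt" >&2; return 1; }
    is_mounted "$dev" "$(cat /proc/mounts)" && { echo "$dev is mounted; unmount it first" >&2; return 1; }
    mapping_exists "$name" "$(dmsetup ls)" && { echo "/dev/mapper/$name already exists" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mount point $mnt does not exist" >&2; return 1; }
    cryptsetup -y create "$name" "$dev" || return 1
    mkfs -t "$fstype" "/dev/mapper/$name" || return 1
    mount -t "$fstype" "/dev/mapper/$name" "$mnt"
}
```

Usage, as root and after sourcing the script: setup_encrypted home /dev/hda9 /mnt/home does the same as the manual sequence above, but refuses to run if /dev/hda9 is still mounted, if /dev/mapper/home already exists, or if the crypt target is not loaded.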
Make It Permanent
If everything works fine, it's time to make things permanent - the Debian way.
In /etc/crypttab insert (without a leading empty line):
home /dev/hda9 none cipher=aes
...or: data /dev/hda3
See crypttab man page for details.
In /etc/fstab insert:
/dev/mapper/home /home ext3 defaults 0 1
...or: /dev/mapper/data /data ext3 defaults 0 1
Set up this way, the boot process will stop and wait for the passphrase (the noauto option in /etc/fstab only prevents the partition from being mounted at boot time). If you don't want the boot process interrupted, edit /etc/default/cryptdisks like this:
CRYPTDISKS_ENABLE=No
and then, as root, run
/etc/init.d/cryptdisks start
to create the devices whenever you want (use defaults,noauto in /etc/fstab, as mentioned above).
/etc/init.d/cryptdisks creates the /dev/mapper/home device; /etc/fstab then mounts it.
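Since a /dev/mapper device in /etc/fstab can only be mounted if /etc/crypttab defines it first, here is an added example (not from the original page) of a shell checker that reads the contents of both files, reports every /dev/mapper/NAME in fstab without a matching crypttab entry, and notes which entries use "none" as the key file (a passphrase prompt) without noauto, since those stop the boot until the passphrase is typed. The column layout is the one the crypttab and fstab man pages describe; the function names are my own.

```shell
#!/bin/sh
# Added example: consistency check between /etc/crypttab and /etc/fstab.
# crypttab columns: <name> <source device> <key file> <options>
# fstab columns:    <device> <mount point> <type> <options> <dump> <pass>

# Print the mapping names defined in crypttab content ($1), skipping comments
# and blank lines.
crypttab_names() {
    printf '%s\n' "$1" | awk '!/^[ \t]*(#|$)/ { print $1 }'
}

# Print the names whose key file is "none", i.e. mappings that prompt for a
# passphrase when they are set up.
crypttab_prompting() {
    printf '%s\n' "$1" | awk '!/^[ \t]*(#|$)/ && $3 == "none" { print $1 }'
}

# check_tabs CRYPTTAB_CONTENT FSTAB_CONTENT
# Exit 0 when every /dev/mapper/NAME in fstab has a crypttab entry; otherwise
# print the missing names and exit 1. Additionally prints a note for mappings
# that prompt for a passphrase but are not marked noauto in fstab.
check_tabs() {
    names=$(crypttab_names "$1")
    prompting=$(crypttab_prompting "$1")
    printf '%s\n' "$2" | awk -v names="$names" -v prompting="$prompting" '
        BEGIN {
            bad = 0
            n = split(names, a, "\n"); for (i = 1; i <= n; i++) known[a[i]] = 1
            n = split(prompting, b, "\n"); for (i = 1; i <= n; i++) asks[b[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^\/dev\/mapper\// {
            name = $1; sub(/^\/dev\/mapper\//, "", name)
            if (!(name in known)) { print "missing crypttab entry for " name; bad = 1 }
            else if ((name in asks) && $4 !~ /(^|,)noauto(,|$)/)
                print "note: " name " will prompt for a passphrase at boot"
        }
        END { exit bad }'
}
```

On a real system run it as check_tabs "$(cat /etc/crypttab)" "$(cat /etc/fstab)"; a non-zero exit means fstab refers to a mapping that cryptdisks will never create, so the mount would fail at boot.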
Manual remounting
For those who don't want a passphrase prompt interrupting the boot process, the encrypted filesystem can be manually mounted:
cryptsetup create home /dev/hda9
You will be prompted for the existing passphrase at this point.
mount /dev/mapper/home /home
Troubleshooting a cryptsetup/debian crypto-ROOT setup
Several problems may occur in the process described above. Problems also arise if the kernel, cryptsetup or the initrd-tools get updated. Here are a few hints for solving a few common(?) problems:
- Mounted partitions: Do not try to cryptsetup mounted partitions! This will result in an error along the lines of: "device-mapper: table: 254:0: crypt: Device Lookup failed"
- Correct root partition. Make sure that grub's menu.lst (or lilo's equivalent) points to the decrypted root partition, i.e. /dev/mapper/root and not /dev/hdxy.
- Do not build an initrd with BUSYBOX set to YES. As of 06/11/05 and debian/testing, this breaks the initrd so that booting your system becomes impossible. For more information, see this mailing list post.
- The encryption mode setting in the created initrd may be wrong (which should provoke messages upon bootup that tell this, though). For example, change "aes-plain" in the script file of the initrd to "aes". (To do that, mount the initrd from Knoppix (or a similar rescue CD), copy it, change it and recreate it using mkcramfs). This should probably be filed as a bug somewhere...
--
That's it.