[dm-crypt] Encrypt all partitions with dm-crypt

Christophe kereoz at kereoz.org
Thu Aug 23 17:10:25 CEST 2012

On Thu, Aug 23, 2012 at 01:27:28PM +0200, Arno Wagner wrote:
> > What do you mean by plain dm-crypt ? 
> plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless
> set-up. Used this way in the man-page and the FAQ. I assume 
> that is what he meant. 

> > If you mean aes-plain, then the mechanisms
> That is something different. Plain dm-crypt defaults to
> aes-cbc-essiv:sha256

Sorry, aes-plain was the default in previous versions if my memory is right...
anyway, without LUKS headers is what I had in mind, aes-plain being one of the
possible cipher strings.

> > present in most distributions won't be able to "see" your encrypted volumes, and
> > /etc/crypttab won't be of any use either.
> > 
> > However, as Arno sait you can do it with an initramfs image. Debian for
> > instance has a pretty convenient mechanism to automatically create
> > initramfs images for your different kernels, and you can use hooks to
> > place your own scripts in it.  When you install cryptsetup, Debian updates
> > all the initramfs images with the cryptsetup binary. 
> Nice! Seems cryptsetup support in distros is definitely getting
> better.

Debian proposes an encrypted LVM partition scheme with cryptsetup/LUKS since a
few years now.
> > All you'll need to
> > to after that is to add a custom boot parameter to your bootloader (say
> > encrypted_root=/dev/sdX), place a script in the initramfs that will map
> > the partition with cryptsetup (e.g.  cryptsetup -c aes-plain create root
> > ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).
> So no full support yet? Pity. As some others here have pointed out,
> there are Distros with full cryptsetup integration. Gentoo seems
> to be one. On the other hand, it seems some problems Ubuntu has
> with LUKS are still not solved, so YMMV.

Debian has full support for cryptsetup/LUKS, but not for plain dm-crypt, not to
my knowledge anyway. I think this makes sense as there is no way to
automatically detect an encrypted partition with no header. 

The only advantage I can see in using encrypted partitions with no header is to
"hide" the encrypted volume, however the partition, cipher and hash function
have to be specified somewhere if one wants the distro to be able to do
automatic configuration. The bootloader will need it in its configuration, which
doesn't make it any better than LUKS in terms of discreetness.  

IMHO, successfully hiding an encrypted partition necessarily involves manual
operations, which makes plain dm-crypt out of the scope of a general distro such
as Debian.

More information about the dm-crypt mailing list