[dm-crypt] Encrypt all partitions with dm-crypt

Arno Wagner arno at wagner.name
Thu Aug 23 18:07:28 CEST 2012

On Thu, Aug 23, 2012 at 05:10:25PM +0200, Christophe wrote:
> On Thu, Aug 23, 2012 at 01:27:28PM +0200, Arno Wagner wrote:
> > > What do you mean by plain dm-crypt ? 
> > 
> > plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless
> > set-up. Used this way in the man-page and the FAQ. I assume 
> > that is what he meant. 
> > > If you mean aes-plain, then the mechanisms
> > 
> > That is something different. Plain dm-crypt defaults to
> > aes-cbc-essiv:sha256
> Sorry, aes-plain was the default in previous versions if my memory is right...
> anyway, without LUKS headers is what I had in mind, aes-plain being one of the
> possible cipher strings.

According to the FAQ Section 8.1 you are righ. (I wrote that,
so I think it is correct ;-)


> > > present in most distributions won't be able to "see" your encrypted volumes, and
> > > /etc/crypttab won't be of any use either.
> > > 
> > > However, as Arno sait you can do it with an initramfs image. Debian for
> > > instance has a pretty convenient mechanism to automatically create
> > > initramfs images for your different kernels, and you can use hooks to
> > > place your own scripts in it.  When you install cryptsetup, Debian updates
> > > all the initramfs images with the cryptsetup binary. 
> > 
> > Nice! Seems cryptsetup support in distros is definitely getting
> > better.
> Debian proposes an encrypted LVM partition scheme with cryptsetup/LUKS since a
> few years now.
> > > All you'll need to
> > > to after that is to add a custom boot parameter to your bootloader (say
> > > encrypted_root=/dev/sdX), place a script in the initramfs that will map
> > > the partition with cryptsetup (e.g.  cryptsetup -c aes-plain create root
> > > ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).
> > 
> > So no full support yet? Pity. As some others here have pointed out,
> > there are Distros with full cryptsetup integration. Gentoo seems
> > to be one. On the other hand, it seems some problems Ubuntu has
> > with LUKS are still not solved, so YMMV.
> Debian has full support for cryptsetup/LUKS, 

For encrypted root? News to me, but would be a good thing.

> but not for plain dm-crypt, not to
> my knowledge anyway. I think this makes sense as there is no way to
> automatically detect an encrypted partition with no header. 
> The only advantage I can see in using encrypted partitions with no header
> is to "hide" the encrypted volume, however the partition, cipher and hash

The second one is better resilience, as there is no header 
single-point-of-failure. Whether that is worth total loss of
key management depends on the application.

> function have to be specified somewhere if one wants the distro to be able
> to do automatic configuration.  

Thet is not the issue. Reasonable defaults would do that. The
issue is that the partiton type cannot be detected anymore 
without the key.

> The bootloader will need it in its
> configuration, which doesn't make it any better than LUKS in terms of
> discreetness.

Huh? What is the bootloader going to do with that info? Last
I checked, you still need a running kernel and system (possibly
in the form of an initrd) to do anything with encrypted partitions,
no matter whether LUKS or plain. I may be behind times here, if so,
please explain.

> IMHO, successfully hiding an encrypted partition necessarily involves
> manual operations, which makes plain dm-crypt out of the scope of a
> general distro such as Debian.

I agree. But hiding is not even supported by cryptsetup. 
Headerless operation is something else.

Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

More information about the dm-crypt mailing list