[dm-crypt] Encrypt all partitions with dm-crypt
arno at wagner.name
Wed Sep 5 15:01:25 CEST 2012
On Wed, Sep 05, 2012 at 08:21:36AM +0400, Stayvoid wrote:
> Hello there,
> Let's move back to the initial questions...
> I'd like to use a plain version of dm-crypt because it doesn't
> store a header on a disk. (Yes, I know that LUKS is a recommended
> way, but I've already made my choice.)
That is fine. I am doing the same in some places.
> I haven't found any guides to the plain version that's why I
> decided to ask first.
That is because the plain version is actually simpler to use,
it just is missing most "enterprise" features.
> Here is what I'm going to do:
> (These notes are based on this guide.
> I'm using a LiveUSB.)
> 1. Overwrite a hard disk:
> # dd if=/dev/urandom of=/dev/sda bs=1M
That will be very slow. The fastest method is to map
with plain dm-crypt and a random key (like the typical swap
set-up) and then overwrite with zeros.
Your solution will work though, although if you do it with
  dd_rescue /dev/urandom /dev/sda
you get a progress indicator.
> 2. Create partitions:
> # fdisk /dev/sda
> Here is my partition scheme:
> Device     Boot    Start       End    Blocks  Id  System
> /dev/sda1           2048    206847    102400  83  Linux
> /dev/sda2         206848   2303999   1048576  82  Linux
> /dev/sda3        2304000 312581807 155138904  83  Linux
> * /dev/sda1 -- /boot;
> * /dev/sda2 -- swap;
> * /dev/sda3 -- the rest.
> When can I create the filesystems?
> Can I do it at this step?
No. Nothing is encrypted. You could create the boot
filesystem if that stays unencrypted.
> 3. Mapping partitions:
> # cryptsetup -y -c aes-xts-plain -s 512 create swap /dev/sda2
> # cryptsetup -y -c aes-xts-plain -s 512 create main /dev/sda3
> After this step the guide suggests to unlock LUKS partitions:
> # cryptsetup luksOpen /dev/<partitions name> <device-mapper name>
> How to do it using the plain version of dm-crypt?
> Is it even necessary?
No. You just map it like you stated and then create the filesystem
on the mapped device. The luksFormat step does not happen.
  mke2fs -j /dev/mapper/main
> 4. Encrypting the swap partition with suspend-to-disk support:
> How to do it using the plain version?
No idea. Suspend-to-disk is insecure unless done right and it
needs to be done right by your distro. Basically you
can put in "cryptsetup create" for any "cryptsetup luksOpen" and
swap the arguments.
"cryptsetup close" and "cryptsetup luksClose" are synonyms
AFAIK, i.e. both remove the mapping whether plain or LUKS.
> What else should be done to finish the configuration?
> https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
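
The faster overwrite described in the reply above (plain dm-crypt mapping with a random key, then zeros), as an added example that is not part of the original message. The mapping name to_be_wiped, the function names, the dry-run default and the aes-xts-plain64 / 256-bit settings are assumptions of this example; it uses the newer "cryptsetup open --type plain" syntax rather than "cryptsetup create".

```shell
#!/bin/sh
# Added example, not from the original thread. MAPNAME and the function
# names are assumptions; aes-xts-plain64/256 is this example's choice.
MAPNAME=to_be_wiped

# Dry-run by default: print each command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Refuse anything that is not an idle block device.
wipe_check() {
    [ -b "$1" ] || { echo "refusing: $1 is not a block device" >&2; return 1; }
    if grep -q -- "^$1" /proc/mounts 2>/dev/null; then
        echo "refusing: $1 or one of its partitions is mounted" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        echo "refusing: mapping $MAPNAME already exists" >&2
        return 1
    fi
}

wipe_steps() {
    # 1. Plain mapping keyed from /dev/urandom; the key is never stored.
    run cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$1" "$MAPNAME" || return 1
    # 2. Zeros written through the mapping reach the disk as ciphertext.
    #    dd stops with "No space left on device" when the disk is full.
    run dd if=/dev/zero of="/dev/mapper/$MAPNAME" bs=1M || true
    # 3. Closing the mapping discards the key.
    run cryptsetup close "$MAPNAME"
}

wipe_disk() { wipe_check "$1" && wipe_steps "$1"; }

# Usage: DRY_RUN=0 sh wipe.sh /dev/sdX   (destroys all data on /dev/sdX)
if [ $# -gt 0 ]; then wipe_disk "$1"; fi
```

With DRY_RUN unset the script only prints the three commands, so the target device can be reviewed before anything is written.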