I wanted a small encrypted part of my hard disk, and I found http://www.debian-administration.org/articles/469 (which uses LVM as an example, which was a bit of a pain, as I'm not using LVM), and http://www.saout.de/ (which doesn't use LVM, but skips a few details at the end) both to be very useful.
Both articles are far better than this one at explaining why you do each step; I just didn't find the actual syntax required to be very clear. This article aims to fill that gap.
It took a while to sort out the exact syntax necessary to get it running on boot. So here it is:
Partition to be encrypted: /dev/sda8
1 (Optional): Wipe out the current contents:
# dd if=/dev/urandom of=/dev/sda8
2: Create encrypted partition
Replace the "passphrase_goes_here" with the passphrase you'll enter every time you want to mount the filesystem (on boot, or afterwards).
# cryptsetup luksFormat /dev/sda8

WARNING!
========
This will overwrite data on /dev/sda8 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: passphrase_goes_here
Verify passphrase: passphrase_goes_here
Command successful.

# cryptsetup luksOpen /dev/sda8 crypto
Enter LUKS passphrase: passphrase_goes_here
key slot 0 unlocked.
Command successful.
You have made an encrypted partition, known as /dev/mapper/crypto (instead of /dev/sda8, which is now useless to the normal tools - mount /dev/sda8, for example, will no longer work).
3: Create a filesystem
# mkfs.ext3 /dev/mapper/crypto
mke2fs 1.40.2 (12-Jul-2007)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
973440 inodes, 1945736 blocks
97286 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1996488704
60 block groups
32768 blocks per group, 32768 fragments per group
16224 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
4: Set it to mount on boot
You'll need an entry in /etc/crypttab, and also in /etc/fstab:

# echo "crypto /dev/sda8 none luks,check=ext2,retry=1" >> /etc/crypttab
# echo "/dev/mapper/crypto /crypto ext3 defaults 1 2" >> /etc/fstab
# mkdir /crypto
... you'll also need to remove (or comment out) any existing /dev/sda8 entries in /etc/fstab.
5: Configure initramfs
I'm not sure if this is needed; for a non-root filesystem, I doubt it.
# update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-2.6.22-2-686
update-initramfs: Generating /boot/initrd.img-2.6.18-5-686
6: Use it!
You should be prompted for the passphrase when the system boots - just before it mounts the filesystems. If you enter the right one, it will mount it; otherwise, the encrypted filesystem will not be mounted.
If you later want to mount it, then you can do this:
# cryptsetup luksOpen /dev/sda8 crypto
Enter LUKS passphrase: passphrase_goes_here
key slot 0 unlocked.
Command successful.
# mount /dev/mapper/crypto /crypto
Or you can unmount it, and make it so that it can't be remounted (without the passphrase), like this:
# umount /crypto
# cryptsetup luksClose crypto
This can all be embodied into a wrapper script:
#!/bin/sh
# Wrapper around the luksOpen/mount and umount/luksClose steps above.
case $1 in
    start)
        # only mount if the passphrase was accepted and the mapping exists
        cryptsetup luksOpen /dev/sda8 crypto || exit 1
        echo "Mounting /crypto..."
        mount /dev/mapper/crypto /crypto
        ;;
    stop)
        echo "Unmounting /crypto..."
        umount /crypto && cryptsetup luksClose crypto
        ;;
    *)
        echo "Usage: crypt [ start | stop ]"
        ;;
esac
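Step 4 leaves the system depending on /etc/crypttab and /etc/fstab agreeing with each other, and the stale /dev/sda8 entry is easy to miss. The POSIX shell function below is an added example, not code from the original article: it cross-checks the two files (paths given as arguments, defaulting to the real /etc files) and reports a mapped device that is never mounted, or a raw device that is still listed in fstab.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check that /etc/crypttab
# and /etc/fstab agree before the first reboot. For each crypttab mapping
# "name device keyfile options" it verifies that
#   1. /dev/mapper/<name> is mounted by some fstab line, and
#   2. the raw <device> (e.g. /dev/sda8) no longer appears as an fstab source,
#      since a leftover entry points at the now-unreadable LUKS container.
# Comment lines (leading '#') in either file are ignored.
# Usage: check_crypttab_fstab [crypttab] [fstab]   (defaults to the /etc files)
# Returns 0 when everything is consistent, 1 when a problem was printed,
# and 2 when a file cannot be read.

fstab_has_source() {
    # true when some non-comment fstab line names $1 in its device field
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$2"
}

check_crypttab_fstab() {
    ct_file=${1:-/etc/crypttab}
    fs_file=${2:-/etc/fstab}
    [ -r "$ct_file" ] || { echo "cannot read $ct_file" >&2; return 2; }
    [ -r "$fs_file" ] || { echo "cannot read $fs_file" >&2; return 2; }
    ct_status=0
    # the "|| [ -n ... ]" keeps a last line that lacks a trailing newline
    while read -r ct_name ct_dev ct_key ct_opts || [ -n "$ct_name" ]; do
        case "$ct_name" in ''|'#'*) continue ;; esac
        mapper="/dev/mapper/$ct_name"
        if ! fstab_has_source "$mapper" "$fs_file"; then
            echo "WARNING: $mapper is mapped in $ct_file but never mounted in $fs_file"
            ct_status=1
        fi
        if fstab_has_source "$ct_dev" "$fs_file"; then
            echo "ERROR: raw device $ct_dev is still listed in $fs_file; remove or comment it out"
            ct_status=1
        fi
    done < "$ct_file"
    return $ct_status
}
```

Source the file (. ./cryptcheck.sh) and run check_crypttab_fstab before rebooting; an exit status of 0 means the two files agree.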