I wanted a small encrypted part of my hard disk. I found http://www.debian-administration.org/articles/469 (which uses LVM as an example, which was a bit of a pain, as I'm not using LVM) and http://www.saout.de/ (which doesn't use LVM, but skips a few details at the end) both very useful.

Both articles are far better than this one at explaining why you do each step; I just didn't find the actual syntax required to be very clear. This article aims to fill that gap.

It took a while to sort out the exact syntax necessary to get it running on boot. So here it is:

Partition to be encrypted:  /dev/sda8
Mountpoint:                 /crypto


1 (Optional): Wipe out the current contents:

Filling the partition with random data first means the old contents are gone and an attacker can't tell used from unused space afterwards. It is slow on a large partition, and dd will end with a "No space left on device" error once it reaches the end of the partition; that is expected.

# dd if=/dev/urandom of=/dev/sda8

2: Create encrypted partition

Replace "passphrase_goes_here" with the passphrase you'll enter every time you want to mount the filesystem (on boot, or afterwards). The passphrase is shown below only for illustration; cryptsetup does not echo it when you type it.

# cryptsetup luksFormat /dev/sda8

WARNING!
========
This will overwrite data on /dev/sda8 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: passphrase_goes_here
Verify passphrase: passphrase_goes_here
Command successful.
# cryptsetup luksOpen /dev/sda8 crypto
Enter LUKS passphrase: passphrase_goes_here
key slot 0 unlocked.
Command successful.

You have made an encrypted partition. The decrypted view of it is the device-mapper device /dev/mapper/crypto, and that is what you use from now on. /dev/sda8 itself now holds only the LUKS header and ciphertext, so it is useless to the normal tools: mount /dev/sda8, for example, will no longer work.

3: Create a filesystem

# mkfs.ext3 /dev/mapper/crypto
mke2fs 1.40.2 (12-Jul-2007)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
973440 inodes, 1945736 blocks
97286 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1996488704
60 block groups
32768 blocks per group, 32768 fragments per group
16224 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

4: Set it to mount on boot

You'll need an entry in /etc/crypttab, and also in /etc/fstab. The crypttab fields are: the name to give the mapping (so the decrypted device appears as /dev/mapper/crypto), the underlying partition, "none" (meaning prompt for a passphrase at boot rather than read a key file), and the options:

# mkdir /crypto
# echo "crypto /dev/sda8 none luks,check=ext2,retry=1" >> /etc/crypttab
# echo "/dev/mapper/crypto /crypto ext3 defaults 1 2" >> /etc/fstab

... you'll also need to remove (or comment out) any existing /dev/sda8 entries in /etc/fstab, since the raw partition can no longer be mounted directly.

5: Configure initramfs

I'm not sure if this is needed; for a non-root filesystem, I doubt it. The initramfs only has to know about encrypted devices that must be open before the root filesystem is mounted; an /etc/crypttab entry for a data partition like this one is handled by the cryptdisks init scripts later in the boot. Running it does no harm, though:

# update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-2.6.22-2-686
update-initramfs: Generating /boot/initrd.img-2.6.18-5-686

6: Use it!

You should be prompted for the passphrase when the system boots, just before it mounts the filesystems. If you enter the right one, /crypto is mounted; otherwise the mapping is never created and the encrypted filesystem is not mounted.

If you later want to mount it, then you can do this:

# cryptsetup luksOpen /dev/sda8 crypto
Enter LUKS passphrase: passphrase_goes_here
key slot 0 unlocked.
Command successful.
# mount /dev/mapper/crypto /crypto

Or you can unmount it and close the mapping, so that /dev/mapper/crypto disappears and the key is discarded from the kernel; it can't be remounted without the passphrase:

# umount /crypto
# cryptsetup luksClose crypto

This can all be embodied in a wrapper script:

#!/bin/sh
# crypt: open and mount the encrypted volume, or unmount and close it.
DEV=/dev/sda8
NAME=crypto
MNT=/crypto

case "$1" in
  start)
	cryptsetup luksOpen "$DEV" "$NAME" || exit 1   # wrong passphrase: don't try to mount
	echo "Mounting $MNT..."
	mount "/dev/mapper/$NAME" "$MNT"
	;;
  stop)
	echo "Unmounting $MNT..."
	umount "$MNT" || exit 1                         # never close the mapping under a live mount
	cryptsetup luksClose "$NAME"
	;;
  *)
	echo "Usage: crypt [ start | stop ]"
	exit 1
	;;
esac
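Steps 1 to 5 above, scripted for an arbitrary partition, mapper name and mountpoint, with the checks a plain copy-and-paste skips (refusing a partition that is mounted, already LUKS, or already in /etc/crypttab, and commenting out the old fstab lines for the raw partition instead of leaving them). This is an added example, not code from the original article; it assumes Debian's cryptsetup (the same crypttab options as above) and GNU dd. The function names, the /etc/fstab.bak backup path and the constructed sample fstab in demo_fstab_rewrite are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: steps 1 to 5 as one script.
# Function names, the /etc/fstab.bak backup and the sample fstab in
# demo_fstab_rewrite are assumptions; the crypttab and fstab lines are the
# article's own.
set -eu

# The /etc/crypttab line: mapper name, backing partition, "none" (ask for a
# passphrase at boot), and the options the article uses.
crypttab_entry() {           # $1 = mapper name, $2 = backing partition
    printf '%s %s none luks,check=ext2,retry=1\n' "$1" "$2"
}

# The /etc/fstab line that mounts the decrypted mapper device (fsck pass 2).
fstab_entry() {              # $1 = mapper name, $2 = mountpoint
    printf '/dev/mapper/%s %s ext3 defaults 1 2\n' "$1" "$2"
}

# Comment out every active fstab line whose device field is $2 (the raw
# partition must never be mounted directly again); lines that are already
# comments, and every other line, pass through unchanged.
disable_fstab_lines() {      # $1 = fstab file, $2 = raw partition
    awk -v dev="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == dev { print "#" $0; next }
        { print }
    ' "$1"
}

# Refuse to format a partition that is mounted, already LUKS, or already
# named in /etc/crypttab: luksFormat destroys the old contents irrevocably.
refuse_if_in_use() {         # $1 = partition, $2 = mapper name
    if grep -q "^$1 " /proc/mounts; then
        echo "$1 is mounted; unmount it first" >&2; return 1
    fi
    if cryptsetup isLuks "$1" 2>/dev/null; then
        echo "$1 already has a LUKS header; refusing to reformat it" >&2; return 1
    fi
    if grep -qs "^$2[[:space:]]" /etc/crypttab; then
        echo "$2 is already listed in /etc/crypttab" >&2; return 1
    fi
}

# Steps 1 to 5, run as root. cryptsetup prompts for the passphrase itself
# (twice for luksFormat, once for luksOpen); nothing is read from arguments.
setup_encrypted_partition() { # $1 = partition, $2 = mapper name, $3 = mountpoint
    dev=$1; name=$2; mnt=$3
    refuse_if_in_use "$dev" "$name"
    # Step 1: dd exits non-zero with "No space left on device" once the
    # partition is full, which is the expected end of a wipe.
    dd if=/dev/urandom of="$dev" bs=1M || true
    cryptsetup luksFormat "$dev"                     # step 2
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext3 "/dev/mapper/$name"                    # step 3
    mkdir -p "$mnt"                                  # step 4
    cp /etc/fstab /etc/fstab.bak                     # keep the old fstab
    disable_fstab_lines /etc/fstab.bak "$dev" > /etc/fstab
    crypttab_entry "$name" "$dev" >> /etc/crypttab
    fstab_entry "$name" "$mnt" >> /etc/fstab
    mount "$mnt"                                     # uses the new fstab line
    # Step 5 (update-initramfs) is only needed when the volume must be open
    # before the root filesystem; for a data partition like this it is not.
}

# Dry run of the fstab edit on a constructed sample fstab, so the rewrite
# can be checked without touching the real file or a real partition.
demo_fstab_rewrite() {       # $1 = raw partition to retire
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample /etc/fstab' \
        '/dev/sda1 / ext3 errors=remount-ro 0 1' \
        "$1 /data ext3 defaults 0 2" \
        "#$1 /old ext3 defaults 0 2" > "$tmp"
    disable_fstab_lines "$tmp" "$1"
    rm -f "$tmp"
}

if [ $# -eq 3 ]; then
    setup_encrypted_partition "$1" "$2" "$3"    # e.g. /dev/sda8 crypto /crypto
else
    demo_fstab_rewrite /dev/sda8
fi
```

Run it as root with the partition, mapper name and mountpoint (for this article, /dev/sda8 crypto /crypto). With no arguments it only rewrites the constructed sample fstab, so you can see what disable_fstab_lines does to existing /dev/sda8 lines before letting it near the real /etc/fstab.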
Linux Encrypted Filesystems with LUKS