This is a short howto to describe the basic usage of Device-Mapper, DM-Crypt, and Cryptsetup to mount and use encrypted partitions and container files.
This is partially in response to the recent articles about the number of USB flash thumbdrives that are regularly lost. If we learn to use encryption, then that statistic is just sad but not worrying. (see The problem of lost USB flash thumbdrives)
Background
Device Mapper and DM-Crypt
Starting in version 2.6, the Linux kernel provides the Device-Mapper interface. This interface allows layers of virtual block devices to be created on top of real block devices. These devices are used for things like RAID formats, snapshots, or encryption. DM-Crypt is the Device-Mapper module that provides access to the kernel's cryptographic functions.
Cryptsetup
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions to facilitate cross-distribution compatibility, to allow for multiple users/passwords and effective password revocation, and to provide additional security against attacks on low-entropy passphrases. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.
Creating a New Encrypted Container File or Partition
Create the Container and Loopback Mount it
First we need to create the container file, and loopback mount it.
Note: Skip this step for encrypted partitions.
root@host:~$ dd if=/dev/urandom of=testfile bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 1.77221 seconds, 5.9 MB
root@host:~$ losetup /dev/loop/0 testfile
root@host:~$
luksFormat
Before we can open an encrypted partition, we need to initialize it.
Note: For encrypted partitions replace the loopback device with the device name of the partition.
root@host:~$ cryptsetup luksFormat /dev/loop/0
WARNING!
========
This will overwrite data on /dev/loop/0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@host:~$
luksOpen
Now that the partition is formatted, we can create a Device-Mapper mapping for it.
root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@host:~$
Formatting the Filesystem
The first time we create the Device-Mapper mapping, we need to format the new virtual device with a new filesystem.
root@host:~$ mkfs.ext2 /dev/mapper/testfs
mke2fs 1.39-WIP (09-Apr-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2432 inodes, 9724 blocks
486 blocks (5.00%) reserved for the super user
First data block=1
2 block groups
8192 blocks per group, 8192 fragments per group
1216 inodes per group
Superblock backups stored on blocks:
8193
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to overri
root@host:~$
Mounting the Virtual Device
Now, we can mount the new virtual device just like any other device.
root@host:~$ mount /dev/mapper/testfs /mnt/test/
root@host:~$
Mounting an Existing Encrypted Container File or Partition
Note: Skip the losetup step for encrypted partitions.
root@host:~$ losetup /dev/loop/0 testfile
root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@host:~$ mount /dev/mapper/testfs /mnt/test/
root@host:~$
Unmounting and Closing an Encrypted Container File or Partition
Note: Skip the losetup -d step for encrypted partitions.
root@host:~$ umount /mnt/test
root@host:~$ cryptsetup luksClose /dev/mapper/testfs
root@host:~$ losetup -d /dev/loop/0
root@host:~$
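The three procedures above (creating a new container, opening an existing one, and closing it) as one shell script. This is an added example and not part of the original howto; it wraps the same commands in functions and adds the checks an administrator would want around an irrevocable luksFormat. It assumes a LUKS-enabled cryptsetup, a util-linux losetup that supports -f and --show (so the script picks a free loop device instead of hard-coding /dev/loop/0), mkfs.ext2, and root privileges for everything except valid_map_name. The names testfile, testfs and /mnt/test are the howto's own; the function names are this example's.

```shell
#!/bin/sh
# Added example, not part of the original howto: create / open / close an
# encrypted container with dm-crypt + LUKS, with safety checks around each step.
set -eu

# /dev/mapper/<name> is built from the mapping name; accept only a plain token
# so a stray argument cannot point mount or luksClose at some other path.
valid_map_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# luksFormat overwrites the header irrevocably (as cryptsetup's own warning
# says); refuse it on anything that is mounted or already carries a LUKS header.
safe_to_format() {
    dev=$1
    if grep -q "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2; return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing: $dev already has a LUKS header" >&2; return 1
    fi
}

# Creating a new container: fill the file, attach the first free loop device
# and print its path.  For a real partition skip this and pass the partition
# device straight to container_format.
container_create() {   # FILE SIZE_MB
    dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null
    chmod 600 "$1"     # no reason for the container file to be world-readable
    losetup -f --show "$1"
}

# luksFormat / luksOpen / mkfs / mount.  cryptsetup reads the passphrase from
# the terminal itself, so it never appears on a command line or in history.
container_format() {   # DEV NAME MOUNTPOINT
    valid_map_name "$2" || { echo "bad mapping name: $2" >&2; return 1; }
    safe_to_format "$1" || return 1
    cryptsetup -q luksFormat "$1"     # -q only skips the "Type uppercase yes" prompt
    cryptsetup luksOpen "$1" "$2"
    mkfs.ext2 -q "/dev/mapper/$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

# Opening an existing container: losetup, luksOpen, mount.
container_open() {     # FILE NAME MOUNTPOINT
    valid_map_name "$2" || return 1
    dev=$(losetup -f --show "$1")
    cryptsetup luksOpen "$dev" "$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

# Closing: strictly the reverse order (umount, luksClose, losetup -d).  Steps
# already done are skipped, so the function can be rerun after a partial
# failure, and the loop device is read from the mapping instead of assumed.
container_close() {    # NAME MOUNTPOINT
    valid_map_name "$1" || return 1
    if grep -q " $2 " /proc/mounts; then umount "$2"; fi
    if cryptsetup status "$1" >/dev/null 2>&1; then
        dev=$(cryptsetup status "$1" | awk '/device:/ { print $2 }')
        cryptsetup luksClose "$1"
        case "$dev" in /dev/loop*) losetup -d "$dev" ;; esac
    fi
}

# Usage (as root):
#   sh dmcrypt.sh create testfile 10 testfs /mnt/test
#   sh dmcrypt.sh open   testfile testfs /mnt/test
#   sh dmcrypt.sh close  testfs /mnt/test
case "${1:-}" in
    create) dev=$(container_create "$2" "$3"); container_format "$dev" "$4" "$5" ;;
    open)   container_open "$2" "$3" "$4" ;;
    close)  container_close "$2" "$3" ;;
esac
```

The close function is the part worth copying even if the rest is typed by hand: the howto's teardown order (umount, then luksClose, then losetup -d) must be kept, because luksClose fails while the filesystem is mounted and losetup -d fails while the mapping still references the loop device.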
Handling Multiple Users and Passwords
The LUKS header allows you to assign 8 different passwords that can access the encrypted partition or container. This is useful for environments where the CEO & CTO can each have passwords for the device and the administrator(s) can have another. This makes it easy to change the password in case of employee turnover while keeping the data accessible.
Adding passwords to new slots
root@host:~$ cryptsetup luksAddKey /dev/loop/0
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.
root@host:~$
Deleting key slots
root@host:~$ cryptsetup luksDelKey /dev/loop/0 1
Command successful.
root@host:~$
Displaying LUKS Header Information
root@host:~$ cryptsetup luksDump /dev/loop/0
LUKS header information for /dev/loop/0
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: a9 3c c2 33 0b 33 db ff d2 b9 dc 6c 01 d6 90 48 1d c1 2e bb
MK salt: 98 46 a3 28 64 35 f1 55 f0 2b 8e af f5 71 16 64
3c 30 1f 6c b1 4b 43 fd 23 49 28 a6 b0 e4 e2 14
MK iterations: 10
UUID: 089559af-41af-4dfe-b736-9d9d48d3bf53
Key Slot 0: ENABLED
Iterations: 254659
Salt: 02 da 9c c3 c7 39 a5 62 72 81 37 0f eb aa 30 47
01 1b a8 53 93 23 83 71 20 03 1b 6c 90 84 a5 6e
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
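A script that ties the two previous sections together: it parses luksDump output to report the cipher, master-key size and enabled key slots, and it rotates a key slot (luksAddKey, then luksDelKey) with the guard the text implies but does not spell out: a slot is only deleted when another enabled slot remains, since deleting the last one leaves the master key unrecoverable. This is an added example, not part of the original howto. It assumes the LUKS version 1 luksDump layout shown above; the SAMPLE_DUMP embedded below is constructed for this example (slots 0 and 3 enabled, cipher and key size copied from the howto's dump) and is not output from a real device. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit a LUKS1 header from
# luksDump output and rotate a key slot without ever deleting the last one.
set -eu

# Constructed sample in the layout of the howto's luksDump, not real output.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information for /dev/loop/0
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
Key Slot 0: ENABLED
Iterations: 254659
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
Iterations: 261002
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
)

# Every parser reads luksDump text on stdin, so it can be tested offline and
# pointed at a real device with:  cryptsetup luksDump DEV | luks_enabled_slots
luks_enabled_slots() {      # one enabled slot number per line
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}
luks_count_enabled() {
    luks_enabled_slots | awk 'END { print NR }'
}
luks_cipher() {             # e.g. aes-cbc-essiv:sha256, the form luksFormat --cipher takes
    awk '/^Cipher name:/ { n = $3 } /^Cipher mode:/ { m = $3 } END { print n "-" m }'
}
luks_key_bits() {           # master key length; 128 in the howto's dump
    awk '/^MK bits:/ { print $3 }'
}

# A slot may be deleted only if it is enabled AND another enabled slot remains.
luks_slot_deletable() {     # SLOT, dump on stdin
    slots=$(luks_enabled_slots)
    printf '%s\n' "$slots" | grep -qx "$1" || return 1
    [ "$(printf '%s\n' "$slots" | grep -cvx "$1")" -gt 0 ]
}

# Replace the passphrase held in OLD_SLOT: add the new passphrase first
# (cryptsetup prompts for an existing one, then the new one), confirm the
# header gained a slot, and only then delete the old slot.  Deleting first
# would risk a device with no usable slot if luksAddKey then failed.
luks_rotate_slot() {        # DEV OLD_SLOT  (run as root)
    dev=$1; old=$2
    cryptsetup luksDump "$dev" | luks_slot_deletable "$old" || {
        echo "slot $old is not enabled or is the only enabled slot; not rotating" >&2
        return 1
    }
    before=$(cryptsetup luksDump "$dev" | luks_count_enabled)
    cryptsetup luksAddKey "$dev"
    after=$(cryptsetup luksDump "$dev" | luks_count_enabled)
    [ "$after" -gt "$before" ] || { echo "luksAddKey did not add a slot" >&2; return 1; }
    cryptsetup luksDelKey "$dev" "$old"
}

# One-line audit of a real device (as root):  sh luksaudit.sh /dev/loop/0
if [ -n "${1:-}" ]; then
    dump=$(cryptsetup luksDump "$1")
    printf 'cipher=%s key_bits=%s enabled_slots=%s\n' \
        "$(printf '%s\n' "$dump" | luks_cipher)" \
        "$(printf '%s\n' "$dump" | luks_key_bits)" \
        "$(printf '%s\n' "$dump" | luks_enabled_slots | tr '\n' ',')"
fi
```

The audit line is what to keep an eye on after employee turnover: the number of enabled slots should match the number of people who are supposed to hold a passphrase, and the "MK bits" value is fixed at luksFormat time, so a larger master key has to be chosen when the container is created.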