root@squeeze:~# apt-get install cryptsetup
root@squeeze:~# vgcreate vol0 /dev/sda
  No physical volume label read from /dev/sda
  Physical volume "/dev/sda" successfully created
  Volume group "vol0" successfully created
root@squeeze:~# vgs
  VG   #PV #LV #SN Attr   VSize    VFree
  vol0   1   0   0 wz--n- 1020.00m 1020.00m
root@squeeze:~# lvcreate -n lv_crypt -L 200M vol0
  Logical volume "lv_crypt" created
root@squeeze:~# lvs
  LV       VG   Attr   LSize   Origin Snap%  Move Log Copy%  Convert
  lv_crypt vol0 -wi-a- 200.00m
After this, the best thing to do is to fill the volume with random data, so that the encrypted area is indistinguishable from unused space.
root@squeeze:~# dd if=/dev/urandom of=/dev/mapper/vol0-lv_crypt
dd: writing to `/dev/mapper/vol0-lv_crypt': No space left on device
409601+0 records in
409600+0 records out
209715200 bytes (210 MB) copied, 60.7331 s, 3.5 MB/s
Finally, we create (format) the encrypted volume and open it to make it available to the system.
root@squeeze:~# cryptsetup luksFormat /dev/mapper/vol0-lv_crypt

WARNING!
========
This will overwrite data on /dev/mapper/vol0-lv_crypt irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
root@squeeze:~# cryptsetup luksOpen /dev/mapper/vol0-lv_crypt crypt
Enter passphrase for /dev/mapper/vol0-lv_crypt:
Once opened, we can access it as a non-encrypted block device under /dev/mapper/crypt (all the names can be changed to whatever suits you), so we can format and mount it like a normal partition.
root@squeeze:~# mkfs.ext4 /dev/mapper/crypt
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
51000 inodes, 203772 blocks
10188 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks:
	8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@squeeze:~# mount /dev/mapper/crypt /media/crypt/
If you are using a graphical desktop such as GNOME, Nautilus can manage the volume automatically, asking you for the passphrase and the root password.
You can avoid working on the command line by using the /etc/crypttab file, which opens this volume during system boot. The syntax of this file is pretty simple:
root@squeeze:~# cryptsetup luksUUID /dev/mapper/vol0-lv_crypt
1495abcf-38b5-4065-9880-4f8512d7c535
root@squeeze:~# cat /etc/crypttab
#
crypt UUID=1495abcf-38b5-4065-9880-4f8512d7c535 none luks
By using the disk UUID we avoid future problems with the disk not appearing at the same device path (as happens with a USB stick).
At boot time, the system will ask for the passphrase to open the encrypted disk.
We can also specify a file containing the key, to avoid this prompt. We can keep that file on an external USB drive, or keep such key files locally to open external USB drives.
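The crypttab and key-file steps above, as an added example that is not part of the original post: a few POSIX shell functions that build a crypttab line from a LUKS UUID, create a key file with restrictive permissions, check that a key file is not readable by other users, and enrol it with luksAddKey. The device and mapper names are the ones used in the post; the key file path /root/crypt.key is an assumption.

```shell
# Added example, not the post's own commands. Assumes the names from the
# post (vol0/lv_crypt, mapper name "crypt"); /root/crypt.key is a made-up path.

# Emit one crypttab line: <target> <source device> <key file> <options>.
# Rejects a malformed UUID so a typo cannot yield a line that never matches
# any device at boot.
crypttab_entry() {
    target=$1; uuid=$2; keyfile=${3:-none}; options=${4:-luks}
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s UUID=%s %s %s\n' "$target" "$uuid" "$keyfile" "$options"
}

# Create a random key file of $2 bytes (default 4096), written under
# umask 077 so it is never group/world readable, then locked to 0400.
# Refuses to overwrite an existing file (that could be a key already in use).
make_keyfile() {
    path=$1; size=${2:-4096}
    [ -e "$path" ] && return 1
    ( umask 077 && dd if=/dev/urandom of="$path" bs="$size" count=1 2>/dev/null ) || return 1
    chmod 0400 "$path"
}

# A key file is safe to reference from crypttab only if it is a regular
# file with no group or other permission bits (columns 5-10 of ls -l).
# cryptsetup reads it as root, so it should be root-owned as well.
keyfile_is_safe() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Register the key file as an additional LUKS key slot. Needs root and an
# existing passphrase, which cryptsetup prompts for. Not run in this file.
enroll_keyfile() {
    dev=$1; keyfile=$2
    keyfile_is_safe "$keyfile" || return 1
    cryptsetup luksAddKey "$dev" "$keyfile"
}

# Usage as root, with the names from the post:
#   make_keyfile /root/crypt.key
#   enroll_keyfile /dev/mapper/vol0-lv_crypt /root/crypt.key
#   crypttab_entry crypt "$(cryptsetup luksUUID /dev/mapper/vol0-lv_crypt)" \
#       /root/crypt.key luks >> /etc/crypttab
```

A key file kept on the root filesystem is only as protected as that filesystem, which is why it pairs naturally with the external-drive arrangements described above; the passphrase slot stays valid, so the key file can be removed again with luksRemoveKey.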