Encrypted filesystems in Debian Squeeze

We need to have cryptsetup installed
root@squeeze:~# apt-get install cryptsetup
The partition can be a whole disk (a pendrive per example), a partition or even a lvm volume. In this case, we are going to use a lvm volume using a hard disk
root@squeeze:~# vgcreate vol0 /dev/sda
No physical volume label read from /dev/sda
Physical volume "/dev/sda" successfully created
Volume group "vol0" successfully created

root@squeeze:~# vgs
VG   #PV #LV #SN Attr   VSize    VFree   
vol0   1   0   0 wz--n- 1020.00m 1020.00m

root@squeeze:~# lvcreate -n lv_crypt -L 200M vol0
Logical volume "lv_crypt" created

root@squeeze:~# lvs
LV       VG   Attr   LSize   Origin Snap%  Move Log Copy%  Convert
lv_crypt vol0 -wi-a- 200.00m 


After this, the best thing to do is to write random data in the partition to generate noise.

root@squeeze:~# dd if=/dev/urandom of=/dev/mapper/vol0-lv_crypt
dd: writing to `/dev/mapper/vol0-lv_crypt': No space left on device
409601+0 records in
409600+0 records out
209715200 bytes (210 MB) copied, 60.7331 s, 3.5 MB/s

Finally, we create/format the encrypted partition, and open it to have it available to the system

root@squeeze:~# cryptsetup luksFormat /dev/mapper/vol0-lv_crypt 

This will overwrite data on /dev/mapper/vol0-lv_crypt irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
root@squeeze:~# cryptsetup luksOpen /dev/mapper/vol0-lv_crypt crypt
Enter passphrase for /dev/mapper/vol0-lv_crypt: 

Once opened, we can access it as a non-encrypted partition available under /dev/mapper/crypt (all the names can be changed to something more suitable for you), so we can format and access it like a normal partition.

root@squeeze:~# mkfs.ext4 /dev/mapper/crypt 
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
51000 inodes, 203772 blocks
10188 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks: 
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

root@squeeze:~# mount /dev/mapper/crypt /media/crypt/

If you are using a graphical desktop, like GNOME, it can manage it automatically with Nautilus, asking you the pass-phrase and root password.

You can avoid to work in the command line using the /etc/crypttab file, to open this filesystem during system boot. The systax of this file is pretty simple:

root@squeeze:~# cryptsetup luksUUID /dev/mapper/vol0-lv_crypt 
root@squeeze:~# cat /etc/crypttab 
crypt   UUID=1495abcf-38b5-4065-9880-4f8512d7c535 none  luks

Using the disk UUID we can avoid future problems of the disk not being in the same path (like a pendrive)

At boot time, the system will ask for the passphare to open the encrypted disk

We can also especify a file with the key, to avoid this question. We can have a external usb drive with this file, or we can have this key files locally, to open external usb drives.


Avoiding unnecesary restarts

When you have a lot of servers to manage from a single keyboard/monitor, sometimes is easy to reboot a Linux system when trying to login into a Windows one using the crtl+alt+del keys. To solve this, just comment this line in the /etc/inittab file:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

Evitando apagados innecesarios

Cuando se maneja un gran número de servidores desde un único monitor/teclado, más de una vez se corre el peligro de que por querer hacer las cosas rápidas, pulsamos crtl+alt+sup para iniciar sesión en Windows… pero si es un Linux, eso supone un reinicio del servidor. Para evitarlo, en el fichero /etc/inittab, buscaremos algo parecido a esta línea y la comentamos:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now