Dm-crypt
Introduction
dmcrypt is a way of encrypting and decrypting files using a cryptographic cipher, and it lets you access these files like a normal block device. dmcrypt is designed to be put on a block device, but with a loopback device we can easily avoid the need for a separate partition.
There are other ways to encrypt files, such as Cryptoloop (deprecated, less secure and uncleanly coded) or loopaes (more secure and faster, but harder to use).
Security Issue
As for every other hard drive encryption mechanism, the encryption key is stored in RAM to allow dm-crypt to encrypt/decrypt the data. Therefore the security of the key relies on the security of the RAM.
Recently some researchers have found that, under certain conditions, it is possible to retrieve this key, even if the system is shut down.
See: http://citp.princeton.edu/memory/
A workaround would be to always shut down your system properly, and stay around for a while to ensure that nobody is playing with your computer. For the more paranoid ones, you can also take the RAM in your pocket, making the key effectively inaccessible.
You have to remember that hard-drive encryption is only effective when the corresponding partition is unmounted. An encrypted partition which is always mounted is as secure as a clear partition, as one may access each of them the same way.
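To check the point above on a running system, the following added example (not part of the original page) lists dm-crypt mappings that are still set up and says whether each one is mounted. It assumes mounts refer to the mapping as /dev/mapper/<name>; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list dm-crypt mappings that are still set up.
# $1 = output of `dmsetup ls --target crypt`, $2 = file in /proc/mounts format.
# Assumption: mounts reference the mapping as /dev/mapper/<name>.
# Returns 0 only when no crypt mapping exists (dm-crypt holds no key).
open_crypt_report() {
    ocr_found=0
    while read -r ocr_name ocr_rest; do
        [ -n "$ocr_name" ] || continue
        # dmsetup prints this message instead of a list when nothing is mapped
        [ "$ocr_name $ocr_rest" = "No devices found" ] && continue
        ocr_found=1
        ocr_mnt=$(awk -v d="/dev/mapper/$ocr_name" '$1 == d { print $2; exit }' "$2")
        if [ -n "$ocr_mnt" ]; then
            echo "$ocr_name: mounted on $ocr_mnt"
        else
            # Unmounted, but /dev/mapper/<name> still decrypts until removed
            echo "$ocr_name: unmounted, mapping still open"
        fi
    done <<EOF
$1
EOF
    [ "$ocr_found" -eq 0 ]
}

# Constructed sample input (not captured from a real system).
SAMPLE_DMSETUP='mycrypt (253, 0)
backup (253, 1)'
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/mapper/mycrypt /mnt/point ext2 rw 0 0'

case "${1:-}" in
    live) open_crypt_report "$(dmsetup ls --target crypt)" /proc/mounts ;;  # needs root
    demo) t=$(mktemp); printf '%s\n' "$SAMPLE_MOUNTS" >"$t"
          open_crypt_report "$SAMPLE_DMSETUP" "$t"; rm -f "$t" ;;
esac
```

A mapping reported as "unmounted, mapping still open" still needs cryptsetup remove before the data is protected again.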
Loopback or partition?
A loopback means that you have a file that is on a partition that you then mount using a special device called a loopback. The loop device then acts as a normal block device transforming your file into just another hard disk :)
This is useful if for example you wish to store all your ssh keys safely but don't want to have to make another partition for it!
Configuring your kernel for dmcrypt
You must configure your kernel to be able to use dmcrypt. Use your favourite kernel or emerge development-sources.
cd /usr/src/linux
make menuconfig
You must first enable the device mapper (dm):
Linux Kernel Configuration: Device Mapper
Device Drivers -->
  [*] Multiple devices driver support (RAID and LVM)
  <*> Device mapper support
  <*> Crypt target support
Then you must enable the cipher (aes):
Cryptographic API -->
  <*> AES cipher algorithms (i586)
If you're going to be using dmcrypt on a loopback file, not a partition:
Device Drivers -->
  Block Devices -->
    <*> Loopback device support
# Remember, cryptoloop is not dmcrypt
If you wish you may enable all of the above as modules, but you must then modprobe them.
Now compile your kernel:
make && make modules_install
Now inform your bootloader of this change and reboot (or, if you compiled everything as modules, you can just modprobe them).
Installing the tools needed
emerge sys-fs/cryptsetup
Using dmcrypt with a partition
If you wish to use dmcrypt on a partition then read this, otherwise see below for information on using it with a loopback device.
First we create a device mapper device called 'mycrypt' on a partition, say /dev/hda7 (we will use that throughout the guide)
cryptsetup -y create mycrypt /dev/hda7
Has it worked?
dmsetup ls
It should display 'mycrypt'
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):
mke2fs /dev/mapper/mycrypt
Now mount it:
mount /dev/mapper/mycrypt /mnt/point
Test it worked, congratulations!
To bring it down:
umount /mnt/point
cryptsetup remove mycrypt
Using dmcrypt with a loopback device
This is for using dmcrypt with a loopback device; see above for using it with a partition.
First, create our file:
touch protected
shred -n1 -s50M protected
This creates a file called 'protected' in your current directory of 50MB. By prefilling it with random data, it's impossible to see afterwards how much has been used.
Now let's set up a loopback device to use this file. First find the name of the first unused loop device:
losetup -f
Use this loop device to set a loopback (in this case /dev/loop0 is available)
losetup /dev/loop0 /path/to/protected
Now let's create an encrypted device mapper device using cryptsetup:
cryptsetup -y create mycrypt /dev/loop0
Check it worked:
dmsetup ls
You should see 'mycrypt' listed
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):
mke2fs /dev/mapper/mycrypt
Now mount it:
mount /dev/mapper/mycrypt /mount/point
Check it works for a while, and be happy, then continue reading :)
To unmount it:
umount /mount/point
cryptsetup remove mycrypt
losetup -d /dev/loop0
To automate this process you could write your own script (see below) or try the tool "cryptmount" [1].
umount/mount Scripts
Because the script mentioned above is down, I'll post mine.
Mount:
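#!/bin/bash
# Attach the container file to the loop device
losetup /dev/loop0 /Your/Container
sleep 1
# Set up the encrypted mapping (asks for the passphrase)
cryptsetup create Container /dev/loop0
sleep 1
# Mount the decrypted device
mount /dev/mapper/Container /mnt/Container
Replace Container with your file, save it under /usr/bin/something and chmod +x /usr/bin/something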
Umount:
#!/bin/bash
# Unmount, then remove the mapping, then detach the loop device
umount /dev/mapper/Container
cryptsetup remove Container
losetup -d /dev/loop0
Replace Container with your file, save it under /usr/bin/somethingother and chmod +x /usr/bin/somethingother
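The two scripts above leave the loop device or the mapping behind if a later step fails. The following added example (not the original author's script) uses the same commands but picks a free loop device itself and undoes earlier steps on failure; the function names are hypothetical and the file, mapping name and mount point are arguments you supply.

```shell
#!/bin/sh
# Added example: open/close a loopback container with cleanup on failure.
# Uses the same commands as the scripts above; names and paths are arguments.

# open_container FILE NAME MOUNTPOINT -> prints the loop device it attached
open_container() {
    oc_file=$1; oc_name=$2; oc_mnt=$3
    # -f --show attaches the first free loop device and prints its name,
    # so nothing depends on /dev/loop0 being free.
    oc_loop=$(losetup -f --show "$oc_file") || return 1
    if ! cryptsetup create "$oc_name" "$oc_loop"; then
        losetup -d "$oc_loop"
        return 2
    fi
    # "cryptsetup create" has no header to check the passphrase against:
    # a mistyped passphrase is only noticed here, when no filesystem is
    # found. Remove the mapping again in that case.
    if ! mount "/dev/mapper/$oc_name" "$oc_mnt"; then
        cryptsetup remove "$oc_name"
        losetup -d "$oc_loop"
        return 3
    fi
    echo "$oc_loop"
}

# close_container NAME MOUNTPOINT LOOPDEV
close_container() {
    umount "$2" || return 1            # still busy: stop and report it
    cryptsetup remove "$1" || return 2 # the key stays loaded until this succeeds
    losetup -d "$3"
}

case "${1:-}" in
    open)  shift; open_container "$@" ;;
    close) shift; close_container "$@" ;;
esac
```

Run it as root, for example with "open /path/to/protected mycrypt /mnt/point", and pass the printed loop device back to "close".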
