dmcrypt is a way of encrypting and decrypting files using a cryptographic cipher. dmcrypt allows you to access these files like a normal block device, dmcrypt is designed to be put on a block device but with a loopback device we can easily avoid the need for a separate partition.
There are other ways to encrypt files such as Cryptoloop (deprecated, less secure and uncleanly coded) or loopaes (more secure and faster, but harder to use)
As for every other hard drive encryption mechanism, the encryption key is stored in RAM to allow dm-crypt to encrypt/decrypt the data. Therefore the security of the key relies on the security of the RAM.
Recently some researchers have found that, under certain conditions, it is possible to retrieve this key, even if the system is shutdown.
A work around would be to always shut-down your system properly, and stay around for a while to ensure that nobody is playing with your computer. For the more paranoid ones, you can also take the RAM on your pocket, making the key effectively inaccessible.
You have to remember that hard-drive encryption is only effective when the corresponding partition is unmounted. An encrypted partition which is always mounted is as secure as a clear partition, as one may access each of them the same way.
Loopback or partition?
A loopback means that you have a file that is on a partition that you then mount using a special device called a loopback. The loop device then acts as a normal block device transforming your file into just another hard disk :)
This is useful if for example you wish to store all your ssh keys safely but don't want to have to make another partition for it!
Configuring your kernel for dmcrypt
You must configure your kernel to be able to use dmcrypt. Use your favourite kernel or emerge development-sources.
cd /usr/src/linux make menuconfig
You must first enable the device mapper (dm):
|Linux Kernel Configuration: Device Mapper|
Device Drivers --> [*] Multiple devices driver support (RAID and LVM) <*> Device mapper support <*> Crypt target support Then you must enable the cipher (aes): Cryptographic API --> <*> AES cipher algorithims (i586) If you're going to be using dmcrypt on a loopback file, not a partition: Device Drivers --> Block Devices --> <*> Loopback device support # Remember, cryptoloop is not dmcrypt
If you wish you may enable all of the above as modules, but you must then modprobe them.
Now compile your kernel:
make && make modules_install
Now inform your bootloader of this change and reboot (or if you compiled them all as a module and do it right you can just modprobe)
Installing the tools needed
Using dmcrypt with a partition
If you wish to use dmcrypt on a partition then read this, otherwise see below for information on using it with a loopback device.
First we create a device mapper device called 'mycrypt' on a partition, say /dev/hda7 (we will use that throughout the guide)
cryptsetup -y create mycrypt /dev/hda7
Has it worked?
It should display 'mycrypt'
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is):
Now mount it:
mount /dev/mapper/mycrypt /mnt/point
Test it worked, congratulations!
To bring it down:
umount /mnt/point cryptsetup remove mycrypt
Using dmcrypt with a loopback device
This is for using dmcrypt with a loopback device; see above for using it with a partition.
First, create our file:
touch protected shred -n1 -s50M protected
This creates a file called 'protected' in your current directory of 50MB. By prefilling it with random data, it's impossible to see afterwards how much has been used.
Now let's set a loopback device to use this file. First find the name of the first unused loop device :
Use this loop device to set a loopback (in this case /dev/loop0 is available)
losetup /dev/loop0 /path/to/protected
Now lets create an encrypted device mapper device using cryptsetup :
cryptsetup -y create mycrypt /dev/loop0
Check it worked:
You should see 'mycrypt' listed
Now create a filesystem (replace mke2fs with whatever your filesystem creation tool is) :
Now mount it:
mount /dev/mapper/mycrypt /mount/point
Check it works for a while, and be happy, then continue reading :)
To unmount it:
umount /mount/point cryptsetup remove mycrypt losetup -d /dev/loop0
To automate this process you could write your own script (see below) or try the tool "cryptmount" .
Cause the script mentioned above is down, I'll post mine.
#!/bin/bash losetup /dev/loop0 /Your/Container sleep 1 cryptsetup create Container /dev/loop0 sleep 1 mount /dev/mapper/Container /mnt/Container
replace Container with your file, save it under /usr/bin/something and chmod +x /usr/bin/something
#!/bin/bash umount /dev/mapper/Container cryptsetup remove Container losetup -d /dev/loop0
Replace Container with your file, save it under /usr/bin/somethingother and chmod +x /usr/bin/somethingother
Created by NickStallman.net, Luxury Homes Australia
Real estate agents should list their apartments, townhouses and units in Australia.