Dm-crypt

From Gentoo Wiki
Revision as of 20:04, 21 April 2012 by Pckt (Talk | contribs)

{{WIP}}

dm-crypt is a disk encryption system that uses the kernel's crypto API framework and device mapper. dm-crypt is capable of encrypting whole disks, logical volumes, single files and RAID volumes.

Kernel Configuration

To use dm-crypt, certain kernel modules must be built: the hash functions and ciphers that will be used to encrypt the volume, a file system to put on the encrypted volume (such as ext3), loopback device support and initrd support. For a basic configuration, the SHA256 and MD5 hashes are generally built into the kernel by default along with the AES cipher; if different algorithms are required, they can be found under the Cryptographic API section. This is an example of a basic kernel configuration.

Kernel configuration: Configuring the kernel

    General setup  --->
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [*] Enable loadable module support
    Device Drivers --->
      [*] Multiple devices driver support (RAID and LVM) --->
        <*> Device mapper support
        <*> Crypt target support
      [*] Block Devices --->
        <*> Loopback device support
    [*] Cryptographic API --->
      <*> SHA224 and SHA256 digest algorithm

Most of the Gentoo install media will have the basic modules built in by default; however, less common modules such as the Whirlpool hash are not included, but they can easily be built and then loaded.

Configuring Encrypted Volume

For this example the volume will be a plain partition (/dev/sda1).

  • Load the kernel modules appropriate to your setup (modprobe needs -a to load several modules in one call; without it the extra names are passed as parameters to the first module)
root # modprobe -a dm-mod dm-crypt aes sha256 cbc
  • Generate key
root # dd if=/dev/urandom of=keyFile bs=1024 count=4
  • Fill volume with random bits/shred (optional)
root # shred -v -n 2 /dev/sda1

or

root # dd if=/dev/urandom of=/dev/sda1 bs=1M
  • cryptsetup luksFormat

For keyFile based auth

root # cryptsetup luksFormat /dev/sda1 keyFile

For password based auth

root # cryptsetup -y luksFormat /dev/sda1
  • cryptsetup open

For keyFile based auth

root # cryptsetup -d keyFile luksOpen /dev/sda1 encVol

For password based auth

root # cryptsetup luksOpen /dev/sda1 encVol
  • mkfs, using ext4 in this case
root # mkfs.ext4 /dev/mapper/encVol
  • mount
root # mount /dev/mapper/encVol MOUNTPOINT
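The keyfile-based procedure above, collected into one script as an added example (this is not code from the Gentoo wiki page). It runs in dry-run mode by default, printing each privileged command instead of executing it, so the flow can be reviewed before a real disk is touched; the device, mapping name and mount point are placeholders chosen for the example. It also generates the keyfile under a restrictive umask and checks its size, since a world-readable or truncated keyfile is the step in this procedure most likely to go wrong silently.

```shell
#!/bin/sh
# Added example, not part of the wiki page: the keyfile-based dm-crypt setup
# wrapped in functions. DRY_RUN=1 (the default) only prints the privileged
# commands; DRY_RUN=0 executes them and requires root.
# Usage: DRY_RUN=0 ./setup_encvol.sh /dev/sda1 encVol /mnt/enc /root/keyFile
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it in the wiki's "root #" style when dry-running.
run() {
    if [ "$DRY_RUN" != "0" ]; then
        echo "root # $*"
    else
        "$@"
    fi
}

# Create a fresh 4 KiB random keyfile readable only by its owner.
# The page's plain dd invocation inherits the caller's umask, so the key could
# end up world-readable; tightening umask first avoids that. An existing file
# is removed so dd cannot keep an old, looser mode.
make_keyfile() {
    keyfile="$1"
    rm -f "$keyfile"
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=1024 count=4 2>/dev/null)
    # A short read from /dev/urandom or a full disk would leave a weak key;
    # refuse anything that is not exactly 4096 bytes.
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -ne 4096 ]; then
        echo "keyfile is $size bytes, expected 4096" >&2
        return 1
    fi
}

# The full procedure from the page: modules, optional wipe, luksFormat,
# luksOpen, mkfs.ext4 and mount. WIPE=1 overwrites the device with random
# data before formatting (optional on the page, optional here).
setup_volume() {
    dev="$1"; name="$2"; mnt="$3"; keyfile="$4"
    # -a is required to load several modules with one modprobe call
    run modprobe -a dm-mod dm-crypt aes sha256 cbc
    if [ "${WIPE:-0}" = "1" ]; then
        run dd if=/dev/urandom of="$dev" bs=1M
    fi
    run cryptsetup luksFormat "$dev" "$keyfile"
    run cryptsetup -d "$keyfile" luksOpen "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mount "/dev/mapper/$name" "$mnt"
}

# Only act when all four arguments are given; a real run must be root so a
# typo cannot leave a half-configured volume behind.
if [ "$#" -eq 4 ]; then
    if [ "$DRY_RUN" = "0" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must be root for a real run (leave DRY_RUN unset to preview)" >&2
        exit 1
    fi
    make_keyfile "$4"
    setup_volume "$@"
fi
```

Run it once without DRY_RUN=0 and compare the printed commands against the steps above before pointing it at a real device; the keyfile path should live on a file system that is itself not on the volume being encrypted, otherwise it will not be available at unlock time.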

Initrd Options

  • dracut
  • busybox
    • grub config quirks
      • rd.luks.key
      • root=luks-{UUID}
