dm-crypt
dm-crypt is a disk encryption system built on the kernel's crypto API framework and the device mapper. It works at the block device level, so it can encrypt whole disks, partitions, logical volumes and RAID volumes, and single files as well once they are attached to a loopback device.
Kernel Configuration
To use dm-crypt, certain kernel options must be built in or available as modules: the hash functions and ciphers that will be used for the volume, a filesystem to put on the encrypted volume such as ext4, loopback device support and initramfs support. For a basic configuration the SHA256 and MD5 hashes are generally built into the kernel by default along with the AES cipher; if different algorithms are required they can be found under the Cryptographic API section. This is an example of a basic kernel configuration:
General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
[*] Enable loadable module support
Device Drivers --->
[*] Multiple devices driver support (RAID and LVM) --->
<*> Device mapper support
<*> Crypt target support
[*] Block Devices --->
<*> Loopback device support
[*] Cryptographic API --->
<*> SHA224 and SHA256 digest algorithm
Most of the Gentoo install media have the basic modules built in by default; less common ones such as the Whirlpool hash are not included, but can easily be built and then loaded.
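As an added example (not part of this article), the following POSIX shell script checks a kernel configuration for the Kconfig symbols behind the menu entries listed above, reading either a .config file or the running kernel's /proc/config.gz. The CONFIG_* names are the real Kconfig symbols; the function names are the example's own. Symbols reported as m are built as modules and are exactly what the modprobe step in the next section has to load.

```sh
#!/bin/sh
# Added example, not code from the dm-crypt article. Verifies that a kernel
# config has the options dm-crypt needs, and lists which of them are modules.
set -eu

# Kconfig symbols behind the menuconfig entries shown in the article, plus
# AES and CBC, which the article's modprobe step expects to be available.
DMCRYPT_OPTIONS="CONFIG_BLK_DEV_INITRD CONFIG_MODULES CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_BLK_DEV_LOOP CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC"

# option_state FILE SYMBOL: prints y (built in), m (module) or n (absent or
# "is not set").
option_state() {
    cfg="$1"; sym="$2"
    state=$(sed -n "s/^${sym}=\([ym]\)$/\1/p" "$cfg" | head -n 1)
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'n\n'
}

# check_kconfig FILE [SYMBOL...]: prints "SYMBOL state" per symbol and
# returns 1 if any symbol is neither built in nor a module. With no symbols
# given it checks the full dm-crypt list above.
check_kconfig() {
    cfg="$1"; shift
    [ $# -gt 0 ] || set -- $DMCRYPT_OPTIONS
    rc=0
    for sym in "$@"; do
        state=$(option_state "$cfg" "$sym")
        printf '%s %s\n' "$sym" "$state"
        [ "$state" != n ] || rc=1
    done
    return $rc
}

# modules_needed FILE: the dm-crypt symbols built as modules, one per line;
# these must be loaded with modprobe (or from the initramfs) before use.
modules_needed() {
    cfg="$1"
    for sym in $DMCRYPT_OPTIONS; do
        [ "$(option_state "$cfg" "$sym")" = m ] && printf '%s\n' "$sym"
    done
    return 0
}

# running_config: the running kernel's config, available when the kernel was
# built with CONFIG_IKCONFIG_PROC, or the copy most distributions put in /boot.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Usage: sh kcheck.sh check
case "${1:-}" in
    check)
        cfg=$(mktemp)
        running_config > "$cfg"
        rc=0
        check_kconfig "$cfg" || rc=$?
        rm -f "$cfg"
        exit "$rc" ;;
esac
```

A non-zero exit from check means at least one required option is missing entirely; a y/m mix is fine as long as the modules are loaded before cryptsetup is run.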
Configuring Encrypted Volume
For this example the volume is a plain partition (/dev/sda1). Substitute your own device, mapper name (encVol) and MOUNTPOINT.
- Load the kernel modules appropriate to your setup (-a makes modprobe treat every argument as a module name; anything built into the kernel can be left out):
root #modprobe -a dm-mod dm-crypt aes sha256 cbc
- Generate a key file (key file based authentication only). Anyone who can read this file can unlock the volume, so keep it readable by root alone and store it away from the encrypted disk, for example on removable media:
root #dd if=/dev/urandom of=keyFile bs=1024 count=4
- Fill the volume with random data (optional, but recommended). Without this step the blocks that have never been written stand out from encrypted data, so an attacker can see how much of the volume is in use and where:
root #shred -v -n 2 /dev/sda1
or
root #dd if=/dev/urandom of=/dev/sda1 bs=1M
- Create the LUKS container with cryptsetup luksFormat. This overwrites the start of the device and destroys any data already on it, so double check the device name. For key file based authentication:
root #cryptsetup luksFormat /dev/sda1 keyFile
For password based authentication (-y asks for the passphrase twice to catch typos):
root #cryptsetup -y luksFormat /dev/sda1
- Open the container; the decrypted volume then appears as /dev/mapper/encVol. For key file based authentication:
root #cryptsetup -d keyFile luksOpen /dev/sda1 encVol
For password based authentication:
root #cryptsetup luksOpen /dev/sda1 encVol
- Create a filesystem on the mapped device, using ext4 in this case:
root #mkfs.ext4 /dev/mapper/encVol
- Mount it:
root #mount /dev/mapper/encVol MOUNTPOINT
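The whole key file procedure above as one re-runnable script, added here as an example and not taken from the article. DEV, KEYFILE, NAME and MOUNTPOINT are the example's own defaults and can be overridden from the environment; the cryptsetup, modprobe and mkfs commands are the real ones from the steps above, while gen_keyfile, keyfile_ok, refuse_if_unsafe and setup_volume are hypothetical helper names. It adds the checks a practitioner wants before running a destructive luksFormat: the key file is created with mode 0600 and verified, and the script refuses to format a device that is mounted or already holds a LUKS header.

```sh
#!/bin/sh
# Added example, not code from the dm-crypt article. Sets up a LUKS volume
# with key file authentication, following the article's steps.
set -eu

DEV="${DEV:-/dev/sda1}"            # example default: the article's partition
KEYFILE="${KEYFILE:-/root/keyFile}" # example default: keep it off the volume
NAME="${NAME:-encVol}"              # device mapper name
MOUNTPOINT="${MOUNTPOINT:-/mnt/$NAME}"

# keyfile_ok PATH: true if the key is exactly 4 KiB (4 x 1024 as in the
# article's dd command) and readable by its owner only (mode 0600).
keyfile_ok() {
    key="$1"
    size=$(wc -c < "$key" | tr -d ' ')
    mode=$(ls -ld "$key" | cut -c1-10)
    [ "$size" -eq 4096 ] && [ "$mode" = "-rw-------" ]
}

# gen_keyfile PATH: 4 KiB from /dev/urandom, created under umask 077 so the
# file is never world readable, not even briefly. Refuses to overwrite an
# existing key, since that would make an already formatted volume unopenable.
gen_keyfile() {
    key="$1"
    [ ! -e "$key" ] || { echo "refusing to overwrite $key" >&2; return 1; }
    ( umask 077; dd if=/dev/urandom of="$key" bs=1024 count=4 2>/dev/null )
    chmod 600 "$key"
    keyfile_ok "$key"
}

# refuse_if_unsafe DEV: luksFormat silently replaces an existing header and
# destroys whatever is on the device, so stop if it is mounted or already LUKS.
refuse_if_unsafe() {
    dev="$1"
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "$dev is mounted; aborting" >&2
        return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already holds a LUKS header; aborting" >&2
        return 1
    fi
}

# setup_volume: the article's steps, in order. Set WIPE=1 to fill the device
# with random data first (slow, but hides how much of the volume is in use).
setup_volume() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    modprobe -a dm-mod dm-crypt aes sha256 cbc
    refuse_if_unsafe "$DEV"
    [ -e "$KEYFILE" ] || gen_keyfile "$KEYFILE"
    keyfile_ok "$KEYFILE" || { echo "$KEYFILE has wrong size or mode" >&2; return 1; }
    [ "${WIPE:-0}" != 1 ] || shred -v -n 2 "$DEV"
    cryptsetup -q luksFormat "$DEV" "$KEYFILE"   # -q: skip the confirmation prompt
    cryptsetup -d "$KEYFILE" luksOpen "$DEV" "$NAME"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$NAME" "$MOUNTPOINT"
    # Show the cipher and hash that were actually chosen for the container.
    cryptsetup luksDump "$DEV" | grep -iE 'cipher|hash'
}

# close_volume: unmount and detach the mapping again.
close_volume() {
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$NAME"
}

# Usage: DEV=/dev/sdb1 sh luks-setup.sh setup   |   sh luks-setup.sh close
case "${1:-}" in
    setup) setup_volume ;;
    close) close_volume ;;
esac
```

Because luksFormat accepts a key file of any content, nothing in cryptsetup complains about a truncated or world-readable key; keyfile_ok is the only thing standing between a typo in the dd command and a volume protected by a few bytes of key.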
Initrd Configuration for Whole Disk Encryption
The easiest way to boot from an encrypted root partition is to use dracut, which needs its crypt module in the initramfs to unlock the volume before the root filesystem is mounted. Follow the dracut article, making sure to include the crypt module along with any others your setup requires:
DRACUT_MODULES="... crypt ..."