Dm-crypt

dm-crypt is a disk encryption system that uses the kernel's crypto API framework and device mapper subsystem. With dm-crypt, administrators can encrypt entire disks, logical volumes and partitions, but also single files.

The dm-crypt subsystem supports the Linux Unified Key Setup (LUKS) format, which allows multiple keys to unlock the same encrypted data and lets those keys be managed (changed, additional passphrases added, and so on).
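To make the "multiple keys" part of the LUKS format concrete, the following added example (not code from the wiki or from the cryptsetup project) reads a LUKS1 header straight from a device or image file and reports the cipher and which of the eight key slots are in use, much like the summary cryptsetup's luksDump prints. The offsets and slot markers are those of the LUKS1 on-disk format; LUKS2 headers are reported as unsupported rather than misread. The sample header it can build is constructed for trying the parser out and does not come from a real device.

```shell
#!/bin/sh
# Added example, not from the wiki: inspect a LUKS1 header with od, dd and tr.
# LUKS1 layout: 592-byte header, big-endian integers, eight 48-byte key slots
# starting at byte 208. Each slot begins with a 4-byte marker that is either
# 0x00AC71F3 (enabled) or 0x0000DEAD (disabled).
set -u

LUKS_MAGIC='4c554b53babe'   # "LUKS" 0xba 0xbe
SLOT_ACTIVE='00ac71f3'       # LUKS_KEY_ENABLED
SLOT_INACTIVE='0000dead'     # LUKS_KEY_DISABLED
SLOT_BASE=208                # offset of key slot 0
SLOT_SIZE=48                 # marker, iterations, salt[32], material offset, stripes

# read_hex FILE OFFSET LENGTH -> the bytes as one lowercase hex string
read_hex() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# read_str FILE OFFSET LENGTH -> NUL-padded ASCII field as a plain string
read_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\0'
}

# luks_version FILE -> 1 for LUKS1, 2 for LUKS2, 0 if the magic is absent
luks_version() {
    [ "$(read_hex "$1" 0 6)" = "$LUKS_MAGIC" ] || { echo 0; return; }
    printf '%d\n' "0x$(read_hex "$1" 6 2)"
}

# luks1_cipher FILE -> "cipher-name-cipher-mode", e.g. aes-xts-plain64
luks1_cipher() {
    printf '%s-%s\n' "$(read_str "$1" 8 32)" "$(read_str "$1" 40 32)"
}

# luks1_active_slots FILE -> space-separated numbers of the enabled slots;
# a marker that is neither value is flagged on stderr (corruption or tampering)
luks1_active_slots() {
    _i=0; _out=
    while [ "$_i" -lt 8 ]; do
        _marker=$(read_hex "$1" $((SLOT_BASE + _i * SLOT_SIZE)) 4)
        case "$_marker" in
            "$SLOT_ACTIVE")   _out="$_out $_i" ;;
            "$SLOT_INACTIVE") ;;
            *) printf 'slot %d: unexpected marker %s\n' "$_i" "$_marker" >&2 ;;
        esac
        _i=$((_i + 1))
    done
    printf '%s\n' "${_out# }"
}

# luks1_summary FILE -> one-line report, or a message for non-LUKS1 input
luks1_summary() {
    case "$(luks_version "$1")" in
        1) printf 'LUKS1 %s active slots: %s\n' "$(luks1_cipher "$1")" "$(luks1_active_slots "$1")" ;;
        2) echo 'LUKS2 header: not handled by this example' ;;
        *) echo 'not a LUKS header' ;;
    esac
}

# make_sample_header FILE: a constructed LUKS1 header (not from a real device)
# with cipher aes-xts-plain64 and slots 0 and 3 enabled, all other fields zero.
make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf 'aes'         | dd of="$1" bs=1 seek=8  conv=notrunc 2>/dev/null
    printf 'xts-plain64' | dd of="$1" bs=1 seek=40 conv=notrunc 2>/dev/null
    _i=0
    while [ "$_i" -lt 8 ]; do
        if [ "$_i" -eq 0 ] || [ "$_i" -eq 3 ]; then _m='\000\254\161\363'; else _m='\000\000\336\255'; fi
        printf "$_m" | dd of="$1" bs=1 seek=$((SLOT_BASE + _i * SLOT_SIZE)) conv=notrunc 2>/dev/null
        _i=$((_i + 1))
    done
}

# Stand-alone usage: sh luks1_slots.sh /dev/sdXN   (device path is hypothetical)
if [ "${1:-}" ]; then
    luks1_summary "$1"
fi
```

Reading the header only needs read access to the device, and nothing here touches key material: the slot marker tells you a slot is occupied, not what unlocks it. A report of "unexpected marker" is worth investigating, since cryptsetup only ever writes the two known values.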

Configuration
There are two prerequisites before one can start using dm-crypt:

 * Configuration of the Linux kernel
 * Installation of the  package

Kernel Configuration
To use dm-crypt, a number of kernel configuration entries are necessary.

First of all, support for the device mapper infrastructure as well as the crypt target must be included:

Next, the Linux kernel needs to support the set of cryptographic APIs that the administrator wants to use for encryption. These can be found under the Cryptographic API section:

If the root file system will be encrypted as well, then an initial ram file system needs to be created in which the root filesystem is decrypted before it is mounted. Thus this requires initramfs support as well:
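A quick way to confirm that a kernel actually has the options above enabled, before spending time on a boot that fails at unlock, is to grep its config. The following is an added example, not part of the wiki; the option names it checks are this example's own assumption for an AES-XTS setup: CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT for the device mapper and crypt target, CONFIG_CRYPTO_AES and CONFIG_CRYPTO_XTS for the cipher, and CONFIG_BLK_DEV_INITRD only when the root file system is encrypted. Both `=y` and `=m` count as enabled, and the sample config at the end is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the wiki: check a kernel config for dm-crypt options.
set -u

# Assumed option set for an aes-xts volume (built-in or module both fine).
DMCRYPT_REQUIRED="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS"
# Only needed when the root file system itself is encrypted.
ROOT_REQUIRED="CONFIG_BLK_DEV_INITRD"

# option_state FILE OPTION -> y, m or n (n also when the line is absent or
# written as "# OPTION is not set")
option_state() {
    _state=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$_state" in
        y|m) printf '%s\n' "$_state" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_options FILE "OPT1 OPT2 ..." -> 0 if every option is y or m,
# 1 otherwise; each missing option is named on stderr.
check_options() {
    _missing=0
    for _opt in $2; do
        if [ "$(option_state "$1" "$_opt")" = n ]; then
            printf 'missing: %s\n' "$_opt" >&2
            _missing=1
        fi
    done
    return "$_missing"
}

# find_kernel_config -> path of the running kernel's config: /proc/config.gz
# decompressed to a temp file if present, else /boot/config-$(uname -r).
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        _tmp=$(mktemp)
        zcat /proc/config.gz > "$_tmp"
        printf '%s\n' "$_tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '/boot/config-%s\n' "$(uname -r)"
    else
        return 1
    fi
}

# Stand-alone usage: check the config given as $1, or the running kernel.
if [ "${1:-}" ]; then
    KCONFIG=$1
else
    KCONFIG=$(find_kernel_config) || KCONFIG=
fi
if [ -n "$KCONFIG" ]; then
    if check_options "$KCONFIG" "$DMCRYPT_REQUIRED"; then echo "dm-crypt: ok"; else echo "dm-crypt: options missing"; fi
    if check_options "$KCONFIG" "$ROOT_REQUIRED"; then echo "encrypted root: ok"; else echo "encrypted root: initramfs support missing"; fi
fi
```

Run it with no arguments on the target machine, or point it at a saved `.config` before building. A kernel that reports the cipher options as `m` is fine for a data volume, but for an encrypted root those modules must also end up inside the initramfs.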

Cryptsetup installation
The package provides the   command, which is used to open or close the encrypted storage as well as to manage the passphrases or keys associated with it.

Keyfile or passphrase
To start with encrypted storage, the administrator needs to decide which method to use for the encryption key. With  the choice is either a passphrase or a keyfile. A keyfile can be any file, but it is recommended to use a file with random data that is properly protected, since access to the keyfile means access to the encrypted data.

To create a keyfile, one can use the  command:

In the next sections, every command is shown for both situations, passphrase and keyfile. Of course, only one method is necessary.

Creating an encrypted storage platform
In order to create an encrypted storage platform (which can be a disk, partition, file, ...) use the  command with the luksFormat option.

For instance, to have as the storage medium for the encrypted data:

Configuring Encrypted Volume
For this example the volume will be a plain partition.

 * Load kernel modules appropriate to your setup
 * Generate key
 * Fill volume with random bits/shred (optional; one of several alternative commands)
 * cryptsetup luksFormat
   * For keyFile based auth
   * For password based auth
 * cryptsetup open
   * For keyFile based auth
   * For password based auth
 * mkfs, using ext4 in this case
 * mount
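The steps above, together with the keyfile advice from the earlier section, as one script. This is an added example rather than the wiki's own commands. It assumes three arguments: the partition to encrypt (the path /dev/sdXN used in the comments is hypothetical), the name of the /dev/mapper entry to create, and a mount point; setting KEYFILE selects keyfile-based setup (the file is generated if absent), otherwise cryptsetup prompts for a passphrase, and WIPE=1 fills the partition with random data first. It assumes cryptsetup, blkid, shred and mkfs.ext4 are installed. Because luksFormat destroys whatever is on the device, the script refuses a device that is mounted or already carries a signature; everything except the keyfile helpers needs root.

```shell
#!/bin/sh
# Added example (not the wiki's own commands): encrypted partition setup.
# Usage: KEYFILE=/root/volume.key WIPE=1 sh setup.sh /dev/sdXN cryptvol /mnt/crypt
# (device path hypothetical). Without KEYFILE, cryptsetup asks for a passphrase.
set -eu

# make_keyfile PATH [BYTES]: random keyfile that only its owner can read.
# Whoever can read this file can unlock the volume, so the mode matters as
# much as the randomness.
make_keyfile() {
    _bytes=${2:-4096}
    ( umask 077; head -c "$_bytes" /dev/urandom > "$1" )
    check_keyfile "$1" "$_bytes"
}

# check_keyfile PATH BYTES -> 0 only for a regular file of BYTES bytes with
# mode 0600; anything else is refused with a message on stderr.
check_keyfile() {
    [ -f "$1" ] || { echo "keyfile missing: $1" >&2; return 1; }
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ] || { echo "keyfile $1: wrong size" >&2; return 1; }
    [ "$(stat -c %a "$1")" = 600 ] || { echo "keyfile $1: must be mode 0600" >&2; return 1; }
}

# device_is_safe DEV -> 0 if DEV is a block device that is not mounted and
# carries no filesystem or LUKS signature (blkid -p exits non-zero when it
# finds nothing). luksFormat is destructive, so this is checked first.
device_is_safe() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if grep -qs "^$1 " /proc/mounts; then echo "$1 is mounted" >&2; return 1; fi
    if blkid -p "$1" >/dev/null 2>&1; then
        echo "$1 already carries a signature; wipe it deliberately first" >&2
        return 1
    fi
}

# setup_volume DEV NAME MNT: the wiki's steps in order: modules, optional
# wipe, luksFormat, open, mkfs.ext4, mount.
setup_volume() {
    modprobe dm-crypt
    device_is_safe "$1"
    if [ "${WIPE:-0}" = 1 ]; then
        shred -v -n 1 "$1"                 # one pass of random data
    fi
    if [ -n "${KEYFILE:-}" ]; then
        [ -f "$KEYFILE" ] || make_keyfile "$KEYFILE"
        check_keyfile "$KEYFILE" "$(wc -c < "$KEYFILE" | tr -d ' ')"
        cryptsetup luksFormat "$1" "$KEYFILE"          # still asks for YES
        cryptsetup open --key-file "$KEYFILE" "$1" "$2"
    else
        cryptsetup luksFormat "$1"         # asks for the passphrase twice
        cryptsetup open "$1" "$2"          # asks for it again to unlock
    fi
    mkfs.ext4 "/dev/mapper/$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

if [ $# -eq 3 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    setup_volume "$1" "$2" "$3"
fi
```

The keyfile path should live on storage that is itself protected (the encrypted root, removable media kept separately, or similar); a keyfile sitting next to the volume it unlocks adds nothing over a plain passphrase. check_keyfile rejecting a world-readable file is the cheap way to catch the common mistake of copying the key around with default permissions.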

Initrd config for whole-disk encryption
The easiest option for booting from an encrypted root partition is dracut. Follow the dracut article to build the initramfs, making sure the crypt module is included along with any other modules the setup requires: