I figured out how to set up an encrypted partition on Ubuntu the other day. There are a bunch of ways of doing it but I found this to be the simplest. It should work on Debian too, since all the relevant packages are Debian ones anyway. In my example I’m encrypting an LVM partition (logical volume), but it should work with any device, including removable USB keys (see end notes). UPDATE: This is broken in Edgy but I figured out a simple fix, see below.
Install the cryptsetup package from apt
# apt-get install cryptsetup
Choose a partition you’d like to encrypt.
In my case, I’m encrypting an LVM logical volume on a SATA hard disk, /dev/mapper/vg0-home (the device used in the commands below).
Format the partition as a “LUKS” partition
LUKS stands for Linux Unified Key Setup. Run the following command and enter a password when prompted:
# cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/mapper/vg0-home
The option “-c aes-cbc-essiv:sha256” sets which cipher to use. AES is the default, which is a good choice, but you want to enable ESSIV explicitly because it’s rather important: with this option the crypto uses a different IV for each sector, protecting against known-plaintext attacks and information leakage (such as the “watermarking” attack).
Configure cryptsetup initscript
In /etc/crypttab, add a line like this:
crypt-home /dev/mapper/vg0-home none luks
“crypt-home” is the name of the device mapper node that will be created (in the /dev/mapper/ dir). This is the device you’ll mount.
Make the filesystem
Firstly, execute the cryptsetup initscript (or reboot):
This asks for your password and (if successful) creates the
Now init your filesystem of choice (in this example, ext3):
Configure fstab to automount the partition
Add a line to
/dev/mapper/crypt-home /home ext3 defaults 0 2
Obviously, mounting this won’t work unless the cryptdisks initscript has been executed, but this happens in the correct order on boot.
On boot, you’ll be prompted for the password quite early on in the boot process. The prompt should time out after 180 seconds if you don’t type anything (handy for a server).
After you’ve typed the correct password, the device mapper device is created and then the unencrypted partition is mounted shortly after (alongside all the other partitions, as usual).
UPDATE: LUKS on boot broken in Edgy
This worked fine for me with Dapper, but an upgrade to Edgy broke it. It’s been reported as a bug on Launchpad, but I figured out a simple fix in the meantime:
Change line 294 in
from:
$CRYPTCMD $PARAMS luksOpen $src $dst <&1
to:
$CRYPTCMD $PARAMS luksOpen $src $dst < /dev/console
Now it jumps from the splash screen to the console on boot and asks for the password.
Remember, data from your encrypted partition could end up on disk in your unencrypted swap partition. Depending on what you’re trying to achieve, this probably isn’t desirable. Set your swap partition to be stored in another encrypted device using LUKS. Use /dev/random as the keyfile and it’ll use a random password for encryption on every boot. I expect this will break hibernate support though.
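As an added example that is not part of the original post, here is a small Python script that parses crypttab and fstab entries in the format shown above and flags the mistakes the post warns about: a crypttab target that nothing mounts, an fstab line pointing at the raw LUKS source instead of the /dev/mapper node, an unencrypted swap device, and a random-keyed swap that will break hibernate. The sample file contents are constructed, not read from a real system.

```python
# Constructed sample crypttab/fstab (not from a real system); swap uses a random key.
CRYPTTAB = """\
crypt-home  /dev/mapper/vg0-home  none         luks
cryptswap   /dev/mapper/vg0-swap  /dev/random  swap
"""
FSTAB = """\
/dev/mapper/crypt-home  /home  ext3  defaults  0  2
/dev/mapper/cryptswap   none   swap  sw        0  0
/dev/sda1               /boot  ext3  defaults  0  2
"""

def parse_crypttab(text):
    """Map target name -> (source device, key file, options list)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank or comment line
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries[fields[0]] = (fields[1], keyfile, options)
    return entries

def parse_fstab(text):
    """Return (device, mount point, fs type) for each fstab entry."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rows.append((fields[0], fields[1], fields[2]))
    return rows

def audit(crypttab_text, fstab_text):
    """Return findings about how crypttab targets are used in fstab."""
    crypt, fstab = parse_crypttab(crypttab_text), parse_fstab(fstab_text)
    mapped = {"/dev/mapper/" + name: name for name in crypt}
    sources = {src: name for name, (src, _, _) in crypt.items()}
    devices = {dev for dev, _, _ in fstab}
    findings = [f"{n}: unlocked at boot but never mounted via fstab"
                for n in crypt if "/dev/mapper/" + n not in devices]
    for dev, _, fstype in fstab:
        if dev in sources:  # mounting the container instead of the mapping
            findings.append(f"{dev}: fstab mounts the raw LUKS container; "
                            f"mount /dev/mapper/{sources[dev]} instead")
        if fstype == "swap" and dev not in mapped:
            findings.append(f"{dev}: swap is unencrypted; data from the "
                            "encrypted partition can be paged out here")
        elif fstype == "swap" and crypt[mapped[dev]][1] in ("/dev/random", "/dev/urandom"):
            findings.append(f"{dev}: random swap key each boot breaks hibernate/resume")
    return findings
```

Running audit(CRYPTTAB, FSTAB) on the sample reports only the hibernate caveat; point it at your own files to catch the raw-container and unencrypted-swap mistakes.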
USB keys and other removable devices
If you create a LUKS partition on a removable device (such as a USB key), the HAL daemon will spot that it’s LUKS and automatically handle all the cryptsetup stuff (including a nice Gnome password box). In this case, don’t set up the
- After creating the LUKS partition, open it manually (you’ll be prompted for the password):
cryptsetup luksOpen /dev/sdusbdiskdevicename1 luks-temp
- Create the filesystem:
- Manually close the LUKS partition:
cryptsetup luksClose luks-temp
- Now just eject/unplug the device then reinsert it and you’ll be asked for the password!
These encrypted removable devices are even supported on Windows (see FreeOTFE), but you’ll obviously need to use a Windows-compatible file system (like FAT32 or NTFS rather than ext3).