Sunday, January 07, 2007

dm-crypt filesystem encryption

Dependencies needed:
Kernel Setup:
Device Drivers > Multi-device support (RAID and LVM) > Device Mapper Support (dm-mod)
Device Drivers > Multi-device support (RAID and LVM) > Crypt Target Support (dm-crypt)
Cryptographic Options > (Select cyphers .. ex. aes, twofish)

Userspace tools needed:
libdevmapper Syntax:
Syntax: cryptsetup [<OPTIONS>] <action> <name> [<device>]
-c <cipher> (see /proc/crypto)
-h {plain/<hash>} (see hashalot)
-y (verifies the passphrase by asking for it twice)
-d <file> (read key from file
e.g. /dev/urandom; useful for swap devices.
If set, the parameters -h and -y will be ignored)
-s <keysize> (in bits) (WARNING: in bytes for
-b <size> (in sectors)
-o <offset> (in sectors)
-p <skipped> (in sectors)
<action> is one of:
create - create device
remove - remove device
reload - modify active device
resize - resize active device
status - show device status
<name> is the device to create under /dev/mapper/
<device> is the encrypted device

Create crypto physical device (sized by existing partition): -c aes -h plain -y -b `blockdev --getsize \
/dev/hdb2` create cryptvol1 /dev/hdb2

Copy over data:
dd if=/dev/hdb2 of=/dev/mapper/cryptvol1 bs=4k

No comments: