dm-crypt/Encrypting a non-root file system
The following are examples of encrypting a secondary, i.e. non-root, filesystem with dm-crypt.
Contents
Overview
Encrypting a secondary filesystem usually protects only sensitive data, while leaving the operating system and program files unencrypted. This is useful for encrypting an external medium, such as a USB drive, so that it can be moved to different computers securely. One might also choose to encrypt sets of data separately according to who has access to it.
Because dm-crypt is a block-level encryption layer, it only encrypts full devices, full partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk encryption for general information about securing private data.
Partition
This example covers the encryption of the /home
partition, but it can be applied to any other comparable non-root partition containing user data.
/home
directory on a partition, or create a common partition for all user's /home
directories.First make sure the partition is empty (has no file system attached to it). Delete the partition and create an empty one if it has a file system. Then prepare the partition by securely erasing it, see Dm-crypt/Drive preparation#Secure erasure of the hard disk drive.
Then setup the LUKS header with:
# cryptsetup options luksFormat --type luks2 device
Replace device
with the previously created partition. See Dm-crypt/Device encryption#Encryption options for LUKS mode for details like the available options
.
To gain access to the encrypted partition, unlock it with the device mapper, using:
# cryptsetup open device name
After unlocking the partition, it will be available at /dev/mapper/name
. Now create a file system of your choice with:
# mkfs.fstype /dev/mapper/name
Mount the file system to /home
, or if it should be accessible to only one user to /home/username
, see #Manual mounting and unmounting.
Manual mounting and unmounting
To mount the partition:
# cryptsetup open device name # mount -t fstype /dev/mapper/name /mnt/home
To unmount it:
# umount /mnt/home # cryptsetup close name
Automated unlocking and mounting
There are three different solutions for automating the process of unlocking the partition and mounting its filesystem.
At boot time
Using the /etc/crypttab
configuration file, unlocking happens at boot time by systemd's automatic parsing. This is the recommended solution if you want to use one common partition for all user's home partitions or automatically mount another encrypted block device.
See Dm-crypt/System configuration#crypttab for references and Dm-crypt/System configuration#Mounting at boot time for an example set up.
On user login
Using pam_exec it is possible to unlock (cryptsetup open) the partition on user login: this is the recommended solution if you want to have a single user's home directory on a partition. See dm-crypt/Mounting at login.
Unlocking on user login is also possible with pam_mount.
Loop device
There are two methods for using a loop device as an encrypted container, one using losetup
directly and one without.
Without losetup
Using losetup directly can be avoided completely by doing the following [1]:
# dd if=/dev/urandom of=key.img bs=20M count=1 # cryptsetup --align-payload=1 luksFormat key.img
Before running cryptsetup
, look at the Encryption options for LUKS mode and Ciphers and modes of operation first to select your additional desired settings.
The instructions for opening the device and making the file system are the same as #Partition.
Having too small of a file will get you a Requested offset is beyond real size of device /dev/loop0
error, but as a rough reference creating a 4 MiB file will encrypt it successfully. [2]
If creating a larger file, dd
from /dev/urandom
will stop after 32 MiB, requiring the iflag=fullblock
option to complete the full write. [3]
Manual mounting and unmounting procedure is equivalent to #Manual mounting and unmounting.
Using losetup
A loop device enables to map a blockdevice to a file with the standard util-linux tool losetup
. The file can then contain a filesystem, which can be used quite like any other filesystem. A lot of users know TrueCrypt as a tool to create encrypted containers. Just about the same functionality can be achieved with a loopback filesystem encrypted with LUKS and is shown in the following example.
First, start by creating an encrypted container, using an appropriate random number generator:
# dd if=/dev/urandom of=/bigsecret bs=1M count=10
This will create the file bigsecret
with a size of 10 megabytes.
Next create the device node /dev/loop0
, so that we can mount/use our container:
# losetup /dev/loop0 /bigsecret
/dev/loop0: No such file or directory
, you need to first load the kernel module with modprobe loop
. These days (Kernel 3.2) loop devices are created on demand. Ask for a new loop device with # losetup -f
.From now on the procedure is the same as for #Partition, except for the fact that the container is already randomised and will not need another secure erasure.
Manual mounting and unmounting
To unmount the container:
# umount /mnt/secret # cryptsetup close secret # losetup -d /dev/loop0
To mount the container again:
# losetup /dev/loop0 /bigsecret # cryptsetup open /dev/loop0 secret # mount -t ext4 /dev/mapper/secret /mnt/secret