8th January 2008

Easy disk crypto with Debian

Posted in Configuration

I just realized how simple it is to encrypt a filesystem with Debian. Here is a little howto. Say we have a new disk, /dev/sda1. Let's begin by installing some packages :

% aptitude install cryptsetup hashalot

Then we encrypt the partition with cryptsetup, using the LUKS format. Choose a long and complex passphrase :

% cryptsetup --verbose --verify-passphrase luksFormat /dev/sda1

Map the device to get a usable /dev/mapper/cryptodisk :

% cryptsetup luksOpen /dev/sda1 cryptodisk
% ls /dev/mapper/cryptodisk

Create the filesystem :

% mkfs.ext3 -j /dev/mapper/cryptodisk

Add a mount point and mount the filesystem. Great job, it works. Unmount :

% mkdir /mnt/cryptodisk
% mount /dev/mapper/cryptodisk /mnt/cryptodisk
% umount /mnt/cryptodisk

Add the new device to crypttab to have it opened automatically at boot. Here we choose to allow just one try, with a timeout of 10 seconds. This way, the system can boot without problems even if nobody is there to type the passphrase :

% cat /etc/crypttab
cryptodisk /dev/sda1 none luks,tries=1,timeout=10

Restart the service and enter the passphrase :

% /etc/init.d/cryptdisks restart

Change your fstab :

% cat /etc/fstab
/dev/mapper/cryptodisk /mnt/cryptodisk auto user,noauto 0 0

Mount the filesystem and make it usable by the user :

% mount /mnt/cryptodisk
% sudo chown -R user:user /mnt/cryptodisk

That's all. A little tip : the /dev entry can change. To find the device more easily, simply use /dev/disk/by-id. Very useful for USB devices.
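
The tip above applied to the crypttab entry, as an added example that is not part of the original post: the script looks up the /dev/disk/by-id symlink that points at a device node and prints the crypttab line with the options used in this howto. The function names and the optional directory argument are assumptions made for illustration, and it relies on GNU `readlink -f`.

```shell
#!/bin/sh
# Added example: build a crypttab entry that references the disk through a
# stable /dev/disk/by-id symlink instead of a /dev/sdX name that can change.

# stable_path DEVICE [BYID_DIR]   (hypothetical helper)
# Print the first symlink in BYID_DIR that resolves to DEVICE.
# BYID_DIR defaults to /dev/disk/by-id; the override exists for testing.
stable_path() {
    dev=$(readlink -f "$1") || return 1
    dir=${2:-/dev/disk/by-id}
    for link in "$dir"/*; do
        # Skip anything that is not a symlink (including an unmatched glob).
        [ -L "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$dev" ]; then
            printf '%s\n' "$link"
            return 0
        fi
    done
    return 1
}

# crypttab_line NAME DEVICE [BYID_DIR]   (hypothetical helper)
# Print a crypttab entry with the options from this howto, or fail
# when the device has no by-id link rather than emit an unstable path.
crypttab_line() {
    src=$(stable_path "$2" "$3") || {
        echo "no by-id link for $2; refusing to emit an unstable entry" >&2
        return 1
    }
    printf '%s %s none luks,tries=1,timeout=10\n' "$1" "$src"
}

# Usage: sh this-script cryptodisk /dev/sda1
if [ $# -ge 2 ]; then
    crypttab_line "$@"
fi
```

Review the printed line before adding it to /etc/crypttab; when several by-id links point at the same partition, the first one in glob order is used.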

This entry was posted on Tuesday, January 8th, 2008 at 7:42 pm and is filed under Configuration.