author | rekado <rekado@elephly.net> | 2013-10-01 23:23:18 +0800 |
---|---|---|
committer | rekado <rekado@elephly.net> | 2013-10-01 23:23:18 +0800 |
commit | 139258943c13644947b61bbebbeda7bd1ac868f0 (patch) | |
tree | 23fccea8db988e17bb7f02e0de336226a190e7bf /posts | |
parent | 743ab3108207bd9ef06cc3cc0f42aa8e15519c26 (diff) |
new post: dm-crypt tutorial
Diffstat (limited to 'posts')
-rw-r--r-- | posts/2013-10-01-dm-crypt.markdown | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/posts/2013-10-01-dm-crypt.markdown b/posts/2013-10-01-dm-crypt.markdown new file mode 100644 index 0000000..a892a16 --- /dev/null +++ b/posts/2013-10-01-dm-crypt.markdown 
@@ -0,0 +1,71 @@ +--- +title: How to create an encrypted file container with dm-crypt +tags: gnu, linux, crypto, tutorial +--- + +Here are some instructions on how to create an encrypted filesystem on a file. + +Create an empty file with the size of your container. Here I'll use a 100MB +container. The file is created with `dd` which reads chunks from an input +device and writes the contents to a file or another device. + + dd if=/dev/zero bs=1M count=100 of=~/my-container.img + +This command means the following: read 100 chunks of one megabyte from the zero +device `/dev/zero` and write them to the file `~/my-container.img`. This will +create a file named `my-container.img` in your home directory that will be +about 100MB of zeros[^1]. + +[^1]: You could use `/dev/urandom` as the input device if you wanted to, but +that would be considerably slower and wouldn't help you much. Later commands +will initialise the file/partition, so you don't need to initialise it manually +with random numbers.) + +Next, we'll initialise the LUKS partition on the file and set the initial +passphrase. + + sudo cryptsetup luksFormat ~/mycontainer + +Note that you need to type "YES" (i.e. "yes" in *uppercase*) to confirm the +operation; there is no error message when you fail this step which may be +confusing. Make sure that the file you want to format is your container file +or an empty partition's device file. Input your passphrase when prompted. You +will have to input this passphrase whenever you mount the container unless you +decide to store the passphrase with the container (which obviously is not very +safe). Note that you have to run this as root, because cryptsetup must access +the loopback device. (On the Hurd this would not be necessary, I think.) + +Now, we'll open the container. Opening the container creates a kernel device +file which can then be mounted. 
+ + sudo cryptsetup luksOpen ~/mycontainer secret-device + +This command will prompt for the container's passphrase and then create a +device file with the name `/dev/mapper/secret-device`. You may choose another +name than "secret-device". + +The container is now decrypted. Since the device has no filesystem yet we +still cannot put any data on it. Use `mkfs.ext4` to create an ext4 filesystem +on the decrypted container: + + sudo mkfs.ext4 /dev/mapper/secret-device + +Now the filesystem can be mounted like a filesystem on a regular block device. + + mkdir ~/my-mount-point + sudo mount /dev/mapper/secret-device ~/my-mount-point + +The first command creates a new mount point (an empty directory) named +"my-mount-point" in your home directory. The second command mounts the +decrypted device at this location. + +You can now write to the directory as usual. Once you are done follow these +steps to unmount the device and close (= re-encrypt) the container: + + sudo umount ~/my-mount-point + sudo cryptsetup luksClose secret-device + +To access the container again only these two commands are required: + + sudo cryptsetup luksOpen ~/mycontainer secret-device + sudo mount /dev/mapper/secret-device ~/my-mount-point |
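Review bot: the container path changes between steps in this hunk: `dd` writes `~/my-container.img`, but `luksFormat` and both `luksOpen` calls operate on `~/mycontainer`, so `sudo cryptsetup luksFormat ~/mycontainer` fails on a missing file as written (or formats an unrelated file the reader happens to have under that name). Use one name throughout, e.g. `sudo cryptsetup luksFormat ~/my-container.img` and `sudo cryptsetup luksOpen ~/my-container.img secret-device`. Smaller points in the same hunk: footnote [^1] has a stray closing parenthesis after "random numbers", and its claim that the later commands initialise the file does not hold for the steps shown, since `luksFormat` writes only the LUKS header and key slots and `mkfs.ext4` only filesystem metadata, so the unused blocks of a zero-filled container stay zeros on disk and reveal how much of it has been written; pre-filling from `/dev/urandom` is exactly what avoids that, so the footnote should say it is slower but hides the fill level rather than that it "wouldn't help you much". After `sudo mkfs.ext4` and `sudo mount`, the root directory of the new filesystem is owned by root, so "You can now write to the directory as usual" needs a `sudo chown $USER ~/my-mount-point` after mounting (or the writes must be done as root). Finally, `luksClose` does not re-encrypt anything; the data on disk is encrypted at all times and closing only removes the plaintext `/dev/mapper/secret-device` mapping, so "(= re-encrypt)" should read "(remove the decrypted mapping)".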