Dm-crypt

Encrypt removable data disk

ASSUMPTION

Disk is /dev/disk/by-label/backup. The whole disk will be used. We'll call the encrypted partition encBackup.

Encrypt data partition

Wipe the disk. Zeros are written through a throw-away plain dm-crypt mapping keyed from /dev/urandom, so the disk ends up filled with random-looking data and nothing reveals where the later LUKS payload begins (dd finishes with "No space left on device", which is expected).

shell
sudo cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-label/backup encBackup
# OR: sudo cryptsetup open --type plain --cipher aes-xts-plain64 --key-file /dev/urandom /dev/disk/by-label/backup encBackup
sudo dd if=/dev/zero of=/dev/mapper/encBackup status=progress bs=1M
sudo cryptsetup close encBackup

Create the LUKS container. For a stronger passphrase, use one generated and stored by pass. Check first that the by-label path still resolves (ls -l /dev/disk/by-label/): the wipe removed the old filesystem label, so once udev re-reads the disk the link disappears. In that case address the disk by a stable path under /dev/disk/by-id/ and, after formatting, set the label on the LUKS2 header with cryptsetup config --label=backup, as the swap and home sections below do, so that the by-label path used here resolves again.

Then open the volume and create the file system. With --key-file -, cryptsetup reads stdin byte for byte, so the newline that pass prints after the passphrase becomes part of the key: a volume formatted through the pass pipeline cannot be unlocked by typing the same passphrase at the interactive prompt (the # OR variants), and vice versa. Pick one form and use it consistently, or strip the newline in every pass pipeline with pass bkphdd | tr -d '\n' before piping into cryptsetup.

shell
pass bkphdd | sudo cryptsetup --key-file - luksFormat /dev/disk/by-label/backup
# OR: sudo cryptsetup --verify-passphrase luksFormat /dev/disk/by-label/backup

pass bkphdd | sudo cryptsetup --key-file - open /dev/disk/by-label/backup encBackup
# OR: sudo cryptsetup open /dev/disk/by-label/backup encBackup
sudo mkfs.ext4 /dev/mapper/encBackup

Mount and unmount

Mount

shell
pass bkphdd | sudo cryptsetup --key-file - open /dev/disk/by-label/backup encBackup
# OR: sudo cryptsetup open /dev/disk/by-label/backup encBackup
sudo mount -o nodev,nosuid,noexec /dev/mapper/encBackup /media/hdd1

Unmount

shell
sudo umount /media/hdd1 && sudo sync
sudo cryptsetup close encBackup
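The following script, added here as an example and not part of the original page, wraps the mount and unmount steps above with the checks a practitioner would want: it refuses to open a mapping that already exists, strips the trailing newline that pass prints (which presumes the volume was formatted the same way, i.e. pass bkphdd | tr -d '\n' | sudo cryptsetup --key-file - luksFormat ..., so that pass and the interactive prompt see the same key), verifies after mounting that the kernel really applied nodev,nosuid,noexec, and confirms after closing that the mapping is gone. Device, mapper name, pass entry and mount point are the ones used on this page; the script name, the open/close arguments and the use of findmnt to read the mount options back are assumptions.

```shell
#!/bin/sh
# encbackup.sh: open+mount / unmount+close the encrypted removable disk with
# the checks the page's bare commands lack. Added example, not part of the
# original page; the script name, the open/close arguments and the findmnt
# read-back are assumptions.
set -eu

DEVICE=/dev/disk/by-label/backup
MAPPER=encBackup
MOUNTPOINT=/media/hdd1
PASS_ENTRY=bkphdd
WANT_OPTS=nodev,nosuid,noexec

# normalize_passphrase: copy stdin to stdout minus trailing newlines. pass
# prints the passphrase followed by "\n"; with --key-file - cryptsetup would
# treat that byte as part of the key, so a volume formatted via pass could not
# be unlocked by typing the same passphrase interactively. "$(...)" drops the
# trailing newlines, printf '%s' writes the rest back without adding one.
normalize_passphrase() {
    printf '%s' "$(cat)"
}

# check_mount_opts "<comma-separated options>": succeed only if every option
# in WANT_OPTS is present. Pure string check, usable on constructed input.
check_mount_opts() {
    have=$1
    for want in $(printf '%s' "$WANT_OPTS" | tr ',' ' '); do
        case ",$have," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

open_and_mount() {
    if [ -e "/dev/mapper/$MAPPER" ]; then
        echo "$MAPPER is already open" >&2
        return 1
    fi
    # head -n 1: pass entries may carry extra lines below the passphrase.
    pass "$PASS_ENTRY" | head -n 1 | normalize_passphrase \
        | sudo cryptsetup --key-file - open "$DEVICE" "$MAPPER"
    sudo mount -o "$WANT_OPTS" "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    # Read the options back from the kernel rather than trusting the command.
    if ! check_mount_opts "$(findmnt -no OPTIONS "$MOUNTPOINT")"; then
        echo "$MOUNTPOINT is missing one of $WANT_OPTS" >&2
        return 1
    fi
}

unmount_and_close() {
    sudo umount "$MOUNTPOINT"
    sync
    sudo cryptsetup close "$MAPPER"
    # cryptsetup status exits non-zero once the mapping no longer exists.
    if sudo cryptsetup status "$MAPPER" >/dev/null 2>&1; then
        echo "$MAPPER is still active" >&2
        return 1
    fi
}

case "${1:-}" in
    open)  open_and_mount ;;
    close) unmount_and_close ;;
    "")    ;;   # no argument: only define the functions
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

Run it as encbackup.sh open before a backup and encbackup.sh close afterwards; a non-zero exit from either means the disk is not in the state the page assumes (already mapped, mounted without the hardening options, or still unlocked).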

Encrypt swap

These steps assume the root partition is not encrypted (some steps differ if it is).

ASSUMPTION

Swap is on disk /dev/nvme0n1 and partition /dev/nvme0n1p2. We'll call the encrypted partition encSwap.

Encrypt swap partition

First disable the swap if it is in use, then set the partition's no_automount flag so that it is not activated automatically (check with print that 2 is indeed the swap partition's number):

shell
sudo swapoff /dev/nvme0n1p2
sudo parted /dev/nvme0n1
(parted) print
(parted) set 2 no_automount on

Wipe the partition (not the disk).

shell
sudo cryptsetup open --type plain --key-file /dev/urandom /dev/nvme0n1p2 encSwap
sudo dd if=/dev/zero of=/dev/mapper/encSwap status=progress bs=1M
sudo cryptsetup close encSwap

Create the LUKS container, label it (a LUKS2 header label, which is what makes /dev/disk/by-label/swap appear), open the volume and initialise the swap area:

shell
sudo cryptsetup luksFormat /dev/nvme0n1p2
sudo cryptsetup config --label=swap /dev/nvme0n1p2
sudo cryptsetup open /dev/disk/by-label/swap encSwap
sudo mkswap /dev/mapper/encSwap

GRUB configuration

Now we configure the boot options on GRUB.

Update /etc/default/grub so that the encrypt hook knows which device to unlock and the resume hook where to find the hibernation image:

  • add cryptdevice=/dev/disk/by-label/swap:encSwap (device:mapper-name)
  • set resume=/dev/mapper/encSwap (the mapper name must match)
ini
GRUB_CMDLINE_LINUX_DEFAULT="audit=0 loglevel=3 quiet cryptdevice=/dev/disk/by-label/swap:encSwap resume=/dev/mapper/encSwap"

TIP

For more details on the options used here, check mkinitcpio -H encrypt.

Regenerate the grub.cfg:

shell
sudo grub-mkconfig -o /boot/grub/grub.cfg

Initrd configuration

The initramfs opens the swap device before resuming. Update HOOKS in /etc/mkinitcpio.conf, adding encrypt after keyboard and keymap (needed so the passphrase prompt accepts input) and before resume and filesystems, which need the decrypted device to exist:

shell
HOOKS=(base udev setvtrgb autodetect modconf keyboard keymap block encrypt resume filesystems fsck)

Regenerate the initramfs.

shell
sudo mkinitcpio -p linux

Fstab configuration

Finally, add the decrypted device to /etc/fstab so that the swap is enabled at boot:

txt
/dev/mapper/encSwap swap swap defaults 0 0
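The three edits above (HOOKS order, GRUB command line, fstab) fail only at the next boot if the order is wrong or the mapper name does not match. The following lint script, added here as an example and not part of the original page, checks the relations the text requires: keyboard before encrypt before resume before filesystems in HOOKS, a resume= that points at the mapper name given in cryptdevice=, and an fstab swap entry for that mapper. The check functions take the raw configuration values as arguments so they can be exercised on constructed input; the live invocation reads the files named on this page. The function names and the live argument are assumptions.

```shell
#!/bin/sh
# swap-boot-lint.sh: consistency checks for the encrypted-swap boot setup.
# Added example, not part of the original page; function names and the
# "live" argument are assumptions.
set -eu

# hook_index "<hooks>" NAME: print the 1-based position of NAME in the
# whitespace-separated hook list, fail if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then
            echo "$i"
            return 0
        fi
    done
    return 1
}

# hooks_ordered "<HOOKS value>": encrypt must come after keyboard (so the
# passphrase prompt accepts input) and before resume and filesystems, which
# need the decrypted device to exist. Parentheses/quotes around the list are
# tolerated so the raw line from mkinitcpio.conf can be passed in.
hooks_ordered() {
    hooks=$(printf '%s' "$1" | tr -d '()"')
    k=$(hook_index "$hooks" keyboard)    || return 1
    e=$(hook_index "$hooks" encrypt)     || return 1
    r=$(hook_index "$hooks" resume)      || return 1
    f=$(hook_index "$hooks" filesystems) || return 1
    [ "$k" -lt "$e" ] && [ "$e" -lt "$r" ] && [ "$r" -lt "$f" ] && return 0
    return 1
}

# cmdline_consistent "<GRUB_CMDLINE_LINUX_DEFAULT value>": the mapper name in
# cryptdevice=<device>:<name>[:options] must be the one resume= points at,
# otherwise the initramfs unlocks the swap under one name and looks for the
# hibernation image under another.
cmdline_consistent() {
    name=""
    resume=""
    for opt in $1; do
        case $opt in
            cryptdevice=*)
                name=${opt#cryptdevice=}   # <device>:<name>[:options]
                name=${name#*:}            # <name>[:options]
                name=${name%%:*}           # <name>
                ;;
            resume=*)
                resume=${opt#resume=}
                ;;
        esac
    done
    [ -n "$name" ] && [ "$resume" = "/dev/mapper/$name" ] && return 0
    return 1
}

# fstab_has_swap "<fstab contents>" NAME: the decrypted device must be listed
# with type swap, or swapon -a at boot will not enable it.
fstab_has_swap() {
    printf '%s\n' "$1" | awk -v dev="/dev/mapper/$2" \
        '$1 !~ /^#/ && $1 == dev && $3 == "swap" { found = 1 } END { exit !found }'
}

# lint_live_config: run the three checks against the files edited above.
lint_live_config() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' /etc/mkinitcpio.conf)
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/\1/p' /etc/default/grub)
    fstab=$(cat /etc/fstab)
    rc=0
    hooks_ordered "$hooks" \
        || { echo "HOOKS: need keyboard < encrypt < resume < filesystems" >&2; rc=1; }
    cmdline_consistent "$cmdline" \
        || { echo "GRUB: resume= does not match the cryptdevice mapper name" >&2; rc=1; }
    fstab_has_swap "$fstab" encSwap \
        || { echo "fstab: no swap entry for /dev/mapper/encSwap" >&2; rc=1; }
    return "$rc"
}

if [ "${1:-}" = live ]; then
    lint_live_config
fi
```

Run swap-boot-lint.sh live after editing the three files and before regenerating the initramfs and grub.cfg; each failing check names the file to fix.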

Using keyfile in USB drive

This step is optional.

Add the module vfat to /etc/mkinitcpio.conf:

shell
MODULES=(vfat)

and add the cryptkey=device:fstype:path kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, here pointing at the file swap_keyfile on the FAT-formatted USB drive labelled USB_LOADER:

ini
cryptkey=/dev/disk/by-label/USB_LOADER:vfat:/swap_keyfile

Apply the changes.

shell
sudo mkinitcpio -p linux
sudo grub-mkconfig -o /boot/grub/grub.cfg

Now create swap_keyfile on the USB drive with the passphrase as its content. Alternatively, fill the file with random bytes and register it as an additional key slot with sudo cryptsetup luksAddKey /dev/nvme0n1p2 followed by the path of the file; the passphrase then stays usable as a fallback and the file content need not match it.

WARNING

Be careful not to put a newline at the end of the file. Text editors usually add one automatically, so write the file with echo -n or with the output of a password generator command instead.

Encrypt home

ASSUMPTION

Home is on disk /dev/nvme0n1 and partition /dev/nvme0n1p4. We'll call the encrypted partition encHome.

WARNING

When creating the home partition, do not set the linux-home partition type flag: systemd would then detect the partition as the home volume and try to unlock and mount it on its own (asking for a passphrase at boot, even without an entry in /etc/crypttab), which conflicts with the /etc/crypttab configuration below.

Encrypt home partition

Wipe the partition as described in the sections above.

Create the LUKS container, label it, open the volume and create the filesystem:

shell
sudo cryptsetup luksFormat /dev/nvme0n1p4
sudo cryptsetup config --label=home /dev/nvme0n1p4
sudo cryptsetup open /dev/disk/by-label/home encHome
sudo mkfs.ext4 /dev/mapper/encHome

Crypttab configuration

Add the following line to /etc/crypttab so that the partition is unlocked at boot; /dev/mapper/encHome can then be mounted on /home from /etc/fstab like any other partition:

ini
# <name>   <device>                  <password>                                    <options>
encHome    /dev/disk/by-label/home   /home_keyfile:/dev/disk/by-label/USB_LOADER

Now create home_keyfile on the USB drive with the passphrase as its content.

TIP

The password field has the form path:device, the reverse of the cryptkey=device:fstype:path parameter used for swap, and without the fstype.

WARNING

Be careful not to put a newline at the end of the file. Text editors usually add one automatically, so write the file with echo -n or with the output of a password generator command instead.
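The two warnings above (swap_keyfile and home_keyfile) are about the same failure: an invisible trailing byte that makes the file differ from the typed passphrase. The following helper, added here as an example and not part of the original page, writes a keyfile from the output of pass without that newline and with owner-only permissions, offers a random binary keyfile for use with cryptsetup luksAddKey as an alternative to storing the passphrase itself, and checks an existing file for both problems. The USB mount point /mnt/usb in the usage comment and the function names are assumptions.

```shell
#!/bin/sh
# keyfile.sh: create and check LUKS keyfiles stored on the USB_LOADER drive.
# Added example, not part of the original page. /mnt/usb (usage comment) and
# the function names are assumptions.
set -eu

# last_byte_is_newline FILE: succeed if the file ends in "\n". Text editors add
# that byte silently; cryptsetup uses keyfile contents byte for byte, so such a
# file no longer matches the passphrase typed at the prompt.
last_byte_is_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# write_keyfile FILE: read the passphrase from stdin (for example from pass),
# drop trailing newlines and write it with mode 0600. The subshell keeps the
# umask change local; "$(...)" strips the newlines and printf '%s' adds none.
write_keyfile() {
    ( umask 077; printf '%s' "$(cat)" > "$1" )
}

# random_keyfile FILE [BYTES]: alternative to storing the passphrase itself.
# Register the file as an additional key slot with
#   sudo cryptsetup luksAddKey /dev/nvme0n1p2 FILE
# Binary content has no newline problem and cannot be typed, so the passphrase
# remains as the fallback. (last_byte_is_newline is meaningless for these.)
random_keyfile() {
    ( umask 077; head -c "${2:-4096}" /dev/urandom > "$1" )
}

# check_keyfile FILE: refuse a passphrase keyfile that is readable by group or
# others, or that ends in a newline. ls -l columns 5-10 are the group/other bits.
check_keyfile() {
    perms=$(ls -l "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$1: permissions too open (group/other bits: $perms)" >&2
        return 1
    fi
    if last_byte_is_newline "$1"; then
        echo "$1: ends with a newline" >&2
        return 1
    fi
}

# Usage, with the USB drive mounted on /mnt/usb (assumed):
#   pass bkphdd | head -n 1 | write_keyfile /mnt/usb/swap_keyfile
#   check_keyfile /mnt/usb/swap_keyfile
```

On a FAT-formatted USB drive the permission bits are those of the mount (no per-file ownership), so there check_keyfile mainly catches the newline; the permission check matters when the keyfile is staged on a Linux filesystem first.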