Encrypted Filesystems

From openSUSE

Setup

To follow this howto you need superuser rights. If you are not logged in as root (which you should not be), prefix each command with sudo instead; both forms are shown below.

First install the cryptsetup package (util-linux-crypto) via YaST. As of SUSE 10.2 it already includes LUKS support (see also Linux Unified Key Setup Information).

In this howto the partition to be encrypted is /dev/sda3, as an example. If you need to, you can set up a partition with YaST>>System>>Partitioner.

The filesystem used in this howto is reiserfs, although you can use any other.

The cipher used in this howto is AES; other ciphers such as twofish are also possible. To see which ciphers are already loaded, enter:

cat /proc/crypto

To load the kernel module aes, enter:

modprobe aes
sudo /sbin/modprobe aes

To load the aes cipher module permanently, edit YaST>>System>>etc/sysconfig-Editor>>System/Kernel/MODULES_LOADED_ON_BOOT and add aes. To see which ciphers are available as kernel modules, look in the folder /lib/modules/2.6.18*/kernel/crypto. You should find at least aes, blowfish, des and twofish.

Now format the partition as a LUKS volume:

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
sudo /sbin/cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3

This command creates an encrypted volume on the device /dev/sda3. LUKS reserves an area at the beginning of the volume where it stores the header information as well as the eight key slots. The password you enter now is the master password. Secondary passwords can be added and deleted later; the master password cannot. The switch -c selects the cipher, -y makes you enter the password twice to verify it, and -s sets the key length in bits. luksFormat initialises the LUKS volume header.

An alternative setup with the twofish cipher is shown here:

cryptsetup -c twofish-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
sudo /sbin/cryptsetup -c twofish-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3

After confirming and entering the password twice, you can open (decrypt) the partition with:

cryptsetup luksOpen /dev/sda3 my_secure_partition
sudo /sbin/cryptsetup luksOpen /dev/sda3 my_secure_partition

The decrypted partition is now available as the virtual device /dev/mapper/my_secure_partition.

Now create a filesystem on it with:

mkreiserfs /dev/mapper/my_secure_partition
sudo /sbin/mkreiserfs /dev/mapper/my_secure_partition

Now you can mount the device on /mnt with:

mount /dev/mapper/my_secure_partition /mnt
sudo mount /dev/mapper/my_secure_partition /mnt

To unmount the device use:

umount /mnt
sudo umount /mnt

To close the LUKS volume use:

cryptsetup luksClose my_secure_partition
sudo /sbin/cryptsetup luksClose my_secure_partition
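The whole procedure above wrapped in one script, as an added example that is not part of the openSUSE howto: the mapper name is defined once so that luksOpen, mkreiserfs, mount and luksClose cannot drift apart, the requested cipher is checked against /proc/crypto-style input (the format shown by cat /proc/crypto above) before anything is written, and a device that is still mounted is refused. DEVICE, NAME, CIPHER, DRY_RUN, PROC_CRYPTO, PROC_MOUNTS and the function names are assumptions of this example; the /proc/crypto sample is constructed. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the openSUSE howto. Assumed names: DEVICE, NAME,
# CIPHER, DRY_RUN, PROC_CRYPTO, PROC_MOUNTS and the functions below.

DEVICE="${DEVICE:-/dev/sda3}"        # partition to encrypt (the howto's example)
NAME="${NAME:-my_secure_partition}"  # mapper name, defined once for every step
CIPHER="${CIPHER:-aes}"              # kernel cipher module the LUKS spec relies on
DRY_RUN="${DRY_RUN:-1}"              # 1: only print the commands, 0: execute them
PROC_CRYPTO="${PROC_CRYPTO:-/proc/crypto}"
PROC_MOUNTS="${PROC_MOUNTS:-/proc/mounts}"

# Constructed sample in /proc/crypto format: aes and twofish are block
# ciphers, sha256 is a hash and must not be reported as a cipher.
SAMPLE_PROC_CRYPTO='name         : aes
driver       : aes-generic
module       : kernel
type         : cipher
blocksize    : 16

name         : twofish
driver       : twofish-generic
module       : twofish_generic
type         : cipher
blocksize    : 16

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
digestsize   : 32'

# Read /proc/crypto-formatted text on stdin and print the name of every
# entry whose type is a block cipher, sorted and without duplicates.
loaded_ciphers() {
    awk -F': *' '
        /^name/ { name = $2 }
        /^type/ && ($2 == "cipher" || $2 == "skcipher") { seen[name] = 1 }
        END { for (n in seen) print n }
    ' | sort
}

# Succeed if cipher $1 appears in the /proc/crypto-formatted text on stdin.
cipher_loaded() {
    loaded_ciphers | grep -qx "$1"
}

# Succeed if device $1 is listed in /proc/mounts-formatted text on stdin.
device_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "+ $*"
    else
        "$@"
    fi
}

# luksFormat, luksOpen, mkreiserfs and mount, in the howto's order, after
# checking that the cipher is loaded and the device is not in use.
setup_encrypted_partition() {
    if ! cipher_loaded "$CIPHER" < "$PROC_CRYPTO"; then
        echo "cipher '$CIPHER' is not loaded; run 'modprobe $CIPHER' first" >&2
        return 1
    fi
    if device_mounted "$DEVICE" < "$PROC_MOUNTS"; then
        echo "$DEVICE is mounted; unmount it before formatting" >&2
        return 1
    fi
    run cryptsetup -c "${CIPHER}-cbc-essiv:sha256" -y -s 256 luksFormat "$DEVICE" &&
    run cryptsetup luksOpen "$DEVICE" "$NAME" &&
    run mkreiserfs "/dev/mapper/$NAME" &&
    run mount "/dev/mapper/$NAME" /mnt
}

# Reverse the setup: unmount first, then close the LUKS mapping.
teardown_encrypted_partition() {
    run umount /mnt &&
    run cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    setup)    setup_encrypted_partition ;;
    teardown) teardown_encrypted_partition ;;
esac
```

Save it as, for instance, luks-setup.sh and run `sh luks-setup.sh setup` to see the commands it would issue; `DRY_RUN=0 sh luks-setup.sh setup` as root executes them, and `DRY_RUN=0 sh luks-setup.sh teardown` unmounts and closes the volume again. The cipher check reads the real /proc/crypto unless PROC_CRYPTO points elsewhere, so it reports the same ciphers as cat /proc/crypto does.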