Encrypted file systems on Debian/Ubuntu Linux
Recently I set up an encrypted file system so I could do rsync backups to a secured location. What you end up with is a mountable file system that you can use to securely store data. Debian offers an easy way to set up encrypted file systems using the LUKS standard with the cryptsetup package. You’ll need to enter a decryption passphrase to mount the volume whenever the system boots.
Package installation
Install the required packages:
# aptitude install e2fsprogs cryptsetup
Partitioning
Use your favourite partitioning tool, for example fdisk or cfdisk, to set aside a whole partition with enough space to store your data.
Erase
This step is optional. For complete security you want the contents of the disk to be random before you start using it, so that encrypted data cannot be told apart from the unused space around it. Use the badblocks tool to do this.
# badblocks -c 10240 -s -w -t random -v /dev/sdX9
Format
The luksformat tool will format a partition to be used with LUKS (Linux Unified Key Setup) and then create a filesystem on it.
# luksformat -t ext3 /dev/sdX9
Mounting Manually
First use cryptsetup to create a device file:
# cryptsetup luksOpen /dev/sdX9 cryptofoo
You can now mount the device from /dev/mapper/cryptofoo:
# mount /dev/mapper/cryptofoo /mnt
When you’re done, unmount and then remove the cryptofoo device. Chain the two commands with && rather than ; so the mapping is only closed once the unmount has actually succeeded (luksClose fails with “device busy” while the filesystem is still mounted):
# umount /mnt && cryptsetup luksClose cryptofoo
Mount on Boot
Now all that remains is to add one line to each of crypttab and fstab.
Add this line to /etc/crypttab:
myname /dev/sdX9 none luks
The crypttab file is examined by the system during boot. Each line maps a real encrypted device file (/dev/sdX9) to a virtual decrypted device file (/dev/mapper/myname). Once you’ve added this line, run the following command to actually set up the mapping:
# /etc/init.d/cryptdisks restart
Now you can set up that virtual device file to be mounted like any other. For example, the following command would mount your filesystem:
# mount /dev/mapper/myname /mnt
Note that you should probably use partition UUIDs (UUID=XXXXX) in place of device file names (/dev/sdX9) in your crypttab for a more robust system. The easiest way to find these is by running:
# ls -l /dev/disk/by-uuid
Add a line like this to /etc/fstab:
/dev/mapper/myname /path/to/mountpoint ext3 defaults 0 2
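The whole procedure above, from opening the container by hand to generating the crypttab and fstab entries by UUID, as a set of small POSIX shell functions. This is an added example, not code from the original post; it assumes cryptsetup and mount are installed, that udev populates /dev/disk/by-uuid, and that the real open/mount/close steps are run as root. The names open_and_mount, unmount_and_close, uuid_for_device, crypttab_line, fstab_line and check_crypttab_line are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that wrap the manual
# open/mount/close steps and generate the crypttab and fstab entries by UUID.
# Assumptions: cryptsetup and mount are installed, udev populates
# /dev/disk/by-uuid, and the device-touching functions are run as root.

# Open the LUKS container and mount it. If the mount fails, close the mapping
# again so a failed attempt never leaves an unlocked, unmounted device behind.
open_and_mount() {
    dev=$1; name=$2; mountpoint=$3
    cryptsetup luksOpen "$dev" "$name" || return 1
    if ! mount "/dev/mapper/$name" "$mountpoint"; then
        cryptsetup luksClose "$name"
        return 1
    fi
}

# Unmount first and only then close the mapping; luksClose reports
# "device busy" while the filesystem is still mounted.
unmount_and_close() {
    name=$1; mountpoint=$2
    umount "$mountpoint" && cryptsetup luksClose "$name"
}

# Resolve a device path such as /dev/sdX9 to its UUID via /dev/disk/by-uuid.
uuid_for_device() {
    dev=$(readlink -f "$1") || return 1
    for link in /dev/disk/by-uuid/*; do
        [ -e "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$dev" ]; then
            basename "$link"
            return 0
        fi
    done
    return 1
}

# crypttab entry: mapper name, source by UUID, 'none' = prompt for the
# passphrase at boot, 'luks' = treat the source as a LUKS container.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for the decrypted mapper device (ext3 as in the post unless a
# third argument overrides it).
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext3}"
}

# Sanity-check a crypttab line before installing it: exactly four fields, a
# UUID= source, 'none' as the key file, and 'luks' among the options.
check_crypttab_line() {
    set -- $1
    [ $# -eq 4 ] || return 1
    case "$2" in UUID=*) ;; *) return 1 ;; esac
    [ "$3" = "none" ] || return 1
    case "$4" in luks|*,luks|luks,*|*,luks,*) return 0 ;; *) return 1 ;; esac
}

# Usage (as root): print the two lines for a device, e.g. ./script.sh /dev/sdX9
# The guard lets the file be sourced for its functions without side effects.
if [ -n "$1" ]; then
    uuid=$(uuid_for_device "$1") || { echo "no UUID found for $1" >&2; exit 1; }
    line=$(crypttab_line myname "$uuid")
    check_crypttab_line "$line" || { echo "bad crypttab line: $line" >&2; exit 1; }
    echo "$line"
    fstab_line myname /mnt ext3
fi
```

The check function deliberately rejects a /dev/sdX9 source: device names can change between boots when disks are added or reordered, and a crypttab entry pointing at the wrong partition means the passphrase prompt fails at boot. Run the script once to see the generated lines, then append them to /etc/crypttab and /etc/fstab by hand.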