These are some helper tools for making use of the device mapper crypt target. I wrote them mainly for my own use, so they are tailored to my needs, but perhaps you will find them useful too.
Although I use this program myself to encrypt all my ext2 filesystems (except root), I cannot guarantee its correctness. So be careful and back up your data!
You need a kernel with the device mapper compiled in or as a module. (Kernel 2.6 has it, and there is a patch available for kernel 2.4, for example in the Debian package kernel-patch-device-mapper.) The kernel also needs support for the tmpfs and sysfs filesystems.
The following libraries are required: libdevmapper, libgcrypt11 and libxml2.
Mount sysfs on /sys and tmpfs on /dev/links with e.g. the following /etc/fstab entries:
    sysfs   /sys         sysfs   defaults             0 0
    tmpfs   /dev/links   tmpfs   defaults,size=4096   0 0
Extract the tarball and execute as root 'make install'. (On a Debian system install the .deb package instead.)
Setup an init script link, so that /etc/init.d/cryptswap is executed just before the normal activation of swapping. (For example in Debian this would be a symlink from /etc/rcS.d/S08cryptswap to ../init.d/cryptswap, but the .deb package will already take care of this.)
To encrypt your swap partition (with a random key), edit /etc/default/cryptswap and put the device name of your swap partition, the new mapping name (e.g. swap1) and the cipher (e.g. aes or twofish) on one line. The line should look something like:
/dev/hda5 swap1 twofish
Be careful to write the correct device name in there. The contents of this device will be overwritten every reboot!
Then edit your /etc/fstab and change the swap partition to the device in /dev/mapper with the new name. For our example the line should be:
/dev/mapper/swap1 none swap sw 0 0
Either reboot, or deactivate your swap partition (swapoff), start /etc/init.d/cryptswap manually and activate the new swap device (swapon).
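The whole cryptswap procedure above, as an added shell example that is not the project's own init script: it reads lines in the /etc/default/cryptswap format, draws a random key from the kernel RNG, builds the dm-crypt table line and activates the swap. The "start" argument, the CRYPTSWAP_CONFIG override and the explicit mkswap step are assumptions; cryptswap_table is kept side-effect free so the table format can be checked without root or a real block device.

```shell
#!/bin/sh
# Added example (not the project's init script): set up random-key
# dm-crypt swap as described in the cryptswap section.
# Config lines look like:  /dev/hda5 swap1 twofish
set -e

CONFIG=${CRYPTSWAP_CONFIG:-/etc/default/cryptswap}   # assumed override

# Hex-encode N bytes from the kernel RNG. dm-crypt takes the key as hex
# and derives the key size from its length, so 32 bytes selects AES-256
# for "aes" (a bare cipher name means "<cipher>-cbc-plain").
random_key_hex() {
    dd if=/dev/urandom bs="${1:-32}" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Device-mapper table line for a crypt target spanning the whole device:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <offset>
# No side effects, so the format can be verified as an unprivileged user.
cryptswap_table() {
    dev=$1 cipher=$2 sectors=$3 keyhex=$4
    printf '0 %s crypt %s %s 0 %s 0\n' "$sectors" "$cipher" "$keyhex" "$dev"
}

# Map one swap partition under a fresh random key, write a new swap
# signature (last boot's contents are unreadable now) and enable it.
setup_cryptswap() {
    dev=$1 name=$2 cipher=$3
    sectors=$(blockdev --getsz "$dev")      # device length in 512-byte sectors
    key=$(random_key_hex 32)
    cryptswap_table "$dev" "$cipher" "$sectors" "$key" | dmsetup create "$name"
    mkswap "/dev/mapper/$name" >/dev/null
    swapon "/dev/mapper/$name"
}

# Only act when invoked with "start", so the file can be sourced for its
# functions without touching any device.
case "${1:-}" in
start)
    while read -r dev name cipher; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blanks and comments
        setup_cryptswap "$dev" "$name" "$cipher"
    done < "$CONFIG"
    ;;
esac
```

Because the key is never stored anywhere, the swap signature has to be rewritten on every boot; the random contents from the previous session are unrecoverable the moment the machine is powered off.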
cryptfs allows you to encrypt some filesystems and offers a simple form of logical volume management.
All information about the encrypted filesystems has to be provided in an XML file. An example with explanations is provided in example/cryptfs.xml, or on Debian systems in /usr/share/doc/dmcryptfs/cryptfs.xml.gz. A simple setup with one encrypted filesystem would be:
    <?xml version="1.0" encoding="UTF-8"?>
    <dmcrypt>
      <!-- On the first setup these should be set to "no" to be able to
           create a filesystem on it. -->
      <option name="fsck" value="yes"/>
      <option name="mount" value="yes"/>
      <storage device="/dev/hda6">
        <entry name="home" cipher="aes256"/>
      </storage>
      <action name="boot">
        <key type="passphrase">/home filesystem encryption</key>
        <map name="home"/>
      </action>
    </dmcrypt>
This XML file should be saved as /etc/cryptfs.xml. A call of 'cryptfs boot' will then activate this encrypted filesystem. ("boot" is the name of the action in the XML file.)
There is an init script called cryptfs, which will call 'cryptfs boot' during boot if there is such an action available. (On Debian systems this script will be installed automatically. So don't name your actions "boot" unless they should be started at boot time.)
My primary goal was to make it play nicely with hotplugging in order to implement two-factor authentication (authentication based on two things: something you have, e.g. a USB stick, and something you know, your passphrase). So some hotplug scripts are provided to make that work:
00_linkscsi.hotplug gives SCSI and USB block devices a stable name in the form of a symlink under /dev/links. See /etc/default/scsidevices for an explanation.
The second script looks for an action in /etc/cryptfs.xml whose name matches the block device (or a symlink to a block device) that was just plugged into the computer, and executes that action.
When I plug in my USB stick, 00_linkscsi.hotplug creates a symlink /dev/links/usbstick pointing to the corresponding device (something like /dev/sda1 or /dev/sdb1). My /etc/cryptfs.xml also contains an action named "/dev/links/usbstick", which is then called and uses a file on the USB stick as part of the key.
This encryption protects your data against physical theft of the hard disk (possibly together with the PC or laptop it is attached to), whether by an ordinary thief or by a government. Once the computer is powered off it no longer holds the key, and without the key the data cannot be decrypted, provided you have chosen a good cipher such as twofish or aes and, for passphrase-based setups, a passphrase that cannot be guessed. Note that "powered off" is the condition: a machine in suspend-to-RAM still holds the key in memory.
However, this encryption does not help against intruders into the running system. Anyone who can become root can read the data through the decrypted block devices and can also read out the keys: 'dmsetup table' prints them (newer versions of dmsetup mask the key unless you pass --showkeys, but root can still obtain it). So make sure that your system is also secure in these regards.
If you have questions, found bugs, have ideas for improvements or more features, or if you just like it, please tell me. (Or if you would like to write better documentation. ;-)
My mail address is: email@example.com
Thanks to Christophe Saout for the device mapper crypt target and for very fast bug fixing on New Year's eve.