
Re: encrypted partition question



Hi Alexander,

On Thursday, 4 September 2008 19:25:12, Alexander Golovin wrote:
> I was trying to encrypt my ext3 partition /dev/hda6, that's what I
> did:
>
> 1. I've added modules: aes, dm_mod, dm_crypt, to /etc/modules
> 2. Created the cryptographic device mapper: cryptsetup -y create
> crypt /dev/hda6 (entered passphrase twice)
> 3. Changed these options: echo "crypt /dev/hda6" >> /etc/crypttab;
> echo "/dev/mapper/crypt /mnt/crypt ext3 defaults 0 1" >> /etc/fstab
> 4. Created mount directory; mkdir /mnt/crypt
> 5. Created a filesystem on the mapped device: mkfs.ext3
> /dev/mapper/crypt
Mostly OK, more on that later.
>
> So, when I've tried to mount /mnt/crypto it was mounted without
> passphrase question, but it was mounted.
That's all right. Cryptsetup makes a container, which contains the
mountable filesystem. You can compare it with an lvm-device. The
lvm-device is just a container for the filesystem.
> But, after reboot I've tried to mount my partition, and that's what I
> have now:
> # mount /mnt/crypt/
> mount: special device /dev/mapper/crypt does not exist
>
> And I don't have a crypt file in /dev/mapper/ directory.
You only have to open your encrypted container.

Your problem is in this line:
> 3. Changed these options: echo "crypt /dev/hda6" >> /etc/crypttab;

There is something missing. Where should cryptsetup get its key?
On my PC, the line looks like:

home /dev/sda6    none    luks

none stands for "ask key", luks is the way I've used to encrypt this
disk. For my /tmp it looks like:

tmp  /dev/sda10     /dev/urandom    tmp

This means the key is provided by /dev/urandom (I don't have to know the
key, and Debian deletes the tmp directory at every boot) and the way it is
used is for a /tmp directory. You can encrypt the swap in the same way,
when you don't want to hibernate. The only difference on my system to
the way /tmp is encrypted: you have to give something like
swap,cipher=twofish-cbc-essiv:sha256 instead of tmp. As cipher you can
use aes, blowfish or some others. A little search on the internet will
show you more. Cbc-essiv is used to encrypt the blocks in a more secure
way and sha256 is the hashing algorithm used for the passphrase (as I
understand the technique used with Linux).

I have used the Debian installer to encrypt my partitions and as far as I
know, cryptsetup always uses luks to encrypt partitions on Debian.

I suppose that your line has to look like this line:

crypt /dev/hda6  none   luks


Greetings

Frank
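
Added example, not part of the original message: a Python check that scans crypttab text for the problem discussed in this thread (an entry with no key field) and reports where each mapping gets its key. The four-field layout is assumed from the lines shown above; check_crypttab, the status texts and the devices /dev/sda5 and /dev/sdb1 are made up for illustration.

```python
# Added example: checks crypttab text for incomplete entries and reports
# where each mapping gets its key. Assumes four whitespace-separated fields
# (target, source device, key file, options), as in the lines quoted above.
FIELDS = ["target", "source device", "key file", "options"]
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}

def check_crypttab(text):
    """Return (line_number, target, status, detail) for every entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        target = fields[0]
        if len(fields) < len(FIELDS):
            missing = ", ".join(FIELDS[len(fields):])
            findings.append((number, target, "error", "missing: " + missing))
            continue
        key = fields[2]
        # Keep option names only (drop any "=value" part).
        options = {opt.split("=", 1)[0] for opt in fields[3].split(",")}
        if key == "none":
            findings.append((number, target, "ok", "passphrase prompt"))
        elif key in RANDOM_KEYS and options & {"swap", "tmp"}:
            findings.append((number, target, "ok", "random key, recreated each boot"))
        elif key in RANDOM_KEYS:
            findings.append((number, target, "error",
                             "random key without swap/tmp: data lost on reboot"))
        else:
            findings.append((number, target, "ok", "key file " + key))
    return findings

# Constructed sample: the first three entries come from this thread, the
# last two (/dev/sda5, /dev/sdb1) are invented to exercise the other branches.
SAMPLE = """\
# <target> <source device> <key file> <options>
crypt /dev/hda6
home /dev/sda6    none    luks
tmp  /dev/sda10     /dev/urandom    tmp
swap /dev/sda5 /dev/urandom swap,cipher=twofish-cbc-essiv:sha256
data /dev/sdb1 /dev/urandom luks
"""

if __name__ == "__main__":
    for number, target, status, detail in check_crypttab(SAMPLE):
        print(f"line {number}: {target}: {status}: {detail}")
```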

