encryption, collection of text by Mandriva and other authors:
As of mdv2009.1, cryptoloop is deprecated, and cryptoloop-encrypted filesystems will no longer be mounted automatically. If you have any filesystems like this, you should migrate them to LUKS. You can still mount them manually via a process such as this (not tested on a partition created by drakcrypt):
1) Encryption of a partition by LUKS
initscripts supports mounting LUKS-encrypted filesystems at boot; however, you will have to create the encrypted volumes manually.
In recent releases of Mandriva (2009.0 and later?), diskdrake supports creation of LUKS-based encrypted volumes, including during installation.
This section covers the (easy) task of just encrypting the /home partition. Encrypting the root partition is more complex.
Note that this was done with an LVM volume set aside for /home; if you are not using LVM, replace all occurrences of /dev/mapper/VGsys-home or /dev/VGsys/home with the partition you are using (e.g. /dev/hda6).
Creating an encrypted volume
You should be able to do this with diskdrake, either during or after installation (as of 2009.0). The command-line method was documented here before this, and is retained for completeness.
Firstly, ensure you aren't accessing the block device on which you are going to create the encrypted filesystem, otherwise you will receive confusing error messages.
Install the necessary software
To ensure the filesystem is mounted at boot, you now need to make two changes:
Edit /etc/fstab, and change the entry for /home. In my case it was from:
/dev/mapper/VGsys-home /home ext3 noatime 0 0
to:
/dev/mapper/cryptohome /home ext3 noatime 0 0
Now initscripts needs to know how to run the 'cryptsetup luksOpen' command; it does this by reading /etc/crypttab. Add an entry like this:
Then rebuild the initrd:
bootloader-config --action rebuild-initrds
Mounting the filesystem at login
It should be possible to mount the filesystem at login using pam_mount (in contrib); just install it using:
HAL apparently has support for LUKS encrypted devices. However, on Mandriva 2007.1 under GNOME, while inserting a flash disk with a LUKS-encrypted filesystem prompts for the passphrase, entering the correct passphrase does not result in it being mounted. Under KDE4 (4.1 and later I think), click on the "Volume (crypto_LUKS)" entry in either the hardware notifier, or the "Places" panel in Dolphin, and you should get a dialog prompting you for your passphrase. Once you enter a correct passphrase, new volumes will appear (in the device notifier plasmoid and the Places panel in Dolphin). Click them to mount the filesystem. Under KDE3, no dialog appears at all. However, it can be mounted quite easily with pmount:
[bgmilne@comanche ~]$ pmount /dev/sda1
Enter LUKS passphrase:
[bgmilne@comanche ~]$ mount|grep sda1
/dev/mapper/_dev_sda1 on /media/sda1 type vfat (rw,noexec,nosuid,nodev,quiet,shortname=mixed,uid=500,gid=500,umask=077,iocharset=utf8)
2) Encrypted SWAP
While it is possible to have the swap partition encrypted with a random key on every boot, what happens to resuming from suspend-to-disk? Since encrypted partitions are usually more useful on laptops, and so is suspending, it seems it may not really be practical. But, in the end, if someone has stolen your laptop, the chances of them recovering data off your /home are *much* better than them being able to reconstruct documents from your swap partition (IMHO).
Creating an encrypted file acting as a partition (using loopback)
The /swap Partition
We need to encrypt the swap partition, since we don't want encryption keys to be swapped to an unencrypted disk. To do that we can first use cryptsetup to encrypt the partition, then create a swap filesystem on it in the usual way and turn it on with swapon. The actual commands can be seen below:
a) short method:
open /etc/crypttab with an editor and enter the line:
cryptswap /dev/sda6 /dev/urandom swap,check=/bin/true
The option check=/bin/true is not necessary!
After that, open /etc/fstab and enter the following line for the swap partition:
/dev/mapper/cryptswap swap swap defaults 0 0
The commands above read the key from /dev/urandom, which is appropriate for swap. If we want to store our hibernation file on the swap partition, we can't use /dev/urandom but must use a passphrase, as with every other encrypted partition. In that case the key must be known in advance, since we need to be able to read the contents of swap in order to boot from the hibernation file. We can then use the commands shown below to create an encrypted swap partition:
cryptsetup --verify-passphrase --cipher serpent-cbc-essiv:sha256 --key-size 256 create swap /dev/sda2
cryptsetup luksAddKey /dev/sda2 /root/keyfile
We also need to change /etc/fstab for the system to be able to use the encrypted swap. The fstab swap entry must contain something like this:
/dev/mapper/cryptswap swap swap defaults 0 0
3) En-/decryption of this partition through a stored key
dd if=/dev/urandom of=/media/usb/key bs=4k count=1
1+0 Datensätze ein
1+0 Datensätze aus
4096 Bytes (4,1 kB) kopiert, 0,0018383 Sekunden, 2,2 MB/s
cryptsetup luksAddKey /dev/hda3 /media/usb/key
Enter any LUKS passphrase:
key slot 0 unlocked.
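Sections 1 to 3 above all hinge on /etc/crypttab and /etc/fstab agreeing with each other (the mapping name, the random key only for swap, a readable stored key). The script below is an added example, not part of the Mandriva page, that cross-checks the two files offline; it assumes the crypttab field order used above (name, device, key, options), that fstab refers to an unlocked volume as /dev/mapper/<name>, and it runs against constructed sample files rather than the real system configuration.

```shell
#!/bin/sh
# Added example, not from the Mandriva page: cross-check /etc/crypttab against
# /etc/fstab before rebooting. Assumes the crypttab field order used above
# ("name device key options") and that fstab refers to an unlocked volume as
# /dev/mapper/<name>, which is where the initscripts put it. One finding per line.
check_crypt_config() {
    crypttab=$1 fstab=$2
    grep -v '^[[:space:]]*#' "$crypttab" | while read -r name dev key opts; do
        [ -n "$name" ] || continue
        # The mapping name must match fstab exactly (a 'create swap' mapping paired
        # with a /dev/mapper/cryptswap fstab entry is the kind of mismatch caught here).
        fstype=$(awk -v d="/dev/mapper/$name" '!/^[[:space:]]*#/ && $1 == d {print $3}' "$fstab")
        [ -n "$fstype" ] || echo "ERROR: $name is in crypttab but /dev/mapper/$name is not in fstab"
        case $key in
        /dev/urandom|/dev/random)
            # A fresh random key each boot is fine for plain swap, fatal for a filesystem,
            # and means a hibernation image on that swap can never be read back.
            if [ "$fstype" = swap ]; then
                echo "INFO: $name is random-key swap; suspend-to-disk cannot resume from it"
            else
                echo "ERROR: $name has a random key but fstab type '${fstype:-?}' is not swap"
            fi ;;
        none|"") ;;  # passphrase prompt at boot: nothing to check offline
        *)
            # A stored key (section 3) protects the volume only as well as its own permissions.
            if [ ! -f "$key" ]; then
                echo "ERROR: key file $key for $name does not exist"
            elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                echo "WARN: key file $key for $name is readable by group or others"
            fi ;;
        esac
    done
}

# Constructed sample configuration in a scratch directory, not real system files.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
dd if=/dev/urandom of="$SAMPLE_DIR/key" bs=4k count=1 2>/dev/null; chmod 644 "$SAMPLE_DIR/key"
printf '%s\n' 'home /dev/VGsys/home none luks' \
    'cryptswap /dev/sda6 /dev/urandom swap' \
    "data /dev/sda7 $SAMPLE_DIR/key luks" \
    "swap /dev/sda2 $SAMPLE_DIR/missing luks" > "$SAMPLE_DIR/crypttab"
printf '%s\n' '/dev/mapper/VGsys-root / ext3 noatime 0 1' \
    '/dev/mapper/cryptohome /home ext3 noatime 0 0' \
    '/dev/mapper/cryptswap swap swap defaults 0 0' \
    '/dev/mapper/data /srv ext3 defaults 0 0' > "$SAMPLE_DIR/fstab"
check_crypt_config "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/fstab"
```

Against the sample files this reports the two mapping-name mismatches (home vs. cryptohome, swap vs. cryptswap), the missing and the world-readable key file, and notes that the random-key swap cannot be resumed from; point it at the real /etc/crypttab and /etc/fstab to check a live configuration.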