[Gllug] [OT] Disk Encryption

Dennis Furey dennis at basis.uklinux.net
Fri Mar 5 04:59:46 UTC 2010


On Thu, Mar 04, 2010 at 06:36:09PM +0000, John Edwards wrote:
> 
> How do you use LUKS?
> 
> Certain files, whole filesystem, root filesystem?
> 

It's full disk encryption, and can be used for the root filesystem. I
have encrypted roots on a half dozen boxes and encrypted filesystems
on some external USB drives. I also store a backup of my home
directory in a loopback-mounted LUKS filesystem image. Once in a while
I unmount that and write the backing file to a DVD or split it into
small fixed-size pieces that I sync with a bucket on Amazon S3. (The
backing file is unintelligible without the key.)

For a non-root filesystem, you have to set up a physical device (like
/dev/sdb1) using the cryptsetup command first with a made-up name and
passphrase, and then mount it as /dev/mapper/madeupname instead of
mounting /dev/sdb1. You'll also have to format it before mounting it
the first time, as ext3 or reiserfs or whatever filesystem you want.

For an encrypted root, you need a modified initramfs to prompt for the
passphrase and set it up automatically when booting. The Debian
cryptsetup package is helpful but migrating an existing system to an
encrypted root isn't fully automated. There are some good web
tutorials hanging around. There's also a way to get an encrypted swap
partition with a random password generated on each boot, but I prefer
having enough RAM to do without a swap.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
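
The non-root procedure described in the message above, written out as a shell script. This is an added example, not part of the original post. /dev/sdb1 and madeupname come from the post; the mount point /mnt/secure, the DRY_RUN switch, the function names and the two safety checks are assumptions made for illustration.

```shell
# Added example. DEVICE, NAME and MOUNTPOINT are constructed sample values.
DEVICE=${DEVICE:-/dev/sdb1}
NAME=${NAME:-madeupname}
MOUNTPOINT=${MOUNTPOINT:-/mnt/secure}
DRY_RUN=${DRY_RUN:-1}   # 1 prints the commands; DRY_RUN=0 executes them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mapping names end up as /dev/mapper/<name>; keep them to a conservative charset.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# luksFormat overwrites whatever is on the device, so refuse if it is
# currently mounted or already carries a LUKS header.
safe_to_format() {
    awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null && return 1
    cryptsetup isLuks "$1" 2>/dev/null && return 1
    return 0
}

first_time_setup() {
    valid_name "$NAME" || { echo "bad mapping name: $NAME" >&2; return 2; }
    safe_to_format "$DEVICE" || { echo "$DEVICE in use or already LUKS" >&2; return 3; }
    run cryptsetup luksFormat "$DEVICE" &&          # asks for the new passphrase
    run cryptsetup luksOpen "$DEVICE" "$NAME" &&    # creates /dev/mapper/$NAME
    run mkfs -t ext3 "/dev/mapper/$NAME" &&         # format the mapping, not $DEVICE
    run mkdir -p "$MOUNTPOINT" &&
    run mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

open_volume() {    # every later use: unlock, then mount the mapping
    valid_name "$NAME" || return 2
    run cryptsetup luksOpen "$DEVICE" "$NAME" &&
    run mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

close_volume() {   # unmount first, then remove the mapping and its key
    run umount "$MOUNTPOINT" &&
    run cryptsetup luksClose "$NAME"
}

case ${1:-} in
    setup) first_time_setup ;;
    open)  open_volume ;;
    close) close_volume ;;
esac
```

Saved to a file and run with no DRY_RUN override, `setup`, `open` and `close` only print the commands; run as root with DRY_RUN=0 to execute them.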



