Hey,
This is supported as of r34790 on the 3rd of November (as I understand it, this should be included in the 8.0-rc2 release). You'll have to recompile sysvinit if you want that on your production system. It will create the file /etc/init.d/system.new, so you'll have to rename it.
TODO: there is no rootfs support!!!
!!!BACKUP ALL YOUR DATA AND DO IT ON YOUR OWN RISK!!!
(it's safe as long as you don't mix up device names)
/dev/sda6 will be used for /home/baldzius
/dev/sda8 will be used for swap
Note: I'll be doing this on my production system, so I have separate partitions created for it; please change the device names according to your own system.
(Haven't tested it, but LVM should work fine)
Install cryptsetup:
./scripts/Emerge-Pkg cryptsetup
First we will start with swap. Encrypting swap is very easy and straightforward; all you need to do is add a line to /etc/crypttab
(don't worry if this file is missing on your system):
swap /dev/sda8 defaults
Next, comment out the swap line in /etc/fstab and add a new one (you can change the existing one if you know what you are doing):
/dev/mapper/swap swap swap defaults 0 0
That's it. Time to reboot and check the system:
# cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/swap partition 3903752 0 -1
# cryptsetup status swap
/dev/mapper/swap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 0 sectors
size: 7807527 sectors
mode: read/write
WARNING: the system script won't do anything if you have swap created as a LUKS device; you'll have to take care of it yourself and use a name other than swap.
As you can see, by default it uses the aes-cbc-essiv cipher with a 256-bit key. You can make changes in /etc/crypttab if you want to customize it:
swap /dev/sda8 /dev/urandom -c aes-xts-plain -s 512
The options field is passed through as a single string, so don't worry about the spaces in it.
NOTE: you can google the differences between /dev/random and /dev/urandom in case you wonder why I've used the latter.
WARNING: right now the /etc/init.d/system init script supports aes, sha256 and sha512 by loading those modules; make sure you've added the required modules if you want to use something else.
Reboot
Checking if changes worked:
# cryptsetup status swap
/dev/mapper/swap is active:
cipher: aes-xts-plain
keysize: 512 bits
device: /dev/sda8
offset: 0 sectors
size: 7807527 sectors
mode: read/write
So far so good.
Basically, I would recommend the default value, as it looks cleaner:
swap /dev/sda8 defaults
NOTE: I didn't implement crypt support for /tmp. I saw no point, as we mount it on shared memory. If you still want to encrypt /tmp, you can encrypt it as a LUKS device just like /home below.
Next step: I am going to encrypt the /home dir. As I am doing this on a production system and already have /home, I will do it for a specific user (baldzius) on a spare partition I created.
I will use /dev/sda6
Fill the partition with random data (this will take a while depending on the size of your partition):
I would recommend skipping this step unless you're very paranoid :)
# dd if=/dev/urandom of=/dev/sda6
NOTE: the step below is needed only if you skipped the swap steps and went straight to encrypting the home directory. You don't need to load the modules if you already have swap encrypted, as the system init script has them loaded already.
Load crypt modules:
# modprobe dm-mod
# modprobe aes
# modprobe sha256
Initialize the partition (use any cipher you want):
# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda6
WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Type the passphrase of your choice.
Create device mapping:
# cryptsetup luksOpen /dev/sda6 home
Enter passphrase for /dev/sda6:
Key slot 0 unlocked.
You can check the device:
# ls -la /dev/mapper/
total 0K
drwxr-xr-x 2 root root 100 Nov 1 13:59 .
drwxr-xr-x 15 root root 12620 Nov 1 13:59 ..
crw------- 1 root root 10, 59 Nov 1 12:25 control
brw------- 1 root root 253, 0 Nov 1 13:59 home
brw------- 1 root root 253, 1 Nov 1 12:25 swap
or
# dmsetup ls
home (253, 0)
swap (253, 1)
The list will be bigger if you are using LVM
Create a file system; I will use ext4 (pick any you like):
# mkfs.ext4 /dev/mapper/home
Now you can test that it works by mounting it and doing some file operations; unmount it when you are done.
Also don't forget to remove the mapping:
# cryptsetup luksClose home
The final step is to have it mounted after each reboot; add to /etc/fstab:
/dev/mapper/home /home/baldzius ext4 relatime,errors=remount-ro 0 2
That's it, time for reboot.
On system startup you'll be asked to type the passphrase. The volume won't be mounted if you fail 3 times.
Check the system:
# df -h
...
/dev/mapper/home 9.2G 149M 8.6G 2% /home/baldzius
# cryptsetup status home
/dev/mapper/home is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda6
offset: 2056 sectors
size: 19532921 sectors
mode: read/write
Looks good. Now you're encrypted, enjoy! :)
BR,
Aldas