Tuesday, August 12, 2008

Encrypted loop device on boot

There are a lot of tutorials on how to set up encrypted LUKS home, root, or swap partitions, but I couldn't find any description of how to set up an encrypted loop device on boot. It's easy to create an encrypted file and mount it manually, but I just couldn't find a way to configure it in /etc/crypttab so that it gets mounted on boot. So, here is the solution for Ubuntu 8.04 (it should work on other distros that support crypttab too):
  1. Create the encrypted file first - this is covered in a lot of tutorials, but let's do it here too (you need to be root for this):
    • create an empty /.cryptdata file
      dd if=/dev/zero of=/.cryptdata count=10 bs=1M
    • mount it via loop device
      losetup /dev/loop0 /.cryptdata
    • create an encrypted volume out of it
      cryptsetup luksFormat /dev/loop0
    • open the volume
      cryptsetup luksOpen /dev/loop0 cryptdata
    • format the volume (create filesystem)
      mke2fs -j /dev/mapper/cryptdata
  2. Add the following entry to /etc/crypttab:
    cryptdata /.cryptdata none luks
  3. Add the following entry to /etc/fstab:
    /dev/mapper/cryptdata /home/cryptdata ext3 relatime 0 2
  4. Create the mountpoint for the encrypted filesystem:
    mkdir /home/cryptdata
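The whole procedure above as one script, added here as an example and not part of the original post. It wraps the post's commands in a function that only prints them unless DRY_RUN=0, and adds a small consistency check a practitioner would want before rebooting: every /dev/mapper/NAME referenced in fstab must have a matching crypttab entry NAME, and the backing file path in crypttab must be absolute (the boot scripts resolve it against an already-mounted root filesystem, which is why /.cryptdata on / works). The function names, the DRY_RUN variable and the check itself are this example's own assumptions; the commands, file names and config lines are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): builds and sanity-checks the
# crypttab/fstab pair for a LUKS volume backed by a regular file, then runs
# the creation steps. DRY_RUN=1 (the default) only prints the commands.
set -u

# Print the crypttab line: <mapper name> <backing file> <key file> <options>.
# "none" as the key file makes the boot scripts prompt for the passphrase.
make_crypttab_entry() {
    printf '%s %s none luks\n' "$1" "$2"
}

# Print the fstab line for the opened mapping; fsck pass number 2 means it is
# checked after the root filesystem.
make_fstab_entry() {
    printf '/dev/mapper/%s %s ext3 relatime 0 2\n' "$1" "$2"
}

# Verify that every /dev/mapper/NAME in fstab has a crypttab entry NAME whose
# backing path is absolute. Returns 0 on success, 1 on the first problem.
check_config() {
    crypttab=$1
    fstab=$2
    names=$(printf '%s\n' "$fstab" | awk '$1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }')
    for name in $names; do
        backing=$(printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$backing" ]; then
            printf 'no crypttab entry for %s\n' "$name" >&2
            return 1
        fi
        case $backing in
            /*) ;;
            *)  printf 'backing path for %s is not absolute: %s\n' "$name" "$backing" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Execute a command, or just echo it when DRY_RUN is 1 (the default).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# The creation steps from the post, in order. Needs root when DRY_RUN=0.
create_crypt_file() {
    name=$1; file=$2; size_mb=$3
    run dd if=/dev/zero of="$file" count="$size_mb" bs=1M
    run losetup /dev/loop0 "$file"
    run cryptsetup luksFormat /dev/loop0
    run cryptsetup luksOpen /dev/loop0 "$name"
    run mke2fs -j "/dev/mapper/$name"
}

# Usage: generate the two config lines, check them, then show the commands.
crypttab_line=$(make_crypttab_entry cryptdata /.cryptdata)
fstab_line=$(make_fstab_entry cryptdata /home/cryptdata)
check_config "$crypttab_line" "$fstab_line" && printf '%s\n%s\n' "$crypttab_line" "$fstab_line"
create_crypt_file cryptdata /.cryptdata 10
run mkdir /home/cryptdata
```

Running it as-is only prints the commands and the two config lines; set DRY_RUN=0 as root to actually create the file. The post hard-codes /dev/loop0; if that device is already in use, `losetup -f` picks the next free loop device, and the `cryptsetup` and `mke2fs` steps are unchanged apart from the device name.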
From now on, the encrypted file will be mounted via the loop device on system startup; you'll be asked for the encryption password during boot.
