Encrypting (almost) your entire hard drive with dm-crypt (LUKS) and lvm2, Part 2


Six months ago I posted an outline for encrypting your system with LUKS. Well, I figure it's about time for me to write up how to actually go about it. In this post, I'll outline the necessary kernel configuration.

The basic kernel configuration that I mentioned a long time ago still holds. Basically, you need to have the following options built into your kernel: CONFIG_DM_CRYPT, CONFIG_CRYPTO_CBC, CONFIG_CRYPTO_SHA256, and CONFIG_CRYPTO_AES. Most of those will be turned on when you enable:

Device Drivers ->
  Multiple devices driver support (RAID and LVM) ->
    Device mapper support ->
      Crypt target support

However, the SHA256 support will not be. It can be found at:

Cryptographic API ->
  SHA224 and SHA256 digest algorithm

On the note of kernel configuration: for this process, you will need to do a fair amount of work from within another Linux environment (most likely a LiveCD). For Gentoo, the most recent CD image I've found that has all the necessary configuration is the 2006.1 version... As I recall, some of the intermediate minimal CDs, at least, didn't possess cryptsetup at all. And the most recent weekly build I tried, while it did have lvm and cryptsetup installed, didn't have CONFIG_CRYPTO_SHA256 either built in or as a module.

Probably the best bet is an Ubuntu 8.10 Alternative CD. You'll have to either boot in recovery mode, or go through a bit of the installation procedure, as it doesn't initially have cryptsetup available. But, once it's detected the CD and loaded the modules from it, you can just switch to another virtual console and do things from there.
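The option list above can be checked mechanically against a kernel config file. This is an added example, not part of the original post; the function names, the two modes, and the sample config are constructed for illustration. The `builtin` mode follows the post's requirement that the options be built in, and the `any` mode accepts a module as well, which is the bar the post applies to a LiveCD.

```shell
#!/bin/sh
# Options the post says must be present.
REQUIRED="CONFIG_DM_CRYPT CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_AES"

# opt_state FILE OPTION -> prints y, m, or n (n = "is not set" or absent)
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# check_config FILE [builtin|any]
#   builtin: every option must be =y (the kernel you will boot from)
#   any:     =y or =m is accepted (a rescue/LiveCD kernel)
# Prints one line per option and returns 0 only if all of them pass.
check_config() {
    file=$1 mode=${2:-builtin} rc=0
    for opt in $REQUIRED; do
        state=$(opt_state "$file" "$opt")
        case "$mode:$state" in
            builtin:y|any:y|any:m) verdict=ok ;;
            *) verdict=MISSING; rc=1 ;;
        esac
        echo "$opt=$state $verdict"
    done
    return $rc
}

# Constructed sample config (not from a real kernel): the crypt target is
# enabled, but SHA256 was only selected as a module.
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_SHA256=m
# CONFIG_CRYPTO_SHA512 is not set
CONFIG_CRYPTO_AES=y
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
check_config "$tmp" builtin || echo "not ready as the boot kernel"
check_config "$tmp" any && echo "usable as a rescue environment"
rm -f "$tmp"
```

Point `check_config` at the `.config` in your kernel source tree with `builtin`, and at the LiveCD kernel's config (for example a decompressed `/proc/config.gz`, where the kernel exposes it) with `any`.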

Next time, I'll outline creating the disk partitions.



The best bet for a LiveCD is GRML. It's made for administration tasks like this (and - although Debian-based - it still comes with EVMS :-) )



Man, don't leave us hanging. :)

I'm ready to get this going. The initramfs stuff is what I'm waiting on...