Date: Thu, 23 Aug 2012 13:27:28 +0200
From: Arno Wagner
Message-ID: <20120823112728.GA20834@tansi.org>
In-Reply-To: <20120823090049.GB14639@Latty>
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
To: dm-crypt@saout.de

On Thu, Aug 23, 2012 at 11:00:49AM +0200, Christophe wrote:
> On Wed, Aug 22, 2012 at 04:10:01PM +0400, Stayvoid wrote:
> > Hello,
> >
> > I'd like to encrypt all partitions (or most of them) with plain dm-crypt.
>
> What do you mean by plain dm-crypt?

plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless set-up.
Used this way in the man-page and the FAQ. I assume that is
what he meant.

> If you mean aes-plain, then the mechanisms

That is something different. Plain dm-crypt defaults to
aes-cbc-essiv:sha256

> present in most distributions won't be able to "see" your encrypted volumes, and
> /etc/crypttab won't be of any use either.
>
> However, as Arno said you can do it with an initramfs image. Debian for
> instance has a pretty convenient mechanism to automatically create
> initramfs images for your different kernels, and you can use hooks to
> place your own scripts in it. When you install cryptsetup, Debian updates
> all the initramfs images with the cryptsetup binary.

Nice! Seems cryptsetup support in distros is definitely
getting better.

> All you'll need to
> do after that is to add a custom boot parameter to your bootloader (say
> encrypted_root=/dev/sdX), place a script in the initramfs that will map
> the partition with cryptsetup (e.g. cryptsetup -c aes-plain create root
> ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).

So no full support yet? Pity. As some others here have pointed out,
there are Distros with full cryptsetup integration. Gentoo seems
to be one. On the other hand, it seems some problems Ubuntu has
with LUKS are still not solved, so YMMV.

> It requires a bit of fiddling but it'll work, and if your distro has such
> mechanisms as Debian has, it won't break your configuration when updating
> grub or the kernel because it'll run the hooks again.

And on the plus side, if you ever run into a situation where you
need to access your encrypted partition with a rescue system
(seems to happen regularly), you know what to do from doing
parts yourself.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
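
The initramfs script that the quoted procedure describes, as an added example that is not part of the original message or of any distribution's own scripts: it reads `encrypted_root=` from the kernel command line, validates the value, and maps the device as `root` in plain mode. The function names, the `CIPHER` value (it has to match how the volume was created, since a headerless volume records no parameters) and the use of the Debian initramfs-tools `prereqs` convention are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Assumptions: the boot
# parameter name and the mapping name "root" come from the quoted procedure;
# CIPHER must match whatever the volume was originally set up with.
CIPHER="aes-cbc-essiv:sha256"

# initramfs-tools calls boot scripts with "prereqs" at image build time.
case "${1:-}" in
    prereqs) echo ""; exit 0 ;;
esac

# Print the device named by encrypted_root= in a kernel command line ($1).
# Runs in a subshell so "set -f" does not leak to the caller.
parse_encrypted_root() (
    set -f                       # no glob expansion while word-splitting
    dev=""
    for arg in $1; do
        case "$arg" in
            encrypted_root=*) dev=${arg#encrypted_root=} ;;  # last one wins
        esac
    done
    case "$dev" in
        *[!A-Za-z0-9/_.:-]* | *..*) exit 1 ;;  # unexpected characters or ".."
        /dev/?*) printf '%s\n' "$dev" ;;
        *) exit 1 ;;                          # missing or not under /dev
    esac
)

# Map the device as /dev/mapper/root in plain (headerless) mode.
# cryptsetup prompts for the passphrase on the console.
map_root() {
    if [ ! -b "$1" ]; then
        echo "encrypted_root: $1 is not a block device" >&2
        return 1
    fi
    cryptsetup -c "$CIPHER" create root "$1"
}

# Boot-time entry point: does nothing when the parameter is absent.
if dev=$(parse_encrypted_root "$(cat /proc/cmdline 2>/dev/null)"); then
    map_root "$dev" || echo "encrypted_root: mapping $dev failed" >&2
fi
```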