How to Create an Encrypted Partition

This post is very similar to a previous one that I wrote on encrypting flash drives using cryptsetup, which may be useful since the procedure is nearly the same.  When installing Fedora, the option is given to encrypt the entire hard drive, but sometimes this is unnecessary.  Instead it may be more convenient to simply have a separate encrypted partition for more private information, and to leave the rest of the hard drive unencrypted.

First create the partition that you want to have encrypted.  This can be done by using a GParted live-cd.  The live image can be downloaded here, and GParted is very easy to use.  Simply shrink a current partition and then create a new one with the blank space left over.  It does not matter how you format the new partition since it will be rewritten later on.

The partition that I created was located on /dev/sda4, but you should of course use the location of your partition when going through the rest of the tutorial.

Formatting the Partition and Creating the Device Mapper

Encrypting the partition is easy and can be done in three steps.  The first step initializes the LUKS partition, the second opens the partition and creates a device mapper, and the third sets up the partition’s file system.  I have chosen cryptmap as the name of the device mapper, but the choice is arbitrary and can be changed to whatever you would like it to be.

[brad@localhost ~]$ sudo cryptsetup luksFormat /dev/sda4
[brad@localhost ~]$ sudo cryptsetup luksOpen /dev/sda4 cryptmap
[brad@localhost ~]$ sudo mkfs.ext3 /dev/mapper/cryptmap

Mounting the Partition

The first command opens the LUKS partition and creates the device mapper, which I have named cryptmap.  After entering the command into the terminal, the password to decrypt the partition will be requested.  The device mapper can then be mounted to access the contents of the partition by using the second command given below.  The folder /mnt/cryptpart will have to be created first, and the naming convention here is also arbitrary.

[brad@localhost ~]$ sudo cryptsetup luksOpen /dev/sda4 cryptmap
[brad@localhost ~]$ sudo mount /dev/mapper/cryptmap /mnt/cryptpart

Unmounting the Partition

There are actually two steps to unmounting the partition.  The first step is to unmount the device mapper.  However, at this point the information on the partition is still accessible because it can be remounted without the decryption password.  Therefore, it is also important to close the LUKS partition after the mapper is unmounted.

[brad@localhost ~]$ sudo umount /dev/mapper/cryptmap
[brad@localhost ~]$ sudo cryptsetup luksClose /dev/mapper/cryptmap
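
The two-step teardown above can be turned into a check that catches a mapping left open after umount. This is an added example, not code from the original post: luks_state and luks_lock are hypothetical helper names, and the MAPPER_DIR and MOUNTS_FILE overrides are assumptions that let the logic be tried without root.

```bash
#!/bin/sh
# Added example: report whether a LUKS mapping is still exposed, and lock it.
# MAPPER_DIR and MOUNTS_FILE are assumed overrides for testing without root;
# the defaults are the real kernel interfaces.
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# luks_state NAME -> prints: closed | open-unmounted | mounted
luks_state() {
    local dev="$MAPPER_DIR/$1"
    # No mapper node: the volume is closed and needs the password again.
    if [ ! -e "$dev" ]; then
        echo closed
        return 0
    fi
    # The first field of each mounts line is the source device.
    if awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE"; then
        echo mounted
    else
        # Unmounted but still mapped: remountable with no password prompt.
        echo open-unmounted
    fi
}

# luks_lock NAME -> unmount if needed, close the mapping, verify the result.
luks_lock() {
    local name="$1" state
    state="$(luks_state "$name")"
    if [ "$state" = mounted ]; then
        sudo umount "$MAPPER_DIR/$name" || return 1
    fi
    if [ "$state" != closed ]; then
        sudo cryptsetup luksClose "$name" || return 1
    fi
    # Succeed only if the mapper node is really gone.
    [ "$(luks_state "$name")" = closed ]
}

# Usage with the names from this post:
#   luks_state cryptmap    # "open-unmounted" means umount ran but luksClose did not
#   luks_lock cryptmap
```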

No Password Prompt at Boot

To avoid being asked for the LUKS partition's password every time the computer is restarted, add the parameter rd_NO_LUKS to the vmlinuz line in /boot/grub/grub.conf.  Do not do this if your root partition is encrypted or you won’t be able to boot the OS.  The /boot/grub/grub.conf file should have a section that looks similar to the text below.  The line that starts with kernel /vmlinuz is broken up into three lines so that it can be pasted here.  This line may not be exactly the same as yours depending on what boot parameters you have, and it should not be copied.  The purpose of the text below is just to illustrate where to place the parameter rd_NO_LUKS, which appears at the end of the kernel line.

default=0
timeout=1
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.32.9-70.fc12.i686)
 root (hd0,1)
 kernel /vmlinuz-2.6.32.9-70.fc12.i686 ro root=/dev/mapper/VolGroup-
 lv_root nomodeset noiswmd LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16
 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet rd_NO_LUKS
 initrd /initramfs-2.6.32.9-70.fc12.i686.img
