Once you have a nice new empty partition, you'll encrypt it with the cryptsetup command. Be very sure you are encrypting the correct partition:

# cryptsetup --verbose --verify-passphrase -c aes-cbc-plain luksFormat /dev/sda2
This will overwrite data on /dev/sda2 unrecoverable.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:

This creates the encrypted partition. Now you need to create and name a mountable logical partition. In this example it is named sda2, but it could be test or fred or mysecretpartition, or anything you want:

# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 0 unlocked.

This should show as a block device in /dev/mapper:

$ ls -l /dev/mapper
crw-rw---- 1 root root 10, 63 2007-06-09 18:38 control
brw-rw---- 1 root disk 254, 0 2007-06-09 19:46 sda2

Now put a filesystem on the logical partition:

# mkfs.ext3 /dev/mapper/sda2

Now you need to make a mount point so you can mount and use this nice new encrypted partition. Remember, you must use the device name from /dev/mapper/, not the raw partition. I'll put it in my home directory. Watch for operations that require rootly powers:

$ mkdir /home/me/crypted
# mount /dev/mapper/sda2 /home/me/crypted

Confirm that it mounted, and write a test file:

# df -H
Filesystem           Size  Used  Avail  Use%  Mounted on
/dev/mapper/sda2     7.9G  152M  7.3G   3%    /home/carla/crypted
# cd /home/me/crypted
# nano test

So far so good! But there is one big problem: only root can access this partition. We need our ordinary user to be able to use it. This virtual partition can be managed in /etc/fstab, just like any other partition. So add a line to /etc/fstab to allow an unprivileged user to mount and unmount the partition:

/dev/mapper/sda2 /home/carla/crypted ext3 user,atime,noauto,rw,dev,exec,suid 0 0

Now Carla can mount it herself:

$ mount ~/crypted

But Carla still cannot write to it. For this we need rootly powers one more time, to put the correct ownership and permissions on the mounted block device:

# chown carla:carla /home/carla/crypted/
# chmod 0700 /home/carla/crypted/

Ok then, that's a lot of Carlas! But now Carla has her own encrypted directory to read and write to, just like any other directory in her home directory, and no one else can touch it.
You may unmount and shut off the encrypted partition manually like this:

$ umount crypted
# cryptsetup luksClose sda2

You'll need your LUKS password only when you open the encrypted device. Remember, if you lose this password you are toast. You may delete the partition and start over, but your data are unrecoverable. Once the encrypted device is open and mounted, you may use it like any other partition.
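As an added example (not from the original article), here is a small POSIX shell helper set wrapped around the luksFormat and fstab steps above: it refuses to format a partition that is currently mounted or already carries a LUKS header, and it builds the fstab line while keeping the nosuid and nodev protections that the user option normally implies. The device name, mount point and mounts-table path are assumptions matching the example above, and the cipher argument is left at cryptsetup's own default rather than aes-cbc-plain.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers around the
# luksFormat / luksOpen / fstab steps; device names are illustrative.

# Return 0 if $1 appears as the source device of any mount. $2 optionally
# points at a constructed mounts table instead of /proc/mounts, so the check
# can be exercised offline without touching real devices.
device_is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    # Field 1 of each /proc/mounts line is the mounted source device.
    awk -v d="$dev" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# Build the /etc/fstab entry for a user-mountable mapped device. Unlike the
# article's line, this does not add dev/suid back in: "user" implies
# nosuid,nodev,noexec, and only exec is re-enabled here so scripts still run.
fstab_line() {
    name=$1; mountpoint=$2
    printf '/dev/mapper/%s %s ext3 user,noauto,rw,nosuid,nodev,exec 0 0\n' \
        "$name" "$mountpoint"
}

# Wrap the destructive step: bail out if the partition is mounted (status 2)
# or already has a LUKS header (status 3); otherwise run cryptsetup, which
# needs root and will still ask for the uppercase YES and the passphrase.
safe_luks_format() {
    part=$1; mounts=${2:-/proc/mounts}
    if device_is_mounted "$part" "$mounts"; then
        echo "refusing: $part is currently mounted" >&2
        return 2
    fi
    if command -v cryptsetup >/dev/null 2>&1 && cryptsetup isLuks "$part" 2>/dev/null; then
        echo "refusing: $part already carries a LUKS header" >&2
        return 3
    fi
    cryptsetup --verbose --verify-passphrase luksFormat "$part"
}
```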
You need root powers to run cryptsetup. This is probably not ideal for your users. There are a number of different ways to handle this. One is to use sudo; *buntu users are already set up with an all-powerful sudo. Another option is to configure it to start up at boot, and close at shutdown. Or you might want to create some nice desktop icons so your users can start it up and shut it down easily on demand.
We'll learn how to do these things next week, plus we'll learn how to encrypt USB keys, and how to set up a failsafe for a lost passphrase.