[NCLUG] Encrypted Filesystems?

Bob Proulx bob at proulx.com
Thu Apr 19 09:33:16 MDT 2007


Sean Reifschneider wrote:
> Michael Milligan wrote:
> > Ubuntu does, since last October ("Edgy" release).  Even integrated with
> > Gnome... pops a password dialog and does the rest auto-magically.
> 
> That's the easy part, even relatively easy to do on Fedora.  It's the root
> file-system, well before Gnome is available, that is what I'm looking
> to next.  Encrypted /home is a 99% solution for me right now though.

Me too.  Since I first posted my original questions I have been using
my laptop with an encrypted root filesystem.  It has all been working
quite well enough that I would definitely recommend it.

The Debian installer in the recently released Etch has nice support
for setting this up at installation time.  You can choose either
dm-crypt or loop-aes.  I chose dm-crypt.  I chose to have LUKS request
the key at boot time.  You can choose AES, Twofish, Blowfish, Serpent
for encryption.  I chose AES.  You can choose 256, 192, 128 bits with
AES.  I chose AES 128 bit encryption as an optimization for cpu usage
for longer battery life.

I wanted to only interact once at boot time so I only set up one
encrypted partition.  I made it an LVM partition so that I could split
up the result into at least swap and filesystem space (for servers I
am a fan of the many captive partition model) and have an option to
resize things later through LVM.  To keep things simple (and I know
what is happening on my laptop) I put the entire filesystem in one
partition.

In order to enable booting an encrypted root or an lvm root the /boot
partition must not be encrypted.  I always use a separate /boot anyway
so that is fine with me.

This made my system look like:

  /dev/hda1                  /boot
  /dev/hda5                  base for encrypted partition
  /dev/mapper/hda5_crypt     base for lvm volume group vg0
  /dev/mapper/vg0-root       /
  /dev/mapper/vg0-swap       swap

Suspend to disk uses the encrypted swap.  Resuming from suspend uses
LUKS to ask for the passphrase.  Resume after that point is normal and
has worked flawlessly for me.

Thanks Sean and Scott for great hints at hacking society for other
laptop setup!  Suspend to ram is working great.  I have all of the
buttons working.  The light is blinking.  Life is good.

Bob
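
Added example, not part of the message above: a small Python check that the layout described (cleartext /boot, everything else including swap stacked on one dm-crypt device) is what a machine actually has. It assumes a current system where `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` is available and each device has a single parent; the sample input and the `dm-N` names are constructed to mirror the layout in the message.

```python
import re

# Constructed sample in the style of
# `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` for the layout in the message.
SAMPLE = '''\
KNAME="hda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="hda1" PKNAME="hda" TYPE="part" MOUNTPOINT="/boot"
KNAME="hda5" PKNAME="hda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="hda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
'''

def parse(text):
    """Return one dict of key="value" pairs per device line."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', line))
            for line in text.splitlines() if line.strip()]

def on_crypt(dev, by_name):
    """True if dev or any ancestor is a dm-crypt mapping."""
    seen = set()
    while dev and dev["KNAME"] not in seen:
        if dev["TYPE"] == "crypt":
            return True
        seen.add(dev["KNAME"])          # guard against malformed loops
        dev = by_name.get(dev["PKNAME"])
    return False

def audit(text):
    """Map each mount point (and swap) to whether it sits on encrypted storage."""
    devs = parse(text)
    by_name = {d["KNAME"]: d for d in devs}
    return {d["MOUNTPOINT"]: on_crypt(d, by_name)
            for d in devs if d["MOUNTPOINT"]}

def unencrypted(text, allowed=("/boot",)):
    """Mount points in cleartext that are not expected to be."""
    return sorted(m for m, enc in audit(text).items()
                  if not enc and m not in allowed)

if __name__ == "__main__":
    for mount, enc in sorted(audit(SAMPLE).items()):
        print(f"{mount:8} {'encrypted' if enc else 'CLEARTEXT'}")
    print("unexpected cleartext:", unencrypted(SAMPLE) or "none")
```

The swap line is the one worth watching: with suspend to disk, a swap area outside the encrypted volume would hold a cleartext memory image.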


