An encrypted file system on Ubuntu Linux protects data well. Even if the machine ends up in an attacker's hands, without the key all they will see is a jumble of unreadable characters that is of no use to them.
This document describes how to use dm-crypt to create an encrypted file system. Compared with other methods for creating an encrypted file system, dm-crypt has unparalleled advantages: it is faster and easier to use. It is also widely applicable and runs on all kinds of block devices, including devices that sit on RAID or LVM. dm-crypt has these advantages mainly because it is built on the device-mapper feature of the 2.6 kernel. Device-mapper is designed to provide a general and flexible way to add a virtual layer on top of an actual block device, which makes it easier for developers to implement mirroring, snapshots, cascading and encryption. In addition, dm-crypt uses the kernel's Cryptographic API to implement transparent encryption and is compatible with the cryptloop system.
1. Configure the kernel
dm-crypt uses the kernel's Cryptographic API to perform cryptographic operations. The kernel usually loads the individual ciphers as modules. 256-bit AES is already very strong, even for protecting top-secret data, so this article uses the 256-bit AES cipher. To make sure your kernel has loaded the AES cipher module, check with the following command:
$ cat /proc/crypto
If the output is similar to the following, it indicates that the AES module has been loaded:
name         : aes
module       : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
Otherwise, we can use modprobe to manually load the AES module. The command is as follows:
$ sudo modprobe aes
Next, install the dmsetup package, which contains the tools required to configure device-mapper:
$ sudo apt-get install dmsetup cryptsetup
To check whether the dmsetup package has set up the device mapper, type the following command:
$ ls -l /dev/mapper/control
Next, load the dm-crypt kernel module:
$ sudo modprobe dm-crypt
After dm-crypt is loaded, it registers itself with device-mapper automatically. If you check again, device-mapper now recognizes dm-crypt and lists crypt as an available target:
$ sudo dmsetup targets
If everything goes well, you should now see crypt in the output, as follows:
crypt            v1.1.0
striped          v1.0.2
linear           v1.0.1
error            v1.0.1
This indicates that our system is ready to load encrypted devices. Next, we will create an encrypted device.
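The three checks in this section can be combined into one preflight script. This is an added example, not part of the original article: the function names and the sample data are constructed for illustration, and it assumes that a "max keysize" of 32 bytes is what 256-bit AES requires.

```shell
#!/bin/sh
# Added example (not from the original article): preflight for the checks above.
# Parsers read stdin so they can be exercised on the constructed samples below.

# Print the largest "max keysize" (bytes) registered for cipher NAME, 0 if absent.
# /proc/crypto is a list of "key : value" records separated by blank lines.
cipher_max_keysize() {
    awk -v want="$1" -F'[ \t]*:[ \t]*' '
        /^[ \t]*$/        { cur = "" }
        $1 == "name"      { cur = $2 }
        $1 == "max keysize" && cur == want && $2 + 0 > max { max = $2 + 0 }
        END               { print max + 0 }'
}

# Succeed if `dmsetup targets` output on stdin lists target NAME in column 1.
has_dm_target() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Live check, run as root: AES with 32-byte keys, control node, crypt target.
preflight() {
    rc=0
    [ "$(cipher_max_keysize aes < /proc/crypto)" -ge 32 ] ||
        { echo "no 256-bit aes in /proc/crypto (try: modprobe aes)" >&2; rc=1; }
    [ -c /dev/mapper/control ] ||
        { echo "/dev/mapper/control missing (is dmsetup installed?)" >&2; rc=1; }
    dmsetup targets 2>/dev/null | has_dm_target crypt ||
        { echo "crypt target not registered (try: modprobe dm-crypt)" >&2; rc=1; }
    return "$rc"
}

# Constructed sample inputs, modelled on the outputs shown in the article.
sample_proc_crypto() {
    printf '%s\n' 'name         : cbc(aes)' 'module       : kernel' \
        'max keysize  : 32' '' 'name         : aes' 'module       : aes' \
        'type         : cipher' 'blocksize    : 16' 'min keysize  : 16' \
        'max keysize  : 32' '' 'name         : des' 'max keysize  : 8'
}
sample_dm_targets() {
    printf '%s\n' 'crypt            v1.1.0' 'striped          v1.0.2' \
        'linear           v1.0.1' 'error            v1.0.1'
}

# Run against the live system only when asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then preflight; fi
```

The cipher name is matched exactly, so a template entry such as cbc(aes) does not count as the plain aes cipher the article checks for.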