How to Use dm-crypt to build an encrypted file system (EFS)

Source: Internet
Author: User
Tags: crypt

Compared with other ways of building an encrypted file system, dm-crypt has clear advantages: it is fast and simple to use, it is widely deployed, and it runs on any block device, including devices that sit on top of RAID or LVM. It owes these advantages to its design: dm-crypt is a target for the device-mapper framework introduced in the 2.6 kernel. Device-mapper provides a general, flexible way to stack a virtual layer over a real block device, which is the mechanism behind mirroring, snapshots, stacked volumes and encryption. dm-crypt does its transparent encryption through the kernel Crypto API and can read volumes created with the older cryptoloop system.

Step 1: Kernel preparation

dm-crypt performs its cipher operations through the kernel's Crypto API. The kernel normally builds the individual ciphers as loadable modules. AES is the usual choice; its security margin is considered adequate even for top-secret data. To confirm that the kernel has the AES cipher loaded, look for a "name : aes" entry in /proc/crypto:

# cat /proc/crypto

If it is missing, load the AES module manually with modprobe:

# modprobe aes

Next, install the dmsetup package, which contains the tools for configuring device-mapper, together with cryptsetup, the user-space front end for dm-crypt (the command below is for a yum-based system):

# yum install dmsetup cryptsetup

To check that the device-mapper control node has been created, run:

# ls -l /dev/mapper/control

Then, run the following command to load the dm-crypt kernel module:

# modprobe dm-crypt

Once loaded, dm-crypt registers itself with device-mapper as a target named crypt. Listing the registered targets should now show crypt among them:

# dmsetup targets

If crypt appears in the output, the system is ready to set up an encrypted device, which is the next step.

Step 2: Create an encrypted device

A file system on an encrypted device can be backed in one of two ways: a disk image attached as a loop device, or a physical block device. Apart from creating the image and binding it to the loop device, the steps are the same for both.

Create a disk image

If you have no physical device to encrypt (a USB stick or a spare partition, for example), you can create an empty disk image with dd and attach it as a loop device; it then behaves like any other block device. For example:

# dd if=/dev/zero of=/virtual.img bs=1M count=100

This creates a 100 MB disk image named virtual.img; change the value of count to change its size.

Next, use losetup to associate the image with a loop device:

# losetup /dev/loop0 /virtual.img

There is now a virtual block device at /dev/loop0 that can be used just like any other device. (If loop0 is already taken, losetup -f prints the first free loop device.)

Set up the block device

With either a physical block device (such as /dev/hda1) or a virtual one (the loop device created above) ready, the next step is to have device-mapper lay an encrypted logical volume over it.

cryptsetup creates the logical volume and binds it to the block device:

# cryptsetup -y create ly_EFS device_name

ly_EFS is the name of the new logical volume; the last argument, device_name, must be the block device that will hold the encrypted volume. So, to use the image created above as the backing device, run:

# cryptsetup -y create ly_EFS /dev/loop0

For a physical and a virtual block device alike, the program prompts for the passphrase of the logical volume; -y makes it ask twice so that a typo is caught. This matters because cryptsetup create sets up a plain-mode dm-crypt mapping: there is no on-disk header, the passphrase is simply hashed into the key, and nothing can ever report that a passphrase is wrong. A passphrase mistyped at creation time means the data can only ever be read back with that same mistyped passphrase. (Current cryptsetup releases keep create as a legacy alias for cryptsetup open --type plain.) To confirm that the logical volume exists, run:

# dmsetup ls

If the command lists the logical volume, it was created successfully; the device numbers shown vary from machine to machine. Device-mapper exposes its virtual devices under /dev/mapper, so your new block device is /dev/mapper/ly_EFS. It looks and behaves like any other block device, but everything that passes through it is encrypted transparently.

As on a physical device, you can now create a file system on the virtual one:

# mkfs.ext3 /dev/mapper/ly_EFS

Create a mount point for the new block device and mount it:

# mkdir /mnt/ly_EFS
# mount /dev/mapper/ly_EFS /mnt/ly_EFS

Check the mounted file system with:

# df -h /mnt/ly_EFS

The mounted file system looks exactly like any other, but everything written under /mnt/ly_EFS is encrypted before it reaches the disk; what is stored on the underlying device (/dev/loop0 or the partition) is ciphertext.

Unmount an encrypted device

Unmounting the encrypted file system is the same for both kinds of backing device:

# umount /mnt/ly_EFS

Even after the file system is unmounted, the device still exists as a virtual device in dm-crypt; run dmsetup ls again and it is still listed. The key stays in the kernel as long as the mapping does, so anyone who is able to mount block devices on the machine (root, or a user granted that right in /etc/fstab) can mount /dev/mapper/ly_EFS again without knowing the passphrase. To prevent that, remove the device from dm-crypt explicitly after unmounting it:

# cryptsetup remove ly_EFS

The mapping and its key are then gone; to use the volume again, the passphrase must be entered again.

Reload the encrypted device

Once the encrypted device has been removed, you will want a quick way to bring it back. To let a plain mount /mnt/ly_EFS find the device, add the following line to /etc/fstab:

/dev/mapper/ly_EFS /mnt/ly_EFS ext3 noauto,noatime 0 0

This entry alone does not let an unprivileged user mount the volume: that needs the user option, and re-creating the mapping with cryptsetup needs root in any case.

You can also write a small script that re-creates the dm-crypt mapping and mounts the volume for you; replace /dev/DEVICENAME with the actual device name or file path:

#!/bin/sh
cryptsetup create ly_EFS /dev/DEVICENAME
mount /dev/mapper/ly_EFS /mnt/ly_EFS

If the volume is backed by a loop device, the script can bind the loop device as well:

#!/bin/sh
losetup /dev/loop0 /virtual.img
cryptsetup create ly_EFS /dev/loop0
mount /dev/mapper/ly_EFS /mnt/ly_EFS
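As an added example that is not part of the original article, here is the whole procedure (the Step 1 checks, the Step 2 setup, the unmount and remove sequence, and the reopening script) gathered into one helper script. The image path, loop device, mapping name and mount point are assumptions taken from the examples above and can be overridden in the environment; DRY_RUN=1 prints the commands instead of running them, so the plan can be reviewed before running it as root.

```bash
#!/bin/sh
# Added example, not part of the original article: the dm-crypt plain-mode
# procedure as one helper script. The image path, loop device, mapping
# name and mount point are assumptions taken from the article's examples;
# override them with the EFS_* variables. DRY_RUN=1 prints the commands
# instead of executing them.
set -eu

EFS_IMG=${EFS_IMG:-/virtual.img}       # backing disk image (assumed path)
EFS_LOOP=${EFS_LOOP:-/dev/loop0}       # loop device; the article pins loop0
EFS_NAME=${EFS_NAME:-ly_EFS}           # dm-crypt mapping -> /dev/mapper/$EFS_NAME
EFS_MNT=${EFS_MNT:-/mnt/ly_EFS}        # mount point
EFS_SIZE_MB=${EFS_SIZE_MB:-100}        # image size in MB

# run: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: make sure the kernel can actually back the mapping. Fail early
# instead of letting cryptsetup produce a confusing error later.
efs_precheck() {
    grep -q '^name[[:space:]]*:[[:space:]]*aes$' /proc/crypto || modprobe aes
    modprobe dm-crypt
    [ -e /dev/mapper/control ] || { echo "no /dev/mapper/control" >&2; return 1; }
    dmsetup targets | grep -q '^crypt[[:space:]]' || { echo "crypt target missing" >&2; return 1; }
}

# Step 2: image, loop device, plain-mode mapping, file system, mount.
efs_setup() {
    run dd if=/dev/zero of="$EFS_IMG" bs=1M count="$EFS_SIZE_MB"
    run losetup "$EFS_LOOP" "$EFS_IMG"
    # -y asks for the passphrase twice: plain mode has no header, so a
    # mistyped passphrase is never rejected, only noticed later as garbage.
    run cryptsetup -y create "$EFS_NAME" "$EFS_LOOP"
    run mkfs.ext3 /dev/mapper/"$EFS_NAME"
    run mkdir -p "$EFS_MNT"
    run mount /dev/mapper/"$EFS_NAME" "$EFS_MNT"
}

# Reopen an existing volume (no dd, no mkfs). In plain mode cryptsetup
# cannot reject a wrong passphrase; a mount failing with "wrong fs type"
# is the only sign of it, so the mapping is torn down again in that case.
efs_open() {
    run losetup "$EFS_LOOP" "$EFS_IMG"
    run cryptsetup create "$EFS_NAME" "$EFS_LOOP"
    if ! run mount /dev/mapper/"$EFS_NAME" "$EFS_MNT"; then
        echo "mount failed: wrong passphrase?" >&2
        run cryptsetup remove "$EFS_NAME"
        run losetup -d "$EFS_LOOP"
        return 1
    fi
}

# Tear down in reverse order. umount alone leaves the mapping, and its
# key, in the kernel; cryptsetup remove is what actually discards it.
efs_teardown() {
    run umount "$EFS_MNT"
    run cryptsetup remove "$EFS_NAME"
    run losetup -d "$EFS_LOOP"
    if [ "${DRY_RUN:-0}" != 1 ] && dmsetup ls | grep -q "^$EFS_NAME[[:space:]]"; then
        echo "mapping $EFS_NAME still present" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    case "$1" in
        setup) efs_precheck && efs_setup ;;
        open)  efs_open ;;
        close) efs_teardown ;;
        *) echo "usage: $0 setup|open|close" >&2; exit 2 ;;
    esac
fi
```

Run it as root with "setup" to build the volume, "close" to unmount and discard the key, and "open" to bring it back. Because plain mode gives cryptsetup no way to validate the passphrase, the open step treats a failing mount as the sign of a mistyped passphrase and removes the mapping again rather than leaving a useless mapping (with a wrong key) sitting in the kernel.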
