Prelude

• Whenever you're finished working with your encrypted partition make sure the device is closed, else someone may read the content of the partition without password
• To make sure it is close do following as user root
  

L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

• when you get more than one line identify your encrypted partition with "cryptsetup status <devicemappername>"

L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #

• Afterwards close the device mapping

L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #

• now the partition is secure and you can unplug the device

1. create encrypted partition

1.1 create a encrypted partition with YaST on SLE 10

• open a root terminal and stop the HAL daemon

L40:~ # rchal stop
Shutting down HAL daemon                                                                 done
L40:~ #

• plug in your mass storage device
• start the YaST2 partitoner
• delete the unecrypted partition on the device (new devices like USB sticks have a VFAT filesystem on it)

• create a new primary partition on you mass storage device
• be sure to check the option "encrypt file system"

• when clicking on OK you will get a password dialog where you have to insert the password for your encrypted partition. Make sure you remember what you enter here. If you forget it all your data can't be decrypted again and can't be resored in any way.
• when ready click on "APPLY" and you will see a dialog what will be done next.

• again click "APPLY" and YaST2 will start to delete the old partition and create a new one.

• CAUTION: now you need to close device manager mapping. To do this, as user root, first run

L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

• when you get more than one line identify your encrypted partition with "cryptsetup status <devicemappername>"

L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #

• Afterwards close the device mapping

L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #

• now unplug the device and start the HAL daemon again

L40:~ # rchal start
Starting HAL daemon                                                          done
L40:~ #

1.2 create a encrypted partition with YaST on SLE 11

• plug in your mass storage device
• start the YaST2 partitioner
• delete the unecrypted partition on the device (new devices like USB sticks have a VFAT filesystem on it)

• create a new primary partition on you mass storage device
• be sure to check the option "encrypt file system"

• when clicking on "NEXT" you will get a password dialog where you have to insert the password for your encrypted partition. Make sure you remember what you enter here. If you forget it all your data can't be decrypted again and can't be resored in any way.
• when ready click on "FINISH" and you will see a dialog what will be done next.

• again click "FINISH" and YaST2 will start to delete the old partition and create a new one.
  
• CAUTION: now you need to close device manager mapping. To do this, as user root, first run

L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

• when you get more than one line identify your encrypted partition with "cryptsetup status <devicemappername>"

L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #

• Afterwards close the device mapping

L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #

• now unplug the device

1.3 create a encrypted partition on commandline

• When working from a Desktop Environment (KDE or GNOME) on SLED10 first open a root terminal and stop the HAL daemon

L40:~ # rchal stop
Shutting down HAL daemon                                                                 done
L40:~ #

• plug in your mass storage device
• use fdisk to change the partition identifier to a linux partition

L40:~ # fdisk /dev/sdb

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83
Changed system type of partition 1 to 83 (Linux)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
L40:~ #

• prepare the partiton for encryption

L40:~ # cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
L40:~ #

• Now open the encrypted partition and give a name for the device mapper to identify the device in this example the name is mycrypt_sdb1
  

L40:~ # cryptsetup luksOpen /dev/sdb1 mycrypt_sdb1
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
L40:~ #

• now you can create a filesystem on your encrypted partition

L40:~ # mkfs.ext3 /dev/mapper/mycrypt_sdb1
mke2fs 1.38 (30-Jun-2005)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
495008 inodes, 989868 blocks
49493 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1015021568
31 block groups
32768 blocks per group, 32768 fragments per group
15968 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
L40:~ #

• Afterwards close the encrypted partition. CAUTION: if you don't do this, the device is unencrypted, the partion can't be mounted without giving a password in this stage.

L40:~ # cryptsetup luksClose mycrypt_sdb1
L40:~ #

• now unplug the device and when working from a Desktop Environment (KDE or GNOME) on SLED10 do not forget to start HAL daemon again
  

L40:~ # rchal start
Starting HAL daemon                                                          done
L40:~ #

2. mount an encrypted partition

2.1 mount an encrypted partition with KDE on SLE 10

• plugin your device, you will get a popup window asking for your password to unlock the encrypted partition
• the filesystem will be mounted at /media/dm-<x>

2.2 mount an encrypted partition with GNOME on SLE 10

• automatic mounting of encrypted partitons not yet supported please use commandline

2.3 mount an encrypted partition with KDE on SLE 11

• automatic mounting of encrypted partitons not yet supported please use commandline

2.4 mount an encrypted partition with GNOME on SLE 11

• plugin your device, you will get a popup window asking for your password to unlock the encrypted partition
• the filesystem will be mounted at /media/disk

2.5 mount an encrypted partition on commandline

• plugin your device
• open a root terminal and mount the encrypted partition using command "mount.crypt"

L40:~ # mount.crypt /dev/sdb1 /mnt
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
L40:~ #

3. unmount a encrypted partition

3.1 unmount a encrypted partition with KDE on SLE 10

• locate the partition in KDE using Konqueror and from content menu select "safety remove"
• CAUTION: afterwards you're required to close the encrypted partiton manualy
• open a root terminal
• find your encrypted partition in device mapper

L40:~ # dmsetup ls
luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac (253, 0)
L40:~ #

• when you get more than one line identify your encrypted partition with "cryptsetup status <devicemappername>"

L40:~ # cryptsetup status luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac
/dev/mapper/luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #

• Afterwards close the device mapping

L40:~ # cryptsetup luksClose luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac
L40:~ #

• now unplug the device
  

3.2 unmount a encrypted partition with GNOME on SLE 10

• unmount of encrypted partitons not yet supported please use commandline

3.3 unmount a encrypted partition with KDE on SLE 11

• unmount of encrypted partitons not yet supported please use commandline

3.4 unmount a encrypted partition with GNOME on SLE 11

• locate the partition in nautilus an click the eject icon next to the partition (device)
  

3.5 unmount a encrypted partition on commandline

• open a root terminal and unmount the encrypted partition using command "umount.crypt"

L40:~ # umount.crypt /mnt
L40:~ #

• afterwards please make sure that the device mapper mapping is removed or you're in risk that the unencrypted data can be accessed by someone else. To do this display all device mapper entries

L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

• if you're unsure what devicemapper entry is your encrypted partition use "cryptsetup status <devicemappername>" to get informations

L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #

• if you have identified your partition, close it

L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #