How to create and use an encrypted filesystem

This document (7003991) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 11

Situation



Resolution

Prelude

  • Whenever you're finished working with your encrypted partition, make sure the device mapping is closed; otherwise someone may read the content of the partition without a password
  • To make sure it is closed, run the following as user root
L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

  • when you get more than one line, identify your encrypted partition with "cryptsetup status <devicemappername>"
L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #
  • Afterwards close the device mapping
L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #
  • now the partition is secure and you can unplug the device

1. create an encrypted partition

1.1 create an encrypted partition with YaST on SLE 10


  • open a root terminal and stop the HAL daemon
L40:~ # rchal stop
Shutting down HAL daemon                                                                 done
L40:~ #
  • plug in your mass storage device
  • start the YaST2 partitioner
  • delete the unencrypted partition on the device (new devices like USB sticks usually come with a VFAT filesystem on them)

  • create a new primary partition on your mass storage device
  • be sure to check the option "encrypt file system"

  • when clicking on OK you will get a password dialog where you have to enter the password for your encrypted partition. Make sure you remember what you enter here: if you forget it, your data can't be decrypted again and can't be restored in any way.
  • when ready click on "APPLY" and you will see a dialog showing what will be done next.

  • again click "APPLY" and YaST2 will start to delete the old partition and create a new one.
  • CAUTION: now you need to close the device mapper mapping. To do this, as user root, first run
L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

  • when you get more than one line, identify your encrypted partition with "cryptsetup status <devicemappername>"
L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #
  • Afterwards close the device mapping
L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #
  • now unplug the device and start the HAL daemon again
L40:~ # rchal start
Starting HAL daemon                             done
L40:~ #


1.2 create an encrypted partition with YaST on SLE 11

  • plug in your mass storage device
  • start the YaST2 partitioner
  • delete the unencrypted partition on the device (new devices like USB sticks usually come with a VFAT filesystem on them)

  • create a new primary partition on your mass storage device
  • be sure to check the option "encrypt file system"

  • when clicking on "NEXT" you will get a password dialog where you have to enter the password for your encrypted partition. Make sure you remember what you enter here: if you forget it, your data can't be decrypted again and can't be restored in any way.
  • when ready click on "FINISH" and you will see a dialog showing what will be done next.

  • again click "FINISH" and YaST2 will start to delete the old partition and create a new one.
  • CAUTION: now you need to close the device mapper mapping. To do this, as user root, first run
L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #

  • when you get more than one line, identify your encrypted partition with "cryptsetup status <devicemappername>"
L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #
  • Afterwards close the device mapping
L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #
  • now unplug the device

1.3 create an encrypted partition on the command line

  • When working from a Desktop Environment (KDE or GNOME) on SLED10 first open a root terminal and stop the HAL daemon
L40:~ # rchal stop
Shutting down HAL daemon                                                                 done
L40:~ #
  • plug in your mass storage device
  • use fdisk to change the partition type to a Linux partition (type 83)
L40:~ # fdisk /dev/sdb

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83
Changed system type of partition 1 to 83 (Linux)
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
L40:~ #
  • prepare the partition for encryption (this overwrites the partition's existing data irrevocably)
L40:~ # cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
L40:~ #
  • Now open the encrypted partition and give the device mapper a name to identify the device; in this example the name is mycrypt_sdb1
L40:~ # cryptsetup luksOpen /dev/sdb1 mycrypt_sdb1
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
L40:~ #
  • now you can create a filesystem on your encrypted partition
L40:~ # mkfs.ext3 /dev/mapper/mycrypt_sdb1
mke2fs 1.38 (30-Jun-2005)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
495008 inodes, 989868 blocks
49493 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1015021568
31 block groups
32768 blocks per group, 32768 fragments per group
15968 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
L40:~ #
  • Afterwards close the encrypted partition. CAUTION: if you don't do this, the device stays open in unencrypted form, and at this stage the partition can't be mounted without giving a password.
L40:~ # cryptsetup luksClose mycrypt_sdb1
L40:~ #
  • now unplug the device and, when working from a Desktop Environment (KDE or GNOME) on SLED10, do not forget to start the HAL daemon again
L40:~ # rchal start
Starting HAL daemon                             done
L40:~ #
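The command-line procedure above (luksFormat, luksOpen, mkfs.ext3, luksClose, with HAL stopped and restarted on SLED10) as one script, with two guards a practitioner wants before an irrevocable luksFormat: the target must be a partition node rather than a whole disk, and it must not be mounted. This is an added example, not part of the SUSE document; it uses the cryptsetup, mkfs.ext3 and rchal commands shown above, while the script name, the function names and the partition-node patterns are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the SUSE document: the command-line steps of section 1.3
# (fdisk type change excluded) as one script with two guards against formatting
# the wrong device. Tools used: cryptsetup, mkfs.ext3 and rchal, as on the page.
# Arguments: <partition node> <device mapper name>. Run as root.

# Accept only a partition node (/dev/sdb1), never a whole disk (/dev/sdb):
# luksFormat on the wrong node destroys the data on it irrevocably.
# The patterns are an assumption of this example; extend them for other devices.
is_partition_path() {
    case "$1" in
        /dev/sd[a-z]*[0-9]|/dev/nvme[0-9]*n[0-9]*p[0-9]*|/dev/mmcblk[0-9]*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether device $1 appears in a mount table read from stdin
# (/proc/mounts format: "device mountpoint fstype options 0 0").
is_mounted_in() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Create the LUKS container on $1, put ext3 inside it under mapper name $2 and
# close it again, so the device can be unplugged safely afterwards.
make_luks_volume() {
    dev="$1"; name="$2"
    is_partition_path "$dev" || { echo "refusing: $dev is not a partition node" >&2; return 1; }
    if is_mounted_in "$dev" < /proc/mounts; then
        echo "refusing: $dev is mounted; unmount it first" >&2; return 1
    fi
    # On SLED10 desktops HAL would otherwise grab the device while we work on it.
    command -v rchal >/dev/null 2>&1 && rchal stop
    cryptsetup luksFormat "$dev" || return 1     # asks for YES and the passphrase
    cryptsetup luksOpen "$dev" "$name" || return 1
    mkfs.ext3 "/dev/mapper/$name"; rc=$?
    # Close the mapping whether or not mkfs succeeded: an open mapping exposes
    # the plaintext view of the partition to anyone with access to the host.
    cryptsetup luksClose "$name"
    command -v rchal >/dev/null 2>&1 && rchal start
    return $rc
}

# Usage: ./make-luks-volume.sh /dev/sdb1 mycrypt_sdb1   (as root)
if [ "$#" -eq 2 ]; then
    make_luks_volume "$1" "$2"
fi
```

The guards run before anything destructive: is_partition_path rejects a bare disk name, and is_mounted_in reads /proc/mounts so a stick that the desktop auto-mounted is not reformatted underneath a running filesystem. The mapping is closed on every path after luksOpen, which is the point the document stresses in the Prelude.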


2. mount an encrypted partition

2.1 mount an encrypted partition with KDE on SLE 10

  • plug in your device; you will get a popup window asking for your password to unlock the encrypted partition
  • the filesystem will be mounted at /media/dm-<x>

2.2 mount an encrypted partition with GNOME on SLE 10

  • automatic mounting of encrypted partitions is not yet supported; please use the command line

2.3 mount an encrypted partition with KDE on SLE 11

  • automatic mounting of encrypted partitions is not yet supported; please use the command line

2.4 mount an encrypted partition with GNOME on SLE 11

  • plug in your device; you will get a popup window asking for your password to unlock the encrypted partition
  • the filesystem will be mounted at /media/disk

2.5 mount an encrypted partition on the command line

  • plug in your device
  • open a root terminal and mount the encrypted partition using the command "mount.crypt"
L40:~ # mount.crypt /dev/sdb1 /mnt
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
L40:~ #

3. unmount an encrypted partition

3.1 unmount an encrypted partition with KDE on SLE 10

  • locate the partition in KDE using Konqueror and from the context menu select "Safely Remove"
  • CAUTION: afterwards you're required to close the encrypted partition manually
  • open a root terminal
  • find your encrypted partition in device mapper
L40:~ # dmsetup ls
luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac (253, 0)
L40:~ #
  • when you get more than one line, identify your encrypted partition with "cryptsetup status <devicemappername>"
L40:~ # cryptsetup status luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac
/dev/mapper/luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #
  • Afterwards close the device mapping
L40:~ # cryptsetup luksClose luks_crypto_f25062c7-bd7c-4f2a-9f4d-73ff3cdbceac
L40:~ #
  • now unplug the device

3.2 unmount an encrypted partition with GNOME on SLE 10

  • unmounting of encrypted partitions is not yet supported; please use the command line

3.3 unmount an encrypted partition with KDE on SLE 11

  • unmounting of encrypted partitions is not yet supported; please use the command line

3.4 unmount an encrypted partition with GNOME on SLE 11

  • locate the partition in Nautilus and click the eject icon next to the partition (device)

3.5 unmount an encrypted partition on the command line

  • open a root terminal and unmount the encrypted partition using the command "umount.crypt"
L40:~ # umount.crypt /mnt
L40:~ #
  • afterwards please make sure that the device mapper mapping is removed, or you're at risk that the unencrypted data can be accessed by someone else. To do this, display all device mapper entries
L40:~ # dmsetup ls
cr_sdb1 (253, 0)
L40:~ #
  • if you're unsure which device mapper entry is your encrypted partition, use "cryptsetup status <devicemappername>" to get information
L40:~ # cryptsetup status cr_sdb1
/dev/mapper/cr_sdb1 is active:
  cipher:  cbc(aes)-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    7918950 sectors
  mode:    read/write
L40:~ #
  • if you have identified your partition, close it
L40:~ # cryptsetup luksClose cr_sdb1
L40:~ #
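The closing check that the Prelude and section 3.5 both describe (list the device mapper entries, find the one backed by your partition with cryptsetup status, close it, and only then unplug) as a script that parses the command output instead of reading it by eye. This is an added example, not part of the SUSE document; it drives the dmsetup and cryptsetup commands shown above. The script name, the function names and the optional second argument of mappings_for_device (a stand-in status command so the logic can be exercised without root) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the SUSE document: find and close every dm-crypt
# mapping backed by a given block device, which is the check the Prelude and
# section 3.5 ask for before unplugging. Run as root; a mapping left open
# exposes the partition's plaintext to anyone with access to the host.

# Print the mapping names from `dmsetup ls` output (lines like "cr_sdb1 (253, 0)").
mapping_names() {
    awk 'NF >= 2 && $2 ~ /^\(/ { print $1 }'
}

# Print the backing block device from `cryptsetup status <name>` output
# (the "device:  /dev/sdb1" line).
backing_device() {
    awk '$1 == "device:" { print $2; exit }'
}

# Read a dmsetup listing on stdin and print the mappings whose backing device
# is $1. $2 is the command used to query a mapping's status; it defaults to
# "cryptsetup status" and can be replaced to test the logic on constructed output.
mappings_for_device() {
    dev="$1"; status_cmd="${2:-cryptsetup status}"
    mapping_names | while read -r name; do
        if [ "$($status_cmd "$name" 2>/dev/null | backing_device)" = "$dev" ]; then
            echo "$name"
        fi
    done
}

# Close every mapping backed by $1, then verify none is left; returns non-zero
# (and says so) when the device must not be unplugged yet.
close_device_mappings() {
    dev="$1"
    dmsetup ls | mappings_for_device "$dev" | while read -r name; do
        echo "closing $name (backed by $dev)"
        cryptsetup luksClose "$name"
    done
    if [ -n "$(dmsetup ls | mappings_for_device "$dev")" ]; then
        echo "WARNING: $dev still has an open mapping; do not unplug it yet" >&2
        return 1
    fi
    echo "$dev has no open mapping; safe to unplug"
}

# Usage: ./close-crypt-mappings.sh /dev/sdb1   (as root, after umount.crypt)
if [ "$#" -eq 1 ]; then
    close_device_mappings "$1"
fi
```

Selecting the mapping by its backing device rather than by name matters because the name differs between the tools on this page (cr_sdb1 from YaST, mycrypt_sdb1 chosen by hand, luks_crypto_<uuid> from KDE), and the re-check after luksClose turns the "make sure it is closed" advice into a non-zero exit status a wrapper script can act on.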

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7003991
  • Creation Date: 28-Jul-2009
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
