Device Drivers | Multi-device support | Device mapper support | Crypt target support
Enable the cipher and hash the chosen mode needs under Cryptographic options | Cryptographic API (for aes-cbc-essiv:sha256 below: AES and SHA-256).
Create a 50 MiB container file (bs=52428800 bytes, count=1).
dd if=/dev/zero of=container.loop bs=52428800 count=1
Attach it to a loop device (this is not a mount yet).
losetup /dev/loop0 container.loop
Create the LUKS header, selecting the cipher: AES with a 256-bit key (-s 256) in CBC mode with ESSIV IVs derived over SHA-256; -y asks for the passphrase twice. This overwrites whatever is on /dev/loop0.
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Unlock it.
cryptsetup luksOpen /dev/loop0 verysecret
Enter LUKS passphrase:
key slot 0 unlocked.
Create a filesystem.
mkfs.xfs /dev/mapper/verysecret
Mount it.
mount /dev/mapper/verysecret /mnt/crypt/
Unmount it.
umount /mnt/crypt
Close the mapping; this removes /dev/mapper/verysecret and the volume key from kernel memory.
cryptsetup luksClose verysecret
Add a second passphrase. A LUKS1 header has 8 key slots, so up to 8 independent passphrases or key files can unlock the same volume key; any existing passphrase authorizes adding a new one.
cryptsetup luksAddKey /dev/loop0
Enter any LUKS passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
Remove key slot 1. This is irreversible, and removing the last remaining slot makes the data unrecoverable, so check which slots are in use first. luksDelKey is the old name of this action; current cryptsetup versions call it luksKillSlot.
cryptsetup luksDelKey /dev/loop0 1
Detach the loop device from the container file.
losetup -d /dev/loop0
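The steps above as one non-interactive script, added here as an example and not code from the original page. It assumes Linux with cryptsetup, util-linux losetup, GNU dd and mkfs.xfs, running as root; the CONTAINER, MOUNTPOINT, KEYFILE and KEYFILE2 names are placeholders chosen for the example. A key file replaces the typed passphrase so luksFormat and luksOpen can run unattended, the second slot is added and removed again with luksKillSlot (the current name of luksDelKey), and a small luksDump parser shows which slots are in use before a slot is killed.

```sh
#!/bin/sh
# Added example, not code from the original page: the container procedure
# above as one non-interactive script. Assumed: Linux with cryptsetup,
# losetup, GNU dd and mkfs.xfs installed, run as root; CONTAINER, MOUNTPOINT
# and KEYFILE names are placeholders chosen here.
set -eu

CONTAINER=${CONTAINER:-container.loop}
MOUNTPOINT=${MOUNTPOINT:-/mnt/crypt}
KEYFILE=${KEYFILE:-container.key}
KEYFILE2=${KEYFILE2:-container.key2}
MAPPER=verysecret

# Write a fresh 32-byte (256-bit) key file, readable only by its owner.
# A key file unlocks the volume exactly like a passphrase would, so it must
# be protected (or stored elsewhere) as carefully as the data itself.
make_keyfile() {
    umask 077
    head -c 32 /dev/urandom > "$1"
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ]
}

# Read `cryptsetup luksDump` output on stdin and print the numbers of the
# key slots that are ENABLED, space separated (LUKS1 layout:
# "Key Slot N: ENABLED" / "Key Slot N: DISABLED").
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# The whole procedure from the page: container file, loop device, LUKS
# header, filesystem, mount/unmount, second key slot, slot removal, teardown.
encrypt_container() {
    dd if=/dev/zero of="$CONTAINER" bs=1M count=50 status=none   # 50 MiB
    LOOPDEV=$(losetup -f --show "$CONTAINER")                     # e.g. /dev/loop0
    trap 'losetup -d "$LOOPDEV"' EXIT

    make_keyfile "$KEYFILE"
    # Same cipher as the page; --batch-mode replaces the uppercase-YES prompt
    # and --key-file replaces the typed passphrase.
    cryptsetup --batch-mode -c aes-cbc-essiv:sha256 -s 256 \
        --key-file "$KEYFILE" luksFormat "$LOOPDEV"
    cryptsetup --key-file "$KEYFILE" luksOpen "$LOOPDEV" "$MAPPER"
    trap 'cryptsetup luksClose "$MAPPER" || true; losetup -d "$LOOPDEV"' EXIT

    mkfs.xfs -q "/dev/mapper/$MAPPER"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    echo "hello from inside the container" > "$MOUNTPOINT/README"
    umount "$MOUNTPOINT"

    # Second slot: authorise with the existing key file, add KEYFILE2 as slot 1.
    make_keyfile "$KEYFILE2"
    cryptsetup --key-file "$KEYFILE" luksAddKey "$LOOPDEV" "$KEYFILE2"
    echo "slots in use: $(cryptsetup luksDump "$LOOPDEV" | enabled_slots)"

    # Remove slot 1 again (luksKillSlot is the current name of luksDelKey).
    # Look at the slot list first: killing the only remaining slot loses the data.
    cryptsetup --key-file "$KEYFILE" luksKillSlot "$LOOPDEV" 1
    echo "slots in use: $(cryptsetup luksDump "$LOOPDEV" | enabled_slots)"
    # The EXIT trap closes the mapping (the key leaves kernel memory) and
    # detaches the loop device.
}

# Only run the destructive part when explicitly asked; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    encrypt_container
fi
```

Run it as `sh script.sh run` on a scratch machine; after luksAddKey the slot list reads `0 1`, after luksKillSlot only `0`. The key file is equivalent to the passphrase, so keep it off the same disk as the container or delete it once a passphrase slot exists.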
head -c 100 /dev/random | uuencode -m /dev/stdin | tail -n +2 | head -c 32
That gives you 32 bytes of random data, which you then use as the disk key. How many bytes you need of course depends on your encryption algorithm.
On the disk you store this data PGP-encrypted:
gpg --symmetric --armor
To mount the disk, my self-written script then does, among other things, this:
# decrypt the gpg-wrapped disk key; the passphrase arrives on fd 3 from a here-string
FS_KEY="$(gpg --no-options --passphrase-fd 3 --no-tty --batch \
    --no-default-keyring --keyring /tmp/pubkey.gpg \
    --secret-keyring /tmp/seckey.gpg -d "${KEYFILE}" 3<<<"${PASSPHRASE}" \
    2>/dev/null)"
# hand the raw key to cryptsetup on stdin and map the device (plain dm-crypt, no LUKS header)
/usr/bin/sudo /bin/cryptsetup -d /dev/stdin create "${MAPPERDEV}" \
    "${DEVICE}" <<<"${FS_KEY}"
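The same key-wrapping flow carried end to end, as an added example that is not the poster's script. It assumes gpg 2.1 or newer (`--pinentry-mode loopback` is needed there for `--passphrase-fd` to take effect), cryptsetup 1.6 or newer (`open --type plain`), root for the open step, and placeholder file and device names chosen here. Two details differ from the post on purpose: the post's pipeline keeps 32 base64 characters of the 100 bytes read, which is 192 bits of entropy, whereas a raw 32-byte key from /dev/urandom carries the full 256 bits; and raw bytes can include NUL and newline, which a shell variable drops and a here-string extends, so the key travels through pipes rather than through FS_KEY, and its length is checked before it is wrapped, because plain dm-crypt uses the key bytes verbatim.

```sh
#!/bin/sh
# Added example, not the poster's script: the key-wrapping flow from the post
# done end to end. Assumed: gpg 2.1 or newer (--pinentry-mode loopback),
# cryptsetup 1.6 or newer (open --type plain), run as root for open_plain;
# file and device names are placeholders chosen here.
set -eu

# aes-cbc-essiv:sha256 with --key-size 256 needs exactly 32 key bytes. In
# plain mode cryptsetup uses the key file bytes as-is (no hashing), so the
# wrapped file must contain precisely this many bytes and nothing else.
KEY_BYTES=32

# 32 raw bytes from the kernel CSPRNG: the full 256 bits of key entropy.
gen_key() {
    head -c "$KEY_BYTES" /dev/urandom
}

# Succeeds only if stdin carries exactly KEY_BYTES bytes. A short key makes
# cryptsetup abort the open; a long one (e.g. a trailing newline) silently
# changes which 32 bytes are used if the junk is at the front.
key_len_ok() {
    [ "$(wc -c | tr -d ' ')" -eq "$KEY_BYTES" ]
}

# make_wrapped_key OUTFILE (passphrase on fd 3): generate a key, verify its
# length, encrypt it into an armored file. The plaintext key exists only in a
# mode-0600 temp file that is removed right after; the passphrase is read
# from fd 3 so it never shows up in `ps` output or shell history.
make_wrapped_key() {
    umask 077
    tmp=$(mktemp)
    gen_key > "$tmp"
    key_len_ok < "$tmp"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --symmetric --cipher-algo AES256 --armor --output "$1" "$tmp"
    rm -f "$tmp"
}

# unwrap_key KEYFILE (passphrase on fd 3): raw key bytes on stdout.
unwrap_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$1"
}

# open_plain KEYFILE DEVICE NAME: unwrap and map DEVICE as /dev/mapper/NAME.
# The key is streamed through a pipe instead of a shell variable: a variable
# cannot hold NUL bytes and a here-string appends a newline, either of which
# alters the key. --key-file - makes cryptsetup read the key from stdin; if
# gpg fails (wrong passphrase) it emits nothing and the open fails too.
open_plain() {
    unwrap_key "$1" \
      | cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 \
            --key-file - open --type plain "$2" "$3"
}

# Usage (the caller supplies the passphrase on fd 3, e.g. 3<passphrase.txt):
#   sh wrapkey.sh wrap disk.key.gpg
#   sh wrapkey.sh open disk.key.gpg /dev/sdb1 verysecret
case "${1:-}" in
    wrap) make_wrapped_key "$2" ;;
    open) open_plain "$2" "$3" "$4" ;;
esac
```

The `--no-default-keyring`, `--keyring` and `--secret-keyring` options from the post are not needed for a symmetrically encrypted file, since no keyring is consulted. Close the mapping afterwards with `cryptsetup close verysecret`, the plain-mode counterpart of luksClose.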