Device Drivers | Multi-device support | Device mapper support | Crypt target support

Enable the wanted encryption algorithm Cryptographic options | Cryptographic API (sha and aes)

Create a container.

dd if=/dev/zero of=container.loop bs=52428800 count=1

Mount it via loop device.

losetup /dev/loop0 container.loop 

Prepare the encryption by selecting the algorithm.

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 

Unlock it.

cryptsetup luksOpen /dev/loop0 verysecret 
Enter LUKS passphrase: 
key slot 0 unlocked.

Create a filesystem.

mkfs.xfs /dev/mapper/verysecret 

Mount it.

mount /dev/mapper/verysecret /mnt/crypt/

Umount it.

umount /mnt/crypt

Clear the passphrase.

cryptsetup luksClose verysecret

Add a second key (8 keys are possible).

cryptsetup luksAddKey /dev/loop0
Enter any LUKS passphrase: 
key slot 0 unlocked.
Enter new passphrase for key slot: 

Delete a key.

cryptsetup luksDelKey /dev/loop0 1

Umount the loop file.

losetup -d /dev/loop0

head -c 100 /dev/random | uuencode -m /dev/stdin | tail -n +2 | \
 head -c 32

Damit bekommst du 32 Bytes Zufallsdaten, die du dann als Platten-Schlüssel benutzt. Wie viele Bytes du brauchst, hängt natürlich von deinem Verschlüsselungs-Algo ab.

Auf der Festplatte legst du diese Daten in PGP-Verschlüsselt ab:

gpg --symmetric --armor

Um die Platte zu mounten macht mein selbstgeschribenes Script dann unter anderem das:

FS_KEY="$(gpg --no-options --passphrase-fd 3 --no-tty --batch \
    --no-default-keyring --keyring /tmp/pubkey.gpg \
    --secret-keyring /tmp/seckey.gpg -d ${KEYFILE} 3<<<${PASSPHRASE} \
    2>/dev/null )"

/usr/bin/sudo /bin/cryptsetup -d /dev/stdin create "${MAPPERDEV}" \
 "${DEVICE}" <<<"${FS_KEY}"

See also here.