Tech > dm-crypt



dm-crypt allows you to create encrypted partitions that can be mounted at boot time. The encrypted volume is created to either require a password or a key file before it can be mounted. One technique is to setup an encrypted root volume holding the keys to the others. The root volume requires a password, subsequent volumes being mounted only if the keys are accessible on the root encrypted volume.

The notes here assume you are using LVM to manage your partitions.

Warning - Backup everything. Mistakes or errors with many of the commands can easily destroy your data.

The instructions here are specific to Debian 5.0 (Lenny)


Create an LVM partition:

  # lvcreate -n private -L10G /dev/vg0

Optionally, if you have a lot of time to spare (can take many hours), fill the partition with random data:

  # dd if=/dev/urandom of=/dev/vg0/private

Then setup dm-crypt :

  # cryptsetup luksFormat /dev/vg0/private
  # cryptsetup luksOpen /dev/vg0/private crypto_private
  # mkfs.ext3 /dev/mapper/crypto_private
  # echo "crypto_private /dev/mapper/vg0/private none luks" >> /etc/crypttab
  # mkdir /mnt/private
  # echo "/dev/mapper/crypto_private /mnt/private ext3 defaults 0 2" >> /etc/fstab

Rebuilding Initramfs

You may need to re-build the initramfs. I'm not sure that it needs rebuilding under all circumstances.

All kernels can be rebuilt with:

  # update-initramfs -u -k all

Or just the current kernel:

  # update-initramfs -u -k `uname -r`

Using a Key File

Create the key file:

  # dd if=/dev/urandom of=/etc/private.key count=1 bs=1024

Format the partition:

  # cryptsetup luksFormat /dev/vg0/private /etc/private.key

Open the encrypted partition:

  # cryptsetup --key-file /etc/private.key luksOpen /dev/vg0/private crypto_private

Create the file system:

  # mkfs.ext3 /dev/mapper/crypto_private

Optionally close the encrypted partitions:

  # cryptsetup luksClose crypto_private

Update configuration files:

  # echo "crypto_private /dev/mapper/vg0/private /etc/private.key luks" >> /etc/crypttab
  # mkdir /mnt/private
  # echo "/dev/mapper/crypto_private /mnt/private ext3 defaults 0 2" >> /etc/fstab
  # update-initramfs -u -k all


Increasing Size

Unmount and close the encrypted volume:

  # umount /dev/mapper/crypto_private
  # cryptsetup luksClose crypto_private

Extend the underlying LVM volume:

  # lvextend -L+5G /dev/vg0/private

Extend the dm-crypt volume:

  # cryptsetup luksOpen /dev/vg0/private crypto_private
  # cryptsetup resize crypto_private

Then the filesystem:

  # e2fsck -f /dev/mapper/crypto_private
  # resize2fs /dev/mapper/crypto_private

The file system can now be remounted.

Reducing the Size

Warning: These steps are largely theoretical based on available documentation and observation. You must make backups if your data is of value.

You need to work in sectors. To find out how many sectors are currently in use for each volume type:


  # lvdisplay -c /dev/vg0/private | awk -F ':' '{print $7;}'


  # cryptsetup status crypto_private

Offset plus size should match the LVM sector count.


I'm not certain how you relate ext3 blocks to dm-crypt sectors, but I presume it's based on the underlying physical disk. This works for me. So fdisk gives bytes per sector, 512 for me. Tune2fs will give block count and block size. Multiply those together and divide by bytes per sector to get the number of sectors.

  # fdisk -l -u /dev/sda
  # tune2fs -l /dev/mapper/crypto_mount

Example, reducing a 10G LVM volume to 5G

Assuming 512 bytes per sector.

tune2fs: 2,621,311 blocks of 4096 = 10,736,889,856 bytes = 20,970,488 sectors lvdisplay: 20,971,520 sectors * 512 = 10,737,418,240 bytes dm-crypt: offset 1032 + size 20,970,488 = 20,971,520 sectors

5G = 10,485,760 sectors of 512 bytes

So, new LVM will be 5G or 10,485,760 sectors new dm-crypt will be 10,484,728 sectors (LVM less dm-crypt offset) Therefore ext3 file system is 10,484,728 sectors

Unmount and close the encrypted volume:

  # umount /dev/mapper/crypto_private

Reduce the size of the filesystem:

  # e2fsck -f /dev/mapper/crypto_private
  # resize2fs /dev/mapper/crypto_private 10484728s

Reduce the size of the underlying dm-crypt volume:

  # cryptsetup --size 10484728 crypto_private

Reduce the size of the underlying LVM volume:

  # cryptsetup luksClose crypto_private
  # lvresize -L5G /dev/vg0/private

Manually Mounting

If you don't want the volume mounted at boot time, set it to noauto in /etc/crypttab and /etc/fstab, then mount it with the cryptdisks_start command.

  # echo "crypto_private /dev/mapper/vg0/private /etc/private.key luks,noauto" >> /etc/crypttab
  # echo "/dev/mapper/crypto_private /mnt/private ext3 rw,noauto 0" >> /etc/fstab
  # cryptdisks_start crypto_private

Note: The sixth column of the /etc/fstab entry is left blank so that fsck will not be run on it during the boot process.


-- Frank Dean - 12 Feb 2010

Related Topics: DebianTips, LinuxHintsAndTips