LinuxQuestions.org
Old 12-07-2004, 07:35 PM   #1
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 50
Encrypting harddrive


I have a laptop. I have one harddrive in it, and I want to encrypt all data here. I want to encrypt it with a certificate which should be placed on a USB key. And that USB key should be encrypted with a password.

Can this be done and how?
 
Old 12-07-2004, 08:38 PM   #2
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
With dm-crypt.
dm-crypt is a kernel module. See if dm-crypt is compiled in your system by attempting to "modprobe dm-crypt". If it fails, then you will need to recompile your kernel with dm-crypt support (it's in the RAID and LVM section, although you don't need to enable RAID or LVM to use dm-crypt).

Also, I would recommend against encrypting the whole system; this is pointless... Instead, just encrypt your home partition and swap space.


To encrypt your swap space, just add 2 lines in the boot script before the line that enables swap: make it first set up an encrypted device map using /dev/urandom as the encryption key, then reformat the device map as swap (this takes less than a second).

Then mount the home directory in the same way, but use the USB thumb drive as the key instead of /dev/urandom.

this will create a very secure system.
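
The two boot-script steps described in this post, written out as an added example that is not part of the original post. It uses the current `cryptsetup open --type plain` syntax; the device names, the key-file path and the cipher settings are assumptions, and the commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Device names and the key path are
# placeholders; commands are only printed unless APPLY=1 is set (as root).
SWAP_DEV=${SWAP_DEV:-/dev/sdX2}            # assumed swap partition
HOME_DEV=${HOME_DEV:-/dev/sdX3}            # assumed /home partition
KEYFILE=${KEYFILE:-/mnt/usbkey/home.key}   # assumed key file on the mounted USB stick
CIPHER=aes-xts-plain64
KEYBITS=512

run() {   # print the command; execute it only when APPLY=1
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

make_key() {   # one-time: write KEYBITS random bits to file $1, owner-only if new
    ( umask 077; dd if=/dev/urandom of="$1" bs=$((KEYBITS / 8)) count=1 2>/dev/null )
}

swap_cmds() {   # boot script, before swap is enabled: new random key every boot
    run cryptsetup open --type plain --cipher "$CIPHER" --key-size "$KEYBITS" \
        --key-file /dev/urandom "$SWAP_DEV" cryptswap &&
    run mkswap /dev/mapper/cryptswap &&
    run swapon /dev/mapper/cryptswap
}

# Same mapping, keyed from the file on the USB stick. On first use a filesystem
# has to be created on /dev/mapper/crypthome before it can be mounted.
home_cmds() {
    if [ ! -r "$KEYFILE" ]; then
        echo "key file $KEYFILE not readable: is the USB stick mounted?" >&2
        return 1
    fi
    run cryptsetup open --type plain --cipher "$CIPHER" --key-size "$KEYBITS" \
        --key-file "$KEYFILE" "$HOME_DEV" crypthome &&
    run mount /dev/mapper/crypthome /home
}

case ${1:-} in
    newkey) make_key "$KEYFILE" ;;
    swap)   swap_cmds ;;
    home)   home_cmds ;;
esac
```

Plain mode writes no header, so the key file is the only way back to the data on the home partition. `mkswap` overwrites whatever was on the swap partition.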
 
Old 12-08-2004, 03:41 AM   #3
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
It's worth mentioning that dm-crypt is only in recent versions of the 2.6 kernel.

For 2.4 kernels, checkout the Disk Encryption HOWTO.

Enjoy!
--- Cerbere
 
Old 12-08-2004, 09:14 AM   #4
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 50
Hm, ok. I use a 2.6 kernel so dm-crypt should be easy to use.

But can I get a reason why I should not encrypt more than just the swap and home dir? If I have only one harddrive maybe I should make a couple of partitions and encrypt all but the one that is the boot partition?
 
Old 12-08-2004, 12:04 PM   #5
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Encryption is used to keep your data secret....
What's the point in encrypting all your programs like the Linux kernel and KDE and the xmms media player?

What's the point in encrypting programs that are freely available on the internet... Encrypting your /usr/ /lib/ /opt and other binary folders is absolutely pointless; it will just make installing Linux extremely complicated, slow booting times, and generally.. it's useless...

You only need to encrypt your home directory (to keep your own files safe).
You need to encrypt the swap space to keep application data safe after a shutdown (although this is a little paranoid).

You MAY also want to encrypt the /tmp and /var partition... if you want to keep your system logs secret.. but again, it's a bit paranoid.
 
Old 12-08-2004, 09:16 PM   #6
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Look for loopback crypto, I believe there was a program that was losetup that came with a CryptoAPI patch. I think it was for 2.4 and then was integrated into the kernel source. Anyway I saw it in Gentoo sources.
 
Old 12-09-2004, 07:20 AM   #7
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Quote:
Look for loopback crypto, I believe there was a program that was losetup that came with a CryptoAPI patch. I think it was for 2.4 and then was integrated into the kernel source. Anyway I saw it in Gentoo sources.
I would recommend against this strongly,
for reasons documented in the dm-crypt kernel documentation.

crypto-loop is based on buggy loopback driver code.
It's generally a sloppy, messy way of doing drive encryption, and requires you to patch many system programs like losetup and mount.

dm-crypt is the replacement for crypto-loop.

It's many times easier to use, and far more functional.

crypto-loop does not allow you to use USB thumb drives or floppy disks as encryption keys.. but dm-crypt does.
 
Old 07-26-2005, 04:13 AM   #8
rino.caldelli
Member
 
Registered: Apr 2005
Location: perugia
Distribution: ubuntu
Posts: 181

Rep: Reputation: 31
I have the 2.6.12.3 kernel and can't find the dm-crypt module!!!

I enabled all crypto modules, I disabled loopback, enabled multi device support RAID LVM >> device mapper support....

Something wrong or missing????
 
Old 07-29-2005, 08:11 AM   #9
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

Rep: Reputation: 30
what do you think? ( http://linuxreviews.org/howtos/secur...ingToTheFuture)

Quote:
Linux 2.6 also introduces dm-crypt, an encryption layer for the Device-mapper which looks quite elegant. Unfortunately, it's not safe! Hopefully someday it will be fixed, but in the mean time the best course is to stick with loop-AES.
 
Old 07-31-2005, 10:55 PM   #10
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
from your quote source...
Quote:
My recommendation is plain and simple: Do not use cryptoloop, dm-crypt (kernel < 2.6.10), or loop-AES in single-key mode - you don't want to commit security malpractice, do you?
current stable linux kernel is 2.6.12.

so the usual advice sticks, keep your kernel up to date, and use dm-crypt instead of the old broken crypto-loop.
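
An added example, not part of any post in this thread: a preflight for the two conditions raised above, the kernel-version floor from the quoted recommendation and the kernel options dm-crypt needs. `CONFIG_BLK_DEV_DM` and `CONFIG_DM_CRYPT` are the kernel's own option names; the `/boot/config-$(uname -r)` default path and the sample config fragment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: checks that commonly explain a failing
# "modprobe dm-crypt" before any data is put on an encrypted mapping.
MIN_KERNEL="2.6.10"   # threshold from the recommendation quoted in the thread

# ver_ge A B: succeed when dotted version A >= B; "-generic" style suffixes ignored
ver_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# cfg_state FILE SYMBOL: print y (built in), m (module) or n (not enabled)
cfg_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# sample_config: constructed config fragment, device mapper on, dm-crypt off
sample_config() {
    printf '%s\n' 'CONFIG_BLK_DEV_DM=m' '# CONFIG_DM_CRYPT is not set'
}

# preflight RELEASE CONFIG_FILE: print findings, return 1 if anything blocks dm-crypt
preflight() {
    rc=0
    if ! ver_ge "$1" "$MIN_KERNEL"; then
        echo "kernel $1 < $MIN_KERNEL: upgrade before using dm-crypt"; rc=1
    fi
    for sym in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT; do
        s=$(cfg_state "$2" "$sym")
        echo "$sym=$s"
        if [ "$s" = n ]; then rc=1; fi
    done
    return $rc
}

# Stand-alone use: ./preflight.sh check [config-file]
if [ "${1:-}" = check ]; then
    preflight "$(uname -r)" "${2:-/boot/config-$(uname -r)}"
fi
```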
 
  

