This info is oddly hard to find on google so asking it here. I want to format an external drive to ext4 and encrypt it with a password. The best way I know of is cryptsetup with dm-crypt support so I wanna use that. Although the Yast - Partitioner can do this on its own, I’d rather know how to do it by hand as well (especially since Yast asks to install something called pam_mount which I don’t think I need).
My question is, what’s the cryptsetup command to encrypt an ext4 partition (or create / format one as encrypted)? Is it something like “cryptsetup dev/sda1/ mypassword123”? I don’t wish to use LUKS for this… just simple encryption so that whenever I mount the drive I’m asked for a password. Also no LVM.
You are better off with LUKS, which also will have just a simple password when mounting the drive.
The man pages explain what commands (i.e. “man cryptsetup”).
As far as I know, for dm-crypt, you would just use:
cryptsetup create cr_sdb1 /dev/sdb1
where I assume that the partition is “/dev/sdb1” and that you want the virtual encrypted device to be “/dev/mapper/cr_sdb1”.
Then you would “mkfs -t ext4 /dev/mapper/cr_sdb1” to create the ext4 file system. And, finally, a “mount /dev/mapper/cr_sdb1” (with other mount options, as needed).
For subsequent mounting, skip the “mkfs” step.
As far as I know, there is no forgiveness. If you type the wrong key, it will be encrypted/decrypted using the wrong key, so will probably look like an unformatted blob. Also, if you plug in the drive, you won’t be prompted for a key. You will have to type the command manually. The partition is not recognizably encrypted, since there is no crypto header with dm-crypt.
With LUKS there is forgiveness if you mistype the key, for what you enter has to match information in the LUKS header. You will be prompted a second time after a wrong key. And file system browsers can recognize that the partition is encrypted, because they check the header.
I recommend that you reconsider and use LUKS.
On 2012-12-26 23:26, MirceaKitsune wrote:
> Although the Yast - Partitioner can do this on its own, I’d rather
> know how to do it by hand as well (especially since Yast asks to install
> something called pam_mount which I don’t think I need).
You do need it.
Let YaST do it the first time.
>
> My question is, what’s the cryptsetup command to encrypt an ext4
> partition (or create / format one as encrypted)? Is it something like
> “cryptsetup dev/sda1/ mypassword123”? I don’t wish to use LUKS for
> this… just simple encryption so that whenever I mount the drive I’m
> asked for a password. Also no LVM.
From my old notes - you will have to change things as needed - for the
second time onwards:
> dd if=/dev/urandom of=/dev/sdc5 bs=1M count=500
>
> cryptsetup -v --key-size 256 luksFormat /dev/sdc5
>
> cryptsetup luksDump /dev/sdc5
>
> (crypto multimedia on partition)
>
> cryptsetup luksOpen /dev/sdc5 crmm_Amon_Din
>
> cryptsetup status /dev/mapper/crmm_Amon_Din
>
> mkfs.reiserfs -l Amon_Din /dev/mapper/crmm_Amon_Din
>
> file -s /dev/mapper/crmm_Amon_Din
>
> cryptsetup status crmm_Amon_Din
>
> cryptsetup remove crmm_Amon_Din
>
>
> Edit file /etc/crypttab:
>
> # part 1 -> 5
> crmm_5_amon_din /dev/disk/by-uuid/286f633f-52f2-49b7-b1ef-f628c31db320 none noauto
>
>
> Edit file /etc/fstab:
> /dev/mapper/crmm_5_amon_din /mnt/ext/ reiserfs noatime,user,noauto,acl,user_xattr,nofail 1
Also, systemd has changed a few things, so beware.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))
Thank you for the help and useful info. I didn’t know not using LUKS has these disadvantages… sounds like I might want to use it then. But do I have to install a special package for it? Either way, what’s the command to do it with LUKS too?
Also, if possible, I’d like the drive to still work as plug-and-play. So when you plug it in it’s automatically mounted… in this case by requesting a password first.
On 2012-12-27 13:16, MirceaKitsune wrote:
>
> Thank you for the help and useful info. I didn’t know not using LUKS has
> these disadvantages… sounds like I might want to use it then. But do I
> have to install a special package for it? Either way, what’s the command
> to do it with LUKS too?
Just do it with yast, because there are many steps involved and we can
forget one.
My instructions generate a LUKS encrypted partition (LUKS is just a
standard, the actual encryption can use many methods). But my
instructions assume that the system is already prepared, which is what
yast does.
> Also, if possible, I’d like the drive to still work as plug-and-play.
> So when you plug it in it’s automatically mounted… in this case by
> requesting a password first.
That is done by the desktop, provided it is a LUKS partition. In that
case, forget about crypttab and fstab, remove the entries.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))
I can do it with Yast if nothing else works. But like I said, this is something I’d like to know to do by hand too, in case I’ll have to do it on a non-openSUSE Linux machine or something. I assume it’s just a few cryptsetup commands to get it working, but I’m not lucky with finding them on google. Would still like to know them and see some examples if anyone knows.
On 2012-12-27 14:16, MirceaKitsune wrote:
>
> I can do it with Yast if nothing else works. But like I said, this is
> something I’d like to know to do by hand too, in case I’ll have to do it
> on a non-openSUSE Linux machine or something. I assume it’s just a few
> cryptsetup commands to get it working, but I’m not lucky with finding
> them on google. Would still like to know them and see some examples if
> anyone knows.
But you need things like ‘pam’ so that you can enter the password when
needed, and you need to load the appropriate kernel modules on initrd
(maybe not your case). I know very little about pam, so I can not advise
you there.
The cryptsetup commands needed I told them already.
I have a list of documentation you could read, but it is not in my
laptop, so I can’t give it to you till I get back home.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))
There’s nothing special to install, as far as I know.
Again “man cryptsetup” gives the details. In any case, here they are, assuming that the device name is “/dev/sdb1” (change that to suit your needs):
cryptsetup luksFormat /dev/sdb1 ## you should be prompted for the key.
cryptsetup luksOpen /dev/sdb1 cr_sdb1 ### the name "cr_sdb1" can actually be any name you please
### you will be prompted again for the encryption key on that luksOpen.
mkfs -t ext4 /dev/mapper/cr_sdb1 ### uses the same name "cr_sdb1" as given above
cryptsetup luksClose cr_sdb1 ### again, uses the same name "cr_sdb1" used above
At this stage, the encrypted file system is created, then disconnect so that you can now unplug the drive.
You could add a line to “/etc/crypttab”, though I’m not sure if that is needed.
cr_sdb1 /dev/sdb1 none noauto
except that in place of “/dev/sdb1” you should use “/dev/disk/by-id/–whatever-is-the-id-for-disk-part1” because the device name “/dev/sdb1” can change depending on what else is plugged in.
Try mounting with a file browser, both with and without the “/etc/crypttab” entry to see if you actually need the entry. If “/etc/crypttab” does not exist, then create it. It should be owned by root, and have permissions -rw-r--r--
> Also, if possible, I’d like the drive to still work as plug-and-play. So when you plug it in it’s automatically mounted… in this case by requesting a password first.
If you instead use Yast, it will probably do everything for you. Then you might need to edit “/etc/crypttab” to change the last entry of the line to “noauto”.
Thanks for the help. I will try those commands on a VM at first and see how it works, then do my external drive if all goes well.
Thank you, I managed to get my external drive up and running with encryption using those commands. pam_mount was not needed, and it also works when plugging my drive in. The drive is automatically detected like before, and the password is asked once I click the drive in Dolphin.
The steps were those described by nrickert: I used “cryptsetup luksFormat” to create the encrypted container, after which it would automatically mount once plugging the drive in. From there I could easily format it from Yast, and now it works exactly as expected. Only addition is that in order to change the label of the device, I had to use: e2label /dev/mapper/cr_sdb1 "My label"
There would be one more question remaining: If I want to change the password later on, is there a cryptsetup command for that too? Which will prompt me for my current password, ask for new password, ask to confirm new password… like changing the password on any system usually works.
Again, “man cryptsetup” gives the answers.
cryptsetup luksAddKey – to add an additional key
cryptsetup luksRemoveKey – to remove an existing key (but you must have another key available)
cryptsetup luksChangeKey – to change an existing key
Check the man page for arguments and options.
You can have several distinct keys for the same container (up to 8).
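An added example, not written by anyone in this thread: the header that lets a file browser recognize a LUKS partition (and that plain dm-crypt lacks), together with the 8 key slots mentioned above, read straight from the first bytes of a device or image. The offsets assume the LUKS1 on-disk layout (6-byte magic, 2-byte version, key slots from byte 208, 48 bytes each); the function names and both sample images are constructed for illustration.

```sh
#!/bin/sh
# Added example: look for a LUKS header at the start of a device or image file.
# Offsets assume the LUKS1 on-disk layout; function names are hypothetical.

# hex_at FILE OFFSET COUNT -> COUNT bytes at OFFSET as lowercase hex
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# luks_probe FILE -> prints "luks1", "luks2" or "none"
luks_probe() {
    # magic is the ASCII string "LUKS" followed by bytes 0xBA 0xBE
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || { echo none; return 0; }
    case "$(hex_at "$1" 6 2)" in      # big-endian version field
        0001) echo luks1 ;;
        0002) echo luks2 ;;
        *)    echo none ;;
    esac
}

# luks1_active_slots FILE -> prints how many of the 8 LUKS1 key slots are in use
luks1_active_slots() {
    n=0; i=0
    while [ "$i" -lt 8 ]; do
        # each slot starts with a 4-byte state: 0x00AC71F3 active, 0x0000DEAD disabled
        [ "$(hex_at "$1" $((208 + 48 * i)) 4)" = "00ac71f3" ] && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# make_sample_luks1 FILE: constructed 592-byte header, slots 0 and 1 active
make_sample_luks1() {
    {
        printf 'LUKS\272\276\000\001'      # magic + version 1
        head -c 200 /dev/zero              # cipher, hash, digest and UUID fields (zeroed)
        for s in 0 1 2 3 4 5 6 7; do
            if [ "$s" -lt 2 ]; then printf '\000\254\161\363'
            else printf '\000\000\336\255'; fi
            head -c 44 /dev/zero           # remainder of the 48-byte slot record
        done
    } > "$1"
}

# make_sample_plain FILE: constructed stand-in for plain dm-crypt (no header at all)
make_sample_plain() { head -c 592 /dev/urandom > "$1"; }
```

On a real partition, "cryptsetup isLuks" and "cryptsetup luksDump" report the same information; LUKS2 keeps its key slots in a different metadata area, so the slot count here applies to LUKS1 only.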
Thank you, I believe that covers everything I needed to know. And the reason I don’t check man pages generally is that most are so large it’s hard to pin-point a specific little feature 
Use at the command line, rather than the GUI (in a terminal window). That way, you are browsing the man page with “less”. You can type “/string” (without the quotes) to search for “string”. Once you are familiar with less, it is easy to scroll forward/backward. The man pages are a great resource, once you get the hang of using them.