Here’s how to set up an encrypted disk and swap partition on Fedora 6. Refer to Disk encryption in Fedora: Past, present and future for more information. For RedHat (RHEL 4) or CentOS 4, refer to http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem.
Warning: I have no idea how to set up encrypted disks in combination with LVM. I tend to shy away from LVM because it’s yet another layer of abstraction, making it difficult to recover a broken system. However, the following links may be of help:
In these examples, I’m encrypting the /home partition located on partition /dev/sda5, and the swap partition located on /dev/sda3. The partitions will be different on your system.
Create and Format Encrypted Disk
Before you start, you may want to obliterate the partition that will hold the encrypted file system:
$ shred /dev/sda5
Set up the encrypted disk:
$ cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda5
# You must type "YES" to proceed
# It will prompt you for a passphrase twice
$ cryptsetup luksOpen /dev/sda5 home
$ mkfs.ext3 -L /home /dev/mapper/home
$ cryptsetup luksClose home
Create the /etc/crypttab file. It should be formatted as follows:
swap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
home /dev/sda5 none luks
Then add the two mapped devices to /etc/fstab:
/dev/mapper/home /home ext3 defaults 2 1
/dev/mapper/swap swap swap defaults 0 0
Whenever you boot the system, it will prompt you for your passphrase for the /home partition.
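As an added example (not code from the original post), a small POSIX shell check that cross-references the two files above before a reboot. The function name, its rules and the sample files it constructs are mine; it assumes the four-field crypttab layout shown above (name, device, key, options) and the usual six-field fstab layout.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check /etc/crypttab
# against /etc/fstab before rebooting. Assumes the four-field crypttab layout
# used above (NAME DEVICE KEY OPTIONS) and the six-field fstab layout.
#
# Rules checked:
#   1. every /dev/mapper/NAME that fstab mounts has a crypttab entry named NAME
#   2. a swap mapping is keyed from /dev/urandom, not from a passphrase ("none"),
#      so it gets a throwaway key each boot and never blocks boot on a prompt
#   3. a non-swap mapping is NOT keyed from /dev/urandom, since a filesystem
#      under a fresh random key is unreadable after the next reboot
# Prints one line per problem; returns 0 when the two files agree.

check_crypt_fstab() {
    crypttab=$1
    fstab=$2
    awk -v crypttab="$crypttab" '
        # first file: remember the key source of every crypttab mapping
        FILENAME == crypttab {
            if (!/^#/ && NF >= 3) key[$1] = $3
            next
        }
        # second file: look at every fstab line that mounts a dm-crypt device
        !/^#/ && $1 ~ /^\/dev\/mapper\// {
            name = $1
            sub(/^\/dev\/mapper\//, "", name)
            if (!(name in key)) {
                print "fstab mounts " $1 " but crypttab has no entry named " name
                bad++
            } else if ($3 == "swap" && key[name] != "/dev/urandom") {
                print "swap " name " is keyed from " key[name] "; use /dev/urandom for a fresh key each boot"
                bad++
            } else if ($3 != "swap" && key[name] == "/dev/urandom") {
                print name " is keyed from /dev/urandom but mounted as " $3 "; its data would be lost at reboot"
                bad++
            }
        }
        END { if (bad) exit 1 }
    ' "$crypttab" "$fstab"
}

# Constructed sample files mirroring the entries from the post above.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
swap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
home /dev/sda5 none luks
EOF
cat > "$demo/fstab" <<'EOF'
LABEL=/          /      ext3  defaults  1 1
/dev/mapper/home /home  ext3  defaults  2 1
/dev/mapper/swap swap   swap  defaults  0 0
EOF
if check_crypt_fstab "$demo/crypttab" "$demo/fstab"; then
    echo "crypttab and fstab agree"
fi
rm -rf "$demo"
```

Run it as check_crypt_fstab /etc/crypttab /etc/fstab after editing both files. The /dev/urandom key on the swap line is what makes swap need no passphrase at boot: the device is re-keyed with random bytes every time, which also means whatever was swapped out during the previous session is unrecoverable (and, for the same reason, suspend-to-disk cannot resume from that swap).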
At work, I got a shiny new Linux development machine: an AMD 64 Dual Core 3800+ processor running on an Asus M2V 1.xx motherboard.
After installing Fedora Core 6, I ran into two problems. First, the built-in Attansic L1 Ethernet adapter wasn’t recognized. Google research revealed that an Attansic L1 driver will probably appear in the mainline Linux kernel in a few months. Rather than wait, I plugged in a supported Ethernet card.
Second, the SATA hard drive driver timed out. Occasionally, the system froze up without many error messages showing up in the system log. I logged in at the console as root and ran “exec tail -f /var/log/messages” (redirecting syslog to a remote machine is a better solution). The next time the system froze up, I saw more output in syslog. It contained approximately the following:
ata1.00 exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x2 frozen
ata1.00 BMDMA stat 0x4 timeout
ata1.00 qc timeout (cmd 0xec)
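As an added example (not code from the original post), a POSIX shell function that tallies the libata exception and timeout messages above per port from a syslog file, so a drive that has started timing out is visible before the next hang. The function name, the match pattern and the sample log lines are mine; the sample message texts follow the ones quoted above with an ordinary syslog prefix in front.

```shell
#!/bin/sh
# Added example, not code from the original post: count libata "exception"
# and "qc timeout" messages per port in a syslog file. Prints "PORT COUNT"
# lines, busiest port first. Assumes the message texts quoted above, with
# or without the colon after the port name that newer kernels print.
# Usage: ata_timeout_summary /var/log/messages

ata_timeout_summary() {
    awk '
        /ata[0-9]+(\.[0-9]+)?:? (exception Emask|qc timeout)/ {
            # the port token is "ata1.00" or "ata1.00:" depending on kernel version
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ata[0-9]+(\.[0-9]+)?:?$/) {
                    port = $i
                    sub(/:$/, "", port)
                    count[port]++
                    break
                }
            }
        }
        END { for (p in count) print p, count[p] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample log, not a real capture.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Jan  5 10:23:01 devbox kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x2 frozen
Jan  5 10:23:01 devbox kernel: ata1.00: BMDMA stat 0x4
Jan  5 10:23:01 devbox kernel: ata1.00: qc timeout (cmd 0xec)
Jan  5 10:23:31 devbox kernel: ata1.00: qc timeout (cmd 0xec)
Jan  5 10:24:00 devbox kernel: ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x2 frozen
Jan  5 10:24:05 devbox sshd[1234]: Accepted publickey for alice from 10.0.0.7
EOF
ata_timeout_summary "$demo"
rm -f "$demo"
```

Pointing it at a copy of /var/log/messages that a remote syslog host collected is the useful case: when the box freezes, the lines that were still in the local buffer are exactly the ones that get lost, which is why forwarding syslog is preferable to watching the console.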
Google helped me stumble on the following workaround, which seems to work. I don’t know what it does. Edit /etc/grub.conf. Find the lines that say “kernel” and add “acpi=force irqpoll noapic hda=noprobe” to the end, and reboot.
title Fedora Core (2.6.19-1.2911.fc6)
kernel /vmlinuz-2.6.19-1.2911.fc6 ro root=LABEL=/ rhgb quiet acpi=force irqpoll noapic hda=noprobe
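As an added example (not code from the original post), a POSIX shell function that performs the grub.conf edit above on every “kernel” line while skipping parameters a line already carries, so the script is safe to run twice. The function name and the grub.conf fragment it constructs are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: append boot parameters to
# every "kernel" line of a grub.conf, skipping any parameter the line already
# carries, so the edit can be re-run without duplicating parameters. Output
# goes to stdout; the caller decides where to write it.
# Usage: add_kernel_params FILE "param1 param2 ..."

add_kernel_params() {
    file=$1
    params=$2
    awk -v params="$params" '
        /^[[:space:]]*kernel[[:space:]]/ {
            n = split(params, want, " ")
            for (i = 1; i <= n; i++) {
                # whole-word test: pad with spaces so "irqpoll" does not match "noirqpoll"
                if (index(" " $0 " ", " " want[i] " ") == 0) $0 = $0 " " want[i]
            }
        }
        { print }
    ' "$file"
}

# Constructed grub.conf fragment: the kernel line as it would look before the
# workaround parameters were added.
demo=$(mktemp)
cat > "$demo" <<'EOF'
default=0
timeout=5
title Fedora Core (2.6.19-1.2911.fc6)
	root (hd0,0)
	kernel /vmlinuz-2.6.19-1.2911.fc6 ro root=LABEL=/ rhgb quiet
	initrd /initrd-2.6.19-1.2911.fc6.img
EOF
add_kernel_params "$demo" "acpi=force irqpoll noapic hda=noprobe"
rm -f "$demo"
```

Keep a backup and write through it: cp /etc/grub.conf /etc/grub.conf.bak && add_kernel_params /etc/grub.conf.bak "acpi=force irqpoll noapic hda=noprobe" > /etc/grub.conf. Note that hda=noprobe tells the IDE driver not to probe the first IDE device, so this particular set of parameters belongs on a machine like the one described here that boots from SATA, not on one whose root disk is IDE.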
Useful commands (helpfully documented on this blog):
dmidecode – tells me what motherboard I have
lspci – tells me what built-in Ethernet adapter I have
cat /proc/cpuinfo – tells me about my CPU
I’ll be at the Mountain West Ruby Conference March 16-17, 2007 9:00 AM – 5:00 PM each day. Registration is only $50 USD. http://mtnwestruby.org