[Trisquel-users] Full Disk Encryption - Multiple partitions

Stefano pietranera at gmail.com
Sun Jan 15 19:49:20 CET 2012




On Sat, 14 Jan 2012 17:41:05 +0100 (CET)
apvp at hush.ai wrote:

> Hello!
> 
> Basically, my question is: will I have to encrypt every single partition,
> one at a time, with cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size
> 512 luksFormat /dev/PARTITION and, from there, work with each one
> individually, as explained in the link I've placed at the beginning of this
> post, or is it possible/recommended to encrypt the whole extended partition
> area (/dev/sda3) in place?
> 
> Any comment would be much appreciated. Thank you!
>

Hello,

You can indeed use multiple partitions, just follow the instructions for each
partition.

When you're done and are ready to chroot, remember that you must mount the
partitions in the right order.

For example, let's say that you have / in /dev/mapper/crypto_root
(/dev/sda1) and /home in /dev/mapper/crypto_home (/dev/sda2), you should do:

mount /dev/mapper/crypto_root /mnt/root
mount /dev/mapper/crypto_home /mnt/root/home 

You do not need to insert a password for every encrypted partition if you add a
key file for the extra partitions. E.g. for your encrypted home, do:

cryptsetup luksAddKey /dev/sda2 /path/to/key/file

There are several ways to create a key file with random characters.

Then, your /etc/crypttab should look like:

# <target name>	<source device> <key file>    <options> 
crypto_root /dev/disk/by-uuid/YOUR_UUID_FOR_ROOT none luks
crypto_home /dev/disk/by-uuid/YOUR_UUID_FOR_HOME /path/to/key/file luks

Note that YOU MUST HAVE A PASSWORD FOR YOUR "/" otherwise you will not be able
to boot!

Best,

-- 
Stefano

Fortune of the day: "Are you sure the back door is locked?"
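
Added example, not part of the original message: one way to create a key file for the extra partitions and to check a crypttab against the rule in the reply above (passphrase for "/", key files only for the other partitions). The function names make_keyfile and audit_crypttab, the 4096-byte key size and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example; the function names, key size and checks are assumptions.

# make_keyfile PATH: write 4096 random bytes, readable by the owner only.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null ) &&
        chmod 0400 "$1"
}

# audit_crypttab FILE ROOT_TARGET
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
# Usage: audit_crypttab /etc/crypttab crypto_root
audit_crypttab() {
    tab=$1
    root=$2
    rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ "$name" = "$root" ]; then
            # The post's rule: "/" is unlocked by passphrase (key field 'none').
            [ "$key" = none ] || { echo "$name: root entry must use 'none'"; rc=1; }
            continue
        fi
        [ "$key" = none ] && continue                # prompts at boot, no file
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of the mode string are the group/other bits.
            echo "$name: key file $key is accessible by group or other"; rc=1
        fi
    done < "$tab"
    return $rc
}
```

After make_keyfile, the file is enrolled with the cryptsetup luksAddKey command shown in the message.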

