Protecting Data with Encrypted Linux Partitions - page 3

The Inevitable Whoopsie

Once you have a nice new empty partition, you'll encrypt it with the cryptsetup command. Be very sure you are encrypting the correct partition:

# cryptsetup --verbose --verify-passphrase -c aes-cbc-plain luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

This creates the encrypted partition. Now you need to create and name a mountable logical partition. In this example, it is named sda2, which could be test or fred or mysecretpartition, or anything you want:

# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

This should show as a block device in /dev/mapper:

$ ls -l /dev/mapper
total 0
crw-rw---- 1 root root  10, 63 2007-06-09 18:38 control
brw-rw---- 1 root disk 254,  0 2007-06-09 19:46 sda2

Now put a filesystem on the logical partition:

# mkfs.ext3 /dev/mapper/sda2

Now you need to make a mount point so you can mount and use this nice new encrypted partition. Remember, you must use the device name is from /dev/mapper/. I'll put it in my home directory. Watch for operations that require rootly powers:

$ mkdir /home/me/crypted
# mount /dev/mapper/sda1  /home/me/crypted

Confirm that it mounted, and write a test file:

# df -H

[...]
Filesystem             Size   Used  Avail Use% Mounted on
/dev/mapper/sda2       7.9G   152M   7.3G   3% /home/carla/crypted
# cd /home/me/crypted
# nano test
# ls
lost+found  test