Hi,

On Wed, Sep 05, 2012 at 08:21:36AM +0400, Stayvoid wrote:
> Hello there,
>
> Let's move back to the initial questions...
>
> I'd like to use a plain version of dm-crypt because it doesn't
> store a header on a disk. (Yes, I know that LUKS is a recommended
> way, but I've already made my choice.)

That is fine. I am doing the same in some places.

> I haven't found any guides to the plain version, that's why I
> decided to ask first.

That is because the plain version is actually simpler to use,
it just is missing most "enterprise" features.

> Here is what I'm going to do:
> (These notes are based on this guide [1].
> I'm using a LiveUSB.)
>
> 1. Overwrite a hard disk:
>
> # dd if=/dev/urandom of=/dev/sda bs=1M

That will be very slow. The fastest method is to map with
plain dm-crypt and a random key (like the typical swap set-up)
and then overwrite with zeros. Your solution will work though,
although if you do it with

  dd_rescue /dev/urandom /dev/sda

you get a progress indicator.

>
> 2. Create partitions:
>
> # fdisk /dev/sda
>
> Here is my partition scheme:
>
> Device     Boot   Start       End    Blocks  Id  System
> /dev/sda1          2048    206847    102400  83  Linux
> /dev/sda2        206848   2303999   1048576  82  Linux
> /dev/sda3       2304000 312581807 155138904  83  Linux
>
> * /dev/sda1 -- /boot;
> * /dev/sda2 -- swap;
> * /dev/sda3 -- the rest.

Looks reasonable.

> When can I create the filesystems?
> Can I do it at this step?

No. Nothing is encrypted. You could create the boot filesystem
if that stays unencrypted.

> 3. Mapping partitions:
>
> # cryptsetup -y -c aes-xts-plain -s 512 create swap /dev/sda2
> # cryptsetup -y -c aes-xts-plain -s 512 create main /dev/sda3
>
> After this step the guide [1] suggests to unlock LUKS partitions:
>
> # cryptsetup luksOpen /dev/<partitions name> <device-mapper name>
>
> How to do it using the plain version of dm-crypt?
> Is it even necessary?

No. You just map it like you stated and then create the
filesystem on the mapped device. The luksFormat step does
not happen.

So:

  mke2fs -j /dev/mapper/main
  mkswap /dev/mapper/swap

>
> 4. Encrypting the swap partition with suspend-to-disk support:
>
> How to do it using the plain version?

No idea. Suspend-to-disk is insecure unless done right and
it needs to be done right by your distro.

Basically you can put in "cryptsetup create" for any
"cryptsetup luksOpen" and swap the arguments.
"cryptsetup close" and "cryptsetup luksClose" are synonyms
AFAIK, i.e. both remove the mapping whether plain or LUKS.

Arno

>
> What else should be done to finish the configuration?
>
> [1] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
>
> Thanks
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
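Added example, not part of the original message and not the project's own code: the wipe method described in the reply above (map the disk with plain dm-crypt under a throwaway random key, then write zeros through the mapping). It uses the current "cryptsetup open --type plain" syntax instead of the thread's "cryptsetup create"; the function names, the RUN switch and the default mapping name wipe_tmp are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: wipe a disk by mapping it with plain
# dm-crypt under a throwaway random key and writing zeros through the mapping.
# Dry run by default: commands are printed, and only executed when RUN=1.

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# wipe_disk DEVICE [MAPPING_NAME]   (hypothetical helper for this example)
wipe_disk() {
    dev=$1
    name=${2:-wipe_tmp}
    case $dev in
        /dev/?*) ;;
        *) echo "wipe_disk: '$dev' is not a /dev path" >&2; return 2 ;;
    esac
    # Refuse if the disk or one of its partitions is mounted.
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "wipe_disk: $dev is mounted, refusing" >&2; return 3
    fi
    # The key is read from /dev/urandom and never stored, so the encrypted
    # zeros on the disk look like random data once the mapping is closed.
    run cryptsetup open --type plain -c aes-xts-plain -s 512 \
        -d /dev/urandom "$dev" "$name" || return 1
    # dd ends with "No space left on device" once the mapping is full;
    # that non-zero exit is the expected end of the wipe.
    run dd if=/dev/zero of="/dev/mapper/$name" bs=1M status=progress || true
    # Closing the mapping discards the key.
    run cryptsetup close "$name"
}

if [ "$#" -gt 0 ]; then wipe_disk "$@"; fi
```

Run it once without RUN=1 to compare the printed commands against the intended device, then again as root with RUN=1.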