The Austin Linux Meetup Group Message Board › Instructions for cryptsetup as promised in meeting on 5/4
puddles
BACKGROUND
==========

The Linux 2.6 kernel includes a new facility: device-mapper. This is the layer that makes possible the creation of virtual block devices (which exist in memory only) on top of real block devices (backed by a physical device of some sort). Virtual block devices are used to implement RAID, snapshots, encryption, etc.

CRYPTSETUP
==========

This is the utility to create and manage encrypted block devices and containers for device-mapper. LUKS is the standard for on-disk storage of the metadata that implements multiple user keys and key management (creation and revocation), and is intended to be compatible across distributions.

As mentioned earlier, there are two ways to use cryptsetup: on a physical block device, and on a container.

PHYSICAL BLOCK DEVICE
=====================

USB sticks, external hard drives, and disk partitions are physical block devices. It is often easiest to use cryptsetup on physical block devices directly. Many Linux distributions now prompt you to enter a password as soon as an encrypted device is plugged in.

Here are the steps to create an encrypted block device manually. We assume there is a USB stick inserted into the computer, and that it is recognized as /dev/sdb. We will encrypt the first partition on it. Everything between [ ] is what you would type in.

[root@localhost ~]# cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): [YES]
Enter LUKS passphrase: [enter password]
Verify passphrase: [verify password]
Command successful.
We can verify that the encrypted device was created properly by issuing the "luksDump" cryptsetup subcommand:

[root@localhost ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      98 47 e9 b1 da 4d 04 dd c8 12 eb 8f c5 0c 43 1e cb df 0d 57
MK salt:        3a 58 2b 54 81 96 2d f3 cf 10 6f a4 41 f7 03 82
                86 35 33 d6 f7 2f 59 c0 e5 7d 59 3c 75 99 b0 c1
MK iterations:  10
UUID:           89f35f6d-1460-4767-9179-eac4bcf0d0aa

Key Slot 0: ENABLED
        Iterations:             82519
        Salt:                   d8 e4 0c 59 9a 25 0c b4 b5 38 d7 a7 20 12 6e ed
                                53 cb 2e 57 8d 03 25 f4 65 71 cb 5d 9e 96 34 fe
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

The output above shows you that the block device /dev/sdb1 is encrypted with AES, 128-bit key length. There is one key defined in the LUKS header, and there is room for seven more keys to be defined.

At this point, no virtual block device has been created. Only the LUKS header has been placed on the physical block device. To use this device for encrypted storage, you will need to issue the "luksOpen" subcommand:

[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 my-encrypted-device
Enter LUKS passphrase for /dev/sdb1: [enter password]
key slot 0 unlocked.
Command successful.

If you entered the password correctly, a virtual block device will be created in the /dev/mapper/ directory. In the example above, we chose to name this virtual block device "my-encrypted-device".

[root@localhost ~]# ls -la /dev/mapper
total 0
drwxr-xr-x  2 root root     120 2009-05-04 22:10 .
drwxr-xr-x 15 root root    5180 2009-05-04 22:10 ..
crw-rw----  1 root root 10,  63 2009-05-04 16:34 control
brw-rw----  1 root disk 253,  2 2009-05-04 22:10 my-encrypted-device

From now on, you will work with this virtual block device exclusively.
You will create a filesystem on it, as well as mount and unmount it, instead of the physical device /dev/sdb1.

[root@localhost ~]# mke2fs -m0 /dev/mapper/my-encrypted-device
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
131072 inodes, 523772 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Congratulations, you have just created an encrypted filesystem! This filesystem can now be mounted anywhere you'd like to store your data.

[root@localhost ~]# mkdir /tmp/my-encrypted-storage && mount /dev/mapper/my-encrypted-device /tmp/my-encrypted-storage

You can now put data in the directory on which you mounted the virtual block device. In the example above, anything written to /tmp/my-encrypted-storage will be encrypted and eventually written to /dev/sdb1.

Once you are done with the device, you will need to unmount it and close the device-mapper virtual block device:

[root@localhost ~]# umount /tmp/my-encrypted-storage
[root@localhost ~]# cryptsetup luksClose /dev/mapper/my-encrypted-device

You can now safely remove the USB stick from the system.

That may seem like a lot of typing to get an encrypted storage device, but you may be in luck. Once you have gone through the steps to create and format an encrypted storage device, you may be able to use it again by simply plugging it into your computer and allowing dbus and your desktop manager to detect the insertion of a LUKS-encrypted device and prompt you for the password.
We mentioned earlier that there are two ways you can use cryptsetup. The other way to use cryptsetup is to use it on a container file that exists on your filesystem. You would use this method if you have no other device available, or if you wish to encrypt a small subset of your data instead of the entirety of a physical device.

ENCRYPTED CONTAINER ON EXISTING FILESYSTEM
==========================================

Linux has a facility called the "loopback device" to create a virtual block device that is backed by a regular file on a filesystem. This is commonly used to create ISO images for pre-mastering purposes, as well as to create an initrd for booting your Linux system, among other uses.

The only modifications to the above set of commands are:

(1) Create a loopback device that maps to a container file on the filesystem:

[root@localhost ~]# dd if=/dev/urandom of=/tmp/container bs=1M count=512
[root@localhost ~]# losetup /dev/loop0 /tmp/container

This will create a file named "container", 512MB in size, filled with pseudorandom data, located in the /tmp directory.

(2) Wherever you see references to the physical block device (/dev/sdb1), substitute /dev/loop0:

[root@localhost ~]# cryptsetup luksFormat /dev/loop0

(3) After you've issued "cryptsetup luksClose", follow it with "losetup -d /dev/loop0" to destroy the loopback device named /dev/loop0 that you created earlier in (1).

That's all there is to using cryptsetup-luks under Linux. Happy encrypting!

Puddles

Edited by puddles on May 4, 2009 10:44 PM
puddles
Forgot to add that distributions now auto-mount USB sticks and HDs in the /media directory, using the filesystem label of the device for the name of the directory under the /media mount point.

For example, if you label your encrypted device "mega-secret":

[root@localhost ~]# e2label /dev/mapper/my-encrypted-device mega-secret

Then that USB stick will be mounted as /media/mega-secret, assuming you enter the password correctly.

This also limits what you can label your filesystem with, as some characters will be remapped to "safer" characters (e.g., "/" maps to "_").
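The two posts above describe the procedure step by step; the script below is an added example, not code from the original posts, that wraps the container-file variant (random-filled file, loop device, luksFormat, luksOpen, mkfs, mount, and the reverse on close) together with the labeling advice from the follow-up post. It assumes cryptsetup, losetup and e2fsprogs are installed and that the create/open/close actions run as root; the file path, mapping name, label and mount point are illustrative defaults, and the helper names (mapper_name, check_label, attach_loop, find_loop) are this example's own. Two differences from the posts are deliberate: a free loop device is picked with "losetup -f --show" instead of hard-coding /dev/loop0, and the header is verified with "cryptsetup isLuks" before the device is opened.

```bash
#!/bin/bash
# Added example (not from the original posts): LUKS container in a file with
# the checks a practitioner wants. Assumes cryptsetup, losetup, e2fsprogs and
# root for create/open/close. Paths, names and helper functions are illustrative.
set -eu

CONTAINER="${CONTAINER:-/tmp/container}"              # backing file (assumed path)
SIZE_MB="${SIZE_MB:-512}"
NAME="${NAME:-my-encrypted-device}"                    # becomes /dev/mapper/$NAME
LABEL="${LABEL:-mega-secret}"                          # ext filesystem label
MOUNTPOINT="${MOUNTPOINT:-/tmp/my-encrypted-storage}"

# luksClose takes the mapping name rather than the /dev/mapper path; accept both.
mapper_name() {
    printf '%s\n' "${1#/dev/mapper/}"
}

# e2label stores at most 16 bytes, and the desktop auto-mounter rewrites "/" to
# "_" in the /media/<label> directory name, so reject labels that would not come
# back the way they went in. (Length check counts characters; fine for ASCII.)
check_label() {
    l="$1"
    [ -n "$l" ] || return 1
    [ "${#l}" -le 16 ] || return 1
    case "$l" in */*) return 1 ;; esac
    return 0
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

# Attach the container to whatever loop device is free and print its name;
# hard-coding /dev/loop0 fails as soon as something else already holds it.
attach_loop() {
    losetup -f --show "$CONTAINER"
}

# Loop device already backing the container, or empty output if none.
find_loop() {
    losetup -j "$CONTAINER" | head -n1 | cut -d: -f1
}

create_container() {
    need_root
    check_label "$LABEL" || { echo "unusable label: $LABEL" >&2; return 1; }
    if [ -e "$CONTAINER" ]; then
        echo "$CONTAINER exists; refusing to overwrite it" >&2
        return 1
    fi
    # Random fill so the file does not reveal which blocks are in use.
    dd if=/dev/urandom of="$CONTAINER" bs=1M count="$SIZE_MB"
    chmod 600 "$CONTAINER"
    loop=$(attach_loop)
    # --batch-mode skips the interactive YES; the passphrase is still prompted for.
    cryptsetup luksFormat --batch-mode "$loop"
    cryptsetup isLuks "$loop"                  # verify the header before opening
    cryptsetup luksOpen "$loop" "$NAME"
    mkfs.ext4 -m0 -L "$LABEL" "/dev/mapper/$NAME"
    cryptsetup luksClose "$(mapper_name "/dev/mapper/$NAME")"
    losetup -d "$loop"
    echo "created $CONTAINER (label $LABEL); use '$0 open' to mount it"
}

open_container() {
    need_root
    loop=$(find_loop)
    [ -n "$loop" ] || loop=$(attach_loop)
    cryptsetup isLuks "$loop"
    cryptsetup luksOpen "$loop" "$NAME"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$NAME" "$MOUNTPOINT"
    echo "mounted /dev/mapper/$NAME on $MOUNTPOINT via $loop"
}

# Tear down in reverse order: unmount, close the mapping, detach the loop device.
close_container() {
    need_root
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$NAME"
    loop=$(find_loop)
    [ -z "$loop" ] || losetup -d "$loop"
}

case "${1:-}" in
    create) create_container ;;
    open)   open_container ;;
    close)  close_container ;;
    "")     ;;    # no action given: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {create|open|close}" >&2; exit 2 ;;
esac
```

Run it as "./luks-container.sh create", then "open" and "close" (script name assumed). Two caveats: on many current distributions /tmp is a tmpfs, so a container created at the post's default path disappears on reboot; and the luksDump shown in the first post reflects 2009 defaults (LUKS1, aes-cbc-essiv:sha256, 128-bit key), whereas current cryptsetup defaults to LUKS2 with aes-xts-plain64 and a larger key, so a fresh luksDump will look different.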