Creating an encrypted disk in Ubuntu 7.10 (Gutsy Gibbon)
Encryption is becoming more common as users realize the dangers posed if someone were to get the data on their computers. The Ubuntu installer even prompts the user to set up an encrypted disk. While encrypting the primary disk of a desktop or laptop is desirable, I tend to use an external encrypted disk to store much of my data. To be more accurate, I create a single large partition on the disk and encrypt that partition. I thought it would be useful, especially given the quality of information on the web, to share my process and some information about the options available.
The first step is to run the badblocks program. This will accomplish 3 things:
- Verify that the disk is in good shape by checking for bad blocks.
- Fill the disk with random data, making the encryption harder to detect and break.
- Stress test the drive, hopefully making any problems with the drive apparent.
The command for this is:
sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sdx
- -c 10240 = test 10K blocks at a time
- -s = show progress (for this command it’s necessary)
- -w = write-mode test (write to disk and verify; this overwrites everything on the disk)
- -t random = fill the blocks with a random test pattern
- -v = verbose mode
This command can take a very long time to execute. I’ve had to run it on a few 500GB drives and it took between 6 and 8 hours each time. If badblocks fails to find errors, it does give some peace of mind about the disk.
Next the disk should be partitioned. This is not necessary but if the disk is connected to a Windows machine (XP anyway, not sure about Vista) it will prevent an error message from appearing and a prompt to partition the disk.
I use cfdisk for this:
sudo cfdisk /dev/sdx
And in the program I create 1 large primary partition with the available space (by default it will be a Linux partition which is fine). I then “Write” the changes and “Quit”.
In order to prevent the following error I found it necessary to unplug or power cycle the drive.
Unable to obtain sector size for /dev/sdb3
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/sdx1 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
The next step is to set up the encrypted partition. At this point one has to decide on a cipher to use. The default cipher, if not specified, is “aes-cbc-essiv:sha256”.
Cipher names:
These are the top 3 finalists for the AES standard.
- aes (Rijndael)
- serpent
- twofish
Cipher modes:
- cbc-essiv:sha256 (keysizes must be 128, 192, or 256)
- lrw-benbi (keysizes must be 256, 320, or 384)
Although AES and Twofish only support the key sizes above, Serpent actually supports any multiple of 8 between the min and max. However, I don’t find this to be of much practical value.
I would suggest using a key size of at least 256.
So, if one were to select the default cipher with a 256-bit key, the command to set up that partition is:
sudo cryptsetup -v -y -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/sdx1
- -v = verbose mode
- -y = verify passphrase
- -c = cipher
- -s = key size
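An added example, not part of the original post: a POSIX shell helper that checks a cipher name, mode and key size against the rules listed above before printing the luksFormat command. The function names are hypothetical, and the Serpent rule is read here as any multiple of 8 between the smallest and largest size listed for the chosen mode.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# valid_keysize NAME MODE BITS -> exit status 0 if the combination is allowed
valid_keysize() {
    vk_name=$1; vk_mode=$2; vk_bits=$3
    # Digits only, no leading zero (avoids octal parsing in arithmetic).
    case $vk_bits in ''|0*|*[!0-9]*) return 1 ;; esac
    case $vk_mode in
        cbc-essiv:sha256) vk_min=128; vk_max=256; vk_sizes="128 192 256" ;;
        lrw-benbi)        vk_min=256; vk_max=384; vk_sizes="256 320 384" ;;
        *) return 1 ;;
    esac
    case $vk_name in
        aes|twofish)
            # Only the sizes listed for the mode are accepted.
            case " $vk_sizes " in *" $vk_bits "*) return 0 ;; esac
            return 1 ;;
        serpent)
            # Assumption: any multiple of 8 between the mode's min and max.
            [ "$vk_bits" -ge "$vk_min" ] && [ "$vk_bits" -le "$vk_max" ] &&
                [ $((vk_bits % 8)) -eq 0 ] ;;
        *) return 1 ;;
    esac
}

# luks_format_cmd DEVICE NAME MODE BITS -> prints the command, runs nothing
luks_format_cmd() {
    lf_dev=$1; lf_name=$2; lf_mode=$3; lf_bits=$4
    case $lf_dev in
        /dev/*) ;;
        *) echo "not a device path: $lf_dev" >&2; return 2 ;;
    esac
    if ! valid_keysize "$lf_name" "$lf_mode" "$lf_bits"; then
        echo "unsupported: $lf_name-$lf_mode with a $lf_bits-bit key" >&2
        return 1
    fi
    echo "sudo cryptsetup -v -y -c $lf_name-$lf_mode -s $lf_bits luksFormat $lf_dev"
}
```

Source the file and call, for example, `luks_format_cmd /dev/sdx1 aes cbc-essiv:sha256 256`; an unsupported combination prints an error and returns non-zero instead of a command.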
After entering the passphrase twice and seeing the message “Command successful” you can then open the partition:
sudo cryptsetup luksOpen /dev/sdx1 cryptdisk
- the final parameter can be any name you want
Then it’s time to format the partition:
sudo mkfs.ext3 /dev/mapper/cryptdisk
And finally the disk can be mounted:
sudo mkdir /mnt/cryptdisk
sudo mount /dev/mapper/cryptdisk /mnt/cryptdisk



