Gentoo Wiki


This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc
This article is part of the Security series.



This article will describe how to:

Security Argument

In this situation someone trying to decrypt your partition would fail, even if he (however) gets your usb stick. Cause the stick is useless without the password, which is only known to you.

FIXME: Tell more. Especially: TrueCrypt and Hidden Partitions.

So, this approach results in a relatively high level of security. In addition I don't think it's necessary to encrypt the whole disk, including rootfs, cause all (my) sensitive data are located in the home dirs. But I recommend encrypting swap; to be sure your encryption-key is unusable, even if it somehow makes it's way to swap. Nevertheless it's a good idea to also encryt the /tmp fs.

By the way, this is although a matter of performance. It's slow enough to have an encrypted home partition.

FIXME: Say how to do this.

RC Addon needed

In case you want the encrypted partition to be mounted at boot-time, you will recognize that gentoo's rc system is not sufficient in this situation; at least for the approach I am just talking about. Don't get my wrong, Gentoo is just great.

While booting, the usb-key-container has to be located, decrypted using a password given by the user, mounted; and after this, the encrypted partition must be decrypted with the key from the usb-container and finally the usb-container needs to be unmounted and it's ecryption-mapping removed.

I've written an addon to the gentoo rc system which will do this for you.

On Boot

... when it's time to decrypt your partition, before checkfs/localmount are invoked:

... rc will call checkfs/localmount afterwards so the partition is fschecked and mounted

On Shutdown

... after localmount has unmounted the partition:


Why not use the existing dm-crypt-addon?

Dm-crypt is called by rc before checkfs and after localmount(and on shutdown). This is required cause you can define pre- and postmount-actions to be executed, and dm-crypt has to be called to run these when their time has come.

We could use this premount-action to mount the usb-key-container, right after decrypting it. Then encrypt the partition using the key from the mountpoint and unmount it again in the partition's premount action. This would look like this:

Code: /etc/conf.d/cryptfs
options=' --readonly'
pre_mount='mount ${dev} /mnt/usb-key-container'

options=' --key-file /mnt/usb-key-container'
pre_mount='umount /mnt/usb-key-container && cryptsetup luksClose usb-key-container'

This works cause dm-crypt first creates the device-mapping before it executes the premount action. The pre-/postmount-actions are originally inteded to be used for creating a fs on an encrypted /tmp and for changing it's permissions after mounting.

FIXME: Say howto do this

Abusing dm-crypt in that way has some disadvantages:

But it's your choice to stop reading at this point and copy/paste/review the above config.

What about simply writing an init script?

Yeah, this was my first thought. I wrote an init script that did the mapping/mounting/... stuff, but this was an useless waste of time, because init scripts will always be aborted by (even if added to the boot runlevel or called directly from checkfs) while sysinit is running. And excactly this is the time, we want the partition to be decrypted.


Encrypting the usb pen drive

fdisk -l

find the new added disk such as sda or sdb create the 2 partitions on usb pen disk fdisk sd* (what you find in fdisk -l)

dd if=/dev/urandom of=/dev/sd*2

Ecrypting the partition

Installing the rc addon


Creating fallback keys

Retrieved from ""

Last modified: Tue, 07 Oct 2008 05:39:00 +0000 Hits: 3,173