HOWTO: Replacing cryptoloop with dm-crypt in Debian

A while back, I wrote a little HOWTO on putting the cryptoloop module back in Debian. Yesterday, Josh Triplett pointed out to me that current dm-crypt can actually be used instead of the cryptoloop module to work compatibly with cryptoloop-formatted volumes. Huh.

It turns out to be as simple as

    $ apt-get install cryptsetup
    $ cryptsetup create -c mycipher -s mykeysize volume-label /dev/sdx7
    $ mount /dev/mapper/volume-label /mount-point

Obviously you'll need to make some substitutions in the above. Use

    $ umount /mount-point
    $ cryptsetup remove volume-label

to clean up afterwards. Enjoy. Friend of Bart



Dunno. Things to try:

  • You may want to look at "--skip" vs "--offset". Not sure which you need here.

  • You may want to look at the "--key-size" option. Maybe there's a different default for twofish.

  • I don't think /dev/hdb1 vs /dev/sdb1 should make any difference, but for the record make sure you're trying the right volume.

  • If all else fails, see my other HOWTO for how to build cryptoloop for your box. See if that still works for you. That might give a clue about what's going on. Friend of Bart

more ideas

Huh. So the thing still pulls with cryptoloop; that's good, it means that we can rule out a lot of things.

  • There's some useful but dated information here.

  • The default keysize for most versions of losetup seems to be 256. For certain old versions of SuSE it was apparently 192.

I'm running out of ideas. You might want to ping the cryptsetup/dmcrypt folks directly... Friend of Bart


Glad you got it working! Thanks huge for the report—it is greatly appreciated and should help others out a lot. I know I learned some things. Friend of Bart

Yes, use cryptsetup create

Yes, use the horribly-named cryptsetup create every time, not cryptsetup reload. cryptsetup create won't touch your filesystem--it just "creates" the device file in /dev/mapper. So do it every time just like you did it the first time. Friend of Bart

Using dm-crypt on files

You will still need a loop device, but not cryptoloop. I just set this up for the first time last night.

    $ losetup -v -f my-filesystem-file
    Loop device is /dev/loop7
    $ cryptsetup create -c my-cipher -s my-keysize volume-label /dev/loop7
    $ mount /dev/mapper/volume-label /mount-point

To take it all down:

    $ umount /mount-point
    $ cryptsetup remove volume-label
    $ losetup -d /dev/loop7

If you forget what loopback device you used, "cryptsetup status volume-label" will show this, unless you've already done the remove. So go carefully.

It's all lots more trouble than the cryptoloop solution, and no more secure. Apparently, though, it's the future for some reason. Friend of Bart
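
The file-backed setup and teardown from the comment above, wrapped as shell functions that undo partial setups and recover the loop device from `cryptsetup status` before removing the mapping. This is an added example, not part of the original post or comments; the function names and the sample status text are constructed, and the `device:` field layout is an assumption about cryptsetup's output.

```shell
#!/bin/sh
# Added example. Function names and sample text are constructed for illustration.

# Print the "device:" field from `cryptsetup status` output read on stdin.
backing_device() {
    awk '$1 == "device:" { print $2; exit }'
}

# Constructed sample of status output (field layout assumed, not captured).
sample_status() {
    printf '%s\n' '/dev/mapper/volume-label is active.' \
        '  cipher:  aes-cbc-plain' '  keysize: 256 bits' \
        '  device:  /dev/loop7' '  offset:  0 sectors'
}

# crypt_up FILE LABEL CIPHER KEYSIZE MOUNTPOINT
crypt_up() {
    up_file=$1; up_label=$2; up_cipher=$3; up_keysize=$4; up_mnt=$5
    # -f takes the first free loop device; --show prints which one it was.
    up_loop=$(losetup -f --show "$up_file") || return 1
    if ! cryptsetup create -c "$up_cipher" -s "$up_keysize" "$up_label" "$up_loop"; then
        losetup -d "$up_loop"          # undo the loop setup
        return 1
    fi
    # These volumes have no header, so a wrong passphrase, cipher or key size
    # still yields a mapping; a failed mount is the first sign of a mismatch.
    if ! mount "/dev/mapper/$up_label" "$up_mnt"; then
        cryptsetup remove "$up_label"
        losetup -d "$up_loop"
        return 1
    fi
}

# crypt_down LABEL MOUNTPOINT
crypt_down() {
    down_label=$1; down_mnt=$2
    # Ask for the loop device first: once the mapping is removed it is gone.
    down_loop=$(cryptsetup status "$down_label" | backing_device)
    umount "$down_mnt" || return 1
    cryptsetup remove "$down_label" || return 1
    case $down_loop in
        /dev/loop*) losetup -d "$down_loop" ;;
    esac
}
```

Both functions need root, and take the same placeholder arguments as the commands above.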