I used DM-Crypt/LUKS with Fedora Core 6 to quell my paranoia regarding a physical compromise of my notebook. I set up swap and partition encryption, especially for sensitive areas such as /home and /var.
Preface: While a fresh installation is not strictly necessary, I'd recommend it, because before you install you should scrub the drive with one or two passes of dd (more if you're so inclined). That way no artifacts of the old, unencrypted data remain on any portion of the disk. Use a Live CD or an installation CD, get to a shell and do the following:
# shred -n 100 -z -v /dev/hda

If you lack shred, you can do the following (random passes first, a zero pass last, the same order shred uses):

# i=0; while [ $i -lt 100 ]; do dd if=/dev/urandom of=/dev/hda; i=`expr $i + 1`; done
# dd if=/dev/zero of=/dev/hda
Either form overwrites the entire drive with random data 100 times (to ensure adequate erasure) and then zeros it, so the drive doesn't obviously look like it was just wiped.
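As an added example (not from the original post), the dd fallback above wrapped in a small sh function: it takes a pass count, runs the random passes first and the zero pass last in the same order as shred -n N -z, and then verifies that only zero bytes remain. The function names are my own, and the target is a parameter so it can be exercised on a constructed scratch file rather than /dev/hda.

```shell
#!/bin/sh
# Added example: shred-style wipe built from dd, with a verification step.
# The target is a parameter; nothing here touches a real block device unless
# you pass one. Function names are my own, not from the post.

# random_fill TARGET SIZE: one pass of random bytes over exactly SIZE bytes.
random_fill() {
    head -c "$2" /dev/urandom | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
}

# zero_fill TARGET SIZE: one pass of zero bytes over exactly SIZE bytes.
zero_fill() {
    head -c "$2" /dev/zero | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
}

# wipe_target TARGET [PASSES]: PASSES random passes (default 1), then a final
# zero pass. This is the same order shred -n PASSES -z uses.
wipe_target() {
    target=$1
    passes=${2:-1}
    # For a regular file the size is its byte count; for a real block device
    # use blockdev --getsize64 instead of reading the whole device with wc.
    size=$(wc -c < "$target")
    i=0
    while [ "$i" -lt "$passes" ]; do
        random_fill "$target" "$size"
        i=$((i + 1))
    done
    zero_fill "$target" "$size"
}

# is_all_zero TARGET: succeeds only if every byte of TARGET is 0x00,
# i.e. the final zero pass really covered the whole target.
is_all_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Stand-alone run against a constructed scratch file.
scratch=$(mktemp)
printf 'secret data on the disk' > "$scratch"
wipe_target "$scratch" 2
if is_all_zero "$scratch"; then echo "wipe verified: all zero"; else echo "wipe FAILED"; fi
rm -f "$scratch"
```

On a real disk the size lookup is the only line to change, as noted in the comment; the pass/verify logic is identical.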
When setting up encrypted partitions there are two tricks to doing it. The first is to have a good plan for how you want your partitions laid out. The second is to be very patient.
When I installed Fedora, I used LVM, but you certainly don't have to. With LVM I made my life easier by giving the volume group a short name (disk) and each logical volume a descriptive name (e.g. var for /var, home for /home, etc. instead of the default LogVol001, etc.).
After installation, before the Fedora firstboot, I immediately booted into single-user mode and did the following:
Set up encrypted swap:
# swapoff -a
# cryptsetup -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/disk/swap
# mkswap /dev/mapper/swap
# swapon -a
Edit /etc/fstab, replacing /dev/disk/swap with /dev/mapper/swap. You'll have to do this for every encrypted partition -- replace the original device with the dm-crypt device under /dev/mapper.
For each existing partition you want to encrypt in place (mounted at /dfoo, /var, etc.) you can do the following:
# umount /dfoo
# fsck -fC /dev/foo
# cryptsetup -y create cryptfoo /dev/foo
# dd if=/dev/foo of=/dev/mapper/cryptfoo bs=4k
# fsck /dev/mapper/cryptfoo
# mount /dev/mapper/cryptfoo /dfoo
Note that the above is not guaranteed to work (although it worked for me) and that it can take a very long time: dd reads the plaintext partition and writes it back through the encrypted mapping onto the same device, so if it is interrupted partway you are left with a partition that is only partly encrypted. Have a backup before you try it.
I hadn't created any users when installing Fedora, so I just created a fresh partition for LUKS, which was faster than unnecessarily using dd to copy bits of nothingness (since there were no files) on /home.
# umount /home
# cryptsetup luksFormat /dev/disk/home
# cryptsetup luksOpen /dev/disk/home crypthome
# mkfs.ext3 -j -m 1 -O dir_index,sparse_super /dev/mapper/crypthome
# mount /dev/mapper/crypthome /home
Don't forget to update /etc/fstab to reflect the dm-crypt mapped devices under /dev/mapper. Also, remember to add entries in /etc/crypttab for all the encrypted partitions, LUKS or plain dm-crypt, so they are set up at boot.
crypttab should look like this:
swap      /dev/disk/swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256
crypthome /dev/disk/home none
cryptvar  /dev/disk/var  none
crypttmp  /dev/disk/tmp  none tmp
cryptfoo  /dev/foo       none
On your next boot, you should get prompted for the passphrases and all should be well.
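Because a missed fstab edit means a partition either fails to mount or, worse, is silently mounted from the raw device again, here is an added example (not from the original post) that cross-checks a crypttab against an fstab before you reboot: every mapping must be referenced as /dev/mapper/<name> in fstab, no raw source device may still be mounted directly, and a random-key mapping (whose contents vanish at each boot) is only accepted for swap or tmp. File paths are parameters, and the sample files are constructed from the layout described above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a crypttab against an
# fstab before rebooting. File paths are parameters; the sample files below are
# constructed to mirror the post's layout (LVM group "disk", swap/home/var/tmp).

# check_crypttab_fstab CRYPTTAB FSTAB
# Prints one FAIL line per problem found; returns 0 if consistent, 1 otherwise.
check_crypttab_fstab() {
    crypttab=$1
    fstab=$2
    rc=0
    # crypttab fields: mapping-name  source-device  key-file  options
    while read -r name source keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        # 1. fstab must no longer mount the raw (plaintext) device
        if grep -q "^[[:space:]]*$source[[:space:]]" "$fstab"; then
            echo "FAIL: $fstab still mounts raw device $source (mapped as $name)"
            rc=1
        fi
        # 2. fstab must reference the mapped device instead
        if ! grep -q "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "FAIL: /dev/mapper/$name is in $crypttab but not in $fstab"
            rc=1
        fi
        # 3. a random key means the contents are unrecoverable after a reboot,
        #    so only swap and tmp mappings should be set up that way
        case "$keyfile" in
        /dev/urandom|/dev/random)
            case ",$options," in
            *,swap,*|*,tmp,*) ;;
            *) echo "FAIL: $name uses a random key but is neither swap nor tmp"
               rc=1 ;;
            esac ;;
        esac
    done < "$crypttab"
    return "$rc"
}

# write_sample DIR: constructed crypttab plus a correct and a broken fstab.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
swap      /dev/disk/swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256
crypthome /dev/disk/home none
cryptvar  /dev/disk/var  none
crypttmp  /dev/disk/tmp  none tmp
EOF
    cat > "$1/fstab.good" <<'EOF'
/dev/disk/root        /     ext3 defaults 1 1
/dev/mapper/crypthome /home ext3 defaults 1 2
/dev/mapper/cryptvar  /var  ext3 defaults 1 2
/dev/mapper/crypttmp  /tmp  ext3 defaults 1 2
/dev/mapper/swap      swap  swap defaults 0 0
EOF
    # fstab.bad: the /home line was never updated, so it still names the raw LV
    sed 's|/dev/mapper/crypthome|/dev/disk/home     |' "$1/fstab.good" > "$1/fstab.bad"
}

# Stand-alone run: build the samples in a temp dir and check both fstabs.
demo() {
    dir=$(mktemp -d)
    write_sample "$dir"
    echo "== good fstab"
    check_crypttab_fstab "$dir/crypttab" "$dir/fstab.good" && echo "OK"
    echo "== bad fstab"
    check_crypttab_fstab "$dir/crypttab" "$dir/fstab.bad" || echo "problems found"
    rm -rf "$dir"
}
demo
```

Run it against the real files with `check_crypttab_fstab /etc/crypttab /etc/fstab` once both are edited; a clean exit status means every mapping in crypttab is the one fstab actually mounts.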
If you want to check the status of your newly encrypted partitions after booting, just do this:
# dmsetup status                 # show status of all device-mapper devices (dm-crypt and LVM alike)
# cryptsetup status cryptfoo     # show status of the device 'cryptfoo'
On a side note: the dm-crypt wiki has an article on encrypting /var and keeping the key on a USB flash drive. I had tried that but had absolutely no luck. There were a lot of strange happenings with usb_storage and I/O errors, so I simply gave up. Plus, I worried about losing or damaging my flash drive and losing access to my data with it.