Encrypt Partitions

  There are many other methods to encrypt disks; I only show here the methods I know and use.
  Keep in mind that the encryption is only as good as the OS it runs on: if the OS has been
  tampered with, an intruder could simply record the passphrase from the keyboard events.
  Furthermore, the data is in the clear for anyone with access to the system while the
  partition is attached; the encryption protects the data only once the partition is detached.

Linux

  These instructions use the Linux dm-crypt (device-mapper) facility available in the 2.6
  kernel. In this example, let's encrypt the partition /dev/sdc1; it could however be any
  other partition or disk, a USB stick, or a file-based image created with losetup, in which
  case we would use /dev/loop0 (see file image partition). The device mapper uses labels to
  identify a mapped partition. We use sdc1 in this example, but it could be any string.

dm-crypt with LUKS

  LUKS with dm-crypt has better encryption and makes it possible to have multiple passphrases
  for the same partition or to change the passphrase easily. To test if LUKS is available,
  simply type # cryptsetup --help; if nothing about LUKS shows up, use the instructions below
  under dm-crypt without LUKS. First create a partition if necessary: fdisk /dev/sdc.

Create encrypted partition

# dd if=/dev/urandom of=/dev/sdc1          # Optional. For paranoids only (takes days)
# cryptsetup -y luksFormat /dev/sdc1       # This destroys any data on sdc1
# cryptsetup luksOpen /dev/sdc1 sdc1
# mkfs.ext3 /dev/mapper/sdc1               # create ext3 file system
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt
# cryptsetup luksClose sdc1                # Detach the encrypted partition

Attach

# cryptsetup luksOpen /dev/sdc1 sdc1
# mount -t ext3 /dev/mapper/sdc1 /mnt

Detach

# umount /mnt
# cryptsetup luksClose sdc1

dm-crypt without LUKS

# cryptsetup -y create sdc1 /dev/sdc1      # or any other partition like /dev/loop0
# dmsetup ls                               # check it, will display: sdc1 (254, 0)
# mkfs.ext3 /dev/mapper/sdc1               # This is done only the first time!
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt/
# cryptsetup remove sdc1                   # Detach the encrypted partition

  Do exactly the same (without the mkfs part!) to re-attach the partition. Without LUKS there
  is no header to verify the passphrase against, so if the passphrase is not correct,
  cryptsetup will not complain, but the mount command will fail. In this case simply remove the
  map sdc1 (cryptsetup remove sdc1) and create it again.
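  The wrong-passphrase case is the usual trap with plain dm-crypt: the mapping is created
  without error but contains garbage, and running the "first time only" mkfs on it would wipe
  the real data. The following wrapper (an added example, not part of the original page) probes
  the mapped device for a file system before mounting and refuses to format a device that
  already carries one. It assumes blkid from util-linux; with DRY_RUN=1 the privileged commands
  are printed instead of executed.

```shell
#!/bin/sh
# Added example: safety wrappers around the plain dm-crypt procedure above.
# Assumed tools: cryptsetup, blkid (util-linux), mount/umount.
# DRY_RUN=1 prints each privileged command instead of running it.

run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# Print the file system type found on a block device, or nothing if none is
# recognised (a LUKS header shows up as crypto_LUKS, so it is refused too).
probe_fs() {
    blkid -p -o value -s TYPE "$1" 2>/dev/null
}

# First-time setup: never run mkfs over a device that already holds data.
create_plain() {   # create_plain <name> <device>
    existing=$(probe_fs "$2")
    if [ -n "$existing" ]; then
        echo "refusing: $2 already holds a $existing file system" >&2
        return 1
    fi
    run cryptsetup -y create "$1" "$2" || return 1
    run mkfs.ext3 "/dev/mapper/$1"
}

# Re-attach: plain dm-crypt has no header, so a wrong passphrase gives a
# mapping full of garbage and no error. Look for a file system before
# mounting and drop the mapping if there is none.
attach_plain() {   # attach_plain <name> <device> <mountpoint>
    run cryptsetup create "$1" "$2" || return 1
    fstype=$(probe_fs "/dev/mapper/$1")
    if [ -z "$fstype" ]; then
        echo "no file system on /dev/mapper/$1 (wrong passphrase?), removing map" >&2
        run cryptsetup remove "$1"
        return 1
    fi
    run mount -t "$fstype" "/dev/mapper/$1" "$3"
}

detach_plain() {   # detach_plain <name> <mountpoint>
    run umount "$2" && run cryptsetup remove "$1"
}
```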

FreeBSD

  The two popular FreeBSD disk encryption modules are gbde and geli. I now use geli because
  it is faster and also uses the crypto device for hardware acceleration. See the FreeBSD
  handbook, Chapter 18.6 (http://www.freebsd.org/handbook/disks-encrypting.html), for all the
  details. The geli module must be loaded or compiled into the kernel:
options GEOM_ELI
device crypto                                       # or as module:
# echo 'geom_eli_load="YES"' >> /boot/loader.conf   # or do: kldload geom_eli

Use password and key

  I use these settings for a typical disk encryption: a passphrase AND a key file are used to
  encrypt the master key. That is, you need both the passphrase and the generated key
  /root/ad1.key to attach the partition. The master key is stored inside the partition and is
  not visible. See below for a typical USB stick or file-based image.

Create encrypted partition

# dd if=/dev/random of=/root/ad1.key bs=64 count=1  # this key encrypts the master key
# geli init -s 4096 -K /root/ad1.key /dev/ad1       # -s 8192 is also OK for disks
# geli attach -k /root/ad1.key /dev/ad1             # DO make a backup of /root/ad1.key
# dd if=/dev/random of=/dev/ad1.eli bs=1m           # Optional and takes a long time
# newfs /dev/ad1.eli                                # Create file system
# mount /dev/ad1.eli /mnt

Attach

# geli attach -k /root/ad1.key /dev/ad1
# fsck -ny -t ffs /dev/ad1.eli                      # In doubt check the file system
# mount /dev/ad1.eli /mnt

Detach

  The detach procedure is done automatically on shutdown.
# umount /mnt
# geli detach /dev/ad1.eli

/etc/fstab

  The encrypted partition can be configured to be mounted via /etc/fstab. The passphrase will
  be prompted for when booting. The following settings are required for this example:
# grep geli /etc/rc.conf
geli_devices="ad1"
geli_ad1_flags="-k /root/ad1.key"
# grep geli /etc/fstab
/dev/ad1.eli         /home/private              ufs             rw      0       0

Use password only

  It is more convenient to encrypt a USB stick or a file-based image with a passphrase only and
  no key file; it is then not necessary to carry the additional key file around. The
  procedure is very much the same as above, simply without the key file. Let's encrypt a
  file-based image /cryptedfile of 1 GB.
# dd if=/dev/zero of=/cryptedfile bs=1M count=1000  # 1 GB file
# mdconfig -at vnode -f /cryptedfile
# geli init /dev/md0                                # encrypts with password only
# geli attach /dev/md0
# newfs -U -m 0 /dev/md0.eli
# mount /dev/md0.eli /mnt
# umount /dev/md0.eli
# geli detach md0.eli

  It is now possible to mount this image on another system with the passphrase only.
# mdconfig -at vnode -f /cryptedfile
# geli attach /dev/md0
# mount /dev/md0.eli /mnt

OS X Encrypted Disk Image

  I don't know how to do this from the command line only. See OS X Encrypted Disk Image
  (https://wiki.thayer.dartmouth.edu/display/computing/Creating+a+Mac+OS+X+Encrypted+Disk+Image)
  and Apple support (http://support.apple.com/kb/ht1578).