Installing cryptmount
=====================
There are three main routes by which cryptmount can be installed
on a Linux-based system:

* Using a pre-compiled package provided by your flavour of Linux
* Compiling from a source bundle containing the "configure" script
* Compiling from a clone of the GitHub repository and using "autoconf" tools

All of these options will, at some stage, require root-level permissions,
such as "sudo".

Distro-provided packages
------------------------
A variety of flavours of Linux provide official pre-built cryptmount packages,
and these can be installed using normal package-management tools. In general,
this is by far the easiest method of installing cryptmount. For example,
on Debian or Ubuntu systems, one can simply run

    sudo apt-get install cryptmount

Manual compilation
------------------
If you want to compile cryptmount from its source-code, perhaps because
you want to customize some of its features, then this may require additional
packages to be available, and should be driven by the "configure" script.
If the configure script is missing, for example if working with a clone of
cryptmount's [GitHub repository](https://github.com/rwpenney/cryptmount),
then you may need to set up [autoconf](https://www.gnu.org/software/autoconf/)
(version 2.61 or later), and run

    autoreconf -v -i

Dependencies
------------
A number of development packages will need to be pre-installed in order
to provide library functions on which cryptmount depends. (The precise
naming of these packages may differ between Linux systems.)

The following packages are essential:

* kernel-headers (matching the running linux-image)
* libdevmapper (version 1.02 or later)

The following packages are also strongly recommended, and allow a wider
range of much stronger cryptographic tools:

* libcryptsetup (version 1.6 or later; this is essential for LUKS support)
* libgcrypt (version 1.8 or later)
* libudev (version 232 or later)
* pkgconf or pkg-config

You will also need to ensure that your system has support for the
loopback and device-mapper devices, which may require loading
of kernel modules when you first use cryptmount, e.g.

    sudo modprobe -a loop dm-crypt

This is automatically performed on system reboot by setup scripts
supplied with cryptmount.

Source configuration
--------------------
The "configure" script will automatically identify the location of
key libraries and header files needed by cryptmount, and allow customization
of the directory locations where cryptmount will be installed.
Typically, one can simply run:

    ./configure

although additional command-line options can also be supplied, such as:

    --prefix=/usr
        # To install beneath /usr rather than /usr/local
    --sysconfdir=/etc/cryptmount
        # To specify the directory where the "cmtab" will be stored
    --disable-luks
        # Turn off support for LUKS encrypted containers
    --with-systemd
        # Use systemd boot-up configuration, rather than sysvinit

A full list of options can be obtained by running

    ./configure --help

Compilation and installation
----------------------------
If "configure" has run successfully (generating a `config.h` file),
it should now be sufficient to run:

    make
    sudo make install

This should install both the `cryptmount` and `cryptmount-setup` executables,
together with manual pages and an empty filesystem configuration file. Running

    sudo cryptmount-setup

will allow interactive creation of a basic encrypted filesystem
(using LUKS, if available). More sophisticated scenarios can be handled
by manual editing of the `cmtab`, following the guidance in the manual pages:

    man cryptmount
    man 5 cmtab

In outline, if not using the cryptmount-setup script, one can add an
entry to /etc/cryptmount/cmtab that describes the encrypted filesystem
that we want to create:

    crypt {
        dev=/home/crypt.fs dir=/mnt/crypt
        fstype=ext4 mountoptions=defaults
        keyformat=luks
    }

Thereafter, one can prepare the key-file and filing system as follows:

    test -e /home/crypt.fs || sudo dd if=/dev/zero of=/home/crypt.fs bs=1M count=128
    sudo mkdir /mnt/crypt
    sudo cryptmount --generate-key 32 crypt
    sudo cryptmount --prepare crypt
    sudo mke2fs -t ext4 /dev/disk/by-id/dm-name-crypt
    sudo cryptmount --release crypt

Configuring filesystems at system bootup
----------------------------------------
If you want to have encrypted filesystems set up at system boot-up,
this can be achieved using either 'systemd' or the supplied 'initscript'
program, which is normally automatically installed as `/etc/init.d/cryptmount`.
Both of these mechanisms use the `bootaction` parameter within
`/etc/cryptmount/cmtab` to adjust how each filesystem is
handled on system bootup.

If using the `initscript` program, you may need to create symbolic links
from /etc/rc?.d to `/etc/init.d/cryptmount` (in a way that depends
on the precise details of your distribution), with something like

    sudo update-rc.d cryptmount defaults 28

being suitable under Debian systems.

Common problems
---------------
When configuring the system devices needed to support an encrypted filesystem,
cryptmount will issue various requests through the device-mapper library.
Unfortunately, some of the error messages issued by that library
(as of version 1.02) are not easy to interpret.

In situations where the device-mapper is compiled as a kernel module,
an error of the form

    /proc/misc: No entry for device-mapper found
    Is device-mapper driver missing from kernel?
    Failure to communicate with kernel device-mapper driver.

may indicate that the dm-mod kernel-module is not loaded.
This can be (temporarily) solved by issuing the command:

    sudo modprobe -a dm-mod dm-crypt

In order to ensure that this happens automatically when you reboot,
you can add a line containing
`dm-mod` to `/etc/modules`, or add a line of the form

    modprobe -q -a dm-mod dm-crypt || true

to `/etc/rc.local`, or ensure that the cryptmount-startup scripts installed
in /etc/init.d are run on system startup (e.g. by installing suitable
symbolic-links from /etc/rc\*.d).

When setting up a new encrypted filing system, typically when issuing a
`cryptmount --prepare` command, you may receive an error message of the form

    device-mapper ioctl cmd 9 failed: Invalid argument

which may mean that you have chosen a key-size that isn't supported by your
chosen cipher algorithm. You can get some information about suitable key-sizes
by checking the output from `more /proc/crypto`, and looking at the
'min keysize' and 'max keysize' fields.
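
The key-size check described above, as an added example (not part of cryptmount or its documentation): a shell function that parses `/proc/crypto`-style text and reports whether a key size in bytes lies within the listed 'min keysize'/'max keysize' range. The function names, return codes and the sample excerpt are constructed for illustration.

```sh
#!/bin/sh
# keysize_ok NAME BYTES [FILE]: check BYTES against the 'min keysize' and
# 'max keysize' fields listed for NAME. Returns 0 if in range, 1 if NAME is
# listed but BYTES is out of range, 2 if NAME is not listed at all.
keysize_ok() {
    awk -v want="$1" -v size="$2" '
        {   # every record is "field : value"; split at the first colon
            pos = index($0, ":")
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "name"        { cur = val; min = -1; if (val == want) seen = 1 }
        key == "min keysize" { min = val + 0 }
        key == "max keysize" && cur == want && min >= 0 {
            if (size + 0 >= min && size + 0 <= val + 0) ok = 1
        }
        END { if (ok) exit 0; exit (seen ? 1 : 2) }
    ' "${3:-/proc/crypto}"
}

# write_sample FILE: constructed /proc/crypto excerpt (not from a real host)
write_sample() {
    cat > "$1" <<'EOF'
name         : xts(aes)
type         : skcipher
min keysize  : 32
max keysize  : 64

name         : sha256
type         : shash
digestsize   : 32

name         : aes
type         : cipher
min keysize  : 16
max keysize  : 32
EOF
}

# Demo on the constructed sample: 16 is rejected, 32 and 64 are accepted
sample=$(mktemp); write_sample "$sample"
for n in 16 32 64; do
    if keysize_ok "xts(aes)" "$n" "$sample"; then echo "xts(aes): $n bytes ok"
    else echo "xts(aes): $n bytes rejected"; fi
done
rm -f "$sample"
```

Call `keysize_ok NAME BYTES` with no file argument to read the live `/proc/crypto`. Falling inside the range is necessary but not sufficient: AES, for example, accepts only 16, 24 or 32 bytes.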
** *** ***** *******
Please note that cryptmount comes with NO WARRANTY - see the "COPYING" file
in the top-level directory for further details.