François-René ÐVB Rideau asked:
Interesting. Can you publish your configuration files and the list of packages used? Do you carry the key on a floppy? On a USB key? Or do you type a long key at boot up? Is all of the disk encrypted, or only the user partition? etc.
The configuration files are minimal. The important Debian package to install is cryptsetup. In the /usr/share/doc/cryptsetup directory are HOWTOs for setting up encryption on root and swap partitions. Those files are short and the instructions worked perfectly for me. I compiled my own kernel using make-kpkg from the kernel-package package. You'll need a 2.6.4 or later kernel with cryptographic routines and LVM enabled. While I use a monolithic kernel, using modules and mkinitrd works fine as well.
My key is a fairly long passphrase. It can be whatever length you want, but you need to type it into the prompt at boot time. Reading from USB keys is not supported by the startup script, but I imagine you can hack it without much difficulty if you wanted to read from a USB mount at boot time.
You set up encryption by partition. My laptop partition structure is:
| Device | Mount point / use | Size | Filesystem | Encryption |
| --- | --- | --- | --- | --- |
| /dev/hda1 | /boot | 200MB | ext3 | unencrypted |
| /dev/hda2 | / | 19GB | xfs | AES encrypted |
| /dev/hda3 | swap | 1GB | swap | AES encrypted |
| /dev/hda4 | LVM | 60GB | LVM PV | AES encrypted |
I created several logical volumes on the encrypted /dev/hda4 while leaving 5GB available for temporary snapshot volumes.
    root /dev/hda2
    cswap /dev/hda3 /dev/random swap
    mainpv /dev/hda4
Besides the very helpful HOWTOs in the Debian package, I also referred to this useful guide.
I hope that helps. Let me know if you have more questions.
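As an added example (not part of the original post or the Debian package), the Python check below reads the mapping lines above as Debian /etc/crypttab entries, which is an assumption, and compares them with the partition table: every partition meant to be encrypted needs a mapping, swap should be keyed from a random source with the `swap` option, and no data partition should use a random key. The names `parse_crypttab`, `audit` and `LAYOUT` are hypothetical.

```python
# Added example, not from the original post. Assumption: the post's mapping
# lines are Debian /etc/crypttab entries (name, source, key file, options).
EPHEMERAL_KEYS = {"/dev/random", "/dev/urandom"}
# Partition table from the post: device -> (use, expected to be encrypted)
LAYOUT = {"/dev/hda1": ("/boot", False), "/dev/hda2": ("/", True),
          "/dev/hda3": ("swap", True), "/dev/hda4": ("LVM PV", True)}

CRYPTTAB = """\
root   /dev/hda2
cswap  /dev/hda3  /dev/random  swap
mainpv /dev/hda4
"""

def parse_crypttab(text):
    """Parse mapping lines; an absent key field means a passphrase prompt."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        entries.append({
            "name": fields[0],
            "source": fields[1],
            "key": fields[2] if len(fields) > 2 else "none",
            "options": set(fields[3].split(",")) if len(fields) > 3 else set(),
        })
    return entries

def audit(entries, layout):
    """Compare the mappings with the intended layout; return findings."""
    by_source = {e["source"]: e for e in entries}
    findings = []
    for dev, (use, encrypted) in layout.items():
        entry = by_source.get(dev)
        if entry is None:
            if encrypted:
                findings.append(f"{dev} ({use}): no encrypted mapping")
            continue
        ephemeral = entry["key"] in EPHEMERAL_KEYS
        if use == "swap" and not ephemeral:
            findings.append(f"{dev}: swap is not keyed from a random source")
        if use == "swap" and "swap" not in entry["options"]:
            findings.append(f"{dev}: 'swap' option missing")
        if use != "swap" and ephemeral:
            findings.append(f"{dev} ({use}): random key loses data at reboot")
    return findings

if __name__ == "__main__":
    print(audit(parse_crypttab(CRYPTTAB), LAYOUT) or "layout matches")
```

An empty findings list means the mappings agree with the table; the unencrypted /boot partition is expected to have no mapping and is not reported.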
