Overview...

This project, erf-dm, enables using encrypted partitions using the device-mapper facility built into the Linux kernel, v.2.6.x. I announced this project here. This introduction is taken from that newsgroup posting.

This project is titled, erf-dm, or encrypted root filesystem via device-mapper. This project is a startup environment which allows using an "encrypted root filesystem," or an erf. A GNU/Linux distribution can be booted using an erf mainly because the Linux kernel includes the device-mapper interface (included in kernel versions 2.6.x).

Device-mapper is one method which enables the use of encrypted partitions. It is built into the standard Linux kernel tree, and is used as key element of this project. Device-mapper's interface works by adding extensions to the /dev tree. It simply adds names to the tree:

/dev/mapper/{dev_name}

For example, the device hda1 can be mapped though device-mapper and it will appear in the device tree using the name you have assigned. It appears like this when assigned using an obvious name:

/dev/mapper/hda1

When activated, the new device-mapper devices are available and they will work just like any other standard device. They can be mounted and manipulated in the standard way. There are several device-mapper modules used for various purposes. This project uses the dm-crypt module which allows for encryption/decryption as a pipeline stage in the standard IO to the device. It's fast and transparent. This appears to be the canonical link for the device-mapper project.

Project Components...

This project uses the venerable Slackware Linux Project as its basis. See the README file for a full list of the other subcomponents that were necessary to build this project. Thanks to everyone who helps to make building free software projects possible.

All partitions encrypted...

Encrypting your partitions is one way to protect your data. Device-mapper allows all disk partitions to be encrypted: root, swap, and even other types, too. That means total protection for your system.

Using encryption is becoming more and more important because of the potential for data loss. Many organizations are now mandating encryption, because they have finally realized that non-encrypted disk partitions puts their data at risk. In the recent high profile laptop and associated data losses, I'm sure they wish they had it to do over- this time they would use encryption, for sure. This project is in the spirit of locking the horse in the barn now, not after he's already out.

This project is designed to make building an encrypted system easier, but it remains somewhat tricky- there is still a fair amount of "doing it for yourself" that is required. Study the README file before starting. The README file is still at the first draft stage, unfortunately. Any feedback on the code or documentation would be greatly appreciated.

A "Two Factor" mode of Operation...

One interesting environment which can be setup using my project is to build a system which has a "two factor" startup requirement. The system could be installed such that two factors are necessary to boot the system: the computer itself and a separate boot drive. The boot drive can be a CD or USB flash drive. My project fits within 64M, so almost any small flash drive will work. This two-factor requirement is analogous to the requirements for starting a car. To start a car, normally two things are required: the car and the ignition key. If you have a car, but are missing the key, then it is still possible to "hot wire" the car. My project is similar, except that even when the system is "hot wired," the thief is still faced with the problem of breaking the encryption key.

Limitations...