dm-crypt and LUKS

    • Official Post

    There's no technical reason why it couldn't be added, but to avoid "the death of a thousand cuts" we tend to shy away from complex niche things that a tiny majority of people will ever use. That said, there will be a "feature requests" voting capability on the website soon where you can deposit the request and if it became a highly voted for feature, we'd reconsider.

    NB: vpeter created a TrueCrypt addon for OE in the past which can probably be resurrected for LE (or it still just works) or this is something that you or someone in the community could package into a similar add-on format. We welcome public add-on contributions, as long as people maintain them.

  • No (known) technical blocker, that is good news. So I'm going to spend some more time on this then, let's see how far I get.

    I've looked at the TrueCrypt addon, but given the recent developments about it (and the successors) I'm not too keen to spend time on this for now. However, it seems this is the most convenient solution for people sharing disks between Windows and Linux.


  • The most convenient way to share between Windows and Linux is exFAT (natively supported by both) so I hope that wasn't the only reason.

    I should have said: "...most convenient way to share encrypted disks...". They can still run any file system in the container.
    Anyway, I've come to like dm-crypt, that's my motivation. ;)

  • You're in luck, I've added cryptsetup and lvm2 tools to my latest community build. You could either use my build, roll your own or create addons using my packages as a starting point. LE versions >9 do not include the necessary kernel modules though, but in the next major version there will be kernel module overlay support thanks to HiassofT.

    Encrypting /storage would require quite the rework of the initramfs /init, and I'm pretty sure nobody would be interested in that. What use cases are there for encrypting /storage?

  • Hi,

    I am looking to just add dm-crypt to the 8.2.1 MR version for ODROID C2.

    Are these commits all I need:

    commit 0b53fdaff5ad0bd3a16734e406dd82edd61784c8
    Author: escalade <[email protected]>
    Date: Tue Aug 29 15:54:06 2017 +0200

    Generic: add dm/md kernel config

    And

    commit cf7ca1676270bb63a10dca5b99bac78752e1416e
    Author: escalade <[email protected]>
    Date: Tue Aug 29 15:54:39 2017 +0200

    oem: include cryptsetup

    Or do I need more?

    Grateful if you could give me some pointers.

    Thanks

  • You need of course to adapt the Generic kernel config to your Odroid config, then you also need these commits:

    commit 1ebf517162e33212ff02f04364ecf9ab90770d92
    Date: Tue Aug 29 13:15:19 2017 +0000

    cryptsetup: initial package

    commit 0771ca7982259313324c4729504e84bf181185d5
    Date: Tue Aug 29 13:15:10 2017 +0000

    lvm2: initial package

    Also, you don't want my "oem" commit, I've adapted the oem package to fit my needs. You'll probably want to add the tools as a dependency of the oem package.

    Thanks for the pointers. I managed to get dm-crypt and LUKS working on my custom OdroidC2 build (which has custom splash screen, different ssh password and b00st centre channel patch from RPi included).

    I took the details of the package.mk of two commits you mentioned (cryptsetup and lvm2) and put them in packages/sysutils under directories cryptsetup and lvm2.

    Was a bit tricky to get them included in the build. I tried messing around with OEM, but got issues with no Makefile for OdroidC2. In the end I added "cryptsetup lvm2" to dependencies PKG_DEPENDS_TARGET in packages/virtual/toolchain. But unless I removed PKG_DEPENDS_TARGET from cryptsetup and lvm2 package.mk I got caught in an infinite build loop.

    Next was sorting out which parameters I needed in projects/Odroid_C2/linux/linux.aarch64.conf


    Took a bit of trial and error:

    CONFIG_CRYPTO_AML=y
    CONFIG_DM_BUFIO=m
    CONFIG_DM_BIO_PRISON=m
    CONFIG_DM_PERSISTENT_DATA=m
    CONFIG_DM_CRYPT=m
    CONFIG_DM_SNAPSHOT=m
    CONFIG_DM_THIN_PROVISIONING=m
    CONFIG_DM_MIRROR=m
    CONFIG_DM_RAID=m
    CONFIG_BLK_DEV_DM_BUILTIN=y
    CONFIG_BLK_DEV_DM=y
    CONFIG_MD=y


    Probably all are not needed.

    The other thing I learned the hard way is do not build on anything other than Ubuntu 16 LTS. Too many issues with the build environment on later versions of Ubuntu. Oh and do not try to build using a samba share, virtualbox shared folder, or sshfs. Too many problems with soft links, hard links, and other strange stuff. In the end I just made sure my Ubuntu 16 LTS virtual box had enough disk space allocated.

    I can now mount an encrypted USB drive on my OdroidC2 and play back HEVC files. Didn't even need a powered hub!

    Thanks again.
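
Added example, not part of any post in this thread: a shell check that reads a kernel config file such as projects/Odroid_C2/linux/linux.aarch64.conf and lists which options needed for LUKS on dm-crypt are missing, instead of finding out by trial and error. The function names and the sample config are constructed for illustration, and the crypto option list is an assumption based on cryptsetup's default LUKS cipher and hash.

```shell
#!/bin/sh
# Added example (not from the thread): report which kernel options needed for
# LUKS on dm-crypt are absent from a kernel config file.

# Core device-mapper crypt target; all three appear in the list posted above.
DM_CORE="CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT"
# Assumption: cryptsetup's default LUKS parameters (aes-xts-plain64, sha256)
# and its use of the kernel userspace crypto API.
LUKS_CRYPTO="CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_USER_API_SKCIPHER"

# Print y or m for option $2 in config file $1, or "unset" when it is absent,
# commented out ("# CONFIG_X is not set") or set to n.
kconfig_value() {
    v=$(sed -n "s/^$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Print, one per line, each option of list $2 that is unset in file $1.
missing_options() {
    for opt in $2; do
        if [ "$(kconfig_value "$1" "$opt")" = unset ]; then
            echo "$opt"
        fi
    done
}

# Constructed sample: a dm-crypt-relevant config with one crypto option
# disabled and one absent, to show the failure case.
sample_config() {
    cat <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_USER_API_HASH=m
EOF
}

# Usage: sh check.sh path/to/linux.aarch64.conf   (no argument: sample above)
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp) && trap 'rm -f "$cfg"' EXIT
    sample_config > "$cfg"
fi
echo "dm core missing:     $(missing_options "$cfg" "$DM_CORE" | tr '\n' ' ')"
echo "LUKS crypto missing: $(missing_options "$cfg" "$LUKS_CRYPTO" | tr '\n' ' ')"
```

Options reported as `m` also need the module to be shipped in the image and loaded before `cryptsetup` opens a volume.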