Simplified dm-crypt & btrfs disc creation

Most Linux users recognize the importance of data protection and security. Many of us will be familiar with encrypted partitions, almost all of the time these encrypted partitions will be managed, mounted and created with dm-crypt. A key or password will be used to decrypt the partition and mount the contents within. In an ideal world the data would be safe against many forms of unfortunate and maleficent intent. However traditional filesystems like Ext3, Ext4, NTFS, and HFS+ have a serious flaw.

This flaw can lead to incorrect or damaged files being treated as undamaged and correct files. These filesystems fail to account for the physical phenomena known as bit-rot. Bit-rot is when bits on physical media or ssd’s flip from 0 to 1 or from 1 to 0 over time. In modern filesystems this is accounted for by creating checksums which can verify that the contents of files is unchanged from when the checksum was created. In this example the modern btrfs filesystem is used which supports forms of self-healing as well as manual data integrity checking and uses checksumming to realize these features.

Using btrfs requires some knowledge about Linux and although relatively stable I cannot recommend this filesystem to unexperienced users.
Skip to the good part

Requirements

General

A operating system using the Linux kernel is required (although btrfs is listed as supported filesystem in ReactOS). A kernel version of 2.6 is a bare minimum but it is strongly recommended to use at least 3.2

Depending on your distribution some additional packages may be required. For some common Linux distributions the required packages can be installed with the following commands:

Ubuntu, Devuan & Debian

sudo apt install btrfs-tools cryptsetup lvm2

Arch

pacman -S btrfs-progs cryptsetup lvm2

The installed boatloader will also need to be able to work with dm-crypt and btrfs. With grub this can be verified by the existence of modules:

  • btrfs.mod
  • crypto.mod
  • luks.mod
  • cryptodisk.mod
  • lvm.mod

These files should be located in the /boot/grub/i386-pc/ folder.

The lvm2 package and lvm.mod file are only required when working with a logical volume group(LVG). A LVG can create multi partitions inside a partition, for example: A LVG can be used to create a swap and a data partition within a dm-crypt partition thereby eliminating having to fill in 2 passwords during boot to mount all partitions. A LVG can also help circumvent the maximum of 4 partitions on an storage medium with a MBR boot-sector.

With all the mandatory requirements available to the system the partitions can now be created. It is important to reboot before continuing since these packages do install kernel modules. The existence of the kernel modules can be verified by running the following bash command:
cat /proc/modules | grep -E "btrfs|dm_crypt"

The output should return 2 lines each starting with one of the two keywords in the grep command.
To verify the installation of LVM we could have run a similar command, if it was still LVM1 that is. LVM2 is no longer a kernel module and uses device-mapper instead. Most configurations of the Linux kernel have device-mapper build in. To verify that LVM works run lvmdiskscan this should not return any warnings, failures or similar but may have to been run as root depending on the configuration of your system.

Successful example output:

USER@SYSTEM:~$ sudo lvmdiskscan
[sudo] password for USER:
/dev/mapper/sdb5_crypt [ 929,60 GiB]
/dev/sda1 [ 100,00 MiB]
/dev/sda2 [ 488,95 GiB]
/dev/sdb1 [ 128,00 MiB]
/dev/sdb2 [ 2,73 TiB]
1 disk
4 partitions
0 LVM physical volume whole disks
0 LVM physical volumes

Failed example output:

USER@SYSTEM:~$ lvmdiskscan
/run/lvm/lvmetad.socket: connect failed: Permission denied
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
Incompatible libdevmapper (unknown version) and kernel driver (unknown version).
0 disks
0 partitions
0 LVM physical volume whole disks
0 LVM physical volumes

Creation

The creation of the dm-crypt full encrypted disc with btrfs formatting is done with just 5 commands. Be sure to replace $DEVICE with the actual device name (sda,sdb,mmcblk0). First the device will be formatted a confirmation will be required since this action is irreversible. A password needs to be supplied to use for encrypting & decrypting the dm-crypt partition. The second command will mount the new dm-crypt partition. The third command will wipe the disc of any existing data. Then the partition is btrfs formatted. Finally we unmount the dm-crypt partition.

cryptsetup -y -v luksFormat /dev/$DEVICE
cryptsetup luksOpen /dev/$DEVICE TEMP_MAP
dd if=/dev/zero of=/dev/mapper/TEMP_MAP
mkfs.btrfs /dev/mapper/TEMP_MAP
cryptsetup luksClose TEMP_MAP

With the partition made and formatted it can be mounted and used by executing cryptsetup luksOpen /dev/$DEVICE DESIRED_MAPPING, The mountpoint will be /dev/mapper/DESIRED_MAPPING. The password will need to be supplied every time the dm-crypt device is opened. This is a very basic configuration for both dm-crypt and btrfs many configurations options could be made to improve this setup. This basic setup allows for full disc encryption and file + meta-data checksumming. In some cases damaged files can be recovered and restored, be sure to check out the Maintenance section to see how to properly take care of a btrfs partition.

Maintenance

Btrfs can validate data on disc and correct errors it is by far the most important feature of Btrfs(in my opinion). There is one caveat to this however: the validation of data on disc needs to be started by executing a command. This procress is called scrubbing and it can be performed by executing btrfs scrub start /mount-point-of-disc on a mounted Btrfs partition.

Another maintenance feature of btrfs is that it can perform defragmentation while being mounted, in much a similar manner this process can be started by executing btrfs filesystem defragment -r /mount-point-of-disc.

Setting up a crontab to scrub the drive once every three months is recommend and can easily by done by executing: sudo crontab -e and paste the following line into the editor 0 0 1 1,3,6,9,12 * /usr/bin/btrfs scrub start /media/USER/BTRFSPARTITION. Be sure to replace the USER and BTRFSPARTITION parameters to fit the path to your own btrfs mount point.

TL;DR

Use this bash script to format a /dev/$DEVICE into a dm-crypt encrypted and btrfs formatted device, these actions cannot be undone. Nothing else will be done; no cron job to scrub the drive or anything of that matter. If the distribution is Ubuntu, Debian, Devuan or Arch an attempt to install dependencies will be made.
Download the scriptGithub

References

  1. HFS+ & bit-rot
  2. About btrfs
  3. dm-crypt FAQ
  4. Encrypting swap partitions
  5. Repairing btrfs filesystems
  6. Btrfs arch wiki

Comments

All comments by the author will be marked with the emblem: author
  1. Dantali0n author
    -

    Both dm-crypt and btrfs support far more features that weren’t covered here. In the future I would like to do a follow up on interesting features such as dm-crypt its ability to have multiple passwords unlock a single volume, effectively allowing multiple users to safely share an encrypted volume. Btrfs also has interesting features such as support for software raid and even separate raid modes for data & parity.

Leave a Reply

Your email address will not be published. Required fields are marked *

*