2. Creating the encrypted root filesystem

Fill the target partition with random data:

shred -n 1 -v /dev/hda2

Setup the encrypted loopback device:

losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2

To prevent optimized dictionary attacks, it is recommended to add the -S xxxxxx option, where "xxxxxx" is your randomly chosen seed (for example, you might choose "gPk4lA"). Write down your seed on a piece of paper so that you don't loose it afterwards. Also, in order to avoid boot-time problems with the keyboard map, do not use non-ASCII characters (accents, etc.) in your password. The Diceware site offers a simple way to create strong, yet easy to remember, passphrases.

Now create the ext3 filesystem:

mke2fs -j /dev/loop0

Check that the password you entered is correct:

losetup -d /dev/loop0
losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2

mkdir /mnt/efs
mount /dev/loop0 /mnt/efs

You can compare the encrypted and unencrypted data:

xxd /dev/hda2  | less
xxd /dev/loop0 | less

It's time to install your encrypted Linux system. If you use a GNU/Linux distribution (such as Debian, Slackware, Gentoo, Mandrake, RedHat/Fedora, SuSE, etc.), run the following command:

cp -avx / /mnt/efs

If you use the Linux From Scratch book, proceed as described in the manual, with the modifications below:

• Chapter 6 - Installing util-linux:

  Apply the loop-AES patch after unpacking the sources.

• Chapter 8 - Making the LFS system bootable:

  Refer to the next section (Setting up the boot device).