Difference between revisions of "Luks Disk Encryption"
Michael.mast (talk | contribs)
Previously I had found a really good article going over the options, but have since lost it and I failed to record it here. Instead I have very basic instructions to work off of, though they are good enough for general use.<ref>https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</ref>
==Basic Setup==
NOTE : Apply LUKS to a partition rather than to the raw disk. A whole-disk LUKS container carries no partition table, so other tools and operating systems see an uninitialised disk and may offer to format it. The example below still formats /dev/sdb directly. I will update accordingly when testing is finished.
<br>
<br>
This uses cryptsetup's default cipher and key-derivation settings to get up and running quickly. The defaults themselves are sound; what limits the protection is the setup: the key file is stored unencrypted on the host so that the drive unlocks at boot, so anyone who controls the host or its root filesystem can read the data. It stops the data from being read once the drive leaves the machine, but will not be sufficient against a determined attacker with access to the machine.
*In this example I will encrypt a large drive used for temporary backups. It will be auto-mounted with the OS at boot as the encryption is simply to make it easier to dispose of the drive if it fails.
#Set up LUKS on the disk.
#Create a key file.
#Add the key file to the LUKS container as a second key slot.
#Test to make sure the key file works.
#Close the container and update crypttab (and fstab, if the filesystem should also mount at boot).
<pre>
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksFormat -v /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
Command successful.

# Key file: 128 random alphanumerics, created by root under /root so the absolute
# path used in crypttab below exists at boot; mode 0400 so only root can read it.
[ michael-ws Mon Jul 23 cert ] $ sudo sh -c "umask 077; tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 128 | head -n 1 > /root/key.file"
[ michael-ws Mon Jul 23 cert ] $ sudo chmod 400 /root/key.file
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksAddKey /dev/sdb /root/key.file
Enter any existing passphrase:

# Open by the LUKS UUID (the same identifier crypttab will use) to prove the key file works.
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup open /dev/disk/by-uuid/$(sudo cryptsetup luksUUID /dev/sdb) backupdisk_enc --key-file=/root/key.file
[ michael-ws Mon Jul 23 cert ] $ ls -al /dev/mapper/backupdisk_enc

lrwxrwxrwx. 1 root root 7 Jul 23 08:15 /dev/mapper/backupdisk_enc -> ../dm-2

[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup close backupdisk_enc
# "sudo echo ... >> /etc/crypttab" fails: the redirect runs as the unprivileged user, not root. Use tee.
[ michael-ws Mon Jul 23 cert ] $ echo "backupdisk_enc UUID=$(sudo cryptsetup luksUUID /dev/sdb) /root/key.file luks" | sudo tee -a /etc/crypttab
</pre>
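The same procedure as one script, added here as a worked example; it is not the page's transcript. It assumes a Linux host with cryptsetup, lsblk and mkfs.ext4, keeps the key at /root/key.file, insists on a partition as the target (per the NOTE above), and adds the two steps the transcript leaves out: creating a filesystem on the opened mapping and the fstab entry that mounts it. The device, mapper name and mount point are arguments, and nothing touches a disk unless the script is invoked with "run".

```sh
#!/bin/sh
# Added example, not the page's own transcript: the "Basic Setup" steps as one
# script, with the checks the transcript skips. Assumed: a Linux host with
# cryptsetup, lsblk and mkfs.ext4; the key file lives at /root/key.file; the
# target is a partition (per the NOTE above); ext4 is the filesystem.
set -eu

# 64 random bytes, root-only. cryptsetup reads a key file verbatim, so a binary
# key has no trailing newline to get wrong. Refuses to clobber an existing key:
# overwriting it would silently lock every disk that was added with the old one.
make_keyfile() {
    local keyfile="$1"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key file $keyfile" >&2
        return 1
    fi
    ( umask 077 && head -c 64 /dev/urandom > "$keyfile" )
    chmod 400 "$keyfile"
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 64 ]
}

# "cryptsetup luksUUID" prints an RFC 4122 UUID; anything else means the lookup
# failed and must not end up in crypttab.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab field order: name, source, key file, options. The key path has to be
# absolute (a bare "key.file" is meaningless at boot); nofail lets the host boot
# when this disposable disk has died, which is the scenario the page plans for.
crypttab_line() {
    local name="$1" uuid="$2" keyfile="$3"
    valid_uuid "$uuid" || { echo "bad UUID: $uuid" >&2; return 1; }
    case "$keyfile" in
        /*) ;;
        *) echo "key file path must be absolute: $keyfile" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s luks,nofail\n' "$name" "$uuid" "$keyfile"
}

# fstab entry for the opened mapper device; crypttab alone only unlocks it.
fstab_line() {
    local name="$1" mountpoint="$2" fstype="${3:-ext4}"
    printf '/dev/mapper/%s %s %s defaults,nofail 0 2\n' "$name" "$mountpoint" "$fstype"
}

# The whole procedure. Destructive; only runs when called as
#   ./luks-backup.sh run /dev/sdb1 backupdisk_enc /mnt/backup
setup_backup_disk() {
    local dev="$1" name="$2" mountpoint="$3" keyfile="${4:-/root/key.file}" uuid
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ "$(lsblk -dno TYPE "$dev")" = "part" ] || { echo "$dev is not a partition" >&2; return 1; }
    [ -e "$keyfile" ] || make_keyfile "$keyfile"

    cryptsetup luksFormat "$dev"                          # interactive: passphrase slot
    cryptsetup luksAddKey "$dev" "$keyfile"               # second slot: the key file
    cryptsetup open "$dev" "$name" --key-file "$keyfile"  # proves the key file unlocks it
    mkfs.ext4 -q -L "$name" "/dev/mapper/$name"           # the transcript never makes a filesystem
    cryptsetup close "$name"

    uuid="$(cryptsetup luksUUID "$dev")"
    crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
    mkdir -p "$mountpoint"
    fstab_line "$name" "$mountpoint" ext4 >> /etc/fstab
    cryptsetup luksDump "$dev"                            # review: two key slots in use
}

case "${1:-}" in
    run) shift; setup_backup_disk "$@" ;;
esac
```

Run it as root with "run /dev/sdb1 backupdisk_enc /mnt/backup"; the luksFormat prompt still asks for the passphrase, which remains the fallback if /root/key.file is ever lost. The "nofail" option on both lines is what keeps a dead backup disk from stopping the boot; without it systemd waits for the device and drops to emergency mode, which is the opposite of what a disposable backup drive should do.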
==Encrypting Multiple Drives at the Same Time==
<pre>
# 1. List the whole disks (not their partitions) with vendor, so the ones to encrypt
#    can be picked out into the file "nonssd" by hand. smartctl prints "Vendor:" only
#    for SAS drives; SATA drives print "Device Model:" instead.
lsblk -dpno NAME,TYPE | awk '$2 == "disk" && $1 ~ /^\/dev\/sd/ {print $1}' > /tmp/list2
while read -r disk; do vendor=$(smartctl -i "$disk" | grep Vendor | awk '{print $2}'); echo "$disk : $vendor"; done < /tmp/list2 > drivelist2

# 2. Format partition 1 of every drive listed in nonssd with the shared key file,
#    then open each one under a name derived from its serial number.
while read -r line; do disk=$(echo "$line" | awk '{print $1}'); part=${disk}1; cryptsetup -q luksFormat "$part" --key-file=/root/key.file; done < nonssd
while read -r line; do disk=$(echo "$line" | awk '{print $1}'); part=${disk}1; sn=$(smartctl -i "$disk" | grep Serial | awk '{print $3}'); cryptsetup -q open "$part" "enc_$sn" --key-file=/root/key.file; done < nonssd
</pre>

==Some GPT stuff==
<ref>https://www.linux.com/learn/using-new-guid-partition-table-linux-goodbye-ancient-mbr</ref>
Latest revision as of 16:42, 21 August 2018