Difference between revisions of "Luks Disk Encryption"
Michael.mast (talk | contribs)
==Some GPT stuff==
<ref>https://www.linux.com/learn/using-new-guid-partition-table-linux-goodbye-ancient-mbr</ref>
Revision as of 07:39, 23 July 2018
Previously I had found a really good article going over the options, but have since lost it and I failed to record it here. Instead I have very basic instructions to work off of, though they are good enough for general use.[1]
Basic Setup
Using the standard options to get up and running quickly. This is more to prevent most people from accessing the data, but will not be sufficient against a determined attacker.
- In this example I will encrypt a large drive used for temporary backups. It will be auto-mounted with the OS at boot as the encryption is simply to make it easier to dispose of the drive if it fails.
- Set up LUKS on the disk.
- Create a key file.
- Add the key file to the LUKS partition.
- Test to make sure the key file works.
- Close the partition and update crypttab.
<pre>
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksFormat -v /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
Command successful.
[ michael-ws Mon Jul 23 cert ] $ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 128 | head -n 1 > key.file
[ michael-ws Mon Jul 23 cert ] $ chmod 400 key.file
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksAddKey /dev/sdb key.file
Enter any existing passphrase:

[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup open /dev/disk/by-uuid/$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') backupdisk_enc --key-file=key.file
[ michael-ws Mon Jul 23 cert ] $ ls -al /dev/mapper/backupdisk_enc

lrwxrwxrwx. 1 root root 7 Jul 23 08:15 /dev/mapper/backupdisk_enc -> ../dm-2

[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup close backupdisk_enc
# sudo elevates only echo, not the >> redirection, so "sudo echo ... >> /etc/crypttab" is denied; tee -a does the append as root
[ michael-ws Mon Jul 23 cert ] $ echo "backupdisk_enc UUID=$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') key.file" | sudo tee -a /etc/crypttab
</pre>
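The five steps above as one script, added here as an example; it is not the wiki author's session or any project's code. It keeps the page's device (/dev/sdb) and mapping name (backupdisk_enc) but assumes a key file path of /etc/luks-keys/backupdisk.key, because crypttab needs an absolute key path and the relative key.file from the session cannot be found at boot. It also resolves the UUID with blkid instead of grepping the by-uuid listing (which would also match sdb1, sdb2, ...), creates the key file with a restrictive umask so it is never briefly world-readable, skips the crypttab line if one already exists, and runs as root so the append itself is privileged. The destructive cryptsetup steps only run when RUN_LUKS_SETUP=1 is set; the helpers that build the crypttab line, write the key file and check for an existing entry work on any scratch path.

```shell
#!/bin/sh
# Added example, not the wiki author's session: the five steps above as a
# script, with the parts that break at boot or on re-run fixed.
# Assumed, not on the page: the key file path /etc/luks-keys/backupdisk.key.
DEVICE="${DEVICE:-/dev/sdb}"                              # device from the page
MAPPER_NAME="${MAPPER_NAME:-backupdisk_enc}"              # mapping name from the page
KEYFILE="${KEYFILE:-/etc/luks-keys/backupdisk.key}"       # assumed absolute path

# Step 2: write the key file from the kernel RNG with owner-only permissions
# from the moment it is created (the umask applies to the redirection), rather
# than creating it world-readable and chmod'ing afterwards. 512 raw bytes:
# cryptsetup reads the key file as bytes, so restricting it to [a-zA-Z0-9]
# is unnecessary.
write_keyfile() {
    keyfile="$1"
    mkdir -p "$(dirname "$keyfile")" || return 1
    (umask 077 && head -c 512 /dev/urandom > "$keyfile") || return 1
    chmod 400 "$keyfile"
}

# Build the crypttab line. crypttab wants an absolute key path: the relative
# "key.file" from the session above cannot be resolved at boot.
make_crypttab_entry() {
    name="$1"; uuid="$2"; keyfile="$3"
    case "$keyfile" in
        /*) ;;
        *) echo "key file path must be absolute: $keyfile" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s\n' "$name" "$uuid" "$keyfile"
}

# True if crypttab already maps this name; a plain ">>" on every run would
# append a duplicate line.
crypttab_has_entry() {
    grep -q "^$1[[:space:]]" "$2" 2>/dev/null
}

# Resolve the UUID with blkid rather than "ls /dev/disk/by-uuid | grep sdb":
# grep sdb also matches sdb1, sdb2, ... on a partitioned disk.
device_uuid() {
    blkid -s UUID -o value "$1"
}

setup_backupdisk() {
    cryptsetup luksFormat -v "$DEVICE"                   # step 1: prompts for a passphrase
    write_keyfile "$KEYFILE"                             # step 2
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"           # step 3: prompts for that passphrase
    uuid="$(device_uuid "$DEVICE")" || return 1
    cryptsetup open "/dev/disk/by-uuid/$uuid" "$MAPPER_NAME" --key-file="$KEYFILE"   # step 4
    [ -e "/dev/mapper/$MAPPER_NAME" ] || { echo "key file did not open $DEVICE" >&2; return 1; }
    cryptsetup close "$MAPPER_NAME"                      # step 5
    if ! crypttab_has_entry "$MAPPER_NAME" /etc/crypttab; then
        # The script runs as root, so the redirection itself is privileged;
        # "sudo echo ... >> /etc/crypttab" elevates only echo and is denied.
        make_crypttab_entry "$MAPPER_NAME" "$uuid" "$KEYFILE" >> /etc/crypttab
    fi
}

# The destructive steps run only when asked for explicitly, and only as root.
if [ "${RUN_LUKS_SETUP:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    setup_backupdisk
fi
```

Run it as root with RUN_LUKS_SETUP=1 to perform the setup; without that variable the script only defines the functions, which is what lets make_crypttab_entry and crypttab_has_entry be tried against a scratch crypttab before touching /etc/crypttab.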