Luks Disk Encryption
Previously I had found a really good article going over the options, but have since lost it and I failed to record it here. Instead I have very basic instructions to work off of, though they are good enough for general use.[1]
Basic Setup
Using the standard options to get up and running quickly. This is more to prevent most people from accessing the data, but will not be sufficient to a determined attacker.
- In this example I will encrypt a large drive used for temporary backups. It will be auto-mounted with the OS at boot as the encryption is simply to make it easier to dispose of the drive if it fails.
- Setup luks on the disk.
- Create a key file
- Add key file to the luks partition.
- Test to make sure the key file works.
- Close the partition and update crypttab.
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksFormat -v /dev/sdb
WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
Command successful.
[ michael-ws Mon Jul 23 cert ] $ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 128 | head -n 1 > key.file
[ michael-ws Mon Jul 23 cert ] $ chmod 400 key.file
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksAddKey /dev/sdb key.file
Enter any existing passphrase:
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup open /dev/disk/by-uuid/$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') backupdisk_enc --key-file=key.file
[ michael-ws Mon Jul 23 cert ] $ ls -al /dev/mapper/backupdisk_enc
lrwxrwxrwx. 1 root root 7 Jul 23 08:15 /dev/mapper/backupdisk_enc -> ../dm-2
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup close backupdisk_enc
[ michael-ws Mon Jul 23 cert ] $ sudo echo "backupdisk_enc UUID=$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') key.file" >> /etc/crypttab
