Luks Disk Encryption
I had previously found a really good article covering the options, but I have since lost it and failed to record it here. Instead I am working from very basic instructions, which are good enough for general use.[1]
Basic Setup
NOTE: You should not apply encryption directly to the disk; it should be applied to a partition instead. I will update the steps below accordingly when testing is finished.
This uses the standard options to get up and running quickly. It is enough to keep most people out of the data, but it will not be sufficient against a determined attacker.
- In this example I will encrypt a large drive used for temporary backups. It will be auto-mounted by the OS at boot, since the encryption is only there to make the drive easy to dispose of if it fails.
- Set up LUKS on the disk.
- Create a key file.
- Add the key file to the LUKS partition.
- Test to make sure the key file works.
- Close the partition and update crypttab.
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksFormat -v /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
Command successful.
[ michael-ws Mon Jul 23 cert ] $ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 128 | head -n 1 > key.file
[ michael-ws Mon Jul 23 cert ] $ chmod 400 key.file
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksAddKey /dev/sdb key.file
Enter any existing passphrase:
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup open /dev/disk/by-uuid/$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') backupdisk_enc --key-file=key.file
[ michael-ws Mon Jul 23 cert ] $ ls -al /dev/mapper/backupdisk_enc
lrwxrwxrwx. 1 root root 7 Jul 23 08:15 /dev/mapper/backupdisk_enc -> ../dm-2
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup close backupdisk_enc
[ michael-ws Mon Jul 23 cert ] $ sudo echo "backupdisk_enc UUID=$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') key.file" >> /etc/crypttab
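The session above works interactively but has three details that fail silently later: `sudo echo ... >> /etc/crypttab` performs the redirection as the unprivileged user, the relative `key.file` path in crypttab is not found by the boot-time unlock, and the UUID is scraped from `ls -al` output. The script below is an added example, not part of the original notes, that runs the same five steps against a partition (as the note above recommends) with those points corrected, and checks with `cryptsetup luksDump` that the key-file slot really was added before relying on it. The variable names `LUKS_PART`, `LUKS_NAME` and `LUKS_KEYFILE` and the function names are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the setup session above,
# applied to a partition, with the boot-time pitfalls fixed:
#   - UUID read with blkid instead of parsing `ls -al /dev/disk/by-uuid`
#   - key file recorded in crypttab by absolute path
#   - crypttab entry appended with `tee -a` so the write happens as root
#   - key slot count verified with luksDump after luksAddKey
# Assumed names: LUKS_PART, LUKS_NAME, LUKS_KEYFILE, setup_luks_partition.
set -eu

# Render one /etc/crypttab entry: <name> UUID=<uuid> <keyfile> <options>
crypttab_line() {
  printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Write a 128-character random key file readable only by its owner.
# 96 random bytes encode to exactly 128 base64 characters (no padding),
# which avoids the SIGPIPE that `tr ... </dev/urandom | head` can raise.
make_keyfile() {
  local keyfile="$1"
  ( umask 077; head -c 96 /dev/urandom | base64 | tr -d '\n' >"$keyfile" )
  chmod 400 "$keyfile"
}

# Count populated key slots in `cryptsetup luksDump` output read from stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 prints "  N: luks2" under Keyslots.
enabled_slots() {
  grep -cE '^Key Slot [0-9]+: ENABLED$|^ +[0-9]+: luks2$' || true
}

# The device-touching procedure; must run as root against a real partition.
setup_luks_partition() {
  local part="$1" name="$2" keyfile="$3" uuid slots
  # 1. Format the partition; the passphrase set here is the recovery path.
  cryptsetup luksFormat -v "$part"
  # 2. Create the key file and add it as a second key slot.
  make_keyfile "$keyfile"
  cryptsetup luksAddKey "$part" "$keyfile"
  # 3. Verify that both slots (passphrase + key file) now exist.
  slots=$(cryptsetup luksDump "$part" | enabled_slots)
  if [ "$slots" -lt 2 ]; then
    echo "expected 2 key slots on $part, found $slots" >&2
    return 1
  fi
  # 4. Prove the key file unlocks the volume, then close it again.
  cryptsetup open "$part" "$name" --key-file="$keyfile"
  test -e "/dev/mapper/$name"
  cryptsetup close "$name"
  # 5. Record the mapping for boot: UUID from blkid, key file by absolute path.
  uuid=$(blkid -s UUID -o value "$part")
  crypttab_line "$name" "$uuid" "$(readlink -f "$keyfile")" | tee -a /etc/crypttab
}

# Only touch a device when explicitly asked, e.g.:
#   sudo LUKS_PART=/dev/sdb1 LUKS_NAME=backupdisk_enc LUKS_KEYFILE=/root/backupdisk.key bash luks-setup.sh
if [ -n "${LUKS_PART:-}" ]; then
  setup_luks_partition "$LUKS_PART" "${LUKS_NAME:-backupdisk_enc}" "${LUKS_KEYFILE:-/root/backupdisk.key}"
fi
```

The key file lives under /root with mode 400, so the volume is only as protected as root on the host; that matches the stated goal (easy disposal of a failed drive) but not a threat model where the host itself is compromised.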
Encrypting Multiple Drives at the Same Time
# Reads one disk per line from the file "nonssd" (e.g. /dev/sdb) and formats its
# first partition with the shared key file. The mapping name enc_<serial> belongs
# to "cryptsetup open", not to "luksFormat" (which only takes the device and an
# optional key file), so the format and open steps are separated.
while read -r disk _; do
  part="${disk}1"
  sn=$(smartctl -i "$disk" | awk '/Serial Number/ {print $3}')
  cryptsetup -q luksFormat "$part" --key-file=/root/key.file
  cryptsetup open "$part" "enc_$sn" --key-file=/root/key.file
done < nonssd