Luks Disk Encryption

From Michael's Information Zone

Previously I had found a really good article going over the options, but have since lost it and I failed to record it here. Instead I have very basic instructions to work off of, though they are good enough for general use.[1]

Basic Setup

NOTE: You should not apply encryption directly to the disk; instead it should be applied to a partition. I will update accordingly when testing is finished.

Using the standard options to get up and running quickly. This is enough to keep most people out of the data, but it will not be sufficient against a determined attacker.

  • In this example I will encrypt a large drive used for temporary backups. It will be auto-mounted with the OS at boot as the encryption is simply to make it easier to dispose of the drive if it fails.
  1. Setup luks on the disk.
  2. Create a key file
  3. Add key file to the luks partition.
  4. Test to make sure the key file works.
  5. Close the partition and update crypttab.
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksFormat -v /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb: 
Verify passphrase: 
Command successful.

[ michael-ws Mon Jul 23 cert ] $ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 128 | head -n 1 > key.file
[ michael-ws Mon Jul 23 cert ] $ chmod 400 key.file
[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup luksAddKey /dev/sdb key.file
Enter any existing passphrase: 

[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup open /dev/disk/by-uuid/$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') backupdisk_enc --key-file=key.file 
[ michael-ws Mon Jul 23 cert ] $ ls -al /dev/mapper/backupdisk_enc 

lrwxrwxrwx. 1 root root 7 Jul 23 08:15 /dev/mapper/backupdisk_enc -> ../dm-2

[ michael-ws Mon Jul 23 cert ] $ sudo cryptsetup close backupdisk_enc
[ michael-ws Mon Jul 23 cert ] $ echo "backupdisk_enc UUID=$(ls -al /dev/disk/by-uuid/ | grep sdb | awk '{print $9}') $PWD/key.file" | sudo tee -a /etc/crypttab
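The same five steps as one POSIX sh script, added here as an example that is not part of the original page: it generates a root-only key file, checks the file's permissions before trusting it, verifies that the key file actually unlocks the partition, and appends a crypttab entry that uses an absolute key path and a UUID read from blkid. The partition /dev/sdb1, the mapper name backupdisk_enc and the key path /root/backupdisk.key are assumed values.

```shell
#!/bin/sh
# Added example: LUKS on a partition with a passphrase (slot 0) plus a
# root-only key file (slot 1) for unattended unlock at boot via crypttab.
# Assumes it runs as root and that the key file lives on a filesystem
# that is itself protected (e.g. an encrypted root).

# Build one crypttab line: name, UUID= source, absolute key path, options.
crypttab_line() {
    # $1 mapper name, $2 partition UUID, $3 key file, $4 options (default luks)
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks}"
}

# Succeed only if the key file is mode 0400 or 0600 (no group/world access).
keyfile_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 400 ] || [ "$mode" = 600 ]
}

setup_luks_partition() {
    # $1 partition (not the whole disk), $2 mapper name, $3 absolute key path
    part=$1; name=$2; key=$3
    umask 077
    head -c 4096 /dev/urandom > "$key"          # 4096 random bytes as the key
    chown root:root "$key" && chmod 400 "$key"
    keyfile_is_private "$key" || return 1       # refuse a readable key file
    cryptsetup luksFormat -q "$part" || return 1    # asks for the passphrase
    cryptsetup luksAddKey "$part" "$key" || return 1 # asks for it again
    # Prove the key file works before relying on it at boot, then close.
    cryptsetup open "$part" "$name" --key-file="$key" || return 1
    cryptsetup close "$name"
    uuid=$(blkid -s UUID -o value "$part") || return 1
    crypttab_line "$name" "$uuid" "$key" | tee -a /etc/crypttab
}

# Usage (assumed values): setup_luks_partition /dev/sdb1 backupdisk_enc /root/backupdisk.key
```

After the crypttab entry exists, the filesystem on /dev/mapper/backupdisk_enc still needs its own fstab line to be mounted at boot.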

Encrypting Multiple Drives at the Same Time

while read -r disk; do part="${disk}1"; sn=$(smartctl -i "$disk" | grep Serial | awk '{print $3}'); cryptsetup -q luksFormat "$part" --key-file=/root/key.file && cryptsetup open "$part" "enc_$sn" --key-file=/root/key.file; done < nonssd

Some GPT stuff

[2]