Hard-disk Encryption

First Time Usage

Install the software (on Debian):

# apt-get install cryptsetup

Create a test file to play with and attach it to a loop device:

# dd if=/dev/urandom of=testfile bs=1M count=100
# losetup /dev/loop/0 testfile

Now encrypt it with LUKS

# cryptsetup luksFormat /dev/loop/0
WARNING!
========
This will overwrite data on /dev/loop/0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: GEHEIM
Verify passphrase: GEHEIM
Command successful.

# cryptsetup luksOpen /dev/loop/0 mytestfs
Enter LUKS passphrase: GEHEIM
key slot 0 unlocked.
Command successful.
# mkfs.ext3 /dev/mapper/mytestfs
# mount /dev/mapper/mytestfs /mnt/mnt/
# umount /dev/mapper/mytestfs
# cryptsetup luksClose /dev/mapper/mytestfs

You may even use a file with a secret to avoid the need to enter the password on each mount.

# pwgen -s 500 > /mnt/usbstick/mykeyfile
# cryptsetup luksFormat /dev/loop/0 /mnt/usbstick/mykeyfile

WARNING!
========
This will overwrite data on /dev/loop/0 irrevocably.

Are you sure? (Type uppercase yes): YES
Command successful.

# cryptsetup -d /mnt/usbstick/mykeyfile luksOpen /dev/loop/0 mytestfs
# mkfs.ext3 /dev/mapper/mytestfs
# mount /dev/mapper/mytestfs /mnt/mnt/
# umount /dev/mapper/mytestfs
# cryptsetup luksClose /dev/mapper/mytestfs

Even when you started with a keyfile, you can always add a manual password:

# cryptsetup -d /mnt/usbstick/mykeyfile luksAddKey /dev/loop/0
key slot 0 unlocked.
Enter new passphrase for key slot: FOOBAR
Verify passphrase: FOOBAR
Command successful.

You can always add additional passwords (e.g. for different users):

# cryptsetup luksAddKey /dev/loop/0
Enter any LUKS passphrase: FOOBAR
key slot 1 unlocked.
Enter new passphrase for key slot: SECRET
Verify passphrase: SECRET
Command successful.

Once everything is configured, you have to unlock the device before you can use it, either with the keyfile

# cryptsetup -d /mnt/usbstick/mykeyfile luksOpen /dev/loop/0 mytestfs
key slot 0 unlocked.
Command successful.

or with the password

# cryptsetup luksOpen /dev/loop/0 mytestfs
Enter LUKS passphrase: SECRET
key slot 1 unlocked.
Command successful.

Now it can be mounted and accessed as usual

# mount /dev/mapper/mytestfs /mnt/mnt/

until you unmount and close it again

# umount /dev/mapper/mytestfs
# cryptsetup luksClose /dev/mapper/mytestfs

Normal Usage with Keyfile

You probably want to use real devices, e.g. one for swap and one for the crypt partition:

swap: /dev/hdz6
crypt: /dev/hdz7

Encrypt the crypt partition (filling it with random data first is probably better):

cryptsetup luksFormat /dev/hdz7 /mnt/usbstick/mykeyfile

Optionally add an encrypted swap partition; it will be formatted automatically on each reboot. /etc/crypttab:

# <target device> <source device> <key file> <options>
myswap /dev/hdz6 /dev/random swap
mycrypt /dev/hdz7 /mnt/usbstick/mykeyfile luks

The opened device should appear after a reboot and has to be formatted (once):

mkfs.ext3 /dev/mapper/mycrypt

Now it can be mounted via a normal fstab entry. /etc/fstab:

# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/mycrypt /mnt/mycrypt1 ext3 defaults 0 2
/dev/mapper/myswap none swap sw 0 0

Don't lose the keyfile ;-)
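As an added example (not part of the original page), a small POSIX shell helper for the keyfile workflow used above: it creates the keyfile so that only its owner can read it, checks a keyfile before it is passed to cryptsetup, and wraps the page's luksFormat/luksOpen steps with a LUKS header backup. File names and sizes are constructed for the demonstration; the cryptsetup calls assume root and a device of your own.

```shell
#!/bin/sh
# Added example, not from the original page: create a LUKS keyfile that only
# its owner can read, and check a keyfile before handing it to cryptsetup.
# File names and sizes here are constructed for the demonstration.

# make_keyfile PATH [BYTES]: fill PATH with BYTES of kernel randomness
# (default 4096) and leave it mode 0400, never world-readable even briefly.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
}

# keyfile_size PATH: print the size in bytes (whitespace stripped for BSD wc).
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# check_keyfile PATH: succeed only for a non-empty regular file with no
# group/other permission bits; otherwise explain on stderr and fail.
check_keyfile() {
    path=$1
    [ -f "$path" ] || { echo "keyfile: not a regular file: $path" >&2; return 1; }
    [ -s "$path" ] || { echo "keyfile: empty: $path" >&2; return 1; }
    # columns 5-10 of ls -l are the group and other bits, e.g. "------"
    perms=$(ls -ld "$path" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "keyfile: readable by group/other ($perms): $path" >&2; return 1; }
}

# setup_luks DEVICE KEYFILE NAME HEADER_BACKUP: the page's keyfile workflow
# (luksFormat, then luksOpen with -d) with the check in front and a header
# backup afterwards, since a damaged LUKS header loses the data just as
# surely as a lost keyfile. Needs root; not exercised by the demo below.
setup_luks() {
    dev=$1 key=$2 name=$3 backup=$4
    check_keyfile "$key" || return 1
    cryptsetup luksFormat "$dev" "$key" || return 1
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    cryptsetup -d "$key" luksOpen "$dev" "$name"
}

# Demo: build and check a keyfile in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_keyfile "$d/mykeyfile" && check_keyfile "$d/mykeyfile" \
        && echo "keyfile ok: $(keyfile_size "$d/mykeyfile") bytes"
    rm -rf "$d"
fi
```

Run with `sh luks-keyfile.sh demo` to see the check pass on a freshly made keyfile; keep the header backup file somewhere as protected as the keyfile itself.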