75% developed


From Wikibooks, open books for an open world
Jump to navigation Jump to search

In this book, I will explain how to encrypt your partitions using Linux Unified Key Setup-on-disk-format (LUKS) on your Linux based computer or laptop.

Linux encryption methods[edit | edit source]

There are two methods to encrypt your data:

Filesystem stacked level encryption[edit | edit source]

  1. eCryptfs - It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu's Encrypted Home Directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
  2. EncFS -It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.

Block device level encryption[edit | edit source]

  1. Loop-AES - Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
  2. Truecrypt - It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux. (Deprecated)
  3. dm-crypt+LUKS - dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.

Install cryptsetup utility[edit | edit source]

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux user type the following apt-get command:

# apt-get install cryptsetup

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  cryptsetup-bin libcryptsetup4
Suggested packages:
The following NEW packages will be installed:
  cryptsetup cryptsetup-bin libcryptsetup4
0 upgraded, 3 newly installed, 0 to remove and 7 not upgraded.
Need to get 168 kB of archives.
After this operation, 669 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main libcryptsetup4 amd64 2:1.4.1-2ubuntu4 [55.8 kB]
Get:2 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main cryptsetup-bin amd64 2:1.4.1-2ubuntu4 [32.2 kB]
Get:3 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main cryptsetup amd64 2:1.4.1-2ubuntu4 [80.0 kB]
Fetched 168 kB in 0s (268 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libcryptsetup4.
(Reading database ... 25374 files and directories currently installed.)
Unpacking libcryptsetup4 (from .../libcryptsetup4_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Selecting previously unselected package cryptsetup-bin.
Unpacking cryptsetup-bin (from .../cryptsetup-bin_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Selecting previously unselected package cryptsetup.
Unpacking cryptsetup (from .../cryptsetup_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libcryptsetup4 (2:1.4.1-2ubuntu4) ...
Setting up cryptsetup-bin (2:1.4.1-2ubuntu4) ...
Setting up cryptsetup (2:1.4.1-2ubuntu4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-31-virtual

RHEL / CentOS / Fedora Linux user type the following yum command:

# yum install cryptsetup-luks

Configure LUKS partition[edit | edit source]

In this example, I'll use partition called /dev/xvdc, and our first task will be to overwrite that partition 3 times with random data, that's enough to protect you against forensic investigation. It took me nearly 30 minutes for 20 GB partition to be overwritten 3 times.

# shred --verbose --random-source=/dev/urandom --iterations=3 /dev/xvdc

Next, I'm going to encrypt /dev/xvdc. Type the following command:

# cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat /dev/xvdc

Sample outputs:

This will overwrite data on /dev/xvdc irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.Type the following command create a mapping:

# cryptsetup luksOpen /dev/xvdc backup2

Sample outputs:

Enter passphrase for /dev/xvdc:

You can see a mapping name /dev/mapper/backup2 after successful verification of the supplied key material which was created with luksFormat command extension:

# ls -l /dev/mapper/backup2

Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0

You can use the following command to see the status for the mapping:

# cryptsetup -v status backup2

Sample outputs:

/dev/mapper/backup2 is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/xvdc
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.

You can dump LUKS headers using the following command:

# cryptsetup luksDump /dev/xvdc

Format LUKS partition[edit | edit source]

First, you need to write zeros to /dev/mapper/backup2 encrypted device. This will allocate block data with zeros. This ensures that outside world will see this as random data i.e. it protect against disclosure of usage patterns:

# dd if=/dev/zero of=/dev/mapper/backup2

The dd command may take many hours to complete. I suggest that you use pv command to monitor the progress:

# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M

To create a filesystem i.e. format filesystem, enter:

# mkfs.ext4 /dev/mapper/backup2

To mount the new filesystem at /backup2, enter:

# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l

How do I unmount and secure data?[edit | edit source]

Type the following commands:

# umount /backup2
# cryptsetup luksClose backup2

How do I mount or remount encrypted partition?[edit | edit source]

Type the following command:

# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount

See shell script wrapper that opens LUKS partition and sets up a mapping for nas devices.

Can I run fsck on LUKS based partition / LVM volume?[edit | edit source]

Yes, you can use the fsck command on LUKS based systems:

# umount /backup2
# fsck -vy /dev/mapper/backup2
# mount /dev/mapper/backup2 /backup2

See how to run fsck On LUKS (dm-crypt) based LVM physical volume for more details.

How do I change LUKS passphrase (password) for encrypted partition?[edit | edit source]

Type the following command

### see key slots, max -8 i.e. max 8 passwords can be setup for each device ####
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Remove or delete the old password:

# cryptsetup luksRemoveKey /dev/xvdc

Please note that you need to enter the old password / passphrase.