Important: This is not a definitive guide. Use LUKS with caution and always have a backup before you modify anything. Improper use of LUKS may destroy all your data, and I do not take any responsibility for that. You were warned.
Check if a partition is already encrypted with LUKS
[root@cmstorm home]# cryptsetup isLuks /dev/sda1 && echo Yes
[root@cmstorm home]#
Fill the device with random data
# dd if=/dev/urandom of=/dev/sda1
or
# badblocks -c 10240 -s -w -t random -v /dev/sda1
Encrypt the partition
[root@cmstorm home]# cryptsetup luksFormat /dev/sda1
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@cmstorm home]# cryptsetup isLuks /dev/sda1 && echo Yes
Yes
[root@cmstorm home]# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: b9 2d fd e6 d2 ab 1b 83 9c 4e 26 36 ba b7 a0 62 a9 49 b7 59
MK salt: 35 79 84 53 ce 26 0a 3c da 1a cc a0 c0 fc 4f 1f
         c1 82 91 2e 3c df f2 44 63 e7 f2 b6 42 a6 11 3b
MK iterations: 72875
UUID: cba6febb-91cb-456e-afcf-0a16e89e4cae
Key Slot 0: ENABLED
    Iterations: 291655
    Salt: fd e6 dc 28 4f 68 ed 56 10 19 80 2c 74 33 1b 55
          e9 8e 12 7c 08 be 24 0d 97 f5 f2 fd fb 21 65 01
    Key material offset: 8
    AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
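The dump above shows a LUKS1 header with aes in cbc-essiv:sha256 mode and sha1 as the hash spec, none of which current cryptsetup releases pick by default. As an added example (not part of the original post; the function names are hypothetical), this script reads LUKS1-style luksDump text and flags those parameters, using an abridged copy of the dump above as sample input:

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Abridged copy of the luksDump output shown on this page (digest/salt omitted).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
UUID: cba6febb-91cb-456e-afcf-0a16e89e4cae
Key Slot 0: ENABLED
Iterations: 291655
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Read LUKS1-style luksDump text on stdin, print findings,
# return 1 if any parameter deserves review, 0 otherwise.
audit_luks_dump() {
    awk '
    function report(msg) { n++; print "REVIEW " msg }
    {
        p = index($0, ":")            # split on the FIRST colon only, so
        if (p == 0) next              # "cbc-essiv:sha256" stays in one piece
        key = substr($0, 1, p - 1); val = substr($0, p + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "Version" && val == "1" { report("header version 1 (LUKS1); current cryptsetup formats LUKS2 by default") }
    key == "Cipher mode" && val ~ /^cbc/ { report("cipher mode " val "; current default is xts-plain64") }
    key == "Hash spec" && val == "sha1" { report("hash spec sha1; current default is sha256") }
    key ~ /^Key Slot [0-7]$/ && val == "ENABLED" { slots++ }
    END { printf "INFO enabled key slots: %d\n", slots; exit (n > 0) }
    '
}

# On a real system (as root): cryptsetup luksDump /dev/sda1 | audit_luks_dump
sample_dump | audit_luks_dump || true
```

Changing any of the flagged parameters means reformatting the device, which destroys its contents, so the check is most useful before data is placed on the volume.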
Open the encrypted device and create mapping
[root@cmstorm home]# cryptsetup luksUUID /dev/sda1
cba6febb-91cb-456e-afcf-0a16e89e4cae
[root@cmstorm home]# cryptsetup luksOpen /dev/sda1 luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
Enter passphrase for /dev/sda1:
[root@cmstorm home]# ll /dev/mapper/luks-*
lrwxrwxrwx. 1 root root 7 Apr 25 23:40 /dev/mapper/luks-cba6febb-91cb-456e-afcf-0a16e89e4cae -> ../dm-4
lrwxrwxrwx. 1 root root 7 Apr 25 22:54 /dev/mapper/luks-e78b92c8-26a5-415b-9f95-c56aa9e511ca -> ../dm-2
[root@cmstorm home]# dmsetup info luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
Name: luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 4
Number of targets: 1
UUID: CRYPT-LUKS1-cba6febb91cb456eafcf0a16e89e4cae-luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
[root@cmstorm ~]# vim /etc/crypttab
luks-e78b92c8-26a5-415b-9f95-c56aa9e511ca UUID=e78b92c8-26a5-415b-9f95-c56aa9e511ca none
luks-cba6febb-91cb-456e-afcf-0a16e89e4cae UUID=cba6febb-91cb-456e-afcf-0a16e89e4cae none
Now you can use your newly encrypted device, in this case /dev/mapper/luks-cba6febb-91cb-456e-afcf-0a16e89e4cae, to create a file system or use it with LVM, for instance.