Thursday, April 25, 2013

LUKS : How to encrypt a partition?

Important: This is not a definitive guide. Use LUKS with caution and always have a backup before you modify anything. Improper use of LUKS may destroy all your data and I do not take any responsibility for that. You were warned.


Check if a partition is already encrypted with LUKS

[root@cmstorm home]# cryptsetup isLuks /dev/sda1 && echo Yes
[root@cmstorm home]#

Fill the device with random data (optional, but it hides how much of the partition actually holds ciphertext)

# dd if=/dev/urandom of=/dev/sda1
or
# badblocks -c 10240 -s -w -t random -v /dev/sda1


Encrypt the partition

[root@cmstorm home]# cryptsetup luksFormat /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

[root@cmstorm home]# cryptsetup isLuks /dev/sda1 && echo Yes
Yes


[root@cmstorm home]# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1

Version:           1
Cipher name:       aes
Cipher mode:       cbc-essiv:sha256
Hash spec:         sha1
Payload offset:    4096
MK bits:           256
MK digest:         b9 2d fd e6 d2 ab 1b 83 9c 4e 26 36 ba b7 a0 62 a9 49 b7 59
MK salt:           35 79 84 53 ce 26 0a 3c da 1a cc a0 c0 fc 4f 1f
                   c1 82 91 2e 3c df f2 44 63 e7 f2 b6 42 a6 11 3b
MK iterations:     72875
UUID:              cba6febb-91cb-456e-afcf-0a16e89e4cae
Key Slot 0: ENABLED
    Iterations:             291655
    Salt:                   fd e6 dc 28 4f 68 ed 56 10 19 80 2c 74 33 1b 55
                              e9 8e 12 7c 08 be 24 0d 97 f5 f2 fd fb 21 65 01
    Key material offset:    8
    AF stripes:                4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


Open the encrypted device and create mapping

[root@cmstorm home]# cryptsetup luksUUID /dev/sda1
cba6febb-91cb-456e-afcf-0a16e89e4cae


[root@cmstorm home]# cryptsetup luksOpen /dev/sda1 luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
Enter passphrase for /dev/sda1:
 

[root@cmstorm home]# ll /dev/mapper/luks-*
lrwxrwxrwx. 1 root root 7 Apr 25 23:40 /dev/mapper/luks-cba6febb-91cb-456e-afcf-0a16e89e4cae -> ../dm-4
lrwxrwxrwx. 1 root root 7 Apr 25 22:54 /dev/mapper/luks-e78b92c8-26a5-415b-9f95-c56aa9e511ca -> ../dm-2
 

[root@cmstorm home]# dmsetup info luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
Name:              luks-cba6febb-91cb-456e-afcf-0a16e89e4cae
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      253, 4
Number of targets: 1
UUID: CRYPT-LUKS1-cba6febb91cb456eafcf0a16e89e4cae-luks-cba6febb-91cb-456e-afcf-0a16e89e4cae


[root@cmstorm ~]# vim /etc/crypttab
luks-e78b92c8-26a5-415b-9f95-c56aa9e511ca UUID=e78b92c8-26a5-415b-9f95-c56aa9e511ca none
luks-cba6febb-91cb-456e-afcf-0a16e89e4cae UUID=cba6febb-91cb-456e-afcf-0a16e89e4cae none


Now you can use your newly encrypted device, in this case /dev/mapper/luks-cba6febb-91cb-456e-afcf-0a16e89e4cae, to create a file system on it or to use it with LVM, for instance.
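As an added example (not part of the original post), the following POSIX shell script parses the output of cryptsetup luksDump shown above, audits the header settings a reviewer would look at (cipher mode, hash spec, master key size, which key slots are enabled) and builds the /etc/crypttab line in the post's luks-<UUID> convention. SAMPLE_DUMP is a constructed copy of the post's own luksDump output trimmed to the fields used; SAMPLE_DUMP_XTS is a constructed dump with the later cryptsetup defaults, included only to show a header the audit does not flag. The function names are this example's own, not cryptsetup's.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `cryptsetup luksDump`
# output to audit a LUKS1 header and to build a crypttab entry.
# On a real device:  luks_audit "$(cryptsetup luksDump /dev/sdXN)"

# Constructed sample: the post's luksDump output, trimmed to the fields used.
SAMPLE_DUMP='LUKS header information for /dev/sda1

Version:           1
Cipher name:       aes
Cipher mode:       cbc-essiv:sha256
Hash spec:         sha1
MK bits:           256
UUID:              cba6febb-91cb-456e-afcf-0a16e89e4cae
Key Slot 0: ENABLED
    Iterations:             291655
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed sample with the later cryptsetup defaults (aes-xts-plain64, sha256).
SAMPLE_DUMP_XTS='Version:           1
Cipher name:       aes
Cipher mode:       xts-plain64
Hash spec:         sha256
MK bits:           512
UUID:              00000000-0000-4000-8000-000000000000
Key Slot 0: ENABLED
Key Slot 1: DISABLED'

# Print the value of one "Field:   value" line ($1 = dump text, $2 = field name).
dump_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Print the numbers of all ENABLED key slots, space separated.
enabled_slots() {
    printf '%s\n' "$1" | sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Count of ENABLED key slots (grep -c exits 1 on zero matches; keep the count anyway).
enabled_slot_count() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED$' || true
}

# Report header settings worth a second look. Prints one finding per line and
# returns 1 if anything was flagged, 0 otherwise.
luks_audit() {
    dump=$1
    rc=0
    mode=$(dump_field "$dump" "Cipher mode")
    hash=$(dump_field "$dump" "Hash spec")
    bits=$(dump_field "$dump" "MK bits")
    slots=$(enabled_slot_count "$dump")
    case $mode in
        cbc-*) echo "cipher mode $mode is CBC; later cryptsetup releases default to xts-plain64"; rc=1 ;;
    esac
    case $hash in
        sha1) echo "hash spec sha1 is the old default; later cryptsetup releases default to sha256"; rc=1 ;;
    esac
    [ "$bits" -ge 256 ] || { echo "master key is only $bits bits"; rc=1; }
    [ "$slots" -ge 1 ] || { echo "no enabled key slot: the volume cannot be unlocked"; rc=1; }
    [ "$slots" -le 1 ] || echo "note: $slots key slots enabled ($(enabled_slots "$dump")); confirm each one is expected"
    return $rc
}

# crypttab entry in the post's convention: mapper name luks-<UUID>, source
# by UUID, "none" (prompt for the passphrase instead of reading a key file).
crypttab_line() {
    uuid=$(dump_field "$1" "UUID")
    printf 'luks-%s UUID=%s none\n' "$uuid" "$uuid"
}

# Demo on the constructed samples.
crypttab_line "$SAMPLE_DUMP"
luks_audit "$SAMPLE_DUMP" || echo "audit of the post's header flagged issues (exit $?)"
luks_audit "$SAMPLE_DUMP_XTS" && echo "audit of the xts header found nothing to flag"
```

The audit is deliberately conservative: the post's header (aes-cbc-essiv:sha256, PBKDF2 with sha1) still unlocks fine, but a fleet-wide check of luksDump output is the cheapest way to spot volumes created with old defaults, headers with no usable key slot, or extra enabled slots nobody remembers adding.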