Distroname and release: Debian Wheezy
Encrypt disk with DM-Crypt Luks

In this short guide we will encrypt a disk with DM-Crypt and LUKS.
This guide is not very detailed, but only shows in short terms how this can be done.
Make sure you have a backup, in case something terrible happens and you cannot boot the system.
Adding DM-Crypt with a LUKS header to a disk/partition which contains data will erase ALL the data!
Use a USB disk to hold /boot; then the complete hard disk is encrypted, and we can ensure that no one "injects" hacked code into our libraries.
See here for more information why this is a good idea!
This procedure still requires local access to the server, and the password for the keyfile is entered after the "patched" software has been applied.
Installation and setup

In these examples /dev/sdc is a new unformatted disk on which we will create a new key-protected full disk encryption.

Wipe the disk...
This is done so that the partition holds only random-looking data, even on a new disk. This could take quite some time, depending on the disk size.
Doing this will "create data" on a new disk, so it becomes much more difficult to decrypt an encrypted disk with data recovery tools.
Note that /dev/zero writes zeros; to fill the raw disk with random data use /dev/urandom as the source instead (slower). Writing zeros to the opened mapper device after luksFormat has the same effect, because the ciphertext that reaches the disk is indistinguishable from random data.

cat /dev/zero > /dev/sdc

Or using dd_rescue (requires the ddrescue package), which shows a nice progress bar in versions later than 1.17:

dd_rescue -f /dev/zero /dev/sdc
Install cryptsetup and load the device-mapper module:

aptitude install cryptsetup-luks
modprobe dm_mod

Make sure that dm_mod loads at boot!

echo 'dm_mod' >> /etc/modules

Create the needed partition(s) or just use the whole device.

cryptsetup luksFormat /dev/sdc
(answer YES, NOTE UPPERCASE)

Create the mapper:

cryptsetup luksOpen /dev/sdc sdc_encryptet

Create the filesystem, and optional partitions:

mkfs.ext4 /dev/mapper/sdc_encryptet

Create the mountpoint:

mkdir /mnt/sdc_encryptet

Now mount the encrypted filesystem:

mount /dev/mapper/sdc_encryptet /mnt/sdc_encryptet

Now you can do work in the filesystem! To close/lock the encrypted filesystem use the parameter luksClose:

umount /mnt/sdc_encryptet
cryptsetup luksClose sdc_encryptet
Using a keyfile

Create the key:
Use /dev/random, because it will not reuse the entropy pool. This can lead to blocking while creating the key, which takes longer, but is much safer.

dd if=/dev/random of=/root/test.key bs=256 count=8

Restrict the keyfile's permissions so that only root can read it; anyone who can read the file can open the disk.

Add the key:

cryptsetup luksAddKey /dev/sdc /root/test.key
(enter passphrase)

Mapping with the keyfile instead of the passphrase:

cryptsetup luksOpen /dev/sdc sdc_encryptet --key-file /root/test.key
Managing key slots!

I cannot stress enough how dangerous this can be: you could end up with a hard disk that you have no chance to access if you delete the wrong entry!!
A little safety notice: in case you kill the keyslot, you will still be required to enter a valid passphrase, and in case you want to kill the passphrase, you will need a valid keyfile.

First view the used keyslots. In this case, there should only be two used slots.

cryptsetup luksDump /dev/sdc

0) The passphrase, because we started with this!
1) The keyfile, because we added this as nr. 2.

Kill the key. When this is done ONLY the passphrase will be able to decrypt:

cryptsetup luksKillSlot /dev/sdc 1

Kill the passphrase. When this is done ONLY the KEY will be able to decrypt:

cryptsetup luksKillSlot /dev/sdc 0 --key-file /root/test.key

Adding a new passphrase, when ONLY the key is currently available:

cryptsetup luksAddKey /dev/sdc --key-file /root/test.key
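Because killing the wrong slot leaves the disk unrecoverable, the following added example (not part of the original guide) parses the "Key Slot N: ENABLED/DISABLED" lines that cryptsetup luksDump prints and refuses a luksKillSlot that would remove the last enabled slot or target a slot that is not in use. The dump text embedded below is constructed to mirror the two-slot state described above; the function names (enabled_slots, kill_is_safe, safe_kill_slot) are mine.

```shell
#!/bin/sh
# Added example: guard "cryptsetup luksKillSlot" so that the last enabled
# key slot can never be removed by accident. Not from the original guide.

# Constructed luksDump output in the LUKS1 layout printed by cryptsetup 1.x
# (the salt/iteration values are placeholders, not a real header).
SAMPLE_DUMP='LUKS header information for /dev/sdc

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             123456
        Salt:                   00 11 22 33
Key Slot 1: ENABLED
        Iterations:             123456
        Salt:                   44 55 66 77
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the enabled slots, one per line. Reads dump text on stdin.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# Count the enabled slots (stdin: dump text).
count_enabled() {
    enabled_slots | wc -l | tr -d ' '
}

# kill_is_safe DUMP SLOT: return 0 only when SLOT is currently enabled and at
# least one other slot stays enabled after it is killed.
kill_is_safe() {
    dump="$1"; slot="$2"
    n=$(printf '%s\n' "$dump" | count_enabled)
    # A slot that is not enabled must not be touched at all.
    printf '%s\n' "$dump" | enabled_slots | grep -qx "$slot" || return 1
    [ "$n" -ge 2 ]
}

# safe_kill_slot DEVICE SLOT: read the live header, check, then kill.
# Usage (as root): safe_kill_slot /dev/sdc 1
safe_kill_slot() {
    dev="$1"; slot="$2"
    dump=$(cryptsetup luksDump "$dev") || return 2
    if kill_is_safe "$dump" "$slot"; then
        cryptsetup luksKillSlot "$dev" "$slot"
    else
        echo "refusing: slot $slot is not enabled or is the last enabled slot on $dev" >&2
        return 1
    fi
}
```

Run safe_kill_slot instead of a bare luksKillSlot; it still prompts for a valid passphrase or keyfile exactly as cryptsetup does, the guard only adds the slot count check in front of it.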
Backup

Create a backup of the header. This is needed in case a disk dies, the partition table becomes corrupt, or the first sectors are accidentally overwritten, which makes LUKS inaccessible.
/dev/sdc is the LUKS partition in this case.

cryptsetup luksHeaderBackup /dev/sdc --header-backup-file headerbackup.img

If one of the passphrases is changed, remember to create a new backup. Keep in mind that the backup contains the key slots as they were at that time, so an old backup can still open the disk with a passphrase you have since killed; store it off the machine and with restricted permissions.
Determine if the device contains a LUKS header

On the device. Without the "-v" it just signals its result via the exit status.

cryptsetup -v isLuks /dev/sdc

You can also use the more general test:

blkid -p /dev/sdc
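As an added example (not from the original guide), the script below does a first-bytes check for the LUKS1 magic and version that cryptsetup isLuks also relies on, which is handy for a header backup image that you want to sanity-check before trusting it, and compares the UUID that luksDump reports for a backup file and for the device. The sample files are constructed in a temporary directory and are not real headers; the function names (has_luks1_header, header_backup_matches, make_sample_files) are mine.

```shell
#!/bin/sh
# Added example: quick checks for LUKS header files and backups.
# "cryptsetup isLuks" is the authoritative test; this only inspects
# the first eight bytes and the reported UUID. Not from the original guide.

# has_luks1_header PATH: return 0 when PATH starts with the LUKS magic
# "LUKS\xba\xbe" followed by the big-endian version 0x0001 (LUKS1), else 1.
has_luks1_header() {
    # od prints the first 8 bytes as lowercase two-digit hex on one line.
    bytes=$(od -An -tx1 -N8 "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//')
    [ "$bytes" = "4c 55 4b 53 ba be 00 01" ]
}

# header_backup_matches BACKUP DEVICE: return 0 when cryptsetup reports the
# same UUID for the backup image and the device (luksDump accepts a file).
# Usage (as root): header_backup_matches headerbackup.img /dev/sdc
header_backup_matches() {
    backup_uuid=$(cryptsetup luksDump "$1" | sed -n 's/^UUID:[[:space:]]*//p')
    device_uuid=$(cryptsetup luksDump "$2" | sed -n 's/^UUID:[[:space:]]*//p')
    [ -n "$backup_uuid" ] && [ "$backup_uuid" = "$device_uuid" ]
}

# make_sample_files: create two constructed images in a temp dir and print
# the dir. luks1.img carries only the magic and version; plain.img is zeros.
make_sample_files() {
    dir=$(mktemp -d)
    printf 'LUKS\272\276\000\001' > "$dir/luks1.img"
    head -c 4096 /dev/zero >> "$dir/luks1.img"
    head -c 4096 /dev/zero > "$dir/plain.img"
    echo "$dir"
}
```

A backup image that fails has_luks1_header was not written by luksHeaderBackup (or has been damaged), and a backup whose UUID no longer matches the device belongs to a different or re-formatted volume; either way, take a fresh backup rather than relying on it.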
Removing LUKS

Simple: WARNING: This will delete all data on the hard disk.

cryptsetup remove sdc_encryptet

Next fdisk + format the device /dev/sdc. Formatting alone does not reliably overwrite the LUKS header at the start of the device, so overwrite the first megabytes with zeros first if you do not want blkid and cryptsetup to keep recognising the disk as LUKS.
- mdadm expanding!?
- Using a USB Dongle, with the key, to auto decrypt the device together with udev