Make a LUKS encrypted drive
From Infected Technologies
LUKS is the Linux Unified Key Setup.
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.
While LUKS is a standard on-disk format, there is also a reference implementation. LUKS for dm-crypt is implemented in an enhanced version of cryptsetup.
Read more about LUKS here.
Preparing the device
The first thing to do is to prepare the device. There are many ways to do this, and you may also choose to skip it altogether.
badblocks
The quickest and dirtiest way to prepare a device is to use badblocks to fill it with random garbage. This is generally a good solution, considering how CPU intensive it is to generate gigabytes (or more) of random data. To fill the device using badblocks, use the following command:
badblocks -c 10240 -s -w -t random -v /dev/sdX
Replace /dev/sdX with the respective device you want to fill with random data. It should go without saying that all data on the device will be completely destroyed (that's kind of the point, is it not?).
dd
If you are lucky enough to possess a method of producing large amounts of "truly" random entropy, you may want to use a more "random" generator instead. I use a HiFn 7956 crypto accelerator to produce random entropy; it is still a lengthy process. To speed it up a little without compromising too much on security, using urandom instead of random is perhaps a good idea.
time dd if=/dev/urandom of=/dev/sdX bs=1M
Wait for it to finish; this may take a very long time. Whether you use badblocks or a dd dump from /dev/random, this is a very time-consuming process, so make sure you have something to spend a few hours on :)
Partitioning
Open the drive with fdisk and create partitions as per normal procedure.
fdisk /dev/sdX
Password
Setting up a password-protected volume.
cryptsetup --verbose --verify-passphrase -c serpent luksFormat /dev/sdX1
Note that you must specify the newly created partition, not the entire device: thus sdX1, not sdX. In the example Serpent is used. AES is the default; to use AES, just run luksFormat without the -c parameter.
Opening device
Run the following command to open the LUKS device; at this point you will be prompted for the password.
cryptsetup luksOpen /dev/sdX1 sdX
Key file
Setting up a volume using a key file.
Generating key file
In theory, any file can be used. However, to obtain a "sane" key file, it is wise to generate one at random.
dd if=/dev/random of=mykey.key bs=512 count=16
This generates an 8192-byte key file; alter the bs and count values to generate a file of the appropriate length.
Creating the volume
After the key file has been generated, or selected, we can create the volume.
cryptsetup luksFormat /dev/sdX1 /home/user/mykey.key
Add -c to select a different cipher, such as Serpent instead of the default AES.
Opening device
After the device has been created, it must be opened and then mounted on the system.
cryptsetup -d /home/user/mykey.key luksOpen /dev/sdX1 sdX
Creating a filesystem
Whether you have chosen a key file or a password, a filesystem is required. Run this command on the opened device:
mkfs.ext3 -j /dev/mapper/sdX
Note the /dev/mapper location of the device. You may use a filesystem other than ext3 if desired.
Mounting device
LUKS devices that are opened on the system can be found in the /dev/mapper/ directory. After the device has been opened (and contains a filesystem) it can be mounted like any regular device.
mount /dev/mapper/sdX /mnt/mycrypt
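The key-file variant of the procedure above, wrapped in a small POSIX shell script with the checks a careless run would miss (this is an added example, not from the original page). It assumes cryptsetup and mkfs.ext3 are installed, draws the key from /dev/urandom rather than the page's /dev/random so it does not block, and takes the device, key file path, mapper name and mount point as caller-supplied placeholders.

```shell
#!/bin/sh
# Added example: guarded version of the page's key-file procedure.

# The page stresses that luksFormat must target a partition (sdX1), never the
# whole disk (sdX). Heuristic for the sdX naming used on the page: a node
# ending in a digit is treated as a partition. NVMe/MMC names (nvme0n1 is a
# whole disk, nvme0n1p1 a partition) would need a different rule.
is_partition_node() {
    case "$1" in
        /dev/*[0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

# Generate a random key file of the page's size (512 * 16 = 8192 bytes).
# Refuses to overwrite an existing key, creates it with a restrictive umask so
# it is never world-readable even briefly, then locks it to owner read-only.
# Prints the resulting size in bytes.
generate_keyfile() {
    keyfile="$1"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key file $keyfile" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=16 2>/dev/null ) || return 1
    chmod 400 "$keyfile"
    wc -c < "$keyfile" | tr -d ' '
}

# Format, open, create a filesystem on, and mount the device (needs root).
# Aborts if the target is a whole disk or is currently mounted, so the
# irreversible luksFormat step cannot be aimed at the wrong device.
setup_luks_volume() {
    dev="$1"; keyfile="$2"; name="$3"; mountpoint="$4"
    is_partition_node "$dev" || { echo "$dev is not a partition node" >&2; return 1; }
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "$dev is currently mounted; aborting" >&2
        return 1
    fi
    cryptsetup luksFormat "$dev" "$keyfile" || return 1
    cryptsetup -d "$keyfile" luksOpen "$dev" "$name" || return 1
    mkfs.ext3 "/dev/mapper/$name" || return 1
    mkdir -p "$mountpoint" && mount "/dev/mapper/$name" "$mountpoint"
}

# Usage (as root), with placeholder paths:
#   generate_keyfile /root/mykey.key
#   setup_luks_volume /dev/sdX1 /root/mykey.key sdX /mnt/mycrypt
```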