Linux disk encryption

Дусал нэвтэрхий толь-с
19:54, 24 Аравдугаар сар 2020-ий байдлаарх Almas (Яриа | оруулсан хувь нэмэр) хэрэглэгчийн хийсэн залруулга


2. Create the key file in the unencrypted /boot partition

  1. dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4

or # dd bs=256 count=1 if=/dev/random | base64 > keyfile

3. Set permissions

  1. chmod 0400 /boot/keyfile

Step 3: Encrypt the disk using LUKS

We’re now ready to get to the fun part, and encrypt the disk or partition.

To start, check the name of the disk you want to use, using lsblk:

$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 30G 0 disk ├─sda1 8:1 0 29.9G 0 part / ├─sda14 8:14 0 4M 0 part └─sda15 8:15 0 106M 0 part /boot/efi sdb 8:16 0 4G 0 disk └─sdb1 8:17 0 4G 0 part /mnt sdc 8:32 0 32G 0 disk

In this example, I’m going to use the sdc disk. This is likely going to be different for you, so make sure you replace the disk name in all the commands below.

   Watch out! The commands below will delete all files on the drive you select.

Before we start, install the cryptsetup utility:

  1. Debian, Ubuntu, Raspbian…

apt install -y cryptsetup

  1. CentOS, Fedora, RedHat

yum install -y cryptsetup-luks

First, if your disk doesn’t have a partition yet (like mine), create a GPT partition table and a partition (without formatting it):

  1. Replace sdc with the drive you want to use

parted /dev/sdc mklabel gpt parted -a opt /dev/sdc mkpart datadisk ext4 0% 100%

Encrypt the sdc1 partition using LUKS, create an ext4 volume in that partition, and then close the encrypted volume. In all commands that require a keyfile, we’re invoking the /etc/luks/ script that we created before, and telling cryptsetup to read the keyfile from stdin.

  1. Encrypt the disk
  2. Replace sdc1 with the correct partition!

/etc/luks/ | cryptsetup -d - -v luksFormat /dev/sdc1

  1. Open the encrypted volume, with the name "data"
  2. Replace sdc1 with the correct partition!

/etc/luks/ | cryptsetup -d - -v luksOpen /dev/sdc1 data

  1. Create a filesystem on the encrypted volume

mkfs.ext4 -F /dev/mapper/data

  1. Close the encrypted volume

cryptsetup -v luksClose data

4. Add the new file as unlock key to the encrypted volume

  1. cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile

Enter any passphrase:

Enter your old/existing passphrase here. Expected output:

Key slot 0 unlocked. Command successful.

Note:The device names may vary depending on the hypervisor: XenServer would assign "xvda", Proxmox would assign "vda", while VMware would stick to "sda". 5. Find the UUID of /dev/sda1

  1. ls -l /dev/disk/by-uuid/

6. Edit /etc/crypttab

Edit the contents of file /etc/crypttab (use the UUID of /dev/sda1 from the previous step)

  1. vi /etc/crypttab

This contents should be:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks

(The UUID may be different)

The changes we'll be making:

   Replace the 3rd parameter ‐ none ‐ with /dev/disk/by-uuid/<uuid>:/keyfile with the UUID for sda1
   Replace the 4th parameter ‐ luks‐ with luks,keyscript=/lib/cryptsetup/scripts/passdev

The final result:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

In this case the UUID for our /dev/sda1 UUID was 2a5e9b7f....

If you run into any issues with file permissions, run:

  1. chmod 0777 /etc/crypttab

After editing, run the following to reset the permissions:

  1. chmod 0440 /etc/crypttab

7. Generate a new initramfs disk

  1. mkinitramfs -o /boot/initrd.img-4.9.0-7-amd64 \

(Make sure 4.9.0-7 is your version, as on step 1)

8. Cross your fingers and reboot

  1. reboot

Congratulations: You have effectively short-circuited the security of the encrypted drive. Be careful now!