How To Linux Hard Disk Encryption With LUKS

Configurare noua (How To)

Situatie

Many enterprises, small businesses, and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information, and much more. Linux supports the following cryptographic techniques to protect a hard disk, directory, and partition. All data that is written on any one of the following techniques will be automatically encrypted and decrypted on the fly.

Linux encryption methods

There are two methods to encrypt your data:

Filesystem stacked level encryption
  1. eCryptfs – It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu’s Encrypted Home Directory, natively within Google’s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
  2. EncFS -It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.
Block device level encryption
  1. Loop-AES – Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
  2. VeraCrypt – It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux based on TrueCrypt codebase.
  3. dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.

In this tutorial, I will explain how to encrypt your partitions using Linux Unified Key Setup-on-disk-format (LUKS) on your Linux based computer or laptop.

Solutie

Pasi de urmat
Install cryptsetup utility on Linux

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux user type the following apt-get command or apt command:

# apt-get install cryptsetup
OR
$ sudo apt install cryptsetup

Configure LUKS partition

WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you backup your data to an external source before typing any one of the following commands.

Open the terminal to list all Linux partitions/disks and then use the cryptsetup command:
# fdisk -l
The syntax is:
cryptsetup luksFormat --type luks1 /dev/DEVICE
cryptsetup luksFormat --type luks2 /dev/DEVICE

In this example, I’m going to encrypt /dev/xvdc. Type the following command:
# cryptsetup -y -v luksFormat /dev/xvdc

For example, set up cryptsetup on /dev/sdc with luks2 format, run:
Sample outputs:

WARNING!
========
This will overwrite data on /dev/xvdc irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

# cryptsetup -y -v --type luks2 luksFormat /dev/sdc
This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.Type the following command create a mapping:
# cryptsetup luksOpen /dev/xvdc backup2
Sample outputs:

Enter passphrase for /dev/xvdc:

You can see a mapping name /dev/mapper/backup2 after successful verification of the supplied key material which was created with luksFormat command extension:
# ls -l /dev/mapper/backup2

You can use the following command to see the status for the mapping:
# cryptsetup -v status backup2

You can dump LUKS headers using the following command:
# cryptsetup luksDump /dev/xvdc

Step 3: Format Linux LUKS partition

First, you need to write zeros to /dev/mapper/backup2 encrypted device. This will allocate block data with zeros. This ensures that outside world will see this as random data i.e. it protect against disclosure of usage patterns:
# dd if=/dev/zero of=/dev/mapper/backup2
The dd command may take many hours to complete. I suggest that you use pv command to monitor the progress:
# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M

You can also pass the status=progress option to the dd command:
# dd if=/dev/zero of=/dev/mapper/backup2 status=progress

Next, create a filesystem i.e. format filesystem, enter:
# mkfs.ext4 /dev/mapper/backup2

To mount the new filesystem at /backup2, enter:
# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l

How do I unmount and secure data?

Type the following commands:
# umount /backup2
# cryptsetup luksClose backup2

How do I mount or remount encrypted partition?

Type the following command:
# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount

How do I change LUKS passphrase (password) for encrypted partition?

Type the following command
### see key slots, max -8 i.e. max 8 passwords can be setup for each device ####
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc

Enter any passphrase: 
Enter new passphrase for key slot: 
Verify passphrase: 

Remove or delete the old password:
# cryptsetup luksRemoveKey /dev/xvdc

Tip solutie

Permanent

Voteaza

(11 din 26 persoane apreciaza acest articol)

Despre Autor

Leave A Comment?