LUKS
Vlad edited this page May 28, 2020
·
2 revisions
# Install packages
sudo apt install cryptsetup
# List disks
# Identify the target disk (size, model) before going further: every command
# below that names /dev/sdc must be adjusted to the device found here.
sudo lsblk
# OR
sudo fdisk -l | grep ^Disk
# Format disk
# WARNING: luksFormat writes a new LUKS header to the device, so anything
# previously stored on it becomes inaccessible. Double-check the device name.
# The passphrase entered here remains a valid way to unlock the disk even after
# a keyfile is added later, so pick a strong one.
# Consider saving a copy of the header afterwards (cryptsetup luksHeaderBackup)
# and storing it offline: a damaged header makes the data unrecoverable, and
# the backup itself contains the key slots, so it needs the same protection.
sudo cryptsetup luksFormat /dev/sdc
# Open disk (will create /dev/mapper/encrypted_drive)
sudo cryptsetup luksOpen /dev/sdc encrypted_drive
# Set up LVM on the disk with EXT4 file system
# The physical volume sits on the decrypted mapping, not on /dev/sdc itself,
# so everything LVM and ext4 write goes through the encryption layer.
sudo pvcreate /dev/mapper/encrypted_drive
sudo vgcreate encrypted /dev/mapper/encrypted_drive
# One logical volume named "data" using all free space in volume group "encrypted".
sudo lvcreate -l 100%FREE -n data /dev/encrypted
sudo mkfs.ext4 /dev/encrypted/data
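# Generate keyfile
# 4 KiB of random data. The file is created under umask 077 so it is never
# readable by other users, not even in the moment between dd and chmod.
# NOTE: a keyfile stored on an unencrypted root filesystem protects the data
# disk only when the two disks are separated; anyone holding both can unlock
# it. Keep /root on encrypted storage if that matters for your threat model.
sudo sh -c 'umask 077 && dd bs=1024 count=4 if=/dev/urandom of=/root/keyfile'
sudo chmod 0400 /root/keyfile
# Add keyfile to LUKS device
# Prompts for an existing passphrase, then stores the keyfile in a free key
# slot; the original passphrase keeps working alongside it.
sudo cryptsetup luksAddKey /dev/sdc /root/keyfile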
# Get device UUID
# Use the UUID of the LUKS container (/dev/sdc), not of the filesystem inside
# it. Referring to the UUID keeps the entry valid if the kernel assigns the
# disk a different /dev/sdX name on a later boot.
sudo blkid /dev/sdc
# Unlock partition on boot
# crypttab fields: mapping name, source device, keyfile, options.
# Replace the UUID below with the value blkid printed for your device.
# "discard" passes TRIM requests through to the underlying disk. That helps
# SSDs but reveals which blocks are unused to anyone inspecting the raw device;
# drop the option if that leak is not acceptable.
# tee -a appends: running this line twice leaves a duplicate entry.
echo 'encrypted_drive UUID=f481c1ee-0ebe-43eb-9833-faa6e86d5484 /root/keyfile luks,discard' | sudo tee -a /etc/crypttab
# Mount the disk
sudo mkdir -p /encrypted_data
# fstab fields: device, mount point, type, options, dump, fsck pass order.
echo '/dev/encrypted/data /encrypted_data ext4 defaults 0 2' | sudo tee -a /etc/fstab
# Mounts everything listed in fstab; this works now because the mapping was
# opened by luksOpen earlier. After a reboot crypttab must unlock it first.
sudo mount -a
# Misc
# NOTE(review): the commands in this section use /dev/sdb and /data/encrypted,
# while the setup steps use /dev/sdc and /encrypted_data. Adjust the device
# and mount point to match your own system before running them.
## Open and mount
# Unlock with the keyfile (no passphrase prompt), activate the volume group
# inside the mapping, then mount the logical volume.
sudo cryptsetup --key-file /root/keyfile luksOpen /dev/sdb encrypted_drive
sudo vgchange -a y encrypted
sudo mount /dev/encrypted/data /data/encrypted
## Close and unmount
# Reverse order of opening: unmount, deactivate the volume group, then remove
# the decrypted mapping so the data is only reachable with a key again.
sudo umount /data/encrypted
sudo vgchange -a n encrypted
sudo cryptsetup luksClose /dev/mapper/encrypted_drive
## Change passphrase (disk must not be mounted or open)
# NOTE(review): key-slot operations only rewrite the LUKS header, and
# cryptsetup normally allows them while the device is open - confirm whether
# the restriction above is really needed.
# -S 0 selects key slot 0; check with "cryptsetup luksDump" which slot holds
# the passphrase and which holds the keyfile before changing anything.
sudo cryptsetup luksChangeKey /dev/sdb -S 0
## Custom ciphers
# With XTS the 512-bit key is split into two 256-bit halves, i.e. AES-256.
# This is a luksFormat call: it wipes the existing header like the one in the
# setup steps, so it is for new disks only.
sudo cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/sdb
## Benchmark different ciphers
# Measures in memory only; no disk is touched.
sudo cryptsetup benchmark
- https://devopspoints.com/ubuntu-server-18-04-encrypting-and-decrypting-disks-with-luks.html
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
- https://www.erianna.com/adding-an-secondary-encrypted-drive-with-lvm-to-ubuntu-linux/
- https://www.cyberciti.biz/security/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/