Distroname and release: Debian Wheezy

Encrypt disk with DM-Crypt Luks

In this short guide we will encrypt a disk with DM-Crypt and Luks.
This guide is not very detailed, but only shows in short terms, how this can be done.

Make sure you have backup, if something terrible happen and you cannot boot the system.
Adding DM-Crypt with LUKS-Header on an disk/partition which contains data will erase ALL the data!

Use a usb disk to hold the boot, then the complete harddisk is encryptet, and we can ensure that noone "injects" hacked code to our libraries.
See here for more information why this is a good idea!
This procedure still requires local access to the server, and the password for the keyfile is entered after the "patched" software have been applied.

Installation and setup

In these examples /dev/sdc is a new unformated disk from which we will create a new key protected full disk encryption.

Whipe the disk...
This is done, so there is all random data on the partition, even on a new disk. This could take quite some time, depending on the disk size.
Doing this will "create data" on a new disk, so it becomes must more difficult to decrypt an encryptet disk with data recovery tools.

cat /dev/zero > /dev/sdc
Or using dd_resuce, requires the ddrescue package, which shows a nice progressbar available in versions later than 1.17-
dd_rescue -f /dev/zero /dev/md0


aptitude install cryptsetup-luks
modprobe dm_mod
Make sure that dm_mod loads at boot!
echo 'dm_mod' >> /etc/modules
Create the needed partiton(s) or just use the whole device.
cryptsetup luksFormat /dev/sdc (answer YES, NOTE UPPERCASE)
Create mapper
cryptsetup luksOpen /dev/sdc sdc_encryptet
Create filesystem, and optional partitions.
mkfs.ext4 /dev/mapper/sdc_encryptet
Create mountpoint and mount
mkdir /mnt/sdc_encryptet
Now mount the encryptet filesystem
mount /dev/mapper/sdc_encryptet /mnt/sdc_encryptet
Now you can do work in the filesystem! To close/lock the encryptet filesystem use the parameter luksClose
umount /mnt/sdc_encryptet
cryptsetup luksClose sdc_encryptet

Using a keyfile:

Create Key:
Use /dev/random, because it will not reuse the entropy pool, this can leed to locks while creating the key which would take longer time, but much safer.
dd if=/dev/random of=root/test.key bs=256 count=8
Add key:
cryptsetup luksAddKey /dev/sdc /root/test.key
(enter passphrase)
Mapping with keyfile instead of passphrasels:
cryptsetup luksOpen /dev/sdc sdc_encryptet --keyfile /root/test.key

Managing Key-Slots!

I cannot clarify how dangerous this could be, you could end up with an harddisk that you have no chance to access if you delete the wrong entry!!
A little safety notice, you will still require, in case you kill the keyslot to enter a valid passphrase, and in case you want to kill the passphrase to enter a valid keyslot. First view used keyslots. In this case, there should only be two used slots.
cryptsetup luksDump /dev/sdc

0) The passphrase because we started with this!
1) The keyfile because we added this as nr. 2.
Kill the key When this is done ONLY the passphrase will be able to decrypt.:
cryptsetup luksKillSlot /dev/sdc 1
Kill the passphrase When this is done ONLY the KEY will be able to decrypt.:
cryptsetup luksKillSlot /dev/sdc 0 --key-file /root/test.key
Adding new passphrase, when ONLY key is currently available:
cryptsetup luksAddkey /dev/sdc --key-file /root/test.key


Create a backup of the header. This is needed, in case a disks dies, the partition table becomes corrupt, or incedentical overwrite of first sectors, which makes LUKS inaccessible.
/dev/sdc is the LUKS partition in this case.
cryptsetup luksHeaderBackup /dev/sdc --header-backup-file headerbackup.img
If one of the passphrases is changed remember to create a new backup

Determine if the device contains LUKS header

On the device. Without the "-v" it just signals its result via exit-status.
cryptsetup -v isLuks /dev/sdc
You can also use the more general test
blkid -p /dev/sdc

Removing luks

Simple: WARNING: This will delete all data on the harddisk
cryptsetup remove /dev/mapper/sdc_encryptet /dev/sdc
Next fdisk+format the device /dec/sdc

To come..

  • mdadm expanding!?
  • Using a USB Dongle, with the key, to auto decrypt the device together with udev

Do not trust the authors words! POC, tests and experience is key

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.

Valid HTML 4.01 Strict Valid CSS!