Linux Hard Disk Encryption With LUKS
What LUKS is:
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions
but also provides secure management of multiple user passphrases. In contrast to earlier solutions, LUKS stores all the necessary setup information in
the partition header, so users can transport or migrate their data seamlessly.
What LUKS does:
- LUKS encrypts entire block devices and is therefore well suited to protecting the contents of mobile devices such as removable storage media or laptop
disk drives.
- The contents of the encrypted block device are arbitrary, which makes LUKS useful for encrypting swap devices and for databases that store their data on
specially formatted block devices.
- LUKS uses the existing device mapper (dm-crypt) kernel subsystem.
- LUKS derives the encryption key from the passphrase with a slow key-derivation function (passphrase strengthening), which slows down dictionary and brute-force attacks.
- LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
HowTo: Linux Hard Disk Encryption With LUKS:
Step #1: Configure LUKS partition
WARNING! The following command will destroy all data on the partition you are encrypting. You WILL lose all your information, so back up your data
to an external source such as a NAS or another hard disk before typing any of the following commands.
In this example, I'm going to encrypt /dev/xvdc. Type the following command:
# cryptsetup -y -v luksFormat /dev/xvdc
Sample outputs:
WARNING!
========
This will overwrite data on /dev/xvdc irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
This command initializes the volume and sets an initial key or passphrase. Note that the passphrase is not recoverable, so do not forget it. Type
the following command to create a mapping:
# cryptsetup luksOpen /dev/xvdc backup2
Sample outputs:
Enter passphrase for /dev/xvdc:
After the supplied passphrase has been verified against the key slots created by luksFormat, the decrypted device is available under the mapping name /dev/mapper/backup2:
# ls -l /dev/mapper/backup2
Sample outputs:
lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0
You can use the following command to see the status for the mapping:
# cryptsetup -v status backup2
Sample outputs:
/dev/mapper/backup2 is active.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/xvdc
offset: 4096 sectors
size: 419426304 sectors
mode: read/write
Command successful.
The type, cipher and key size shown depend on your cryptsetup version: the output above comes from an older release that defaulted to LUKS1 and aes-cbc-essiv:sha256, while current releases default to LUKS2 with aes-xts-plain64. You can dump the LUKS header (metadata and key slot state only; the master key is never printed) with:
# cryptsetup luksDump /dev/xvdc
Step #2: Zero-fill the LUKS partition
First, write zeros to the /dev/mapper/backup2 device. Because the zeros pass through the encryption layer, the underlying /dev/xvdc ends up filled with
ciphertext that is indistinguishable from random data, so an observer cannot tell which blocks hold real data (this protects against disclosure of usage patterns):
# dd if=/dev/zero of=/dev/mapper/backup2 bs=1M status=progress
The dd command may take many hours to complete, and it ends with a "No space left on device" error once the device is full; that is expected.
Step #3: Create a filesystem
Enter:
# mkfs.ext4 /dev/mapper/backup2
Step #4: Mount the new filesystem at /backup2
Enter:
# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l
To unmount and lock the encrypted volume, type the following commands. Unmounting alone is not enough: the mapping stays open and the key stays in kernel memory until you close it with luksClose:
# umount /backup2
# cryptsetup luksClose backup2
To remount the encrypted partition, type the following commands:
# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount
Change the LUKS passphrase (password) for the encrypted partition:
LUKS1 headers have eight key slots (LUKS2 has more), so the safe way to change a passphrase is to add the new one first, check with luksDump that the new slot is enabled, and only then remove the old one. Type the following commands:
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
Remove or delete the old passphrase:
# cryptsetup luksRemoveKey /dev/xvdc
Note that luksRemoveKey deletes whichever key slot matches the passphrase you type, so enter the old passphrase here, not the new one. Never remove the last enabled slot, or the data becomes unrecoverable; backing up the header first with cryptsetup luksHeaderBackup is cheap insurance. cryptsetup luksChangeKey /dev/xvdc performs the add-and-remove in a single step if you prefer.
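The add-then-remove procedure above is easy to get wrong by hand (removing the wrong slot, or removing the only slot). The script below is an added example, not part of the original article: it backs up the header, adds the new passphrase, parses the luksDump output to confirm that a second key slot is enabled, and only then calls luksRemoveKey. It assumes cryptsetup is installed, that it runs as root, and that the device argument is the LUKS device from the article (/dev/xvdc); the header backup path under /root is a hypothetical choice. The parser handles both LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("N: luks2" entries under "Keyslots:") dump formats.

```bash
#!/bin/sh
# Added example (not from the original article): rotate a LUKS passphrase without ever
# leaving the header with zero usable key slots. Assumes cryptsetup is installed, the
# script runs as root, and the device argument is the LUKS device from the article
# (/dev/xvdc). The header backup path under /root is a hypothetical choice.
set -eu

# count_enabled_slots: read `cryptsetup luksDump` output on stdin and print how many
# key slots are enabled. Understands LUKS1 ("Key Slot N: ENABLED") and LUKS2
# (numbered "N: luks2" entries under the "Keyslots:" section).
count_enabled_slots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { n++ }              # LUKS1 slot line
    /^Keyslots:/                { in_ks = 1; next }  # LUKS2 keyslot section begins
    /^[A-Z][A-Za-z ]*:/         { in_ks = 0 }        # any other top-level section ends it
    in_ks && /^  [0-9]+: luks2/ { n++ }              # one LUKS2 keyslot entry
    END { print n + 0 }
  '
}

# require_spare_slot: succeed only if the dump on stdin shows two or more enabled slots,
# i.e. removing one passphrase still leaves another way to unlock the volume.
require_spare_slot() {
  [ "$(count_enabled_slots)" -ge 2 ]
}

# rotate_passphrase DEV: back up the header, add the new passphrase, confirm a second
# slot is now enabled, then remove the old passphrase (luksRemoveKey deletes the slot
# whose passphrase you type, so type the OLD one at that prompt).
rotate_passphrase() {
  dev=$1
  backup="/root/luks-header-$(basename "$dev")-$(date +%Y%m%d%H%M%S).img"  # hypothetical path
  cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
  chmod 600 "$backup"
  echo "header backed up to $backup; enabled slots: $(cryptsetup luksDump "$dev" | count_enabled_slots)"

  cryptsetup luksAddKey "$dev"        # prompts: an existing passphrase, then the new one twice
  if ! cryptsetup luksDump "$dev" | require_spare_slot; then
    echo "new key slot is not enabled; refusing to remove the old passphrase" >&2
    return 1
  fi
  cryptsetup luksRemoveKey "$dev"     # prompts for the passphrase to remove: the OLD one
  echo "rotation done; enabled slots: $(cryptsetup luksDump "$dev" | count_enabled_slots)"
}

# Usage: sh rotate-luks-passphrase.sh /dev/xvdc
if [ "$#" -eq 1 ]; then
  rotate_passphrase "$1"
fi
```

Run it as root with the device as the only argument. The header backup it writes contains the key slots, so anyone who obtains it can run an offline passphrase attack against the volume; store it as carefully as the passphrase itself and delete it once the rotation is confirmed.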