Linux Unified Key Setup

From frogzie


1 Overview

The Linux Unified Key Setup (LUKS) provides disk (partition) encryption. A passphrase is required to access the encrypted data. That passphrase can be stored in a key file on a storage medium so that decryption happens automatically, with no user input required. This setup is useful, for example, for an encrypted removable disk whose passphrase is stored on another (fixed) device.

Note: encryption has a performance cost (cf. benchmark), so it should only be applied to sensitive data.

2 Environment

Laptop set up with CentOS-8.1 and its 120-GiB SSD partitioned as follows (cf. LVM):

  • /dev/sda1                 1 GiB   ext4      /boot
  • /dev/sda2               118 GiB   lvm2_pv   cl       (cl: volume group name)
    • /dev/mapper/cl-swap     8 GiB   swap
    • /dev/mapper/cl-root    50 GiB   XFS       /
    • /dev/mapper/cl-home    20 GiB   XFS       /home
    • /dev/mapper/cl-data1   20 GiB   ext4      /data1
    • /dev/mapper/cl-data2   20 GiB   ext4      /data2

3 Objective

  • Set up Linux Unified Key Setup (LUKS) encryption on the ext4 partition /data1

4 How to

  • Initialise data1 as a LUKS-encrypted ext4 partition
    • umount /dev/mapper/cl-data1
    • cryptsetup --force-password --type luks2 luksFormat /dev/mapper/cl-data1
      • Passphrase? e.g. encrypted
    • cryptsetup open /dev/mapper/cl-data1 encrypted     ("encrypted": given mapping name)
      • Passphrase? e.g. encrypted
    • mkfs.ext4 /dev/mapper/encrypted     (the opened mapping, not the underlying cl-data1 volume)
    • cryptsetup close encrypted

Now the ext4 partition is encrypted. The next step is to store the passphrase in a file so that it does not have to be re-entered at each reboot.

  • Generate a passphrase into a file (e.g. /root/lukskey)
    • dd if=/dev/random bs=32 count=1 of=/root/lukskey
  • Tell LUKS where the passphrase is stored
    • cryptsetup --force-password --type luks2 luksAddKey /dev/mapper/cl-data1 /root/lukskey
      • Any existing passphrase? encrypted
    • edit /etc/crypttab
      • encrypted /dev/mapper/cl-data1 /root/lukskey
  • Get the encrypted partition mounted at boot time
    • edit /etc/fstab
      • /dev/mapper/encrypted /data1 ext4 defaults 0 0
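Before rebooting, the crypttab entry, the key file and the fstab entry can be cross-checked for the mistakes that leave the system hanging at boot (a key file that is missing or world-readable, or an fstab line that mounts the underlying logical volume instead of the mapping). The script below is an added example, not part of the original page: it assumes a Linux system with GNU stat, and its demo builds stand-in copies of /etc/crypttab, /etc/fstab and /root/lukskey in a temporary directory rather than touching the real files.

```bash
#!/bin/sh
# Added example, not from the original page: sanity-check the automatic
# unlock set-up before rebooting. Arguments are the mapping name and the
# paths to crypttab and fstab (stand-ins for /etc/crypttab and /etc/fstab).
# Exit codes: 0 ok, 1 no crypttab entry, 2 relative keyfile path,
# 3 keyfile missing, 4 keyfile not root-only, 5 fstab does not use the mapping.
check_luks_automount() {
    name=$1; crypttab=$2; fstab=$3
    # crypttab format: <name> <device> <keyfile> [options]
    line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    [ -n "$line" ] || { echo "no crypttab entry for $name"; return 1; }
    keyfile=$(printf '%s\n' "$line" | awk '{ print $3 }')
    case "$keyfile" in
        /*) ;;
        *) echo "keyfile path must be absolute, got '$keyfile'"; return 2 ;;
    esac
    [ -f "$keyfile" ] || { echo "keyfile $keyfile missing"; return 3; }
    # A readable keyfile defeats the encryption: require mode 0400 or 0600.
    mode=$(stat -c '%a' "$keyfile")
    case "$mode" in
        400|600) ;;
        *) echo "keyfile $keyfile has mode $mode, expected 400 or 600"; return 4 ;;
    esac
    # fstab must mount the mapped device /dev/mapper/<name>, not the
    # underlying logical volume (here /dev/mapper/cl-data1).
    awk -v dev="/dev/mapper/$name" '$1 == dev { found = 1 } END { exit !found }' "$fstab" \
        || { echo "fstab has no entry for /dev/mapper/$name"; return 5; }
    return 0
}

# Constructed demo: recreate the page's entries in a temp dir, optionally
# injecting one mistake (world_readable | wrong_fstab_dev); returns the check's code.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom bs=32 count=1 of="$d/lukskey" 2>/dev/null
    chmod 0400 "$d/lukskey"
    [ "$1" = world_readable ] && chmod 0644 "$d/lukskey"
    printf 'encrypted /dev/mapper/cl-data1 %s\n' "$d/lukskey" > "$d/crypttab"
    dev=/dev/mapper/encrypted
    [ "$1" = wrong_fstab_dev ] && dev=/dev/mapper/cl-data1
    printf '%s /data1 ext4 defaults 0 0\n' "$dev" > "$d/fstab"
    rc=0
    check_luks_automount encrypted "$d/crypttab" "$d/fstab" || rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "automatic unlock set-up looks consistent"
```

On the real system, run `check_luks_automount encrypted /etc/crypttab /etc/fstab` as root instead of `demo`.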

5 Reset the system and check

  • init 6
  • cryptsetup status /dev/mapper/encrypted
