{"id":22,"date":"2006-11-08T21:15:15","date_gmt":"2006-11-08T19:15:15","guid":{"rendered":"http:\/\/blogs.igalia.com\/berto\/2006\/11\/08\/disk-encryption-in-linux-iv-encrypting-a-full-partition-with-luks\/"},"modified":"2006-11-08T21:15:15","modified_gmt":"2006-11-08T19:15:15","slug":"disk-encryption-in-linux-iv-encrypting-a-full-partition-with-luks","status":"publish","type":"post","link":"https:\/\/blogs.igalia.com\/berto\/2006\/11\/08\/disk-encryption-in-linux-iv-encrypting-a-full-partition-with-luks\/","title":{"rendered":"Disk encryption in Linux (IV): Encrypting a full partition with LUKS"},"content":{"rendered":"

LUKS<\/a> is a hard disk encryption standard for Linux created by Clemens Fruhwirth. Althought the reference implementation is based on dm-crypt<\/a>, it has several improvements over plain dm-crypt (as seen in the third post in this series), including support for multiple keys and passphrase revocation.<\/p>\n

To use LUKS you’ll need a recent cryptsetup<\/em> package (Debian sarge users can get it from backports.org<\/a>). You will also need an empty partition to encrypt. You should fill it with random data before beginning:<\/p>\n

\n$ shred -v \/dev\/hdaX\n<\/pre>\n
Now you have to initialize that partition with LUKS:<\/p>\n
\n$ cryptsetup luksFormat \/dev\/hdaX\n<\/pre>\n
A random key will be generated and you will be asked a passphrase to encrypt it. Now you can decrypt<\/em> your newly created LUKS partition and begin to use it:<\/p>\n
\n$ cryptsetup luksOpen \/dev\/hdaX myname\n<\/pre>\n
Here, myname<\/tt> is the name of the device that will be created under \/dev\/mapper<\/tt>. Now it’s time to create a filesystem:<\/p>\n
\n$ mke2fs \/dev\/mapper\/myname\n<\/pre>\n
Now you can mount and use \/dev\/mapper\/myname<\/tt> just like any other filesystem. When you’re done, unmount it and close<\/em> the LUKS device so it won’t be accessible anymore until you open it again:<\/p>\n
\n$ cryptsetup luksClose myname\n<\/pre>\n
So far so good, but how do you mount that partition automatically on boot? Just put this in your \/etc\/crypttab<\/tt> (and don’t forget to add \/dev\/mapper\/myname<\/tt> to your \/etc\/fstab<\/tt> file!):<\/p>\n
\nmyname    \/dev\/hdaX    none    luks,check=ext2\n<\/pre>\n
myname<\/tt> is the encrypted device that will appear under \/dev\/mapper<\/tt> and \/dev\/hdaX<\/tt> is the original device.<\/p>\n
The third field, none<\/tt>, means that the key to decrypt the filesystem is not stored anywhere, so cryptsetup<\/em> will ask you during boot.<\/p>\n
The fourth field lists misc options: luks<\/tt> means that the partition is encrypted with LUKS format (as opposed to plain dm-crypt format). check=ext2<\/tt> will make cryptsetup<\/em> look for an ext2\/ext3 filesystem on the decrypted partition. That way, cryptsetup<\/em> will notice whether you introduced the right passphrase and ask it again in case you typed it incorrectly. There are several partition checks (not just ext2), and you can write your own scripts. Just have a look at \/lib\/cryptsetup\/checks\/<\/tt>.<\/p>\n
And that’s all for the basic usage, but there are some other nice things that you can do, such as adding more valid passphrases to a LUKS partition:<\/p>\n
\n$ cryptsetup luksAddKey \/dev\/hdaX\n<\/pre>\n
You can see some information about the partition (including the number of valid passphrases available):<\/p>\n
\n$ cryptsetup luksDump \/dev\/hdaX\n<\/pre>\n
And obviously you can remove any passphrase:<\/p>\n
\n$ cryptsetup luksDelKey \/dev\/hdaX slot\n<\/pre>\n
Where slot<\/em> is the number of the key slot you want to remove (you can see it with luksDump<\/tt>).<\/p>\n
And that’s enough by now. As you can see, it’s not that hard to keep your data secure. Keep in mind, however, that encrypting a whole partition introduces some extra overhead, so your system will be slower. You don’t have to encrypt everything (i.e. under \/usr<\/tt> you probably don’t have any confidential data). Choose wisely and enjoy!.<\/p>\n","protected":false},"excerpt":{"rendered":"
LUKS is a hard disk encryption standard for Linux created by Clemens Fruhwirth. Althought the reference implementation is based on dm-crypt, it has several improvements over plain dm-crypt (as seen in the third post in this series), including support for multiple keys and passphrase revocation. To use LUKS you’ll need a recent cryptsetup package (Debian […]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,9,10,12],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-english","category-gpul","category-igalia","category-free-software"],"_links":{"self":[{"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":0,"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.igalia.com\/berto\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}