LUKS - Linux Unified Key Setup

Encrypted Disk

How I set up my external backup drive with encryption.

Install

# install package
apt-get install cryptsetup
 
# partition the drive
parted /dev/sde
>mklabel gpt
>mkpart primary 1 -1
 
Model: ATA WDC WD40EZRX-00S (scsi)
Disk /dev/sde: 4001GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
 
Number  Start   End     Size    File system  Name     Flags
 1      1049kB  4001GB  4001GB               primary
 
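# initialize the partition for encryption with a passphrase
# this will destroy all data that might exist on that partition!
# (no cipher options are given, so the cryptsetup version's defaults are used;
#  the luksDump output below shows what they were here. Pass -c/-s/-h
#  explicitly, as in the Container File section, to choose them yourself.)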
 
cryptsetup --verify-passphrase --verbose luksFormat /dev/sde1
 
# open the device under the mapping name "esata" (it appears as /dev/mapper/esata)
cryptsetup luksOpen /dev/sde1 esata
 
ls -l /dev/mapper/esata
lrwxrwxrwx 1 root root 7 Sep 18 10:11 /dev/mapper/esata -> ../dm-3
 
cryptsetup -v status esata
/dev/mapper/esata is active.
  type:    LUKS1
  cipher: 
  [...]
 
cryptsetup luksDump /dev/sde1
LUKS header information for /dev/sde1
 
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
[...]
 
# create a filesystem within encrypted partition
mkfs.ext4 /dev/mapper/esata
 
# mount and use:
mount /dev/mapper/esata /media/esata
 
# unmount, close and remove external drive:
umount /media/esata
cryptsetup luksClose esata
 
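# optional, but recommended: backup LUKS header
# (keep esata.luks somewhere other than this drive and protect it: it holds the
#  key slots, so a passphrase that was valid when the backup was taken can still
#  unlock the volume through it, even after the passphrase is changed)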
cryptsetup luksHeaderBackup /dev/sde1 --header-backup-file esata.luks

Just for Reference

# restore LUKS header
cryptsetup luksHeaderRestore /dev/sde1 --header-backup-file esata.luks
 
# change LUKS passphrase
cryptsetup luksChangeKey /dev/sde1 [--key-slot 0]

Mount or Unmount

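#!/bin/bash
#
# Open or close the LUKS-encrypted external backup drive.
#
# Usage: <script> open|close      (run as root: cryptsetup and mount need it)
#
#   open   unlock /dev/sde1 as /dev/mapper/esata and mount it on /media/esata
#   close  unmount /media/esata and remove the esata mapping
#
# Exit status: 0 on success, 2 on bad usage, otherwise the status of the
# command that failed.
#
# NOTE(review): /dev/sdX names can change between boots or with plug order;
# a persistent name such as /dev/disk/by-uuid/<LUKS-UUID> (placeholder) avoids
# unlocking or mounting the wrong disk.

set -u

case "${1:-}" in
    open)
        # Mount only if the unlock succeeded; otherwise there is nothing to mount.
        cryptsetup luksOpen /dev/sde1 esata || exit
        if ! mount /dev/mapper/esata /media/esata; then
            # Do not leave the decrypted mapping active when it is not in use.
            cryptsetup luksClose esata
            exit 1
        fi
        ;;
    close)
        # Unmount first; a mapping that is still mounted cannot be closed.
        # Skipping umount when nothing is mounted lets "close" also clean up
        # a mapping that was left open.
        if mountpoint -q /media/esata; then
            umount /media/esata || exit
        fi
        cryptsetup luksClose esata || exit
        ;;
    *)
        # Usage goes to stderr and is reported as a failure to the caller.
        echo "Usage: $0 open|close" >&2
        exit 2
        ;;
esac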

Container File

# create 128MB container file
# (pre-filling it from /dev/urandom means unused areas of the container
#  do not stand out from encrypted data later)
dd if=/dev/urandom of=datastore bs=1M count=128
# format the file as a LUKS volume:
#   -c aes-xts-plain64  cipher and mode
#   -s 512              key size in bits (XTS splits the key in two, i.e. AES-256)
#   -h sha512           hash used in the LUKS key setup
#   -y                  ask for the passphrase twice
cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat datastore
# map the container to /dev/mapper/container and create a filesystem in it
sudo cryptsetup luksOpen datastore container
sudo mkfs.ext4 /dev/mapper/container 
mkdir ~/mnt
sudo mount -t ext4 /dev/mapper/container ~/mnt
# give the mounted filesystem to the regular user ("username" is a placeholder)
sudo chown -R username ~/mnt 
 
# open: unlock the container, then mount the decrypted mapping
sudo cryptsetup luksOpen datastore container
sudo mount -t ext4 /dev/mapper/container ~/mnt
 
# close: unmount first, then remove the mapping so the data is locked again
sudo umount ~/mnt
sudo cryptsetup luksClose container 
linux/luks.txt · Last modified: 2016-11 by tb