Archive for July, 2014

Posted by keith.wirch at July 23, 2014

Category: Cryptography, Linux

In this tutorial I will cover how to setup a LUKS encrypted drive to be mounted with a keyfile and then have it mounted at boot.  It is recommended that you keep the keyfile on an encrypted drive but that’s your business, not mine.  For the purposes of the tutorial I will be using /dev/sdb to be my example drive.

CREATE KEYFILE

You will need to pick a folder to keep your keyfile.  Fill that file with what ever you want or run this command to make one pull of random data.  It does not need to be /etc/secretfoldder/keyfile

sudo dd if=/dev/urandom of=/etc/secretfolder/keyfile bs=1024 count=6

DRIVE FORMAT

First you will need to setup the encrypted drive.  For this part we will use fdisk because it it quite easy to use. Type m if you need some help.  My example below the general flow you need.  Delete all the partitions on the drive and then create a partition.  WARNING!  THIS WILL DELETE ALL DATA ON THE DRIVE

sudo fdisk /dev/sdb

Command (m for help): d
 Selected partition 1

Command (m for help): d
 No partition is defined yet!

Command (m for help): p

Disk /dev/sdb: 250.1 GB, 250059348992 bytes
 255 heads, 63 sectors/track, 30401 cylinders, total 488397166 sectors
 Units = sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disk identifier: 0x000be3dd

Device Boot      Start         End      Blocks   Id  System

Command (m for help): b
 There is no *BSD partition on /dev/sdb.

Command (m for help): n
 Partition type:
 p   primary (0 primary, 0 extended, 4 free)
 e   extended
 Select (default p): p
 Partition number (1-4, default 1):
 Using default value 1
 First sector (2048-488397165, default 2048):
 Using default value 2048
 Last sector, +sectors or +size{K,M,G} (2048-488397165, default 488397165):
 Using default value 488397165

Command (m for help): w
 The partition table has been altered!

Encryption Filesystem

You are going to need a few kernel modules in order to properly get some encryption out of cryptsetup.

</pre>
sudo modprobe dm-crypt
 sudo modprobe sha256
 sudo modprobe aes

If you get an error with these modules.  Refer to this bug report.  You may need to utilize their workaround.

sudo cryptsetup luksAddKey /dev/sdX /etc/secretfolder/keyfile -c aes -s 256 -h sha256

Now mount your new encrypted partition and create a filesystem.

</pre>
sudo cryptsetup luksOpen /dev/sdb1 crypt
 sudo mkfs -t ext3 /dev/mapper/crypt

This part could take a while if you have a slow computer.

CREATE STARTUP ITEMS

Open up /etc/crypttab and add a line like this.

crypt     /dev/sdb1     /etc/secretfolder/keyfile     luks

If you want to, you used the UUID of your drive instead of the above option.

Now open up fstab.  /etc/fstab and add a new entry at bottom like so.

# Mount Encrypted FileSystem</pre>
/dev/mapper/crypt     /media/sdb1     ext3

BOOM!  You are done son!  Reboot and see that it mounts.  or you can do a mount -a to remount all filesystems.