
cryptsetup

Fri Nov 30, 2012 9:19 pm

By fsmithred; I only copied it here so I have it at hand.



This guide assumes that you have some familiarity with using the command line, know how to become root, and know how to partition a drive. (You might not need to partition the drive, but it's better if you know how.)


Preparation


Install cryptsetup with your favorite package manager.
If you're using cryptsetup immediately after installing it (without rebooting first) then also do:

Code:
    modprobe -v dm-mod




I'll assume that the external drive is /dev/sdb, and you're going to encrypt the first partition on the drive (/dev/sdb1). You'll need to replace that with the correct name for your drive. To find out the correct device name for your drive, run one or both of these commands after you plug the drive into your computer. You should check this right before you do the encryption, in case the drive does not get the same name every time you plug it in. (I've seen that happen.)
(as normal user)

Code:
    dmesg



(as root)

Code:
    fdisk -l





IMPORTANT: The next commands will erase any data on the drive. Do not err.

If there's already data on the drive that you want to keep, you'll need to copy it to another drive first.

You need a linux partition on the drive. If you don't have one already, you can partition the drive with gparted (graphical) or cfdisk (in a terminal) or your favorite partitioning tool. If you've never partitioned a drive, search the web for gparted instructions, and you'll find nice pictures for all the steps. Don't worry about which filesystem format to use now. That'll get done with a command in a later step.


Wipe the drive

There are a couple of considerations here. If you previously had sensitive data on the drive, you need to do something to obscure that data. Deleting it is not enough. You need to overwrite it with something. The fast and easy way is to write zeros to the drive, and the more secure way is to write random data. Using random data will make it so that nobody can tell where the files are on the drive. If you don't do this, your data will still be encrypted, but anyone trying to decrypt the data will have less work to do. And if you have more than one partition, moving the data from the unencrypted partition to the encrypted one is not good enough. You'd still need to wipe the data that was on the unencrypted part.

You can just overwrite a partition, or you could overwrite the entire drive. If you do the latter, you'll need to repartition the drive afterward. To overwrite an entire drive, leave the partition number off of the device name in one of the following dd commands (e.g. /dev/sdb instead of /dev/sdb1).

Writing zeros to a partition (faster, less secure):


Code:
    dd if=/dev/zero of=/dev/sdb1




Writing random data (slower, more secure)


Code:
    dd if=/dev/urandom of=/dev/sdb1



This will take awhile. If the partition is measured in hundreds of gigabytes, find something else to do until tomorrow, or maybe longer. (Not kidding.)



Create an encrypted volume

(as root):

Code:
    cryptsetup luksFormat /dev/sdb1



You'll be asked for a pass phrase at this point. Make sure you remember it. There's no way to retrieve or change a lost pass phrase.

Open the encrypted volume:

Code:
    cryptsetup luksOpen /dev/sdb1 <name>



<name> is a temporary name you give to the partition. It only exists until you close the volume. Avoid special characters and spaces.

Create a filesystem:


Code:
    mke2fs -t ext4 /dev/mapper/<name>



You can use ext3 if you prefer, or even ext2 if it's a small thumb drive.

Mount the filesystem:

Code:
    mount /dev/mapper/<name> /mnt



/mnt could be any mountpoint you want.

Give yourself ownership of the filesystem


Code:
    chown -R user:user /mnt



where "user" is your user name.

You can now copy files to the encrypted drive.

When you're finished, unmount the drive and close the encrypted volume.


Code:
    umount /mnt
    cryptsetup luksClose <name>



You're done.


Using it

Next time you want to use the drive, plug it in. If you're lucky, your desktop environment will pop up a window asking for the pass phrase. Then you can mount/unmount it with a file manager. (Usually by right-clicking on the icon for the drive)

If you need to do it from command line, you already know the commands (as root):

Code:
    cryptsetup luksOpen /dev/sdb1 <name>
    mount /dev/mapper/<name> /mnt


Code:
    umount /mnt
    cryptsetup luksClose <name>

Re: cryptsetup

Sat Dec 01, 2012 3:53 pm

Thanks nadir, a good reference.

Note you can also use a LUKS loopback file without needing to repartition a disk. I use mostly ext2 because flash drives get hammered less. The file can be copied and used in other places, even a FAT-formatted flash drive.

Here's a script I use to make one (because I can never remember each step):
Code:
#!/bin/bash
# Create a LUKS container file and put a filesystem in it.
set -e

###### editable ########

# size in MB
SIZE="500"

LUKS_FILENAME="luks-data"

LUKSMOUNTPOINT="/media/luksmount"

FILESYSTEM="ext2"

# uid:gid that will own the mountpoint and the container file
OWNER="1000:1000"

#######################

# the device-mapper name must not contain a slash, so use the base name of the file
MAPNAME=$(basename "$LUKS_FILENAME")

mkdir -p "$LUKSMOUNTPOINT" && chown "$OWNER" "$LUKSMOUNTPOINT"

dd if=/dev/zero of="$LUKS_FILENAME" bs=1M count="$SIZE" && chown "$OWNER" "$LUKS_FILENAME"

# attach the file to the next free loop device and remember which one it got
LOOPDEV=$(losetup -f --show "$LUKS_FILENAME")

cryptsetup luksFormat "$LOOPDEV"

cryptsetup luksOpen "$LOOPDEV" "$MAPNAME"

mkfs."$FILESYSTEM" "/dev/mapper/$MAPNAME"

# luksClose takes only the mapping name, not the loop device
cryptsetup luksClose "$MAPNAME"

losetup -d "$LOOPDEV"


To use it in future, simply:
Code:
(su)

# find next available loop device (usually  /dev/loop0 but might not be)
losetup -f

losetup /dev/loop_whatever path_to_luks_filename


then use it as nadir says from /dev/loop_whatever
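The "use it in future" steps above as a small open/close wrapper. This is an added example, not the script above and not pmount. It relies on one thing the post does not mention: given a regular file instead of a block device, cryptsetup allocates and later detaches the loop device itself (it has done so since cryptsetup 1.1), so the `losetup -f` bookkeeping goes away. The mapping name is derived from the file name, a failed mount closes the mapping again instead of leaving it half-open, and `close` reports a loop device that was attached by hand and therefore not detached. `DRY_RUN` and the function names are this script's own.

```bash
#!/bin/bash
# luksfile: open and close a LUKS container file without hand-managing the
# loop device. Added example, not the script above and not pmount.
# Assumption beyond the post: cryptsetup allocates a loop device itself when
# given a regular file (cryptsetup 1.1 or later). Run as root.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Mapping name derived from the file name: letters, digits, _ and - only,
# so "luks data.img" becomes luks_data_img under /dev/mapper.
mapper_name_for() {
    printf '%s\n' "$(basename "$1")" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Open the container and mount it. If the mount fails (wrong filesystem,
# bad mountpoint), close the mapping again so nothing is left half-open.
luksfile_open() {
    file="$1"; mnt="$2"; name=$(mapper_name_for "$file")
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ ! -e "/dev/mapper/$name" ] || { echo "$name is already open" >&2; return 1; }
    run cryptsetup open "$file" "$name"
    run mkdir -p "$mnt"
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup close "$name"
        return 1
    fi
}

# Unmount (if mounted) and close. cryptsetup detaches the loop device it
# allocated; one attached by hand with losetup is reported so it can be
# removed with losetup -d.
luksfile_close() {
    file="$1"; name=$(mapper_name_for "$file")
    mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2 }' /proc/mounts 2>/dev/null || true)
    [ -z "$mnt" ] || run umount "$mnt"
    run cryptsetup close "$name"
    leftover=$(losetup -j "$file" 2>/dev/null || true)
    [ -z "$leftover" ] || echo "still attached, run losetup -d: $leftover" >&2
}

# usage (as root): ./luksfile open /media/usb/luks-data /media/luksmount
#                  ./luksfile close /media/usb/luks-data
case "${1:-}" in
    open)  luksfile_open "$2" "$3" ;;
    close) luksfile_close "$2" ;;
    "")    ;;
    *)     echo "usage: $0 open FILE MOUNTPOINT | close FILE" >&2; exit 2 ;;
esac
```

Because the file path, not a loop device, is what you pass to `cryptsetup open`, the same two commands work unchanged when the container sits on a FAT-formatted stick that has been plugged into another machine.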

Re: cryptsetup

Sun Feb 10, 2013 6:12 pm

pmount 0.9.99-alpha-1 in experimental can now mount image files, without root. LUKS ones as well. It even installs in squeeze with no extra deps. A simple manual tweak of pmount.conf and pmount.allow is needed because of losetup permissions.

"loopback files" can be rather useful as (unlike entire partitions) they are easily transferable and can be used from removables with any FS format.

Code:
# prompt for key then mount it on, e.g. /media/zzz
pmount path/to/file zzz


This has been stuck in experimental quite a long time probably because of wheezy freeze.

BTW pmount >= squeeze can already open actual LUKS partitions on removables or (depending what is in pmount.allow) fixed-disk