Encrypting a Disk Partition with LUKS

I need to encrypt the contents of my Drobo – at least the Drobo partitions that are going to contain my personal data. The Drobo is too old to natively support encryption.

This is adapted from a nixCraft article about hard disk partition encryption using the Linux Unified Key Setup (LUKS). Herein, I will copy portions of that article and adjust it for my own purposes. Thanks to nixCraft for a great article; their source material is gratefully acknowledged.

Prerequisite: cryptsetup utility

To use LUKS, you need the cryptsetup package. Install it with the apt-get or apt command.

Configure LUKS partition

WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you back up your data to an external source such as a NAS or hard disk before typing any one of the following commands.

In this example, I’m going to encrypt /dev/sdj1. Type the following command:
# cryptsetup -y -v luksFormat /dev/sdj1

Sample outputs:

WARNING!
========
This will overwrite data on /dev/sdj1 irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.

Switching to UUID Instead of Block Device Name

At this point, you can switch to using a UUID reference, so the mapping won’t change if, say, your block devices show up in a different sequence. To find the UUID for a given partition, do the following:

# lsblk -f 

Sample output:

NAME               FSTYPE      LABEL           UUID                                 MOUNTPOINT
...
sdj                                                                                 
└─sdj1             crypto_LUKS                 85af2419-bde3-49e7-939a-2f231532a8b2 
...

Now, wherever you would see “/dev/sdj1”, you put UUID=<the UUID copied from above>. Note that this is the UUID of the LUKS container on /dev/sdj1 (FSTYPE crypto_LUKS); the ext4 filesystem created inside the mapping later gets its own, different UUID.

Open the Crypto Block Device

Type the following command to create a mapping:
# cryptsetup luksOpen /dev/sdj1 crypt_drobo2-5

Or, using UUID:
# cryptsetup luksOpen UUID=85af2419-bde3-49e7-939a-2f231532a8b2 crypt_drobo2-5

Sample outputs:

Enter passphrase for /dev/sdj1:

After successful verification of the supplied key material (the passphrase set with luksFormat), the mapping name /dev/mapper/crypt_drobo2-5 appears:
# ls -l /dev/mapper/crypt_drobo2-5

Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/crypt_drobo2-5 -> ../dm-0

You can use the following command to see the status for the mapping:
# cryptsetup -v status crypt_drobo2-5

Sample outputs:

/dev/mapper/crypt_drobo2-5 is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdj1
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.

You can dump LUKS headers using the following command:
# cryptsetup luksDump /dev/sdj1

Or, using UUID:
# cryptsetup luksDump UUID=85af2419-bde3-49e7-939a-2f231532a8b2

Sample outputs:

LUKS header information for /dev/sdj1
 
Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	256
MK digest:     	21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f 
MK salt:       	8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94 
               	7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70 
MK iterations: 	222000
UUID:          	4dd563a9-5bff-4fea-b51d-b4124f7185d1
 
Key Slot 0: ENABLED
	Iterations:         	2245613
	Salt:               	05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53 
	                      	3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Optional: Wipe LUKS partition

First, write zeros to the /dev/mapper/crypt_drobo2-5 encrypted device. Because the writes pass through the encryption layer, the outside world sees the whole partition as random data, which protects against disclosure of usage patterns (how much of the disk is in use, and where):
# dd if=/dev/zero of=/dev/mapper/crypt_drobo2-5

The dd command may take many hours to complete. I suggest that you use pv command to monitor the progress:
# pv -tpreb /dev/zero | dd of=/dev/mapper/crypt_drobo2-5 bs=128M

Sample outputs:

dd: error writing '/dev/mapper/crypt_drobo2-5': No space left on device                                                                                                            ]
 200GiB 0:16:47 [ 203MiB/s] [                      <=>                                                                                                                      ]
1600+1 records in
1599+1 records out
214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB/s

You can also pass the status=progress option to the dd command:
# dd if=/dev/zero of=/dev/mapper/crypt_drobo2-5 status=progress

Sample outputs:

2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB/s

Create Filesystem on LUKS partition

Next, create a filesystem on the mapped device (i.e. format it); enter:
# mkfs.ext4 /dev/mapper/crypt_drobo2-5

Do not use the UUID form here: UUID=85af2419-bde3-49e7-939a-2f231532a8b2 identifies the LUKS container on /dev/sdj1 itself, so running mkfs.ext4 against it would format the raw partition and destroy the LUKS header you just created. The filesystem must be created on /dev/mapper/crypt_drobo2-5.

Sample outputs:

mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 52428288 4k blocks and 13107200 inodes
Filesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

Mounting Partition

To mount the new filesystem at /mnt/drobo2-5, enter:
# mkdir /mnt/drobo2-5
# mount /dev/mapper/crypt_drobo2-5 /mnt/drobo2-5
# df -H
# cd /mnt/drobo2-5
# ls -l

Closing the Partition

Type the following commands (luksClose takes the mapping name, not the block device):
# umount /mnt/drobo2-5
# cryptsetup luksClose crypt_drobo2-5

Re-Opening the Partition

Type the following commands:
# cryptsetup luksOpen /dev/sdj1 crypt_drobo2-5
# mount /dev/mapper/crypt_drobo2-5 /mnt/drobo2-5
# df -H
# mount

Sample outputs:

Fig.01: Encrypted partition mounted on /mnt/drobo2-5

See the shell script wrapper that opens a LUKS partition and sets up a mapping for NAS devices.
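The open/mount/close sequence above as a small POSIX sh wrapper, added here as an example; it is not the script linked from this post. It assumes the container UUID, mapping name and mount point used on this page, and adds a DRY_RUN switch (my own addition) that prints the commands instead of running them.

```shell
#!/bin/sh
# Open the LUKS container by UUID, mount it, and close it again.
# Assumed values (taken from this post): the container UUID, mapping name and mount point.
set -eu

LUKS_UUID="85af2419-bde3-49e7-939a-2f231532a8b2"  # UUID of the crypto_LUKS partition (lsblk -f)
MAPPER_NAME="crypt_drobo2-5"                       # name given to luksOpen
MOUNT_POINT="/mnt/drobo2-5"
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print commands instead of running them

# run: execute a command (as root), or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_uuid: accept only a canonical lowercase UUID before it is handed to cryptsetup
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# luks_mount: luksOpen by UUID (stable across /dev/sdX renumbering), then mount the mapping
luks_mount() {
    valid_uuid "$LUKS_UUID" || { echo "bad UUID: $LUKS_UUID" >&2; return 1; }
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then   # skip luksOpen if already open
        run cryptsetup luksOpen "UUID=$LUKS_UUID" "$MAPPER_NAME"
    fi
    run mkdir -p "$MOUNT_POINT"
    run mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
}

# luks_umount: unmount first, then remove the device-mapper mapping
luks_umount() {
    run umount "$MOUNT_POINT"
    run cryptsetup luksClose "$MAPPER_NAME"
}

# Dispatch only when an action was given, so the functions can also be sourced
if [ $# -gt 0 ]; then
    case "$1" in
        mount)  luks_mount ;;
        umount) luks_umount ;;
        *) echo "usage: $0 mount|umount" >&2; exit 2 ;;
    esac
fi
```

Run it as root with `mount` or `umount`; with `DRY_RUN=1` it only prints what it would do.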

Changing Passphrase (password) on the Partition

Type the following commands:
### check the key slots first: LUKS1 has 8 slots, i.e. up to 8 passphrases can be set up for each device ###
# cryptsetup luksDump /dev/sdj1
# cryptsetup luksAddKey /dev/sdj1

Enter any passphrase: 
Enter new passphrase for key slot: 
Verify passphrase: 

Remove or delete the old password:
# cryptsetup luksRemoveKey /dev/sdj1
Please note that you need to enter the old password / passphrase, and that removing the last enabled key slot makes the data unrecoverable.
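A guard I would put around luksRemoveKey, added here as an example (not from this post or from nixCraft): it counts the ENABLED key slots in luksDump output and refuses to remove a passphrase while only one slot is enabled. The sample dump is constructed from the one shown earlier, and the DUMP_CMD variable is my own hook for substituting the cryptsetup call.

```shell
#!/bin/sh
# Refuse to run luksRemoveKey when it would delete the last enabled key slot.
set -eu

# enabled_slots: read `cryptsetup luksDump` text on stdin, print the number of ENABLED slots
enabled_slots() {
    grep -c '^Key Slot [0-7]: *ENABLED' || true   # grep -c exits 1 on zero matches; still print 0
}

# sample_dump: constructed from the luksDump output shown earlier (only slot 0 in use)
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdj1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# safe_remove_key: only hand the device to luksRemoveKey when a second passphrase exists
safe_remove_key() {
    dev="$1"
    n=$("${DUMP_CMD:-cryptsetup}" luksDump "$dev" | enabled_slots)
    if [ "$n" -lt 2 ]; then
        echo "refusing: $dev has $n enabled key slot(s); run luksAddKey first" >&2
        return 1
    fi
    cryptsetup luksRemoveKey "$dev"
}
```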

Using the Encrypted Partition

This article outlines how to run fsck on an encrypted partition.

Check out the man page for crypttab. It’s a bit cryptic, heh heh.

A shell script for automating the mount/unmount process.

Here’s some further information on configuration and management of encrypted drives. And, a Red Hat Tutorial that gives step-by-step setup and use.
