I need to encrypt the contents of my Drobo – at least the Drobo partitions that are going to contain my personal data. The Drobo is too old to natively support encryption.
This is adapted from the nixCraft article about hard disk partition encryption using Linux Unified Key Setup (LUKS). Herein, I copy portions of that article and adjust them for my own purposes. Thanks to nixCraft for a great article; their original is gratefully acknowledged.
Prerequisite: cryptsetup utility
To use LUKS, you need the cryptsetup package. Install it with apt-get or apt.
Configure LUKS partition
In this example, I’m going to encrypt /dev/sdj1. Type the following command:
# cryptsetup -y -v luksFormat /dev/sdj1
Sample outputs:
WARNING!
========
This will overwrite data on /dev/sdj1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.
Switching to UUID Instead of Block Device Name
At this point, you can switch to using UUID reference, so the mapping won’t change if, say, your block devices show up in a different sequence. To find the UUID for a given partition, do the following:
# lsblk -f
Sample output:
NAME   FSTYPE      LABEL UUID                                 MOUNTPOINT
...
sdj
└─sdj1 crypto_LUKS       85af2419-bde3-49e7-939a-2f231532a8b2
...
Now, wherever you would see “/dev/sdj1”, you put UUID=<the UUID number copied from above>.
Open the Crypto Block Device
Type the following command to create a mapping:
# cryptsetup luksOpen /dev/sdj1 crypt_drobo2-5
Or, using UUID:
# cryptsetup luksOpen UUID=85af2419-bde3-49e7-939a-2f231532a8b2 crypt_drobo2-5
Sample outputs:
Enter passphrase for /dev/sdj1:
Once the passphrase has been verified against the key material created by luksFormat, the mapping appears as /dev/mapper/crypt_drobo2-5:
# ls -l /dev/mapper/crypt_drobo2-5
Sample outputs:
lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/crypt_drobo2-5 -> ../dm-0
You can use the following command to see the status for the mapping:
# cryptsetup -v status crypt_drobo2-5
Sample outputs:
/dev/mapper/crypt_drobo2-5 is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdj1
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.
You can dump LUKS headers using the following command:
# cryptsetup luksDump /dev/sdj1
Or, using UUID:
# cryptsetup luksDump UUID=85af2419-bde3-49e7-939a-2f231532a8b2
Sample outputs:
LUKS header information for /dev/sdj1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f
MK salt:        8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94
                7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70
MK iterations:  222000
UUID:           4dd563a9-5bff-4fea-b51d-b4124f7185d1

Key Slot 0: ENABLED
        Iterations:             2245613
        Salt:                   05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53
                                3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Optional: Wipe LUKS partition
First, write zeros to the /dev/mapper/crypt_drobo2-5 encrypted device. The zeros are encrypted on their way to disk, so the whole partition ends up filled with data that looks random from the outside; that protects against disclosure of usage patterns (which blocks hold data and which are empty):
# dd if=/dev/zero of=/dev/mapper/crypt_drobo2-5
The dd command may take many hours to complete. I suggest that you use the pv command to monitor the progress:
# pv -tpreb /dev/zero | dd of=/dev/mapper/crypt_drobo2-5 bs=128M
Sample outputs:
dd: error writing '/dev/mapper/crypt_drobo2-5': No space left on device
 200GiB 0:16:47 [ 203MiB/s] [  <=>  ]
1600+1 records in
1599+1 records out
214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB/s
You can also pass the status=progress option to the dd command:
# dd if=/dev/zero of=/dev/mapper/crypt_drobo2-5 status=progress
Sample outputs:
2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB/s
Create Filesystem on LUKS partition
Next, create a filesystem (i.e. format the mapped device):
# mkfs.ext4 /dev/mapper/crypt_drobo2-5
Do not substitute the UUID in this step. The UUID shown by lsblk names the raw LUKS container (/dev/sdj1), so a mkfs.ext4 pointed at UUID=85af2419-bde3-49e7-939a-2f231532a8b2 would target the container rather than the unlocked volume and overwrite the LUKS header. The filesystem always goes on the mapped device, /dev/mapper/crypt_drobo2-5.
Sample outputs:
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 52428288 4k blocks and 13107200 inodes
Filesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Mounting Partition
To mount the new filesystem at /mnt/drobo2-5, enter:
# mkdir /mnt/drobo2-5
# mount /dev/mapper/crypt_drobo2-5 /mnt/drobo2-5
# df -H
# cd /mnt/drobo2-5
# ls -l
Closing the Partition
Type the following commands:
# umount /mnt/drobo2-5
# cryptsetup luksClose crypt_drobo2-5
Re-Opening the Partition
Type the following command:
# cryptsetup luksOpen /dev/sdj1 crypt_drobo2-5
# mount /dev/mapper/crypt_drobo2-5 /mnt/drobo2-5
# df -H
# mount
See shell script wrapper that opens LUKS partition and sets up a mapping for nas devices.
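A wrapper for the open/mount and unmount/close steps above, keyed on the LUKS UUID rather than the block device name. This is an added example, not the shell script the page links to or nixCraft's code; it assumes the page's mapping name crypt_drobo2-5 and mount point /mnt/drobo2-5, and adds a DRY_RUN=1 switch that prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Open/mount and unmount/close a LUKS partition by UUID.
# Added example for this page; not the author's or nixCraft's wrapper script.
# Assumed values (all taken from the page): mapping crypt_drobo2-5, mount point /mnt/drobo2-5.
set -u

LUKS_UUID="${LUKS_UUID:-85af2419-bde3-49e7-939a-2f231532a8b2}"  # LUKS container UUID (lsblk -f)
MAP_NAME="${MAP_NAME:-crypt_drobo2-5}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/drobo2-5}"
DRY_RUN="${DRY_RUN:-0}"  # DRY_RUN=1 prints the privileged commands instead of running them

# run: execute a privileged command, or print it under DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# is_uuid: accept only a well-formed UUID so a typo never reaches cryptsetup as UUID=...
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# mapper_path: the device-mapper node cryptsetup creates for a mapping name
mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# luks_open: unlock the container, then mount the *mapped* device. The raw UUID
# device is the LUKS container itself and must never be mounted or formatted directly.
luks_open() {
    is_uuid "$LUKS_UUID" || { echo "refusing: bad UUID '$LUKS_UUID'" >&2; return 1; }
    run cryptsetup luksOpen "UUID=$LUKS_UUID" "$MAP_NAME" || return 1
    run mkdir -p "$MOUNT_POINT" || return 1
    run mount "$(mapper_path "$MAP_NAME")" "$MOUNT_POINT"
}

# luks_close: unmount first; only tear down the mapping once the filesystem is
# gone, so a busy mount never leaves a half-closed device behind.
luks_close() {
    run umount "$MOUNT_POINT" || { echo "umount failed; mapping left open" >&2; return 1; }
    run cryptsetup luksClose "$MAP_NAME"
}

main() {
    case "${1:-}" in
        open)  luks_open ;;
        close) luks_close ;;
        *)     echo "usage: $0 open|close" >&2; return 2 ;;
    esac
}
# Dispatch only when invoked with an argument, so the file can also be sourced for its functions.
[ "$#" -eq 0 ] || main "$@"
```

Run it as root with `open` or `close`; with DRY_RUN=1 it only prints what it would do, which is a handy way to check the UUID and paths before touching the device.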
Changing Passphrase (password) on the Partition
Type the following command
### see key slots; LUKS allows a maximum of 8 key slots, i.e. up to 8 passphrases can be set up for each device ####
# cryptsetup luksDump /dev/sdj1
# cryptsetup luksAddKey /dev/sdj1
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
Remove or delete the old password:
# cryptsetup luksRemoveKey /dev/sdj1
Please note that you need to enter the old password / passphrase.
Using the Encrypted Partition
This article outlines how to run fsck on an encrypted partition.
Check out the man page for crypttab. It’s a bit cryptic, heh heh.
A shell script for automating the mount/unmount process.
Here’s some further information on configuration and management of encrypted drives. And, a Red Hat Tutorial that gives step-by-step setup and use.