Lesson 15

Date: 7/5/2017
Encrypted file systems
Linux System Administration


Exercise: DM-Crypt+LUKS

DM-Crypt works by transparently translating (in the kernel) between an encrypted physical on-disk partition and a logical plaintext device which you can then mount and use as normal. Linux Unified Key Setup, or LUKS, is a disk encryption specification: it defines the on-disk header that stores the encryption parameters and the key slots holding the passphrases that unlock the device.
  • Install cryptsetup:
    apt-get install cryptsetup
    
    Zero out the start of the storage device (here the already-labelled and partitioned /dev/sdb2); this destroys any existing data or file-system signature there:
    dd if=/dev/zero of=/dev/sdb2 bs=1M count=10
    
    Create a LUKS container (-y asks for the passphrase twice to verify it, -v is verbose; this overwrites everything on the partition):
    cryptsetup -y -v luksFormat /dev/sdb2
    
    Open the LUKS container (this prompts for the passphrase and creates the mapping named secure):
    cryptsetup luksOpen /dev/sdb2 secure
    
    Check the device-mapper status of the mapping named secure:
    cryptsetup status secure
    
    Create a file system on the mapped device, create a mount point and mount it:
    mkfs.ext4  /dev/mapper/secure
    mkdir /secure
    mount /dev/mapper/secure /secure
    
    Verify that the file system is mounted:
    df -h
    
    Unmount the drive:
    umount /secure
    
    Close the container (this removes the device mapping; the data is then inaccessible until it is opened again):
    cryptsetup luksClose secure
    

  • To mount the device again later, first set up the device mapper (this prompts for the passphrase):
    cryptsetup luksOpen /dev/sdb2 secure
    
    Mount the device:
    mount /dev/mapper/secure /secure
    

  • You can add an additional passphrase (password) for the encrypted partition. luksDump shows the header and which key slots are in use; luksAddKey prompts for an existing passphrase and then for the new one:
    cryptsetup luksDump /dev/sdb2
    cryptsetup luksAddKey /dev/sdb2
    
    A maximum of 8 passphrases (key slots) can be set up for each device.
    To remove one of the passphrases:
    cryptsetup luksRemoveKey /dev/sdb2
    
    When prompted, enter the passphrase that is to be removed.

    If the drive is stolen, the data cannot be mounted without first setting up the device mapper, which requires one of the passphrases. This protects the data only while the container is closed: once it has been opened with luksOpen, anyone with access to the running system can read /secure in the clear.


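  • As an added example (not part of the lesson), a small POSIX shell script that audits the key slots reported by cryptsetup luksDump, since every enabled slot is a passphrase that will open the container: it lists the enabled slots, counts how many of the 8 are still free, and flags any enabled slot that is not in the list the administrator expects. The luksDump text is a constructed, abbreviated sample and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the lesson: audit LUKS1 key slots from
# `cryptsetup luksDump` output. A LUKS1 header has 8 slots (0-7); each
# ENABLED slot is a passphrase that unlocks the disk.

LUKS1_SLOTS=8

# Print the numbers of ENABLED key slots, one per line, from dump text on
# stdin. luksDump prints one "Key Slot N: ENABLED|DISABLED" line per slot,
# followed by indented details that the ^ anchor skips.
luks_enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED.*/\1/p'
}

# Count ENABLED slots in dump text on stdin.
luks_enabled_count() {
    luks_enabled_slots | wc -l | tr -d ' '
}

# Print how many slots luksAddKey can still fill.
luks_free_count() {
    echo $((LUKS1_SLOTS - $(luks_enabled_count)))
}

# Print ENABLED slots missing from the expected space-separated list ($1),
# e.g. a passphrase nobody admits to adding. Empty output means all good.
luks_unexpected_slots() {
    luks_enabled_slots | while read -r slot; do
        case " $1 " in
            *" $slot "*) ;;
            *) echo "$slot" ;;
        esac
    done
}

# Constructed, abbreviated luksDump output for the lesson's /dev/sdb2:
# slots 0 and 1 enabled (original passphrase plus one from luksAddKey),
# slots 2-7 free. Digests, salts and iteration counts omitted.
SAMPLE_DUMP='LUKS header information for /dev/sdb2
Version:        1
Key Slot 0: ENABLED
    Key material offset:    8
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'
printf '%s\n' "$SAMPLE_DUMP" | luks_free_count      # prints 6
```

    On a real system (as root) pipe the live header into the functions instead, e.g. cryptsetup luksDump /dev/sdb2 | luks_unexpected_slots '0', and investigate any slot number it prints.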