LUKS Encryption
Instructions for setting up LUKS (Linux Unified Key Setup) encryption on Debian.
Before you begin using LUKS on Debian, install the following packages (only cryptsetup is used by the commands below; the others are useful companions):
cryptsetup cryptmount dmsetup
There are two common ways to use LUKS: encrypting a container file that lives inside an existing filesystem, and encrypting an entire partition or disk.
Encrypting a container within an existing filesystem
The first thing we need to do is create the container file. The following command creates a file of roughly 2 GB (2,000,000 blocks of 1024 bytes), named "container1", filled with random data so that unused space inside the container cannot be told apart from encrypted data:
dd if=/dev/urandom of=container1 bs=1024 count=2000000
Now we need to map this file to a free loop device. Older cryptsetup releases cannot use a regular file as a block device directly (current releases set up the loop device themselves, but doing it explicitly keeps the open and close steps symmetric). losetup (part of util-linux) tells us which loop device is free:
losetup -f
For me it was /dev/loop0. So, I map the "container1" file to /dev/loop0.
losetup /dev/loop0 /path/to/container1
Once the loop device is mapped, we can encrypt the container.
cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 --verify-passphrase luksFormat /dev/loop0
--cipher sets the cipher and IV mode. aes-cbc-essiv:sha256 was the cryptsetup default when these instructions were written; current releases default to aes-xts-plain64 with a 512-bit key, which is preferable for new volumes. --key-size sets the key size in bits; 256 is twice the 128-bit default of the cryptsetup release these instructions were written for. --verify-passphrase makes luksFormat ask for the passphrase twice, which avoids locking yourself out with a typo. luksFormat writes the LUKS header to /dev/loop0, destroying whatever was stored there before.
Now that the container has been formatted, we need to open it and create an ext3 filesystem inside it.
cryptsetup luksOpen /dev/loop0 encr-container1
mkfs.ext3 /dev/mapper/encr-container1
luksOpen creates a device under /dev/mapper named encr-container1 through which we access the decrypted contents. To make mounting easy, create the mount point directory /mnt/encr-mount1 and add an entry to /etc/fstab:
/dev/mapper/encr-container1 /mnt/encr-mount1 ext3 user,noauto 0 0
You can, of course, use any fstab options you like. Note that losetup and luksOpen still require root; the user option only lets an ordinary user run the mount itself. From now on, to attach the encrypted container, run the following three commands (mount finds the mount point from the fstab entry):
losetup /dev/loop0 /path/to/container1
cryptsetup luksOpen /dev/loop0 encr-container1
mount /dev/mapper/encr-container1
luksOpen prompts for the passphrase before proceeding. To detach the encrypted container, undo the commands in reverse order:
umount /dev/mapper/encr-container1
cryptsetup luksClose encr-container1
losetup -d /dev/loop0
These commands can be scripted to facilitate easy access.
Encrypting an entire partition
The first, optional, step is to fill the partition with random data. luksFormat only writes a header, so without this step an attacker who examines the disk can tell which blocks hold encrypted data and which were never written, which reveals how much of the volume is in use, and any previous unencrypted contents of the partition remain readable until they are overwritten. The downside is that it can take a long time on a large partition, because /dev/urandom is slow: filling a 500 GB partition over a SATA II connection with a relatively fast CPU takes over 24 hours. If you don't have the time you can skip this step. dd shows no progress by default (newer GNU coreutils accept status=progress), so you just wait for it to finish.
dd if=/dev/urandom of=/dev/sdb bs=4M
Substitute /dev/sdb with the path to your device node (a partition such as /dev/sdb1, or a whole disk as here); everything on it is destroyed. bs=4M only makes dd write in larger chunks.
Now we can create the LUKS partition.
cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 --verify-passphrase luksFormat /dev/sdb
--cipher sets the cipher and IV mode. aes-cbc-essiv:sha256 was the cryptsetup default when these instructions were written; current releases default to aes-xts-plain64 with a 512-bit key, which is preferable for new volumes. --key-size sets the key size in bits; 256 is twice the 128-bit default of the cryptsetup release these instructions were written for. --verify-passphrase makes luksFormat ask for the passphrase twice, which avoids locking yourself out with a typo. luksFormat writes the LUKS header to /dev/sdb, destroying whatever was stored there before.
Now that the partition has been formatted, we need to open it and create an ext3 filesystem inside it.
cryptsetup luksOpen /dev/sdb encr-sdb
mkfs.ext3 /dev/mapper/encr-sdb
luksOpen creates a device under /dev/mapper named encr-sdb through which we access the decrypted partition. To make mounting easy, create the mount point directory /mnt/encr-sdb and add an entry to /etc/fstab:
/dev/mapper/encr-sdb /mnt/encr-sdb ext3 user,noauto 0 0
You can, of course, use any fstab options you like. From now on, to attach the encrypted partition, run the following commands (mount finds the mount point from the fstab entry):
cryptsetup luksOpen /dev/sdb encr-sdb
mount /dev/mapper/encr-sdb
luksOpen prompts for the passphrase before proceeding. To detach the encrypted partition, undo the commands in reverse order:
umount /dev/mapper/encr-sdb
cryptsetup luksClose encr-sdb
These commands can be scripted to facilitate easy access.
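The container procedure and the partition procedure above differ only in the loop device step, so both can be driven by one script. The following is an added example written for this page; it is not code from the original instructions or from the cryptsetup project. It assumes cryptsetup 1.6 or later (which accepts --type plain for the wipe step and defaults to aes-xts-plain64), util-linux losetup, GNU coreutils dd, root privileges and an existing mount point; the script name, device paths, mapping names, mount points and header backup path are all hypothetical. Beyond the page's commands it adds three things a practitioner would want: a much faster random fill that writes zeros through a throwaway dm-crypt mapping instead of reading /dev/urandom, an isLuks check plus a LUKS header backup after formatting (without the header the data is unrecoverable), and cleanup of half-finished open steps so no loop device or mapping is left dangling.

```shell
#!/bin/sh
# luks-helper.sh: prepare, open and close a LUKS volume that lives either in a
# regular file (loop-backed container) or on a partition / whole disk.
# Added example for this page, not code from the original instructions.
# Assumptions: cryptsetup >= 1.6, util-linux losetup, GNU coreutils dd
# (status=progress), root privileges, an existing mount point. Every path and
# name shown here is hypothetical.
#
#   ./luks-helper.sh wipe   /dev/sdb1                      # optional, destructive
#   ./luks-helper.sh format /dev/sdb1 /root/sdb1.luks-header
#   ./luks-helper.sh open   /dev/sdb1 encr-sdb /mnt/encr-sdb
#   ./luks-helper.sh open   /path/to/container1 encr-container1 /mnt/encr-mount1
#   ./luks-helper.sh close  encr-sdb /mnt/encr-sdb
#
# DRY_RUN=1 prints each command instead of running it.
set -eu

run() {  # execute a command, or just print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
dry() { [ "${DRY_RUN:-0}" = 1 ]; }

# Random fill, much faster than dd from /dev/urandom: map the device through a
# throwaway plain dm-crypt mapping keyed from /dev/urandom and write zeros
# through it. Without the key (discarded on close) the result is
# indistinguishable from random data.
wipe() {
    local dev="$1" map="wipe-$$"
    run cryptsetup open --type plain --key-file /dev/urandom "$dev" "$map"
    # dd exits non-zero when the device is full, so that status is ignored
    run dd if=/dev/zero of="/dev/mapper/$map" bs=4M status=progress || true
    run cryptsetup close "$map"
}

# Write the LUKS header, verify it, and back it up. Cipher and key size are
# given explicitly so the result does not depend on the installed default
# (aes-xts-plain64 with a 512-bit key is the current default and preferable
# to aes-cbc-essiv:sha256). Guard the backup like the disk itself: it holds
# the key slots, and losing the header makes the data unrecoverable.
format_luks() {
    local dev="$1" backup="$2"
    run cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 \
        --verify-passphrase luksFormat "$dev"
    run cryptsetup isLuks "$dev"
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    run chmod 600 "$backup"
}

# Open: attach a loop device first if the target is a regular file, then
# luksOpen and mount. If a later step fails, undo the earlier ones.
open_volume() {
    local target="$1" name="$2" mnt="$3" dev loop=""
    if [ -f "$target" ]; then
        if dry; then loop="${LOOPDEV:-/dev/loop0}"; else loop=$(losetup -f); fi
        run losetup "$loop" "$target"
        dev="$loop"
    else
        dev="$target"
    fi
    if ! run cryptsetup luksOpen "$dev" "$name"; then
        [ -z "$loop" ] || run losetup -d "$loop"
        return 1
    fi
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup luksClose "$name"
        [ -z "$loop" ] || run losetup -d "$loop"
        return 1
    fi
}

# Close: the same steps in reverse. The backing device is read back from
# `cryptsetup status`, so the caller only needs the mapping name, and the
# loop device is detached only when there is one.
close_volume() {
    local name="$1" mnt="$2" dev loop=""
    if dry; then
        dev="${LOOPDEV:-}"
    else
        dev=$(cryptsetup status "$name" | awk '/^ *device:/ {print $2}')
    fi
    case "$dev" in /dev/loop*) loop="$dev" ;; esac
    run umount "$mnt"
    run cryptsetup luksClose "$name"
    [ -z "$loop" ] || run losetup -d "$loop"
}

usage() { echo "usage: $0 wipe DEV | format DEV BACKUP | open TARGET NAME MNT | close NAME MNT" >&2; return 2; }

main() {
    case "${1:-}" in
        wipe)   [ $# -eq 2 ] || usage; wipe "$2" ;;
        format) [ $# -eq 3 ] || usage; format_luks "$2" "$3" ;;
        open)   [ $# -eq 4 ] || usage; open_volume "$2" "$3" "$4" ;;
        close)  [ $# -eq 3 ] || usage; close_volume "$2" "$3" ;;
        *)      usage ;;
    esac
}

[ $# -eq 0 ] || main "$@"   # with no arguments only the functions are defined
```

DRY_RUN=1 prints the exact command sequence without touching any device, which is a cheap way to confirm that close really undoes open in reverse order before running it as root. The wipe and format steps are as destructive as the page's dd and luksFormat commands and must be pointed only at a device whose contents you intend to lose.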
*These instructions are a modified version of instructions that used to be found at http://www.g-loaded.eu.

