The standard for Linux block-level encryption is LUKS (Linux Unified Key Setup). dm-crypt is the Linux kernel's device-mapper module that transparently encrypts and decrypts block devices; LUKS adds an on-disk header (cipher parameters, salt, key slots) on top of it, and cryptsetup is the userspace tool that manages both. To make use of these features, install the cryptsetup package (it is called cryptsetup-luks on older RHEL/CentOS releases):
safeer@lin01:~$sudo yum install cryptsetup-luks
First, format the partition as a LUKS device. This writes the LUKS header to the start of /dev/sdb1 and defines the format of the encrypted data that follows. It destroys whatever is currently on the partition, so double-check the device name before confirming.
safeer@lin01:~$sudo /sbin/cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
The command asks for a passphrase; make sure you remember it, as it is needed every time the partition is opened. The passphrase does not encrypt the data directly: LUKS generates a random master key for the data and stores it in the header, encrypted under the passphrase. If you forget every passphrase, or the header gets overwritten, the data is unrecoverable, so keep a copy of the header made with "cryptsetup luksHeaderBackup" somewhere safe. Optionally you can provide a file containing the passphrase with "--key-file <file-name>" instead of typing it; note that the entire content of the file, including any trailing newline, is then used as the passphrase.
Next, open the LUKS layer, which creates the device-mapper mapping for the encrypted disk:
safeer@lin01:~$sudo /sbin/cryptsetup luksOpen /dev/sdb1 secretDisk
Enter passphrase for /dev/sdb1:
Provide the passphrase you created during the first step. Once it is accepted, /dev/sdb1 is device-mapped under the name you gave in the last command (secretDisk), and the decrypted view of the partition is available at /dev/mapper/secretDisk. To verify, run:
safeer@lin01:~$ls -l /dev/mapper/secretDisk
lrwxrwxrwx 1 root root 7 Apr 14 11:10 /dev/mapper/secretDisk -> ../dm-0
Now create a file system on the mapped device; here I am choosing ext3. Note that mkfs runs against /dev/mapper/secretDisk, never against /dev/sdb1 itself, which would overwrite the LUKS header.
safeer@lin01:~$sudo /sbin/mkfs.ext3 /dev/mapper/secretDisk
I want to mount this device at /home/safeer/secretDisk. To have it mounted at boot, add the following line to /etc/fstab (the device is the mapper node, not /dev/sdb1):
/dev/mapper/secretDisk /home/safeer/secretDisk ext3 defaults 0 0
safeer@lin01:~$sudo mount -a
safeer@lin01:~$df -h /home/safeer/secretDisk
During boot, the device mapping of the encrypted disk must happen before the mount; this is achieved by registering the device in /etc/crypttab, which is processed before /etc/fstab.
Each encrypted device gets one line in this file. A minimum of two fields is needed: the first is the mapper name without the "/dev/mapper/" prefix, and the second is the actual encrypted block device (/dev/sdb1 here; a UUID=... reference is also accepted and survives device renumbering). The third field is the passphrase file; if it is left empty or set to "none", the user is prompted for the passphrase during boot, before the mount. To automate unlocking, create a file containing the passphrase with no trailing newline (cryptsetup reads the whole file, newline included), make it readable only by root (chmod 0400), and give its path as the third field. Bear in mind that a key file stored on an unencrypted root file system lets anyone who gets hold of the disk decrypt the partition, so this only makes sense when the root file system is itself encrypted or the key lives on removable media. The fourth field is options, which can be used to specify the cipher, hash and so on; it can be left blank in most cases, since those parameters are read from the LUKS header.
safeer@lin01:~$grep secret /etc/crypttab
secretDisk /dev/sdb1 none
The second field is the encrypted block device, not the mount point; the mount point belongs only in /etc/fstab.
To ensure things are working properly, reboot the host once: you should be asked for the passphrase during boot, and /home/safeer/secretDisk should be mounted afterwards.
A couple of things to know if you want a more advanced setup.
LUKS1 has 8 key slots per device, so up to 8 independent passphrases (or key files) can unlock it. Every slot holds the same master key encrypted under a different passphrase, which means 8 users can each have a passphrase of their own choosing, nobody has to share a common passphrase, and a single passphrase can be revoked without touching the others or re-encrypting the data. Check out the cryptsetup man page for luksAddKey, luksRemoveKey (or luksKillSlot, which removes a slot by number) and luksDump, which shows which slots are in use.
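The whole procedure above, from luksFormat to the crypttab entry, together with the key-slot handling just mentioned, in one script. This is an added example and not code from the original post: first a pure-shell check that an /etc/crypttab line and its /etc/fstab line agree (bare mapper name, the encrypted device rather than the mount point, fstab mounting the mapper node, and a root-only key file), then the same steps run against a loopback image so they can be tried without a spare partition. The function names, the LUKS_DEMO switch, the /tmp paths and the passphrases are assumptions of the example; secretDisk, /dev/sdb1 and the mount point come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
#  1. crypttab_check: sanity-checks one /etc/crypttab line against its
#     /etc/fstab line (pure shell, no root needed).
#  2. luks_demo: the post's steps on a throwaway loop device with key files,
#     a second key slot (luksAddKey) and luksDump. Needs root and cryptsetup,
#     so it only runs when LUKS_DEMO=1 is set (assumed switch).

# crypttab_check "<crypttab line>" "<fstab line>"
# Returns 0 if the pair is consistent, 1 with a message on stderr otherwise.
crypttab_check() {
    ct_line=$1
    fs_line=$2

    set -- $ct_line                        # crypttab: name device [keyfile]
    ct_name=$1 ct_src=$2 ct_key=${3:-none}
    set -- $fs_line                        # fstab: device mountpoint fstype ...
    fs_dev=$1 fs_mnt=$2

    case "$ct_name" in
        */*) echo "crypttab: first field is the bare mapper name, not '$ct_name'" >&2
             return 1 ;;
    esac
    case "$ct_src" in
        /dev/*|UUID=*|PARTUUID=*) ;;
        *) echo "crypttab: second field must be the encrypted block device, got '$ct_src'" >&2
           return 1 ;;
    esac
    if [ "$ct_src" = "$fs_mnt" ]; then
        echo "crypttab: second field is the fstab mount point, not the device" >&2
        return 1
    fi
    if [ "$fs_dev" != "/dev/mapper/$ct_name" ]; then
        echo "fstab: must mount /dev/mapper/$ct_name, got '$fs_dev'" >&2
        return 1
    fi
    case "$ct_key" in
        none|-) ;;                         # passphrase prompt at boot
        *)
            if [ ! -f "$ct_key" ]; then
                echo "crypttab: key file '$ct_key' does not exist" >&2
                return 1
            fi
            # Columns 8-10 of "ls -l" are the permission bits for "other".
            if [ "$(ls -ld "$ct_key" | cut -c8-10)" != "---" ]; then
                echo "crypttab: key file '$ct_key' is readable by others" >&2
                return 1
            fi ;;
    esac
    return 0
}

# luks_demo: the post's procedure on a 64 MB loop image (assumed paths);
# everything is removed again at the end.
luks_demo() {
    img=/tmp/luks-demo.img k1=/tmp/luks-demo.key1 k2=/tmp/luks-demo.key2
    name=secretDemo
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    dev=$(losetup --find --show "$img")

    # Key files: root-only, no trailing newline (the whole file is the passphrase).
    (umask 077; printf '%s' 'first-passphrase'  > "$k1"
                printf '%s' 'second-passphrase' > "$k2")

    cryptsetup luksFormat --batch-mode --key-file "$k1" "$dev"   # write LUKS header
    cryptsetup luksOpen --key-file "$k1" "$dev" "$name"          # map /dev/mapper/$name
    mkfs.ext3 -q "/dev/mapper/$name"                             # fs on the mapping

    # Enrol a second key slot: authenticate with k1, store the passphrase from k2.
    cryptsetup luksAddKey --key-file "$k1" "$dev" "$k2"
    cryptsetup luksDump "$dev"                                   # two slots in use now

    # Prove the new slot unlocks the device on its own, then tear down.
    cryptsetup luksClose "$name"
    cryptsetup luksOpen --key-file "$k2" "$dev" "$name"
    cryptsetup luksClose "$name"
    losetup -d "$dev"
    rm -f "$img" "$k1" "$k2"
    echo "loopback LUKS demo finished on $dev"
}

# Constructed input: the post's fstab line with a correct crypttab line, then
# with the mount point wrongly used as the device.
FSTAB_LINE="/dev/mapper/secretDisk /home/safeer/secretDisk ext3 defaults 0 0"
crypttab_check "secretDisk /dev/sdb1 none" "$FSTAB_LINE" && echo "ok: secretDisk /dev/sdb1 none"
crypttab_check "secretDisk /home/safeer/secretDisk none" "$FSTAB_LINE" || echo "rejected, as intended"

if [ "${LUKS_DEMO:-0}" = 1 ]; then
    luks_demo
fi
```

Running the script as a normal user only exercises crypttab_check; "sudo LUKS_DEMO=1 sh luks-demo.sh" additionally runs the loopback demo, which works on its own loop device and never touches /dev/sdb1. The check deliberately treats a key file with any permission bits for "other" as an error, since such a file hands the passphrase to every local user.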