LUKS: Difference between revisions
Line 69: | Line 69: | ||
==Scripts== | ==Scripts== | ||
{ hidden | mount_drives.sh | | {{ hidden | mount_drives.sh | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
#!/bin/bash | #!/bin/bash | ||
Line 87: | Line 87: | ||
mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1 | mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1 | ||
</syntaxhighlight> | |||
}} | |||
{{ hidden | unmount_drives.sh | | |||
<syntaxhighlight lang="bash"> | |||
#!/bin/bash | |||
function unmount_luks { | |||
local name=$1 | |||
local mountlocation=$2 | |||
sudo umount "$mountlocation" | |||
sudo cryptsetup close "$name" | |||
sudo rm -r "$mountlocation" | |||
} | |||
unmount_luks lukscrypt1 /media/lukscrypt1 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
==Resources== | ==Resources== | ||
* [https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/ nixCraft How To Linux Hard Disk Encryption With LUKS] | * [https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/ nixCraft How To Linux Hard Disk Encryption With LUKS] |
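Review bot: in the added unmount_luks, `sudo rm -r "$mountlocation"` runs even when `sudo umount "$mountlocation"` has failed (for example because the filesystem is busy), and in that case it recursively deletes the files on the still-mounted volume. Chain the three commands with `&&` and use `rmdir`, which only removes an empty directory. The added `{{ hidden | unmount_drives.sh |` also has no closing `}}` visible after its `</syntaxhighlight>`, unlike the mount_drives.sh block, which gains one in this revision.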
Revision as of 22:03, 27 July 2020
LUKS encryption
Getting Started
See Archwiki: dm-crypt/Device encryption.
Encrypting a device
- Set up encryption
cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
  --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
- Open encrypted drive
cryptsetup open <device> <name>
- Create a filesystem
mkfs.fstype /dev/mapper/<name>
# E.g.
# mkfs.ext4 /dev/mapper/luksdrive1
- Securely wipe the unused portion of the drive
  - Do this to prevent cryptographic attacks and to overwrite existing data on the drive
dd if=/dev/zero of=<file_somewhere> status=progress
# Delete the file afterwards
- Notes
  - You can see defaults using cryptsetup --help.
  - --type options
    - luks defaults to luks1 on cryptsetup < 2.1.0, luks2 on cryptsetup >= 2.1.0
    - luks1 is the standard version of LUKS.
    - luks2 is a new version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
    - plain is dm-crypt plain mode. Avoid this unless you know what you're doing.
    - loopaes: Avoid this as well.
    - tcrypt: Use this for mounting older truecrypt volumes.
defaults
defaults on Ubuntu 18.04
Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
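Added example, not part of the original page: because the compiled-in defaults differ from the luksFormat options used above, it is worth confirming what actually ended up in the header. This script reads the LUKS1 on-disk header fields directly; the function names and the sample header are constructed for illustration.

```shell
#!/bin/bash
# LUKS1 header fields used here (offset, length; integers are big-endian):
#   magic 0,6   version 6,2   cipher-name 8,32   cipher-mode 40,32
#   hash-spec 72,32   payload-offset 104,4   key-bytes 108,4

# hex_at FILE OFFSET LEN: the bytes as lowercase hex without separators
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# str_at FILE OFFSET LEN: a NUL-padded text field
str_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# luks_header_summary FILE: prints "not-luks", "luks2" or the LUKS1 parameters
luks_header_summary() {
    local version key_bits
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || { echo "not-luks"; return 1; }
    version=$(printf '%d' "0x$(hex_at "$1" 6 2)")
    if [ "$version" -ne 1 ]; then
        echo "luks$version"   # LUKS2 stores cipher settings in JSON metadata
        return 0
    fi
    key_bits=$(( $(printf '%d' "0x$(hex_at "$1" 108 4)") * 8 ))
    echo "luks1 $(str_at "$1" 8 32)-$(str_at "$1" 40 32) key-bits=$key_bits hash=$(str_at "$1" 72 32)"
}

# pad TEXT LEN: TEXT followed by NUL bytes up to LEN (used for the sample only)
pad() {
    printf '%s' "$1"
    dd if=/dev/zero bs=1 count=$(( $2 - ${#1} )) 2>/dev/null
}

# make_sample_header FILE VERSION: constructed header, VERSION is 1 or 2
make_sample_header() {
    {
        printf 'LUKS\272\276\000'; printf "\\00$2"
        pad aes 32; pad xts-plain64 32; pad sha512 32
        printf '\000\000\020\000'   # payload offset: 4096 sectors
        printf '\000\000\000\100'   # key bytes: 64, i.e. 512 bits
    } > "$1"
}

# Demo on the constructed sample
tmp=$(mktemp); make_sample_header "$tmp" 1; luks_header_summary "$tmp"; rm -f "$tmp"
```

On a real device the function needs read access to the block device; `cryptsetup luksDump <device>` reports the same fields.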
Mounting
# Open the encrypted drive
cryptsetup open <device> <name>
# Mount your partition
mount -t <fstype> /dev/mapper/<name> <mountlocation>
Unmounting
# Unmount your partition
umount <mountlocation>
# Close the decrypted drive
cryptsetup close <name>
Scripts
mount_drives.sh
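#!/bin/bash
# Open a LUKS device (if it is not already open) and mount it.
function mount_luks {
  local fstype=$1
  local device=$2
  local name=$3
  local mountpoint=$4
  # Only open the device if the mapping does not exist yet
  if [ ! -b /dev/mapper/"$name" ]
  then
    # Stop here if the passphrase is wrong or the device is missing
    sudo cryptsetup open "$device" "$name" || return 1
  fi
  sudo mkdir -p "$mountpoint"
  sudo mount -t "$fstype" /dev/mapper/"$name" "$mountpoint"
}
mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1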
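unmount_drives.sh
#!/bin/bash
# Unmount the filesystem, close the LUKS mapping and remove the mount point.
function unmount_luks {
  local name=$1
  local mountlocation=$2
  # Stop at the first failure: if umount fails the volume is still mounted,
  # and removing the mount point recursively would delete its contents.
  sudo umount "$mountlocation" &&
    sudo cryptsetup close "$name" &&
    sudo rmdir "$mountlocation"
}
unmount_luks lukscrypt1 /media/lukscrypt1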