Difference between revisions of "LUKS"

From David's Wiki
Line 22: Line 22:
 
# mkfs.ext4 /dev/mapper/luksdrive1
 
# mkfs.ext4 /dev/mapper/luksdrive1
 
</pre>
 
</pre>
 +
 +
* Securely wipe the unused portion of the drive
 +
** Do this to prevent cryptographic attacks and to overwrite existing data on the drive
 +
<pre>
 +
dd if=/dev/zero of=<file_somewhere> status=progress
 +
# Delete the file afterwards
 +
</pre>
 +
 +
 +
;Notes
 +
* You can see defaults using <code>cryptsetup --help</code>.
 +
* <code>--type</code>
 +
**
 +
 +
{{ hidden | defaults |
 +
defaults on Ubuntu 18.04
 +
<pre>
 +
Default compiled-in device cipher parameters:
 +
loop-AES: aes, Key 256 bits
 +
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
 +
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
 +
</pre>
 +
}}
  
 
===Mounting===
 
===Mounting===
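
Review bot: the added step "dd if=/dev/zero of=<file_somewhere> status=progress" does not say where <file_somewhere> has to live. The wipe only does what the bullet above it claims if the file is written on the mounted /dev/mapper filesystem, and this step sits before the ===Mounting=== section, so a reader working top to bottom has nothing mounted yet. Suggest stating that the file goes on the mounted encrypted filesystem and that dd is expected to stop when the filesystem is full, and adding a bs= value, since dd's default 512-byte block size makes a whole-drive fill very slow. Separately, the "* <code>--type</code>" note is followed by an empty "**" bullet: either fill in what --type does or drop the entry.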

Revision as of 23:57, 25 July 2020

LUKS encryption

Getting Started

See ArchWiki: dm-crypt/Device encryption.

Encrypting a device

  • Setup encryption
cryptsetup -v --type luks --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
           --iter-time 3000 --use-urandom --verify-passphrase luksFormat <device>
  • Open encrypted drive
cryptsetup open <device> <name>
  • Create a filesystem
mkfs.fstype /dev/mapper/<name>
# E.g.
# mkfs.ext4 /dev/mapper/luksdrive1
  • Securely wipe the unused portion of the drive
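    • Do this to prevent cryptographic attacks and to overwrite existing data on the drive
    • Write the file on the mounted encrypted filesystem (see Mounting) and let dd run until the filesystem is full, so that the free space ends up holding ciphertext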
dd if=/dev/zero of=<file_somewhere> status=progress
# Delete the file afterwards


Notes
  • You can see defaults using cryptsetup --help.
  • --type

defaults on Ubuntu 18.04

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
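
To confirm that a device carries the parameters from the luksFormat command above rather than the compiled-in defaults listed here, its header can be dumped and compared. The script below is an added example, not part of the original wiki page; it assumes the LUKS1 luksDump layout, and check_luks1_header, field_ok and the sample dump are names and data made up for this illustration.

```shell
#!/bin/sh
# Added example: check a LUKS1 header dump against the luksFormat parameters above.
# Real use (as root): cryptsetup luksDump <device> | check_luks1_header

WANT_CIPHER="aes-xts-plain64"   # --cipher
WANT_KEY_BITS="512"             # --key-size
WANT_HASH="sha512"              # --hash

# field_ok <label> <actual> <expected>: report one field, fail on mismatch.
field_ok() {
    if [ "$2" = "$3" ]; then
        echo "OK       $1: $2"
    else
        echo "MISMATCH $1: got '${2:-missing}', expected '$3'"
        return 1
    fi
}

# Reads luksDump text (LUKS1 layout, an assumption) on stdin; returns 0 only if
# all fields match. The body runs in a subshell so its variables stay local.
check_luks1_header() (
    name="" mode="" hash="" bits="" rc=0
    while IFS=: read -r key value; do
        value=$(printf '%s' "$value" | tr -d '[:space:]')   # values are padded
        case "$key" in
            "Cipher name") name=$value ;;
            "Cipher mode") mode=$value ;;
            "Hash spec")   hash=$value ;;
            "MK bits")     bits=$value ;;
        esac
    done
    field_ok "cipher"   "${name}-${mode}" "$WANT_CIPHER"   || rc=1
    field_ok "key size" "$bits"           "$WANT_KEY_BITS" || rc=1
    field_ok "hash"     "$hash"           "$WANT_HASH"     || rc=1
    return "$rc"
)

# Constructed sample: header of a device formatted with the compiled-in LUKS1
# defaults listed above (256-bit key, sha256) instead of the requested values.
sample_default_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
EOF
}
```

Running sample_default_dump | check_luks1_header reports the key size and hash as mismatches, which is what a device formatted without the explicit options would show.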

Mounting

# Open the encrypted drive
cryptsetup open <device> <name>
# Mount the filesystem
mount -t <fstype> /dev/mapper/<name> <mountlocation>

Unmounting

# Unmount the filesystem
umount <mountlocation>
# Close the decrypted drive
cryptsetup close <name>

Resources