Difference between revisions of "LUKS"

From David's Wiki
Line 66: Line 66:
 
cryptsetup close <name>
 
cryptsetup close <name>
 
</pre>
 
</pre>
 +
 +
==Scripts==
 +
 +
{ hidden | mount_drives.sh |
 +
<syntaxhighlight lang="bash">
 +
#!/bin/bash
 +
 +
function mount_luks {
 +
    local fstype=$1
 +
    local device=$2
 +
    local name=$3
 +
    local mountpoint=$4
 +
    if [ ! -b /dev/mapper/"$name" ]
 +
    then
 +
        sudo cryptsetup open "$device" "$name"
 +
    fi
 +
    sudo mkdir -p "$mountpoint"
 +
    sudo mount -t $fstype /dev/mapper/"$name" "$mountpoint"
 +
}
 +
 +
mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1
 +
</syntaxhighlight>
  
 
==Resources==
 
==Resources==
 
* [https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/ nixCraft How To Linux Hard Disk Encryption With LUKS]
 
* [https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/ nixCraft How To Linux Hard Disk Encryption With LUKS]
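Review bot: in the added mount_luks function, the line "sudo mount -t $fstype /dev/mapper/..." leaves $fstype unquoted while every other expansion in the function is quoted; write it as "$fstype". The function also goes on to mkdir and mount even when "cryptsetup open" fails, so return early if the open does not succeed. The added "{ hidden | mount_drives.sh |" opener has a single brace and no closing line appears among the added lines, so the template looks unterminated; check that it renders as intended.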

Revision as of 18:01, 27 July 2020

LUKS encryption

Getting Started

See Archwiki: dm-crypt/Device encryption.

Encrypting a device

  • Setup encryption
cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
           --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
  • Open encrypted drive
cryptsetup open <device> <name>
  • Create a filesystem
mkfs.fstype /dev/mapper/<name>
# E.g.
# mkfs.ext4 /dev/mapper/luksdrive1
  • Securely wipe the unused portion of the drive
    • Do this to prevent cryptographic attacks and to overwrite existing data on the drive
# <file_somewhere> is a path on the mounted encrypted filesystem; dd stops when the filesystem is full
dd if=/dev/zero of=<file_somewhere> status=progress
# Delete the file afterwards


Notes
  • You can see defaults using cryptsetup --help.
  • --type options
    • luks defaults to luks1 on cryptsetup < 2.1.0, luks2 on cryptsetup >= 2.1.0
    • luks1 is the standard version of LUKS.
    • luks2 is a new version released in Dec 2017. Older versions of GRUB (before 2.06 or June 2020) do not support booting from LUKS2.
    • plain is dm-crypt plain mode. Avoid this unless you know what you're doing.
    • loopaes Avoid this as well.
    • tcrypt Use this for mounting older TrueCrypt volumes.
defaults on Ubuntu 18.04

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
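
To confirm that a volume was formatted with the luksFormat options from this page rather than the compiled-in defaults listed above, the header fields printed by cryptsetup luksDump can be compared against the expected values. This is an added example, not part of the original wiki page; the helper name check_luks1_header and both sample dumps are constructed for illustration.

```bash
#!/bin/bash
# Added example: compare the LUKS1 header fields printed by
# `cryptsetup luksDump <device>` with the luksFormat options used above.
# check_luks1_header is a hypothetical helper name, not part of cryptsetup.

# Reads luksDump output on stdin and prints one line per mismatch.
# Returns 0 when every expected field matches, 1 otherwise.
check_luks1_header() {
    awk -F':[ \t]*' '
        BEGIN {
            bad = 0
            want["Version"]     = "1"
            want["Cipher name"] = "aes"          # --cipher aes-xts-plain64
            want["Cipher mode"] = "xts-plain64"
            want["Hash spec"]   = "sha512"       # --hash sha512
            want["MK bits"]     = "512"          # --key-size 512
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "%s: got %s, expected %s\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "%s: missing from dump\n", k
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: header formatted with the options from this page.
sample_strong() {
    printf 'Version:\t1\nCipher name:\taes\nCipher mode:\txts-plain64\n'
    printf 'Hash spec:\tsha512\nPayload offset:\t4096\nMK bits:\t512\n'
}

# Constructed sample: header formatted with the Ubuntu 18.04 LUKS1 defaults.
sample_default() {
    printf 'Version:\t1\nCipher name:\taes\nCipher mode:\txts-plain64\n'
    printf 'Hash spec:\tsha256\nPayload offset:\t4096\nMK bits:\t256\n'
}

sample_strong  | check_luks1_header && echo "strong sample: OK"
sample_default | check_luks1_header || echo "default sample: does not match"
# Real use: sudo cryptsetup luksDump <device> | check_luks1_header
```

The check covers LUKS1 headers only; luksDump prints LUKS2 headers in a different layout.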

Mounting

# Open the encrypted drive
cryptsetup open <device> <name>
# Mount your partition
mount -t <fstype> /dev/mapper/<name> <mountlocation>

Unmounting

# Unmount your partition
umount <mountlocation>
# Close the decrypted drive
cryptsetup close <name>

Scripts

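mount_drives.sh

#!/bin/bash

# Open a LUKS device (if it is not already open) and mount its filesystem.
# Usage: mount_luks <fstype> <device> <name> <mountpoint>
function mount_luks {
    local fstype=$1
    local device=$2
    local name=$3
    local mountpoint=$4
    # Only open the device if its mapper node does not exist yet
    if [ ! -b /dev/mapper/"$name" ]
    then
        # Stop here if the open fails, e.g. on a wrong passphrase
        sudo cryptsetup open "$device" "$name" || return 1
    fi
    sudo mkdir -p "$mountpoint"
    sudo mount -t "$fstype" /dev/mapper/"$name" "$mountpoint"
}

# Replace <drive> with the drive's entry under /dev/disk/by-id/
mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1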

Resources