
cryptsetup

Postby nadir » Fri Nov 30, 2012 9:19 pm

By fsmithred; I only copied it here so I have it at hand.

This guide assumes that you have some familiarity with using the command line, know how to become root, and know how to partition a drive. (You might not need to partition the drive, but it's better if you know how.)


Preparation


Install cryptsetup with your favorite package manager.
If you're using cryptsetup immediately after installing it (without rebooting first) then also do:

Code:
    modprobe -v dm-mod

I'll assume that the external drive is /dev/sdb, and you're going to encrypt the first partition on the drive (/dev/sdb1). You'll need to replace that with the correct name for your drive. To find out the correct device name for your drive, run one or both of these commands after you plug the drive into your computer. You should check this right before you do the encryption, in case the drive does not get the same name every time you plug it in. (I've seen that happen.)
(as a normal user)

Code:
    dmesg

(as root)

Code:
    fdisk -l

IMPORTANT: The next commands will erase any data on the drive. Do not err.

If there's already data on the drive that you want to keep, you'll need to copy it to another drive first.

You need a linux partition on the drive. If you don't have one already, you can partition the drive with gparted (graphical) or cfdisk (in a terminal) or your favorite partitioning tool. If you've never partitioned a drive, search the web for gparted instructions, and you'll find nice pictures for all the steps. Don't worry about which filesystem format to use now. That'll get done with a command in a later step.


Wipe the drive

There are a couple of considerations here. If you previously had sensitive data on the drive, you need to do something to obscure that data. Deleting it is not enough. You need to overwrite it with something. The fast and easy way is to write zeros to the drive, and the more secure way is to write random data. Using random data will make it so that nobody can tell where the files are on the drive. If you don't do this, your data will still be encrypted, but anyone trying to decrypt the data will have less work to do. And if you have more than one partition, moving the data from the unencrypted partition to the encrypted one is not good enough. You'd still need to wipe the data that was on the unencrypted part.

You can just overwrite a partition, or you could overwrite the entire drive. If you do the latter, you'll need to repartition the drive afterward. To overwrite an entire drive, leave the partition number off of the device name in one of the following dd commands (e.g. /dev/sdb instead of /dev/sdb1).

Writing zeros to a partition (faster, less secure):

Code:
    dd if=/dev/zero of=/dev/sdb1

Writing random data (slower, more secure):

Code:
    dd if=/dev/urandom of=/dev/sdb1

This will take a while. If the partition is measured in hundreds of gigabytes, find something else to do until tomorrow, or maybe longer. (Not kidding.)

Create an encrypted volume

(as root):

Code:
    cryptsetup luksFormat /dev/sdb1

You'll be asked for a pass phrase at this point. Make sure you remember it. There's no way to retrieve or change a lost pass phrase.

Open the encrypted volume:

Code:
    cryptsetup luksOpen /dev/sdb1 <name>

<name> is a temporary name you give to the partition. It only exists until you close the volume. Avoid special characters and spaces.

Create a filesystem:

Code:
    mke2fs -t ext4 /dev/mapper/<name>

You can use ext3 if you prefer, or even ext2 if it's a small thumb drive.

Mount the filesystem:

Code:
    mount /dev/mapper/<name> /mnt

/mnt could be any mountpoint you want.

Give yourself ownership of the filesystem:

Code:
    chown -R user:user /mnt

where "user" is your user name.

You can now copy files to the encrypted drive.

When you're finished, unmount the drive and close the encrypted volume.

Code:
    umount /mnt
    cryptsetup luksClose <name>

You're done.


Using it

Next time you want to use the drive, plug it in. If you're lucky, your desktop environment will pop up a window asking for the pass phrase. Then you can mount/unmount it with a file manager. (Usually by right-clicking on the icon for the drive.)

If you need to do it from the command line, you already know the commands (as root):

Code:
    cryptsetup luksOpen /dev/sdb1 <name>
    mount /dev/mapper/<name> /mnt

Code:
    umount /mnt
    cryptsetup luksClose <name>

nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here
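A guarded version of the wipe-and-format steps in the guide above, added here as an example (it is not fsmithred's text or nadir's post): it refuses to touch a device that is currently mounted, and rejects mapping names with spaces or special characters, which the guide says to avoid. Assumed: GNU dd and cryptsetup are installed, and encrypt_partition runs as root; the two check functions need no root and can read a mounts table from any file you point them at.

```shell
#!/bin/sh
# Guarded wrapper around the guide's wipe and luksFormat steps (added example,
# not fsmithred's text). Assumes GNU dd and cryptsetup; run as root.

# Succeed (return 0) if DEV, or any partition on it, is listed as a mounted
# source in the mounts table (default /proc/mounts; a file path may be given
# as the second argument so the check can be tried without root).
device_is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    # /dev/sdb also matches /dev/sdb1, /dev/sdb2, ... so a whole-disk wipe
    # is refused when any of its partitions is in use
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"
}

# The guide says to avoid special characters and spaces in <name>;
# accept only letters, digits, underscore and dash.
luks_mapping_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# encrypt_partition DEV NAME [FSTYPE]: the destructive steps, in the guide's
# order, run only after the checks pass. Prompts for the passphrase twice
# (luksFormat, then luksOpen) exactly like the manual procedure.
encrypt_partition() {
    dev="$1"; name="$2"; fs="${3:-ext4}"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if device_is_mounted "$dev"; then
        echo "$dev (or a partition on it) is mounted; refusing to wipe it" >&2
        return 1
    fi
    luks_mapping_name_ok "$name" || { echo "bad mapping name: $name" >&2; return 1; }
    # random wipe; dd stops with "No space left on device" at the end of the
    # partition, which is the expected way for it to finish
    dd if=/dev/urandom of="$dev" bs=4M conv=fsync status=progress || true
    cryptsetup luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mke2fs -t "$fs" "/dev/mapper/$name"
    cryptsetup luksClose "$name"
}

# Only runs the destructive path when explicitly asked, e.g.
#   ENCRYPT_TARGET=/dev/sdb1 ENCRYPT_NAME=backup sh thisscript.sh
if [ -n "${ENCRYPT_TARGET:-}" ]; then
    encrypt_partition "$ENCRYPT_TARGET" "${ENCRYPT_NAME:-cryptdisk}"
fi
```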

Re: cryptsetup

Postby dzz » Sat Dec 01, 2012 3:53 pm

Thanks nadir, a good reference.

Note you can also use a LUKS loopback file without needing to repartition a disk. I mostly use ext2 because flash drives get hammered less. The file can be copied and used in other places, even a FAT-formatted flash drive.

Here's a script I use to make one (because I can never remember each step):

Code:
#!/bin/bash
# Create a LUKS-encrypted filesystem inside an ordinary file (a loopback container).
set -e

###### editable ########

# size in MB
SIZE="500"

LUKS_FILENAME="luks-data"

LUKSMOUNTPOINT="/media/luksmount"

FILESYSTEM="ext2"

#######################

mkdir -p "$LUKSMOUNTPOINT" && chown 1000:1000 "$LUKSMOUNTPOINT"

# allocate the container file, zero-filled
dd if=/dev/zero of="$LUKS_FILENAME" bs=1M count="$SIZE" && chown 1000:1000 "$LUKS_FILENAME"

# attach the file to the next free loop device
LOOPDEV=$(losetup -f)
losetup "$LOOPDEV" "$LUKS_FILENAME"

# asks for the passphrase; the mapping is named after the file
cryptsetup luksFormat "$LOOPDEV"
cryptsetup luksOpen "$LOOPDEV" "$LUKS_FILENAME"

mkfs."$FILESYSTEM" "/dev/mapper/$LUKS_FILENAME"

# luksClose takes the mapping name, not the loop device
cryptsetup luksClose "$LUKS_FILENAME"

losetup -d "$LOOPDEV"

To use it in future, simply:

Code:
# become root first (su)

# find the next available loop device (usually /dev/loop0 but might not be)
losetup -f

losetup /dev/loop_whatever path_to_luks_filename

then use it as nadir says, from /dev/loop_whatever
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: cryptsetup

Postby dzz » Sun Feb 10, 2013 6:12 pm

pmount 0.9.99-alpha-1 in experimental can now mount image files, without root. LUKS ones as well. It even installs in squeeze with no extra deps. A simple manual tweak of pmount.conf and pmount.allow is needed because of losetup permissions.

"loopback files" can be rather useful as (unlike entire partitions) they are easily transferable and can be used from removables with any FS format.

Code:
# prompt for key then mount it on, e.g. /media/zzz
pmount path/to/file zzz

This has been stuck in experimental quite a long time probably because of wheezy freeze.

BTW pmount (>= squeeze) can already open actual LUKS partitions on removables or (depending on what is in pmount.allow) fixed disks.
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England
