LUKS can be used for seamless full-drive encryption under Linux and, in combination with dm-crypt and cryptsetup, encrypting a drive is fairly straightforward.
cryptsetup under Debian can be installed with:
aptitude install cryptsetup
Depending on the required balance between speed and security, you probably want to run:
cryptsetup benchmark
in order to benchmark the available ciphers and pick whatever is suitable.
Supposing that the partition you want to encrypt is located at /dev/sdb1, you would issue:
cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --iter-time 8000 --use-urandom --verify-passphrase luksFormat /dev/sdb1
This will wipe the partition and set up LUKS. You can pick the cipher, key size, hash, etc. Note that XTS mode splits the key in two halves, so --key-size 512 yields a 256-bit Serpent key, which is the largest Serpent accepts; a larger value is rejected for serpent-xts.
Now that the LUKS volume has been created, you need to open it so that the kernel exposes the decrypted contents as a device-mapper node (this does not mount anything yet). In order to do that, issue:
cryptsetup luksOpen /dev/sdb1 sparse
where:
- /dev/sdb1 is the partition where the LUKS volume has been created,
- sparse is a descriptive name for the mapped device; it will appear as /dev/mapper/sparse.
To create a filesystem after opening the LUKS volume, you now issue:
mkfs.ntfs /dev/mapper/sparse
where:
- /dev/mapper/sparse is the path created by the luksOpen command.
After the filesystem has been created, the easiest of all steps that remain now is to mount the partition:
mount /dev/mapper/sparse /mnt/sparse
and you can use the partition right away.
To clean up and close the LUKS volume, you would have to first unmount the partition:
umount /mnt/sparse
followed by luksClose:
cryptsetup luksClose sparse
In some situations, such as RAID arrays, it may be desirable to expand the filesystem, for instance when a new drive has been added and needs to be used. The procedure is, in order:
- luksOpen: cryptsetup luksOpen /dev/sdb1 sparse
- resize: cryptsetup resize sparse
- resize2fs for ext filesystems, run against the mapped device (/dev/mapper/sparse), not the raw partition.
Now that you have a password set up, you can additionally use a keyfile to avoid having to type the password every time you need to open the LUKS volume and mount the filesystem. Keep in mind that anyone able to read the keyfile can open the volume, so this only makes sense when the filesystem holding the key (here, the root filesystem) is itself protected and the file is readable by root only.
The following command:
dd bs=1024 count=8 if=/dev/urandom of=/etc/store/sparse.key
will generate an 8 KiB random keyfile at /etc/store/sparse.key.
A copy of this keyfile can then be stored somewhere else securely; losing both the keyfile and the passphrase means losing access to the data.
With the keyfile generated, it has to be added to the volume as a valid key in a free LUKS key slot. This can be done by issuing:
cryptsetup luksAddKey /dev/sdb1 /etc/store/sparse.key
and you will be prompted for an existing passphrase to authorize the new key.
To check that the keyfile is working, issue:
cryptsetup luksOpen /dev/sdb1 sparse --key-file /etc/store/sparse.key
and the volume should be opened and available at /dev/mapper/sparse (not yet mounted).
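The keyfile step above is where permission mistakes happen: a keyfile readable by anyone on the machine gives away the volume. The following POSIX shell functions are an added example (not from the original page) that generate the same 8 KiB keyfile as the dd command and check its size and mode before luksAddKey enrols it. They assume a Linux stat supporting -c %a and cryptsetup's default 8 MiB keyfile limit; add_keyfile needs root and a real LUKS device.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the keyfile with
# root-only permissions and sanity-check it before luksAddKey enrols it.
set -eu

# make_keyfile <path>: 8 KiB from /dev/urandom (same as the dd command on the
# page), created under umask 077 in a subshell so it is never group/world
# readable, then locked down to 0400.
make_keyfile() {
    path=$1
    ( umask 077; dd bs=1024 count=8 if=/dev/urandom of="$path" 2>/dev/null )
    chmod 0400 "$path"
}

# check_keyfile <path>: non-empty, within cryptsetup's default 8 MiB keyfile
# limit, and mode 0400 or 0600. Returns 1 with a reason on stderr otherwise.
check_keyfile() {
    path=$1
    [ -f "$path" ] || { echo "missing keyfile: $path" >&2; return 1; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -gt 0 ] || { echo "keyfile is empty" >&2; return 1; }
    [ "$size" -le 8388608 ] || { echo "keyfile exceeds 8 MiB" >&2; return 1; }
    mode=$(stat -c %a "$path")          # assumes GNU/busybox stat (Linux)
    case $mode in
        400|600) ;;
        *) echo "keyfile mode is $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# add_keyfile <luks device> <path>: enrol the checked keyfile in a free key
# slot. Needs root and a real LUKS device, so it is not exercised here.
add_keyfile() {
    check_keyfile "$2"
    cryptsetup luksAddKey "$1" "$2"
}
```

Usage: make_keyfile /etc/store/sparse.key followed by add_keyfile /dev/sdb1 /etc/store/sparse.key; the check fails loudly if the file was later chmod'ed open or truncated, which is the situation crypttab would otherwise hit silently at boot.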
To have the partition unlocked on boot, a new entry has to be added in /etc/crypttab:
# <target name> <source device> <key file> <options>
sparse UUID="cf2e23f8-cf0d-4acf-8f88-be4deeaef958" /etc/store/sparse.key
where:
- sparse is the LUKS volume name used in the previous sections.
- cf2e23f8-cf0d-4acf-8f88-be4deeaef958 is obtained by issuing blkid and looking for the UUID of the partition (the entry with TYPE="crypto_LUKS"). A UUID is preferable because kernel device names such as /dev/sdb1 are assigned at boot and may change when disks are added or removed.
- /etc/store/sparse.key is the path to the keyfile created in this section.
The final step is to add the LUKS mounted volume to the good old fstab to have the underlying filesystem mounted on boot:
UUID=0adc7b4e-14b1-4d19-abd1-2e7340f613fc /mnt/sparse ntfs defaults 0 2
Once again, you would have to issue blkid and search for /dev/mapper/sparse. It will be a different UUID than the one for the LUKS volume, because this one identifies the filesystem inside the container rather than the container itself.
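Confusing the two UUIDs is the classic way to get a volume that unlocks at boot but never mounts. As an added example (not from the original page), the POSIX shell functions below read both values out of blkid output and print the matching crypttab and fstab lines, refusing to emit a crypttab entry for a device blkid does not report as crypto_LUKS. The blkid output is constructed to match the page's example UUIDs; the "luks" options field is an assumption, the page's own entry leaves options empty.

```shell
#!/bin/sh
# Added example, not part of the original page: pick the right UUID for
# crypttab (the LUKS container) and for fstab (the filesystem inside it)
# from blkid output, so the two are never confused.
set -eu

# Constructed blkid output for the example system; a real run would use $(blkid).
SAMPLE_BLKID='/dev/sda1: UUID="9a1b2c3d-0000-4000-8000-000000000001" TYPE="ext4" PARTUUID="0001-01"
/dev/sdb1: UUID="cf2e23f8-cf0d-4acf-8f88-be4deeaef958" TYPE="crypto_LUKS" PARTUUID="0002-01"
/dev/mapper/sparse: UUID="0adc7b4e-14b1-4d19-abd1-2e7340f613fc" TYPE="ntfs"'

# field_of <device> <FIELD> [blkid output]: value of FIELD="..." on the line
# for <device>. The leading space in " FIELD=" keeps UUID from matching
# PARTUUID and TYPE from matching PARTTYPE.
field_of() {
    dev=$1; field=$2; out=${3:-$(blkid)}
    printf '%s\n' "$out" | sed -n "s|^$dev:.* $field=\"\([^\"]*\)\".*|\1|p" | head -n 1
}

uuid_of() { field_of "$1" UUID "${2:-}"; }
type_of() { field_of "$1" TYPE "${2:-}"; }

# crypttab_line <name> <luks device> <keyfile> [blkid output]
# Refuses to emit an entry unless blkid actually sees a LUKS header there.
crypttab_line() {
    name=$1; dev=$2; keyfile=$3; out=${4:-}
    [ "$(type_of "$dev" "$out")" = "crypto_LUKS" ] || {
        echo "$dev is not a LUKS container" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$name" "$(uuid_of "$dev" "$out")" "$keyfile"
}

# fstab_line <mapped device> <mount point> [blkid output]
# Uses the filesystem UUID and type reported for /dev/mapper/<name>.
fstab_line() {
    mapped=$1; mnt=$2; out=${3:-}
    printf 'UUID=%s %s %s defaults 0 2\n' \
        "$(uuid_of "$mapped" "$out")" "$mnt" "$(type_of "$mapped" "$out")"
}

# Demo on the constructed output; drop the last argument to query the live system as root.
crypttab_line sparse /dev/sdb1 /etc/store/sparse.key "$SAMPLE_BLKID"
fstab_line /dev/mapper/sparse /mnt/sparse "$SAMPLE_BLKID"
```

Run the fstab_line query only after the volume has been opened, since /dev/mapper/sparse (and its filesystem UUID) does not exist until luksOpen has created it.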