luks cryptsetup linux ubuntu harddisk encryption
Header Backup
https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/
- cryptsetup luksHeaderBackup /dev/md1 --header-backup-file /root/luks-header-md1.backup
- restore with: cryptsetup luksHeaderRestore /dev/md1 --header-backup-file /root/luks-header-md1.backup
- Keep the backup as safe as the passphrases and move it off the machine: it contains every key slot, so a passphrase removed later with luksKillSlot still unlocks a header restored from this backup.
Change a password
- cryptsetup luksDump /dev/sda5
-
Key Slot 0: ENABLED
Key Slot 1: DISABLED
...
-
- (LUKS2 headers list the used slots under "Keyslots:" instead, e.g. "  0: luks2")
Add the new passphrase as second one (slot 1), check it, then kill the first one (slot 0)
- cryptsetup luksAddKey --key-slot 1 /dev/sda5
- cryptsetup luksDump /dev/sda5
- cryptsetup open --test-passphrase /dev/sda5 (type the new passphrase; this only verifies it and maps nothing)
- cryptsetup luksKillSlot /dev/sda5 0 (asks for a passphrase of a remaining slot, i.e. the new one)
- Note: luksRemoveKey picks the slot by the passphrase you type, not by number, so "--key-slot 0" does not select slot 0 there; luksKillSlot removes a slot by number.
- WARNING: IF YOU REMOVE THE LAST KEY THE VOLUME WILL BE INACCESSIBLE!
For automated script usage: do not put the passphrases into exported variables or echo pipes ("export $OLD_LUKS_KEY=foo" even expands the empty variable and fails, and exported values and command lines are readable by other processes via /proc). Put each passphrase into a mode-0600 file without trailing newline (cryptsetup uses the whole file content as the passphrase) and hand the files to cryptsetup:
- cryptsetup luksAddKey --key-file /root/old.key --new-keyfile /root/new.key --key-slot 1 /dev/sda5
- cryptsetup luksKillSlot --key-file /root/new.key /dev/sda5 0
- shred -u /root/old.key /root/new.key
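The passphrase rotation above as an added example script (not from the wiki page): it parses luksDump to make sure slot 0 is in use and slot 1 is free, adds the new passphrase from a key file, proves the new slot unlocks the header, and only then kills slot 0. The device /dev/sda5, the key file paths and the constructed luksDump excerpts are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the wiki's own code: rotate a LUKS passphrase from slot 0
# to slot 1 with the secrets in mode-0600 files instead of exported variables.
# Assumptions: the device, the key file paths and the sample dump texts below.

# Print the numbers of the enabled key slots from luksDump output on stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists slots under "Keyslots:" as
# "  N: luks2" (the "Digests:" section also has "  0: pbkdf2", hence the guard).
luks_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/                 { in_keyslots = 1; next }
        /^[A-Za-z]/                  { in_keyslots = 0 }
        in_keyslots && /^  [0-9]+: luks2/ { sub(":", "", $1); print $1 }
    '
}

# slot_enabled N  (luksDump output on stdin) -> exit 0 if slot N is enabled
slot_enabled() {
    luks_enabled_slots | grep -qx "$1"
}

# rotate_luks_passphrase DEVICE OLD_KEYFILE NEW_KEYFILE
# Key files hold the bare passphrase without a trailing newline: cryptsetup
# uses the whole file content, so a newline would become part of the passphrase.
rotate_luks_passphrase() {
    dev=$1 old=$2 new=$3
    dump=$(cryptsetup luksDump "$dev") || return 1
    printf '%s\n' "$dump" | slot_enabled 0 || { echo "slot 0 is not in use on $dev" >&2; return 1; }
    if printf '%s\n' "$dump" | slot_enabled 1; then
        echo "slot 1 already in use, refusing to overwrite it" >&2; return 1
    fi
    cryptsetup luksAddKey --key-file "$old" --new-keyfile "$new" --key-slot 1 "$dev" || return 1
    # Prove the new slot really unlocks the header before destroying the old one.
    cryptsetup open --test-passphrase --key-file "$new" "$dev" || return 1
    # luksKillSlot removes a slot by number; it needs a passphrase of a remaining slot.
    cryptsetup luksKillSlot --key-file "$new" "$dev" 0
}

# Constructed luksDump excerpts (not real headers) for checking the parser.
LUKS1_DUMP_SAMPLE='LUKS header information for /dev/sda5
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

LUKS2_DUMP_SAMPLE='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Usage: sh rotate.sh /dev/sda5 /root/old.key /root/new.key
case "${1:-}" in
    /dev/*) rotate_luks_passphrase "$1" "$2" "$3" ;;
esac
```

The slot check matters because luksAddKey with --key-slot 1 fails on an occupied slot only after the old passphrase has been read, and a failed rotation must never end with slot 0 killed; the --test-passphrase step is the same safety net before luksKillSlot.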
Encrypt external or separate harddisk
Example for /dev/sdd (use "blkid" or "lsblk" to find the right harddisk; double-check, the following steps destroy everything on it)
- Delete partition table (make it like factory new)
- wipefs --all /dev/sdd
- or
- sgdisk --zap-all /dev/sdd
- (dd if=/dev/zero of=/dev/sdd bs=512 count=1 only clears the MBR; the GPT backup header at the end of the disk survives, so prefer wipefs or sgdisk. If the disk already carried a LUKS volume, run cryptsetup luksErase on it first: wipefs removes the signature but not the key material.)
- cfdisk /dev/sdd
- gpt
- create linux partition, full space
- or
- sgdisk --clear /dev/sdd
- sgdisk --new=1 --change-name 1:"my_partition" /dev/sdd
- cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 512 /dev/sdd1
- Note: XTS uses half of the key for each of its two AES keys, so --key-size 256 gives AES-128 and --key-size 512 gives AES-256; current cryptsetup defaults to LUKS2 with aes-xts-plain64 and 512 bits anyway.
Open encrypted harddisk
- cryptsetup luksOpen /dev/sdd1 my-external-disk
- ls -la /dev/mapper
- blkid /dev/mapper/my-external-disk
-
/dev/mapper/my-external-disk: LABEL="my-external-disk" UUID="....
-
- mount /dev/mapper/my-external-disk /mnt (only if the volume already has a filesystem; see "Create filesystem" below for a new disk)
- If lvm @see https://www.ullright.org/ullWiki/edit/lvm-cheatsheet
Close encrypted harddisk
- cryptsetup luksClose my-external-disk
Create filesystem on opened harddisk
For example "ext4"
- mkfs.ext4 /dev/mapper/my-external-disk
- mount /dev/mapper/my-external-disk /mnt
Auto Decrypt Harddisk upon Boot
- mkdir -m 700 /root/.keyfiles
- dd if=/dev/urandom of=/root/.keyfiles/my-external-disk.key bs=1024 count=4
- chmod 400 /root/.keyfiles/my-external-disk.key
- cryptsetup luksAddKey /dev/sdd1 /root/.keyfiles/my-external-disk.key
- blkid -> note the UUID of /dev/sdd1 (the crypto_LUKS one, not the UUID of the filesystem inside)
- vi /etc/crypttab
-
my-external-disk_crypt UUID=26d5247e-4358-4089-a4cc-f2f9c37b05be /root/.keyfiles/my-external-disk.key luks,discard
-
- "discard" passes TRIM through to the disk, which reveals which blocks are unused; leave it out if that matters more than SSD wear/performance.
- The key file sits on the unencrypted root filesystem, so this only protects the external disk when it is separated from the server.
- mkdir /my-external-disk
- vi /etc/fstab
-
# my-external-disk
/dev/mapper/my-external-disk_crypt /my-external-disk ext4 defaults,noatime 0 2
-
- Test without rebooting: cryptdisks_start my-external-disk_crypt && mount /my-external-disk
Auto Decrypt Harddisk on a headless, encrypted Server via SSH
Scenario:
my-encrypted-server: A headless server with an encrypted harddisk "my-external-disk". Its root filesystem is not encrypted, so the boot script and the SSH private key below sit on plain disk; the setup protects the external disk only as long as my-unlock-server refuses or revokes the key once the server is reported stolen.
my-unlock-server: A secure secondary server which provides the decryption key
@my-encrypted-server
- create ssh key as root (rc.local runs as root); leave the key passphrase empty, otherwise the unattended unlock cannot use it
- ssh-keygen -t rsa -b 4096 -o -a 64
- cat ~/.ssh/id_rsa.pub
- copy to clipboard
@my-unlock-server
- adduser unlock-luks
- vi /home/unlock-luks/.ssh/authorized_keys
- paste key from above
- prepend to the key; this restricts the key to the IP of my-encrypted-server (replace the placeholder) and to this one command, so even someone holding the private key can only read this key file
- restrict,from=111.222.333.444,command="cat ~/.keyfiles/my-encrypted-server_my-external-disk.key"
- sudo -u unlock-luks mkdir /home/unlock-luks/.keyfiles
- sudo -u unlock-luks dd if=/dev/urandom of=/home/unlock-luks/.keyfiles/my-encrypted-server_my-external-disk.key bs=1024 count=4
- chmod o-rwx /home/unlock-luks/.keyfiles -R
@my-encrypted-server
- blkid
- /dev/sdd1: UUID="204c6379-f0ca-43ff-a0dd-f862528b5931" TYPE="crypto_LUKS" PARTUUID="411379ab-0b35-4f4c-9a51-bfe890c6f261"
- Fetch the key through the forced command and add it to the LUKS header. sshfs does not work once the command= restriction is in place, because it replaces the sftp subsystem with "cat"; a plain ssh call prints the key file instead. The first call also records the unlock server's host key in /root/.ssh/known_hosts, which the boot script relies on.
- ssh unlock-luks@my-unlock-server > /root/tmp.key
- cryptsetup luksAddKey /dev/sdd1 /root/tmp.key
- shred -u /root/tmp.key
- cryptsetup luksClose my-external-disk
- vi /etc/rc.local
-
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.

# Fetch the key from the unlock server and feed it to cryptsetup on stdin
# (-d - reads the key file from stdin). The disk is addressed by its LUKS UUID
# so a renumbered /dev/sdX does not matter; BatchMode makes ssh fail instead of
# hanging on a password or host-key prompt.
ssh -o BatchMode=yes unlock-luks@my-unlock-server | cryptsetup luksOpen /dev/disk/by-uuid/204c6379-f0ca-43ff-a0dd-f862528b5931 my-external-disk -d -
mount /dev/mapper/my-external-disk /my-external-disk

exit 0
-
- chmod 700 /etc/rc.local
- On systemd based releases rc.local only runs while rc-local.service is enabled (check with systemctl status rc-local)
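A more defensive variant of the unlock step, as an added example script (not the wiki's own rc.local): it retries the fetch because the network is often not up yet when rc.local runs, refuses to hand anything but a full-size key to cryptsetup, keeps the key only on tmpfs, and addresses the disk by UUID. The account, host, UUID, mapper name, mount point and the 4096-byte key size (dd bs=1024 count=4) are assumptions taken from the scenario above.

```sh
#!/bin/sh
# Added example, not the wiki's own rc.local: boot-time unlock for the
# headless-server scenario with the checks an unattended script needs.
# Assumptions: the unlock account/host, the LUKS UUID from the blkid output
# above, the mapper name, the mount point and a key file of exactly 4096 bytes.

UNLOCK_HOST=unlock-luks@my-unlock-server
LUKS_UUID=204c6379-f0ca-43ff-a0dd-f862528b5931
MAPPER=my-external-disk
MOUNTPOINT=/my-external-disk
KEY_BYTES=4096
TRIES=12        # 12 x 5 s: the network may not be up when rc.local runs

# key_is_sane FILE -> succeeds only if FILE is exactly KEY_BYTES long.
# An empty or short file (ssh failed, forced command misconfigured, connection
# dropped mid-transfer) must never be handed to cryptsetup as the key.
key_is_sane() {
    [ -f "$1" ] && [ "$(wc -c < "$1")" -eq "$KEY_BYTES" ]
}

# fetch_key DEST: run the forced command on the unlock server (it only ever
# prints the key file) and store the output in DEST. BatchMode makes ssh fail
# instead of waiting for a password or host-key prompt, so the host key has to
# be in root's known_hosts before the first unattended boot.
fetch_key() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$UNLOCK_HOST" > "$1" && key_is_sane "$1"
}

unlock_and_mount() {
    umask 077                                          # temp key file is root-only
    key=$(mktemp /run/luks-unlock.XXXXXX) || return 1  # /run is tmpfs: never hits disk
    n=0
    until fetch_key "$key"; do
        n=$((n + 1))
        if [ "$n" -ge "$TRIES" ]; then
            rm -f "$key"
            echo "could not fetch the key from $UNLOCK_HOST" >&2
            return 1
        fi
        sleep 5
    done
    # by-uuid instead of /dev/sdd1: the kernel may number the disks differently
    cryptsetup open --key-file "$key" "/dev/disk/by-uuid/$LUKS_UUID" "$MAPPER"
    rc=$?
    rm -f "$key"
    [ "$rc" -eq 0 ] && mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# Call from /etc/rc.local (or a oneshot systemd unit) as: sh /root/unlock.sh --unlock
case "${1:-}" in
    --unlock) unlock_and_mount ;;
esac
```

The length check is the cheap sanity test for a random key file; with a passphrase-style key it would have to be adapted, but the principle stands: an unlock script must fail closed on an empty stream rather than let cryptsetup try it.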
Get crypt partition/device for root filesystem
- lsblk --ascii --output='NAME,FSTYPE,MOUNTPOINT' | grep '/$' --before-context=2 | grep crypto_LUKS | tail --lines=1 | cut --characters='3-' | cut --delimiter=' ' --fields=1
Remove Luks Swap
- swapoff -a
- cryptsetup luksClose <mapping name from /etc/crypttab, e.g. cryptswap1> (swap is never mounted, so there is nothing to umount; close the dm-crypt mapping instead)
- vi /etc/crypttab
- remove or comment out the swap entry, otherwise it is set up again at boot
- vi /etc/fstab
- remove or comment out swap entry
- lvremove /dev/mapper/crypt-swap_1 (only if swap lived on an LVM logical volume; check the stack with "lsblk")
- vi /etc/initramfs-tools/conf.d/resume
- RESUME=
- update-initramfs -u
TODO: checkout "cryptsetup remove cryptswap1"
Mount encrypted kvm qcow2 image
- modprobe nbd max_part=8
- qemu-nbd --connect=/dev/nbd0 vaultfish-root.qcow2
- fdisk -l /dev/nbd0
-
/dev/nbd0p1 * 2048 1499135 1497088 731M 83 Linux
/dev/nbd0p2 1501182 20969471 19468290 9.3G 5 Extended
/dev/nbd0p5 1501184 20969471 19468288 9.3G 83 Linux
-
- cryptsetup luksOpen /dev/nbd0p5 foo (luksDump only prints the header; luksOpen maps the decrypted payload to /dev/mapper/foo)
- vgchange -ay crypt (the payload is an LVM physical volume; activating its volume group creates the logical volumes under /dev/mapper. The VG is named "crypt" here, as /dev/mapper/crypt-root shows; without a name vgchange activates every VG it finds. A guest VG with the same name as a host VG has to be renamed first with vgrename by its UUID.)
- blkid
- ...
/dev/nbd0p1: UUID="f852180e-dc37-4767-ab95-aabde55cfd1a" TYPE="ext4" PARTUUID="2ee1b789-01"
/dev/nbd0p5: UUID="4406d63e-ab16-4dca-b913-1f6cd7edc040" TYPE="crypto_LUKS" PARTUUID="2ee1b789-05"
/dev/mapper/foo: UUID="ihhKBo-v3ML-BTZI-c1Q7-yuEW-LxIR-9QLVFH" TYPE="LVM2_member"
/dev/mapper/crypt-root: UUID="d3f17767-d65e-4ace-b1e2-bc32a0c54dc6" TYPE="ext4"
...
- mount /dev/mapper/crypt-root /mnt
- ...
- Tear down in reverse order; disconnecting the nbd device while LVM and LUKS mappings still sit on top leaves stale device-mapper entries:
- umount /mnt
- vgchange -an crypt
- cryptsetup luksClose foo
- qemu-nbd --disconnect /dev/nbd0
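The whole mount/unmount sequence as an added example script (not from the wiki page): it finds the LUKS partition on the image instead of hard-coding p5, derives the VG to activate from the device-mapper name, and tears every layer down on exit even when a step fails half-way. The image name, /dev/nbd0, the LUKS mapping name "foo" and the root LV appearing as /dev/mapper/crypt-root are assumptions taken from the listing above.

```sh
#!/bin/sh
# Added example, not the wiki's own code: mount the root filesystem inside an
# encrypted qcow2 image (LUKS -> LVM -> ext4) and undo every layer on exit.
# Assumptions: /dev/nbd0 is free, the LUKS mapping is called "foo", and the
# root LV shows up as /dev/mapper/<vg>-<lv>, e.g. crypt-root.

NBD=/dev/nbd0
LUKS_NAME=foo
VG=
MNT=

# dm_lvm_name_split NAME -> "vg lv"
# device-mapper names for LVM are <vg>-<lv> with every hyphen inside a VG or
# LV name doubled: "crypt-root" is VG crypt / LV root, but "ubuntu--vg-swap_1"
# is VG ubuntu-vg / LV swap_1. A plain split on "-" gets the second one wrong.
dm_lvm_name_split() {
    printf '%s\n' "$1" | awk '{
        gsub(/--/, "\001")                      # protect escaped hyphens
        n = index($0, "-")
        if (n == 0) exit 1                      # not a <vg>-<lv> name
        vg = substr($0, 1, n - 1); lv = substr($0, n + 1)
        gsub("\001", "-", vg); gsub("\001", "-", lv)
        print vg " " lv
    }'
}

# Undo in reverse order; every step is best-effort so a partial setup is cleaned too.
cleanup() {
    [ -n "$MNT" ] && mountpoint -q "$MNT" 2>/dev/null && umount "$MNT"
    [ -n "$VG" ] && vgchange -an "$VG" >/dev/null 2>&1
    [ -e "/dev/mapper/$LUKS_NAME" ] && cryptsetup close "$LUKS_NAME"
    qemu-nbd --disconnect "$NBD" >/dev/null 2>&1
    return 0
}

# mount_encrypted_qcow2 IMAGE ROOT_DM_NAME MOUNTPOINT
mount_encrypted_qcow2() {
    image=$1 root_dm=$2 MNT=$3
    vg_lv=$(dm_lvm_name_split "$root_dm") || { echo "$root_dm is not a <vg>-<lv> name" >&2; return 1; }
    VG=${vg_lv% *}
    trap cleanup EXIT
    modprobe nbd max_part=8 || return 1
    qemu-nbd --connect="$NBD" "$image" || return 1
    udevadm settle
    # locate the LUKS partition instead of hard-coding nbd0p5
    part=$(blkid -t TYPE=crypto_LUKS -o device "$NBD"p* 2>/dev/null | head -n 1)
    [ -n "$part" ] || { echo "no LUKS partition in $image" >&2; return 1; }
    cryptsetup open "$part" "$LUKS_NAME" || return 1     # asks for the passphrase
    # The decrypted payload is an LVM PV. A guest VG named like a host VG cannot
    # be activated this way; rename it first (vgrename by UUID).
    vgchange -ay "$VG" >/dev/null || return 1
    mount "/dev/mapper/$root_dm" "$MNT"
}

# Usage: sh mount-qcow2.sh vaultfish-root.qcow2 crypt-root /mnt
# The image stays mounted until Enter is pressed; the EXIT trap then tears it down.
case "${1:-}" in
    *.qcow2) mount_encrypted_qcow2 "$1" "$2" "$3" && { echo "mounted on $3, press Enter to tear down"; read _; } ;;
esac
```

The name decoding is the part people get wrong by hand: on a stock Ubuntu guest the root LV appears as /dev/mapper/ubuntu--vg-root, and "vgchange -an ubuntu" fails because the VG is really ubuntu-vg.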