luks cryptsetup linux ubuntu harddisk encryption

https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/

Change a password

• cryptsetup luksDump /dev/sda5
  • Key Slot 0: ENABLED
    Key Slot 1: DISABLED
    ...

Add new password as second one (1) and then delete first one (0)

• cryptsetup luksAddKey --key-slot 1 /dev/sda5
• cryptsetup luksDump /dev/sda5
• cryptsetup luksRemoveKey --key-slot 0 /dev/sda5
  • WARNING: IF YOU REMOVE THE LAST KEY VOLUME WILL BE INACCESSIBLE!

Encrypt external or separate harddisk

Example for /dev/sdd (use "blkid" to find the right harddisk)

• Delete partition table (make it like factory new)
  • dd if=/dev/zero of=/dev/sdd bs=512 count=1
• cfdisk /dev/sdd
  • gpt
  • create linux partition, full space
• cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/sdd1

Open encrypted harddisk

• cryptsetup luksOpen /dev/sdd1 my-external-disk
• ls -la /dev/mapper

  • /dev/mapper/my-external-disk: LABEL="my-external-disk" UUID="....

Create filesystem on opened harddisk

For example "ext4"

• mkfs.ext4 /dev/mapper/my-external-disk
• mount /dev/mapper/my-external-disk /mnt

Auto Decrypt Harddisk upon Boot

• mkdir /root/.keyfiles
• dd if=/dev/urandom of=/root/.keyfiles/my-external-disk.key bs=1024 count=4
• chmod 400 /root/.keyfiles/my-external-disk.key
• cryptsetup luksAddKey /dev/sdd1 /root/.keyfiles/my-external-disk.key
• blkid -> note uuid
• vi /etc/crypttab

  • my-external-disk_crypt UUID=26d5247e-4358-4089-a4cc-f2f9c37b05be /root/.keyfiles/my-external-disk.key luks,discard

• mkdir /my-external-disk

• vi /etc/fstab

  • # my-external-disk

    /dev/mapper/my-external-disk_crypt /my-external-disk ext4 defaults,noatime 0 2

Auto Decrypt Harddisk on a headless, encrypted Server via SSH

Szenario:

my-encrypted-server: A headless server with an encrypted harddisk "my-external-disk"

my-unlock-server: A secure secondary server which provides the decryption key

@my-encrypted-server

• create ssh key
  • ssh-keygen -t rsa -b 4096 -o -a 64
  • cat ~/.ssh/id_rsa.pub
    • copy to clipboard

@my-unlock-server

• adduser unlock-luks
• vi /home/unlock-luks/.ssh/authorized_keys
  • paste key from above
  • prepend to the key; this restricts access to this specific ip, and to this specific command
    • restrict,from=111.222.333.444,command="cat ~/.keyfiles/my-encrypted-server_my-external-disk.key"
• sudo -u unlock-luks mkdir /home/unlock-luks/.keyfiles
• sudo -u unlock-luks dd if=/dev/urandom of=/home/unlock-luks/.keyfiles/my-encrypted-server_my-external-disk.key bs=1024 count=4
• chmod o-rwx /home/unlock-luks/.keyfiles -R

@my-encrypted-server

• blkid
  • /dev/sdd1: UUID="204c6379-f0ca-43ff-a0dd-f862528b5931" TYPE="crypto_LUKS" PARTUUID="411379ab-0b35-4f4c-9a51-bfe890c6f261"
• sshfs unlock-luks@my-unlock-server:/home/unlock-luks/.keyfiles /mnt
• cryptsetup luksAddKey /dev/sdd1 /mnt/my-encrypted-server_my-external-disk.key
• cryptsetup luksClose my-external-disk
• umount /mnt

• #!/bin/sh -e
  #
  # rc.local
  #
  # This script is executed at the end of each multiuser runlevel.
  # Make sure that the script will "exit 0" on success or any other
  # value on error.
  
  ssh unlock-luks@my-unlock-server | cryptsetup luksOpen /dev/sdd1 my-external-disk -d -
  mount /dev/mapper/my-external-disk /my-external-disk
  
  exit 0

  •  
• vi /etc/rc.local
• chmod 700 /etc/rc.local

Remove Luks Swap

• swapoff -a
• umount /dev/mapper/crypt-swap_1
• vi /etc/fstab
  • remove or comment out swap entry
• lvremove /dev/mapper/crypt-swap_1
• vi /etc/initramfs-tools/conf.d/resume
  • RESUME=
• update-initramfs -u

TODO: checkout "cryptsetup remove cryptswap1"

Mount encrypted kvm qcow2 image

• modprobe nbd max_part=8
• qemu-nbd --connect=/dev/nbd0 vaultfish-root.qcow2
• fdisk -l /dev/nbd0
  • /dev/nbd0p1 *       2048  1499135  1497088  731M 83 Linux
    /dev/nbd0p2      1501182 20969471 19468290  9.3G  5 Extended
    /dev/nbd0p5      1501184 20969471 19468288  9.3G 83 Linux
• cryptsetup luksDump /dev/nbd0p5 foo
• blkid
  • ...

    /dev/nbd0p1: UUID="f852180e-dc37-4767-ab95-aabde55cfd1a" TYPE="ext4" PARTUUID="2ee1b789-01"
    /dev/nbd0p5: UUID="4406d63e-ab16-4dca-b913-1f6cd7edc040" TYPE="crypto_LUKS" PARTUUID="2ee1b789-05"
    /dev/mapper/foo: UUID="ihhKBo-v3ML-BTZI-c1Q7-yuEW-LxIR-9QLVFH" TYPE="LVM2_member"
    /dev/mapper/crypt-root: UUID="d3f17767-d65e-4ace-b1e2-bc32a0c54dc6" TYPE="ext4"
    ...

• mount /dev/mapper/crypt-root /mnt
• ...
• umount /mnt
• qemu-nbd --disconnect /dev/nbd0