Encrypted Backups 2: The Revenge

I just got an RMA code from ebuyer for my two 1Tb hard disks, so I decided I’d better nuke and encrypt my not-quite-dead-yet drive, so that when I send it back they have no way to recover the data (e.g. read my emails/banking!). The totally-dead drive was already encrypted before it died.

The commands are slightly different on Fedora 10 than on Ubuntu 9, so not entirely the same as in this post, plus I’m only using a passphrase, not a key. It went something like this:

1. Fill the disk with random data to make sure the unencrypted data is overwritten:

dd if=/dev/urandom of=/dev/sdb

2. Create a new partition table:

fdisk /dev/sdb

3. Encrypt the new partition:

cryptsetup luksFormat /dev/sdb1

4. Open the encrypted partition (this also creates a device mapping):

cryptsetup luksOpen /dev/sdb1 data

5. Create a filesystem on the partition and give it a disk label:

mkfs.jfs -L data /dev/mapper/data

6. Update /etc/crypttab – if you use the same passphrase as the root volume, Fedora will automatically open all LUKS containers that match that passphrase at boot. To find the UUID, look in /dev/disk/by-uuid/:

data UUID=123d1c3d-4b5b-4fed-b6a1-c1bbd45bb22b none

7. Update /etc/fstab, so the filesystem gets mounted at boot:

/dev/mapper/data /mnt/data jfs defaults 1 2

I’m now rsyncing the data back onto the drive from the fileserver; 500Gb is going to take some time even over gigabit…

I’ve also updated this blog to WordPress 2.8.5.

I’ve downloaded the CentOS 5.4 ISOs and am currently upgrading one of my virtual machines from 5.3.

Disk encryption with USB drive as the key

I’ve been playing around with dm-crypt and LUKS.

I’ve come up with a 10-step process to encrypt a couple of hard disks (not the boot drive) and use a USB key plugged in at boot time to unlock them – boot without the USB key in and the system still boots fine, but the drives aren’t mounted or readable.

Initially I was going to try some UDEV rules to unlock and mount the drives whenever a USB key was plugged in, but in true UDEV style it didn’t work: we got an endless loop of cryptsetup processes. There’s also a method for reading the keyfile from the USB drive from Grub, but that didn’t seem to work either, so I’m sticking with my method below.

1. Create a partition on each disk, optionally filling with random data first:

dd if=/dev/urandom of=/dev/sdb
dd if=/dev/urandom of=/dev/sdc
 
fdisk /dev/sdb
fdisk /dev/sdc

2. Format and encrypt in one command:

luksformat -t ext3 /dev/sdb1
luksformat -t ext3 /dev/sdc1

3. Fill a keyfile with random data:

dd if=/dev/urandom of=secretkey bs=512 count=4

4. Add keyfile to LUKS volumes:

cryptsetup luksAddKey /dev/sdb1 secretkey
cryptsetup luksAddKey /dev/sdc1 secretkey

5. Fill the USB key with random data (an old 64Mb disk took a few minutes):

dd if=/dev/urandom of=/dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0

6. Write the keyfile to the raw USB key device, straight after the MBR. Note this will be invisible as it’s outside the partition table, and with no partitions defined, the drive won’t get mounted either:

dd if=secretkey of=/dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0  bs=512 seek=4

7. Securely delete the keyfile from the hard disk. Note you still have the passphrase (created in step 2) to unlock the volumes if things go wrong:

shred --remove --zero secretkey

8. Update /etc/crypttab (chown root:root, chmod 600):

data1 /dev/sdb1 /dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0 luks,keyscript=/usr/local/bin/unlock-luks
data2 /dev/sdc1 /dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0 luks,keyscript=/usr/local/bin/unlock-luks

9. Create /usr/local/bin/unlock-luks (chown root:root, chmod 700):

#!/bin/sh
# cryptsetup runs this keyscript with the crypttab key field (the USB device
# path) as $1 and reads the key from its stdout, so emit the 4 sectors that
# step 6 wrote at sector 4. If the USB key isn't plugged in, nothing is
# printed and the volume simply stays locked.
if [ -e "$1" ]
then
    dd if="$1" bs=512 skip=4 count=4 2>/dev/null
fi

10. Mount the encrypted volume at boot.

We do this in /etc/rc.local (chown root:root, chmod 700) as it’s the last part of the boot process, testing first whether LUKS managed to map the volumes:

#!/bin/sh -e
# Only mount if both LUKS containers were mapped at boot, i.e. the keyscript
# found the USB key; otherwise leave the volumes untouched.
if [ -e /dev/mapper/data1 ] && [ -e /dev/mapper/data2 ]
then
    mount /dev/mapper/data1 /export/data1
    mount /dev/mapper/data2 /export/data2
fi

exit 0
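The keyfile layout from steps 3, 6 and 9 above, replayed against a disk image file instead of a real USB stick so the sector arithmetic (4 sectors of key written at sector 4, read back with skip=4 count=4) can be checked without hardware or root. This is an added example, not code from the original post; the function names, the disk.img file and the "MBR" marker are constructed for it.

```shell
#!/bin/sh
# Added example, not from the original post: replays the keyfile layout of
# steps 3, 6 and 9 against a disk image file standing in for the USB stick,
# so the sector arithmetic can be checked without real hardware or root.
# make_key/write_key/read_key/roundtrip_ok and disk.img are invented names.
set -eu

SECTOR=512
KEY_SECTORS=4   # step 3: count=4 -> a 2048-byte keyfile
KEY_OFFSET=4    # steps 6/9: seek=4 / skip=4 -> key lives in sectors 4..7

# Step 3: keyfile of KEY_SECTORS random sectors
make_key() {
    dd if=/dev/urandom of="$1" bs="$SECTOR" count="$KEY_SECTORS" 2>/dev/null
}

# Step 6: write the keyfile at sector KEY_OFFSET; conv=notrunc leaves sector 0
# (the MBR) and the rest of the device as they were
write_key() {
    dd if="$1" of="$2" bs="$SECTOR" seek="$KEY_OFFSET" conv=notrunc 2>/dev/null
}

# Step 9 (the keyscript): read exactly the key sectors back out on stdout
read_key() {
    [ -e "$1" ] || return 1
    dd if="$1" bs="$SECTOR" skip="$KEY_OFFSET" count="$KEY_SECTORS" 2>/dev/null
}

# Round trip on a constructed 64-sector image. Succeeds only if the key read
# back matches, the fake MBR marker survived, and the key is not at offset 0
# (so a plain 'dd if=device count=4' would not find it).
roundtrip_ok() {
    dir=$(mktemp -d); img="$dir/disk.img"; key="$dir/secretkey"; out="$dir/out"
    dd if=/dev/zero of="$img" bs="$SECTOR" count=64 2>/dev/null
    printf 'MBR' | dd of="$img" conv=notrunc 2>/dev/null   # fake boot sector marker
    make_key "$key"
    write_key "$key" "$img"
    read_key "$img" > "$out"
    ok=1
    cmp -s "$key" "$out" || ok=0
    [ "$(dd if="$img" bs=3 count=1 2>/dev/null)" = MBR ] || ok=0
    dd if="$img" bs="$SECTOR" count="$KEY_SECTORS" 2>/dev/null | cmp -s - "$key" && ok=0
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}

roundtrip_ok && echo "keyfile round trip OK: sectors $KEY_OFFSET-$((KEY_OFFSET + KEY_SECTORS - 1))"
```

Pointing write_key and read_key at the real /dev/disk/by-id/... path instead of disk.img reproduces steps 6 and 9 exactly; the offset constants are the only thing the keyscript and the dd in step 6 have to agree on.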