Required Debian/Ubuntu Packages
dmsetup – Linux Kernel Device Mapper userspace library
cryptsetup-bin – Disk encryption support – command line tools
Filesystem Encryption
cryptsetup --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat /dev/sdb1
--verify-passphrase – ensures the passphrase is entered twice to avoid an incorrect passphrase being used
-c aes -s 256 – uses 256-bit AES encryption
-h sha256 – uses the 256-bit SHA hashing algorithm
Creating a Filesystem
cryptsetup luksOpen /dev/sdb1 16GB
* The mkfs options above are as follows:
-t ext3 – create an ext3 filesystem
-m 1 – reduce the reserved super-user space down from the default of 5% to 1% of the total size – useful for large filesystems
-O dir_index – speed-up lookups in large directories
-O filetype – store filetype info in directories
-O sparse_super – create fewer superblock backup copies – useful for large filesystems
Mounting a Filesystem
cryptsetup luksOpen /dev/sdb1 16GB
mount /dev/mapper/16GB /mnt
tcplay -m 16GB -d /dev/sdc1
dmsetup remove 16GB
Change Passwords on a Filesystem
LUKS supports eight key slots per partition.
cryptsetup luksAddKey
/and/
cryptsetup luksRemoveKey
Which slots have keys:
cryptsetup luksDump
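After adding or removing a key, the luksDump output can be checked mechanically. The script below is an added example, not part of the original page: it reads luksDump text and reports which key slots are enabled and whether the header records the cipher used at luksFormat time. It assumes the LUKS1 text layout (eight "Key Slot N:" lines); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit LUKS1 `luksDump` text.
# On a real device, as root: cryptsetup luksDump /dev/sdb1 | luks_audit aes-xts-plain64/512

# Constructed sample of LUKS1 luksDump output; digest, salt and UUID lines omitted.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the key slots that hold a key, space separated.
luks_enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# Print the header's cipher as name-mode/keybits, e.g. aes-xts-plain64/512.
luks_cipher_spec() {
    awk '$1 == "Cipher" && $2 == "name:" { n = $3 }
         $1 == "Cipher" && $2 == "mode:" { m = $3 }
         $1 == "MK" && $2 == "bits:"     { b = $3 }
         END { printf "%s-%s/%s\n", n, m, b }'
}

# Read luksDump text on stdin; fail if the cipher differs from $1 (status 1)
# or if no key slot is enabled (status 2).
luks_audit() {
    expected=$1
    dump=$(cat)
    spec=$(printf '%s\n' "$dump" | luks_cipher_spec)
    slots=$(printf '%s\n' "$dump" | luks_enabled_slots)
    echo "cipher: $spec  enabled slots: ${slots:-none}"
    [ "$spec" = "$expected" ] || { echo "cipher is not $expected" >&2; return 1; }
    [ -n "$slots" ] || { echo "no enabled key slot" >&2; return 2; }
}

printf '%s\n' "$SAMPLE_DUMP" | luks_audit aes-xts-plain64/512
```

Headers in LUKS2 format print their keyslots in a different layout, so this parser would report no enabled slots for them.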
Headers on a Filesystem
cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /tmp/somefile
* Note that the header backup should be saved to a secure place (preferably another LUKS partition on a USB stick)
Unmount a Filesystem
Use umount first then,
/or/
dmsetup remove 16GB
/or/
dmsetup remove_all
* dmsetup remove_all will flush all mapped block devices.
Source & Additional Documentation
https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage
http://superuser.com/questions/431820/how-to-change-pass-phrase-of-full-disk-encryption
http://askubuntu.com/questions/95137/how-to-change-luks-passphrase
http://www.linuxcommand.org/man_pages/cryptsetup8.html