18. August 2014 · Comments Off on LUKS Quick Examples · Categories: Linux Admin, Linux Security · Tags: , ,

Required Debian/Ubuntu Packages


dmsetup Linux Kernel Device Mapper userspace library
cryptsetup-bin Disk encryption support – command line tools
tcplay Free and simple TrueCrypt Implementation based on dm-crypt

Filesystem Encryption


cryptsetup –cipher aes-xts-plain64 –key-size 512 –verify-passphrase luksFormat /dev/sdb1
* The LUKS-formatting command above has the following options:

–verify-passphrase – ensures the passphrase is entered twice to avoid an incorrect passphrase being used
-c aes -s 256 – uses 256-bit AES encryption
-h sha256 – uses the 256-bit SHA hashing algorithm

Creating a Filesystem


cryptsetup luksOpen /dev/sdb1 16GB
mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/16GB

* The mkfs options above are as follows:

-t ext3 – create an ext3 filesystem
-m 1 – reduce the reserved super-user space down from the default of 5% to 1% of the total size – useful for large filesystems
-O dir_index – speed-up lookups in large directories
-O filetype – store filetype info in directories
-O sparse_super – create fewer superblock backup copies – useful for large filesystems

Mounting a Filesystem


cryptsetup luksOpen /dev/sdb1 16GB
mount /dev/mapper/16GB /mnt
* To mount a truecrypt partition:

tcplay -m 16GB -d /dev/sdc1
dmsetup remove 16GB

Change Passwords on a Filesystem


LUKS supports eight key slots per partition.
To add and remove keys from the slots:

cryptsetup luksAddKey
/and/
cryptsetup luksRemoveKey

Which slots have keys:

cryptsetup luksDump

Headers on a Filesystem


cryptsetup luksHeaderBackup /dev/sdb1 –header-backup-file /tmp/somefile
Replace luksHeaderBackup with luksHeaderRestore to restore the old keys again.

* Note that the header backup should be saved to a secure place (preferably another LUKS partition on a USB stick)

Unmount a Filesystem


Use umount first then,
cryptsetup luksClose 16GB
/or/
dmsetup remove 16GB
/or/
dmsetup remove_all

* dmsetup remove_all will flush all mapped block devices.

Source & Additional Documentation


https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage

http://superuser.com/questions/431820/how-to-change-pass-phrase-of-full-disk-encryption

http://askubuntu.com/questions/95137/how-to-change-luks-passphrase

http://www.linuxcommand.org/man_pages/cryptsetup8.html

Comments closed