Archive:Implementing LUKS Disk Encryption

From FedoraProject

Revision as of 12:36, 18 September 2008 by Limb (Talk | contribs)

Jump to: navigation, search


Chapter 4, Section 1 - Linux Unified Key Setup-on-disk-format (LUKS)

Introduction to LUKS

Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.

LUKS Implementation in Fedora 9

Fedora 9 utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is checked during the installation. You are prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition.

If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.

Fedora 9's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are:

  • aes - Advanced Encryption Standard - FIPS PUB 197
  • twofish - Twofish: A 128-Bit Block Cipher
  • serpent
  • cast5 - RFC 2144
  • cast6 - RFC 2612

Encrypted Home Directories

Data erasure!
Following this procedure will remove all data on the partition that you are encrypting. You WILL lose all your information! Make sure you backup your data to an external source before beginning this procedure!

The following procedure will reconfigure and format your /home. The procedure is for single-user computers or computers that are shared between trusted users.

The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.

Step-by-Step Instructions

  1. enter runlevel 1: telinit 1
  2. unmount your existing /home: umount /home
  3. if it fails use fuser to find and kill processes hogging /home: fuser -mvk /home
  4. verify /home is not mounted any longer: cat /proc/mounts | grep home
  5. fill your partition with random data: dd if=/dev/urandom of=/dev/VG00/LV_home
You're looking at a process that takes many hours, but it is imperative to do this in order to have good protection against break-in attempts. Just let it run overnight.
  1. initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
  2. open the newly encrypted device: cryptsetup luksOpen /dev/VG00/LV_home home
  3. check it's there: ls -l /dev/mapper | grep home
  4. create a filesystem: mkfs.ext3 /dev/mapper/home
  5. mount it: mount /dev/mapper/home /home
  6. check it's visible: df -h | grep home
  7. add the following to /etc/crypttab: home /dev/VG00/LV_home none
  8. edit your /etc/fstab, removing the old entry for /home and adding /dev/mapper/home /home ext3 defaults 1 2
  9. verify your fstab entry: mount /home
  10. restore default SELinux security contexts: /sbin/restorecon -v -R /home
  11. reboot: shutdown -r now
  12. The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
  13. Log in as root and restore your backup.

What you have just accomplished.

Congratulations, you now have an encrypted partition for all of your data to safely rest while the computer is off.

Links of Interest / For More Information

4. Encryption Table of Contents 4.2 GnuPG