Archive:Implementing LUKS Disk Encryption

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(replace a slow dd command with just as effective shred command but much faster. Both are coreutils commands)
(Give reasons why the "shred" step is required)
Line 39: Line 39:
 
# fill your partition with random data: <code>shred -v -n1 /dev/VG00/LV_home</code>  (Other packages that perform a similar function are "scrub" and "wipe")
 
# fill your partition with random data: <code>shred -v -n1 /dev/VG00/LV_home</code>  (Other packages that perform a similar function are "scrub" and "wipe")
  
{{admon/note || This process can take some time and proceeds at the sequential write speed of your device, but it is imperative to do this in order to have good protection against break-in attempts.
+
{{admon/note || This process can take some time and proceeds at the sequential write speed of your device. It's an important step to ensure no unencrypted data is left on a used device,
 +
and to obfuscate which parts of the device contain encrypted as opposed to just random data.
 
}}
 
}}
 
# initialize your partition: <code>cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home</code>
 
# initialize your partition: <code>cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home</code>

Revision as of 23:11, 27 March 2012

Contents

Chapter 4, Section 1 - Linux Unified Key Setup-on-disk-format (LUKS)

Introduction to LUKS

Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.

LUKS Implementation in Fedora

Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition.

If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.

Fedora 9's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are:

Manually Encrypting Directories

Warning (medium size).png
Data erasure!
Following this procedure will remove all data on the partition that you are encrypting. You WILL lose all your information! Make sure you backup your data to an external source before beginning this procedure!

If you are running a version of Fedora prior to Fedora 9 and want to encrypt a partition or you want to encrypt a partition after the fact in Fedora 9, or later, the following directions are for you. The below example demonstrates encrypting your /home partition but any partition can be used.

The following procedure will reconfigure and format your /home. The procedure is for single-user computers or computers that are shared between trusted users.

The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.

Step-by-Step Instructions

  1. enter runlevel 1: telinit 1
  2. unmount your existing /home: umount /home
  3. if it fails use fuser to find and kill processes hogging /home: fuser -mvk /home
  4. verify /home is not mounted any longer: cat /proc/mounts | grep home
  5. fill your partition with random data: shred -v -n1 /dev/VG00/LV_home (Other packages that perform a similar function are "scrub" and "wipe")
Note.png
This process can take some time and proceeds at the sequential write speed of your device. It's an important step to ensure no unencrypted data is left on a used device, and to obfuscate which parts of the device contain encrypted as opposed to just random data.
  1. initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
  2. open the newly encrypted device: cryptsetup luksOpen /dev/VG00/LV_home home
  3. check it's there: ls -l /dev/mapper | grep home
  4. create a filesystem: mkfs.ext3 /dev/mapper/home
  5. mount it: mount /dev/mapper/home /home
  6. check it's visible: df -h | grep home
  7. add the following to /etc/crypttab: home /dev/VG00/LV_home none
  8. edit your /etc/fstab, removing the old entry for /home and adding /dev/mapper/home /home ext3 defaults 1 2
  9. verify your fstab entry: mount /home
  10. restore default SELinux security contexts: /sbin/restorecon -v -R /home
  11. reboot: shutdown -r now
  12. The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
  13. Log in as root and restore your backup.

What you have just accomplished.

Congratulations, you now have an encrypted partition for all of your data to safely rest while the computer is off.

Links of Interest / For More Information