From FedoraProject



Encrypted Storage Tutorial

Fedora offers a variety of utilities for strong encryption, and file system layers that support encrypted storage. This tutorial explains how to set up some of these capabilities on a Fedora system.

Encrypted Hotplug Storage

One of the most popular use cases is encrypting a USB flash disk, or other external device such as a USB, eSATA, or FireWire disk. These devices are called "hotplug" devices because they are often inserted or removed while the Fedora system is running.

To encrypt a hotplug device, follow this procedure.

This procedure destroys all data on your hotplug disk.

Partition the disk using fdisk. Use the standard partition type ID for the file system you intend to create. For example, use type ID 83 for a Linux ext3 partition.

su -c "/sbin/fdisk /dev/disk/by-id/<disk_device>"

Overwrite the entire partition with pseudo-random data, so that any previous contents are destroyed and the encrypted data you write later cannot be distinguished from unused space. Although truly random data is preferable, writing truly random data to all but the smallest devices takes far too long.

su -c "dd if=/dev/urandom of=/dev/disk/by-id/<partition_device> bs=1K"

Create a LUKS header on the new partition using the cryptsetup command. Follow the prompts, and provide a passphrase of your choice. Remember that a strong passphrase is long, mixes letters, digits, and symbol characters, and is not based on a dictionary word.

su -c "/sbin/cryptsetup luksFormat /dev/disk/by-id/<partition_device>"

Assign a simple temporary name for the LUKS volume you created. The device mapper provides this name as a device for use in the next step.

su -c "/sbin/cryptsetup luksOpen /dev/disk/by-id/<partition_device> guardVol"

Format the LUKS volume with the appropriate file system. Use a label for convenience.

su -c "/sbin/mkfs.vfat -F 32 -n MyGuard /dev/mapper/guardVol"  # OR...
su -c "/sbin/mke2fs -j -L MyGuard /dev/mapper/guardVol"

Close the LUKS device.

su -c "/sbin/cryptsetup luksClose /dev/mapper/guardVol"

Detach and reattach the disk device. If you are using the GUI desktop, a dialog appears asking for the passphrase to the encrypted file system. If you are using the command line, you can use the following command and provide the passphrase at the prompt.

gnome-mount -d /dev/disk/by-id/<partition_device>

To unmount the disk from the GUI desktop, right click the disk and choose "Unmount Volume." To unmount the disk at the command line, use the following command with the name you gave the file system.

gnome-umount -p MyGuard
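As an added example (it is not part of the Fedora wiki page), the steps above collected into one POSIX shell script with the pre-flight checks a practitioner would want before a destructive operation: the target must be named by its stable /dev/disk/by-id/...-partN path, sit on a removable disk, and not be mounted. It assumes the partition was already created with fdisk (the page's first step) and that the script runs as root (via su -c or sudo) with cryptsetup, dd, mke2fs and mkfs.vfat installed. The mapper name guardVol and label MyGuard come from the tutorial; the function names, the DRY_RUN variable, the sysfs "removable" check, the cryptsetup isLuks verification, and the use of bs=1M instead of the page's bs=1K for dd are this example's own choices. The device path used in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: the tutorial's steps 2-6 as
# one script with pre-flight checks. Assumes the partition already exists
# (step 1, fdisk) and that cryptsetup, dd, mke2fs and mkfs.vfat are installed.
# Function names, DRY_RUN and the sysfs check are this example's own choices.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run: echo each command so the log shows exactly what was done; execute it
# unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# valid_partition_path: accept only a stable /dev/disk/by-id/...-partN name.
# Whole-disk names and /dev/sdX names are rejected on purpose: /dev/sdX can
# change between boots, and a typo there wipes the wrong disk.
valid_partition_path() {
    case "$1" in
        /dev/disk/by-id/*-part[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_removable: read the parent disk's "removable" flag from sysfs. The by-id
# symlink is resolved first; /sys/class/block/<part>/.. is the parent disk.
is_removable() {
    real=$(readlink -f "$1")
    flag=$(cat "/sys/class/block/$(basename "$real")/../removable" 2>/dev/null || echo 0)
    [ "$flag" = 1 ]
}

# preflight: refuse to proceed unless the target is a removable, unmounted
# partition named by its by-id path.
preflight() {
    part="$1"
    valid_partition_path "$part" || { echo "use a /dev/disk/by-id/...-partN path" >&2; return 1; }
    [ -b "$part" ] || { echo "$part is not a block device" >&2; return 1; }
    is_removable "$part" || { echo "$part is not on a removable disk; refusing" >&2; return 1; }
    if findmnt -S "$part" >/dev/null; then
        echo "$part is mounted; unmount it first" >&2; return 1
    fi
}

# encrypt_hotplug_partition <partition> <mapper-name> <label> <ext3|vfat>
encrypt_hotplug_partition() {
    part="$1"; mapname="$2"; label="$3"; fstype="$4"
    # Reject unknown file system types before anything destructive happens.
    case "$fstype" in ext3|vfat) ;; *) echo "unsupported fs type: $fstype" >&2; return 1 ;; esac
    # Step 2: overwrite with pseudo-random data. dd exits 1 when it reaches the
    # end of the device, which is the expected way for this step to finish.
    run dd if=/dev/urandom of="$part" bs=1M || echo "dd reached end of device"
    # Step 3: write the LUKS header; cryptsetup asks for the passphrase.
    run cryptsetup luksFormat "$part"
    run cryptsetup isLuks "$part"          # confirm the header is in place
    # Step 4: map the volume under a temporary name (/dev/mapper/<mapname>).
    run cryptsetup luksOpen "$part" "$mapname"
    # Step 5: file system inside the mapped volume, labelled for convenience.
    if [ "$fstype" = ext3 ]; then
        run mke2fs -j -L "$label" "/dev/mapper/$mapname"
    else
        run mkfs.vfat -F 32 -n "$label" "/dev/mapper/$mapname"
    fi
    # Step 6: close the mapping; the disk can now be detached and reattached.
    run cryptsetup luksClose "$mapname"
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 <partition> <mapper-name> <label> ext3|vfat" >&2; return 2; }
    preflight "$1"
    echo "About to destroy all data on $1. Type YES to continue:"
    read -r answer
    [ "$answer" = YES ] || { echo "aborted" >&2; return 1; }
    encrypt_hotplug_partition "$@"
}

# Runs only when invoked with arguments (placeholder device path), e.g.:
#   su -c "sh encrypt-hotplug.sh /dev/disk/by-id/usb-EXAMPLE-0:0-part1 guardVol MyGuard ext3"
[ $# -eq 0 ] || main "$@"
```

Setting DRY_RUN=1 prints the exact command sequence without touching the device, which is a cheap way to review the plan against the tutorial before running it for real; the by-id path check and the sysfs removable check are the two guards that most often save an internal disk from an accidental wipe.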

Encrypted Per-User File Storage

Encrypted Internal Disk Partition