Linux Hard Disk Partition Encryption with LUKS
Recently, I needed to backup some very sensitive files from a few of my CentOS servers to move offsite. This was a large amount of information and it needed to be stored on an encrypted device, so I decided try out the LUKS format.
LUKS stands for 'Linux Unified Key Setup', and uses the dm-crypt back-end that is available starting in version 2.6 Linux kernels. As the name states, one major advantage of using LUKS is the ability to access your encrypted data via numerous Linux distributions without using any 3rd party tools. LUKS also has the ability to have numerous passwords assigned to the same block of encrypted data for user management. There is also the ability to use keyfiles instead of passphrases to unlock encrypted partitions.
For a list of all features and the FAQ's, here is the official website:
LUKS Official Website
My simple example
As I mentioned before, the whole point of me doing this was to safely bring sensitive data out of a secure environment. Therefor, my encrypted device is a 2TB external disk drive. I didn't really need any of the advanced features of LUKS, only one large partition with one passphrase.
Make sure the following package is installed:
cryptsetup-luks.i386 : A utility for setting up encrypted filesystems
Plug in your device
If needed, use fdisk to create your desired partition. I used the entire device, here is a snip from fdisk:
/dev/sdb1 1 243201 1953512001 83 Linux
Initialize the LUKS partition
Here is the real meat of the process, creating the encrypted partition and the initial key. I should warn you that this WILL WIPE OUT all information on the specified partition. The -s option sets the key size to 256 bits, and the -y option requires the passphrase to be entered twice for error checking:
cryptsetup -v -y -s 256 luksFormat /dev/sdb1
Congratulations, you now have an encrypted partition. Check that the above actually worked with something like this:
cryptsetup isLuks /dev/sdb1 && echo Yes!
It is also worth pointing out that you can check all the details of your encrypted partition (such as number of keys, encryption type, UUID, etc) by running the following:
cryptsetup luksDump /dev/sdb1
Creating the filesystem
In order to open your partition, we need to use the device-mapper framework of Linux. The line below allows us to open the LUKS block, and specify any name as a mapping label. I used the label "crypt-external". This is where the passphrase you set in the steps above is required:
cryptsetup luksOpen /dev/sdb1 crypt-external
You should now see your device if you run:
ls -l /dev/mapper
For informational purposes, use the following to get information about the device we just mapped:
dmsetup info crypt-external
You can use any file system you desire. I chose standard ext3. It is worth mentioning that there are also LUKS cross-platform standards for Windows, in which case you would need a compatible filesystem such as FAT. Here I created an ext3 filesystem on my external drive:
mke2fs -j /dev/mapper/crypt-external
Mount your new filesystem
Mount it where ever you want. I chose the standard /mnt directory:
mount -o rw /dev/mapper/crypt-external /mnt
Copy over all your DATAAA!
Unmount and close the device
This is more for an external USB drive, as I am always mount/unmounting the device and physically removing it.
cryptsetup luksClose /dev/mapper/crypt-external
So there is my little experience with LUKS encryption. Obviously this is not just for external disks. There are references online for using the /etc/crypttab and /etc/fstab configurations to auto mount encrypted partitions on internal disk drives upon booting your system (this is where keyfiles would help instead of passphrases!).