Partition and Disk Encryption with LUKS on Linux

Welcome to the fascinating world of partition and disk encryption on Linux using LUKS (Linux Unified Key Setup). In this chapter, we will explore in detail how to use LUKS to protect your sensitive data by encrypting your disks and partitions. From installing necessary tools to handling specialized commands, I will guide you step by step through this crucial process for your data security.

Installing Necessary Tools

Before diving into the world of encryption with LUKS, it is essential to ensure you have the appropriate tools installed on your system. Generally, most Linux distributions include these encryption tools by default, but it’s always good to verify.

You can install the necessary tools using your distribution’s package manager. In Debian-based distributions, like Ubuntu, you can run the following command in the terminal:

sudo apt install cryptsetup

If you are using a Red Hat-based distribution, like Fedora or CentOS, you can install the encryption tools with the following command:

sudo dnf install cryptsetup

Once you have installed cryptsetup, you will be ready to start working with LUKS.

Creating a LUKS Volume

The first step to encrypt a partition or disk on Linux is to create a LUKS volume. This volume will act as an encryption layer that protects the data stored on the partition or disk.

To create a LUKS volume, you will need to specify the partition or disk you want to encrypt. Make sure the partition is unmounted before proceeding. Suppose we want to encrypt the partition /dev/sdb1. The following command will create a LUKS volume on this partition:

sudo cryptsetup luksFormat /dev/sdb1

This command will initiate the process of creating the LUKS volume on the specified partition. You will be prompted to confirm this action, as the process will erase all existing data on the partition. After confirming, you will be asked to enter a password to unlock the LUKS volume in the future. Make sure to choose a secure password and remember it well, as you will need it every time you want to access the encrypted data.

Once the process is complete, you will have a LUKS volume created on the specified partition, ready to be used.

Opening and Closing the LUKS Volume

After creating a LUKS volume, the next step is to open it to access the data stored on it. To open a LUKS volume, you will need to specify the partition containing the volume and assign it a name.

sudo cryptsetup luksOpen /dev/sdb1 my_encrypted_partition

In this command, /dev/sdb1 is the partition containing the LUKS volume, and my_encrypted_partition is the name we are assigning to the opened volume. Once you run this command, you will be asked to enter the password you specified during the creation of the LUKS volume. After entering the correct password, the volume will open and be ready to be used.

To close the LUKS volume and block access to the encrypted data (the volume must not be mounted or otherwise in use at that moment), you can use the following command:

sudo cryptsetup luksClose my_encrypted_partition

This command will close the LUKS volume with the specified name (my_encrypted_partition in this case), preventing access to the data stored on it until it is opened again.

Creating a File System on a LUKS Volume

Once you have opened a LUKS volume, you can create a file system on it to start storing data securely. You can use any Linux-compatible file system, such as xfs or btrfs.

Suppose we want to create an xfs file system on the opened LUKS volume (my_encrypted_partition). The following command will create an xfs file system on the volume:

sudo mkfs.xfs /dev/mapper/my_encrypted_partition

This command will format the opened LUKS volume with an xfs file system, allowing you to start storing data on it securely.

Mounting and Unmounting a LUKS Volume

Once you have created a file system on a LUKS volume, you can mount it into the directory tree to access the data stored on it. To mount a LUKS volume, you can use the following command:

sudo mount /dev/mapper/my_encrypted_partition /mnt

In this command, /dev/mapper/my_encrypted_partition is the path to the block device representing the opened LUKS volume, and /mnt is the mount point where the file system will be mounted.

After mounting the LUKS volume, you can access the data stored on it as you would with any other file system mounted on Linux. When you have finished working with the data, you can unmount the LUKS volume using the following command:

sudo umount /mnt

This command will unmount the file system of the LUKS volume, preventing access to the data stored on it until it is mounted again. Note that unmounting alone does not lock the volume: the mapping under /dev/mapper stays open, and the volume is only locked again when you run luksClose on it.

Managing LUKS Volumes

LUKS provides several tools for managing volumes, including the ability to change the password, add additional keys, and back up the headers of the volumes.

To change the password of a LUKS volume, you can use the following command:

sudo cryptsetup luksChangeKey /dev/sdb1

This command will prompt you for the current password of the LUKS volume and then allow you to enter a new password.

If you want to add an additional key to the LUKS volume, you can use the following command:

sudo cryptsetup luksAddKey /dev/sdb1

This command will prompt you for a current password of the LUKS volume and then allow you to enter an additional password, which is stored in a free key slot so that either password can unlock the volume.

To back up the header of a LUKS volume, you can use the following command:

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file backup_file

This command will back up the header of the LUKS volume to the specified file, allowing you to restore it in case the volume header is damaged. Keep the backup file as protected as the password itself: it contains the key slots, so anyone holding it together with a password that was valid at backup time can unlock the volume, even if that password was changed or removed afterwards.

Summary of Commands to Create Encrypted Volume with LUKS

sudo cryptsetup luksFormat /dev/DISK
sudo cryptsetup luksOpen /dev/DISK DECRYPTED_DISK
sudo mkfs.xfs /dev/mapper/DECRYPTED_DISK
sudo mount /dev/mapper/DECRYPTED_DISK /mount_point
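The chapter's create / open / mkfs / mount sequence, wrapped in a small shell helper so that the destructive luksFormat step only runs against a device that exists as a block device and is not mounted, and so that the header backup is taken right after formatting. This is an added example, not code from the chapter: the function names, the LUKS_DRY_RUN variable and the header backup path are assumptions of this example. With LUKS_DRY_RUN=1 (the default) it prints each command instead of running it; set LUKS_DRY_RUN=0 and run it as root to execute the commands for real.

```shell
# Added example: guarded wrapper around the chapter's LUKS command sequence.
# LUKS_DRY_RUN=1 prints the commands; LUKS_DRY_RUN=0 runs them (needs root).
LUKS_DRY_RUN="${LUKS_DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$LUKS_DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# check_target DEV: luksFormat erases everything on DEV, so refuse unless DEV
# is a block device and nothing is currently mounted from it.
check_target() {
    if [ ! -b "$1" ]; then
        echo "refusing: $1 is not a block device" >&2
        return 1
    fi
    # findmnt exits 0 only when something is mounted from this source device
    if findmnt --source "$1" >/dev/null 2>&1; then
        echo "refusing: $1 is currently mounted, unmount it first" >&2
        return 1
    fi
    return 0
}

# luks_setup DEV NAME MOUNTPOINT BACKUPFILE: format, back up the header, open,
# create an xfs file system and mount it, in the order the chapter's summary gives.
luks_setup() {
    dev=$1; name=$2; mnt=$3; backup=$4
    check_target "$dev" || return 1
    run cryptsetup luksFormat --type luks2 "$dev" || return 1
    # The header backup holds the key slots: protect it like the password.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    run cryptsetup luksOpen "$dev" "$name" || return 1
    run mkfs.xfs "/dev/mapper/$name" || return 1
    run mkdir -p "$mnt" || return 1
    run mount "/dev/mapper/$name" "$mnt" || return 1
    return 0
}

# luks_teardown NAME MOUNTPOINT: the reverse order matters, unmount before close.
luks_teardown() {
    run umount "$2" || return 1
    run cryptsetup luksClose "$1" || return 1
    return 0
}

# Example dry run (assumed device, mapping name, mount point and backup path):
#   luks_setup /dev/sdb1 my_encrypted_partition /mnt/my_partition /root/sdb1-luks-header.img
#   luks_teardown my_encrypted_partition /mnt/my_partition
```

The --type luks2 flag selects the LUKS2 header format, which is the default on current cryptsetup releases; dropping it keeps whatever default the installed version uses. The dry-run mode is there so the exact command list, including the device that is about to be wiped, can be reviewed before anything runs.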

Integration with crypttab and fstab

Once you have encrypted a partition or disk using LUKS on Linux, you may want to configure the automatic opening of the LUKS container during system boot and mount it at a specific point in the file system. This can be achieved using the crypttab and fstab configuration files.

crypttab Configuration

The crypttab file is used to configure the automatic mapping of encrypted devices during the system boot process. You can specify the encrypted devices and their corresponding encryption keys in this file.

To configure an encrypted device in crypttab, you first need to know the UUID (Universally Unique Identifier) of the LUKS container. You can find the UUID by running the following command:

sudo cryptsetup luksUUID /dev/sdb1

Once you have the UUID of the LUKS container, you can add an entry in the crypttab file to configure the automatic mapping. For example, suppose the UUID of the LUKS container is 12345678-1234-1234-1234-123456789abc. You can add the following entry to the crypttab file:

my_encrypted_partition UUID=12345678-1234-1234-1234-123456789abc none luks

It can also be done this way without using the UUID:

my_encrypted_partition /dev/sdb1 none luks

In this entry, my_encrypted_partition is the name we have given to the LUKS container, and UUID=12345678-1234-1234-1234-123456789abc is the UUID of the container. The word none indicates that no key file is used, so the password will be requested during boot, and luks specifies that the device is encrypted with LUKS. The UUID form is preferable to the device path, since /dev/sdX names can change between boots while the UUID stays with the container.

fstab Configuration

Once you have configured the automatic mapping of the encrypted device in crypttab, you can configure the automatic mounting of the file system in fstab. The fstab file is used to configure the automatic mounting of file systems during system boot.

To configure the automatic mounting of a file system in fstab, you first need to know the mount point and the file system type of the LUKS container. Suppose the mount point is /mnt/my_partition and the file system is xfs. You can add an entry in the fstab file as follows:

/dev/mapper/my_encrypted_partition /mnt/my_partition xfs defaults 0 2

In this entry, /dev/mapper/my_encrypted_partition is the path to the block device representing the opened LUKS container, /mnt/my_partition is the mount point where the file system will be mounted, xfs is the file system type, defaults specifies the default mount options, and 0 2 are the dump flag and the file system check order (2 is used for file systems other than the root file system, which gets 1).
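A mistake in either file (a crypttab name that does not match the /dev/mapper path in fstab, a malformed UUID, a missing luks option) shows up as a boot that hangs or drops to emergency mode, so it is worth checking the two entries against each other before rebooting. The following checker is an added example, not part of the chapter: the function names and the sample lines are assumptions, and the field layouts are the ones used above (crypttab: NAME SOURCE KEYFILE OPTIONS; fstab: DEVICE MOUNTPOINT TYPE OPTIONS DUMP PASS).

```shell
# Added example: consistency check for a crypttab entry and its fstab entry.
UUID_RE='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# check_crypttab LINE: validates one crypttab line, prints the mapping name
# on success and returns 1 on error.
check_crypttab() {
    set -- $1                       # split the line into fields (unquoted on purpose)
    if [ $# -ne 4 ]; then
        echo "crypttab: expected 4 fields, got $#" >&2; return 1
    fi
    name=$1; src=$2; key=$3; opts=$4
    if printf '%s' "$src" | grep -Eq "$UUID_RE"; then
        :                           # UUID= reference: stable across device renumbering
    elif [ "${src#/dev/}" != "$src" ]; then
        echo "crypttab: note: $src is a device path; a UUID= reference survives /dev/sdX renumbering" >&2
    else
        echo "crypttab: bad source '$src'" >&2; return 1
    fi
    case $key in
        none|/*) ;;                 # none = ask for the password at boot, else an absolute key file path
        *) echo "crypttab: key field must be 'none' or an absolute path" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab: options must include 'luks'" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# check_fstab LINE NAME: the fstab device must be /dev/mapper/NAME, the mount
# point absolute, and the pass field 0 or 2 (1 is reserved for the root file system).
check_fstab() {
    expect="/dev/mapper/$2"
    set -- $1
    if [ $# -ne 6 ]; then
        echo "fstab: expected 6 fields, got $#" >&2; return 1
    fi
    if [ "$1" != "$expect" ]; then
        echo "fstab: device $1 does not match the crypttab mapping $expect" >&2; return 1
    fi
    case $2 in
        /*) ;;
        *) echo "fstab: mount point $2 must be an absolute path" >&2; return 1 ;;
    esac
    case $6 in
        0|2) ;;
        *) echo "fstab: pass field should be 0 or 2 for a non-root file system" >&2; return 1 ;;
    esac
    return 0
}

# check_pair CRYPTTAB_LINE FSTAB_LINE: run both checks and tie them together.
check_pair() {
    name=$(check_crypttab "$1") || return 1
    check_fstab "$2" "$name"
}

# Constructed sample entries, matching the chapter's examples:
SAMPLE_CRYPTTAB='my_encrypted_partition UUID=12345678-1234-1234-1234-123456789abc none luks'
SAMPLE_FSTAB='/dev/mapper/my_encrypted_partition /mnt/my_partition xfs defaults 0 2'

# Usage:
#   check_pair "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" && echo "crypttab/fstab pair is consistent"
```

To check the live files, feed each uncommented line of /etc/crypttab to check_crypttab and pair it with the /etc/fstab line whose device is /dev/mapper/ followed by the name it prints.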

Recommendations with crypttab

In the case of a server, I would not have crypttab active: I would leave the configuration in place but commented out, and the same for fstab, and perform the mounts manually after a reboot. This avoids having to use key files and the problems that come with them.
