Block Device Encryption - dm-crypt

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

This document describes for Linux-based systems, how to encrypt a block device using LUKS/dm-Crypt/cryptsetup and automatically unlock and map the encrypted block device on boot.

Requirements

  • Linux-based Operating System (Here: Ubuntu 20.04 LTS)
  • Plain dm-crypt and LUKS encrypted volumes manager installed (apt install cryptsetup) (Here: v2.2.2)
  • Block device (e.g. partition) that is unmapped and ready to encrypt. (Any content will be lost!)

TL;DR

# Encrypt block device
sudo cryptsetup luksFormat $BLOCK_DEVICE
# Generate a random keyfile
sudo dd if=/dev/urandom bs=256 count=1 of=$KEYFILE
# Add keyfile to the LUKS header key store
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Unlock and map the encrypted device on boot via UUID (See: man crypttab)
UUID=`sudo cryptsetup luksUUID $BLOCK_DEVICE`
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab
# Dump the header information of a LUKS device.
sudo cryptsetup luksDump $BLOCK_DEVICE

# USE IT.
man cryptsetup

Encryption

Initializes a LUKS partition and sets the initial passphrase (for key-slot 0). LUKS2 is used by default. All available algorithms (cipher, hash) are listed in /proc/crypto or use cryptsetup benchmark.

# CHANGE THIS VARIABLE TO THE APPROPRIATE BLOCK DEVICE
BLOCK_DEVICE="/dev/sdb1"

# Encrypt block device (Here: using defaults)
sudo cryptsetup luksFormat $BLOCK_DEVICE

# Verify: Dump the header information
sudo cryptsetup luksDump $BLOCK_DEVICE
# Verify: Inspect device content
sudo hexdump -C $BLOCK_DEVICE | less

Additional luksFormat parameters:

--cypher: (Default: aes-xts-plain64)
--key-size: (Default: 256)
--hash: Algorithm used to derive the key. (Default: sha256)
--time: The time used for passphrase processing. (Default: 2000) milliseconds.
--use-random/--use-urandom: Used RNG. (Default: --use-urandom)

Auto-Mount during Boot

In the following a keyfile will be added to the LUKS header key store to use with crypttab for automatic device unlocking and mapping at boot. The resulting mapped device can be added a filesystem via mkfs and automatically mounted using fstab.

# CHANGE THIS VARIABLE TO A SAFE LOCATION TO STORE THE KEYFILE
KEYFILE="/root/key.bin"
# CHANGE THIS VARIABLE TO THE NAME OF THE DEVICE MAPPER MOUNTPOINT
MAPPER_NAME="enc_dev"

# Generate a random Keyfil and limit access
sudo dd if=/dev/urandom bs=32 count=1 of=$KEYFILE
sudo chmod 400 $KEYFILE

# Add keyfile to the LUKS key storage (max. 8)
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Remove: sudo cryptsetup luksRemoveKey $BLOCK_DEVICE
# The passphrase (aka. key-slot 0) remains as backup key

# The crypttab file describes encrypted block devices that are set up during system boot.
# Format: volume-name encrypted-device key-file options
UUID=`sudo cryptsetup luksUUID $BLOCK_DEVICE`
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab

# Reboot. Then Verify.
lsblk "/dev/mapper/$MAPPER_NAME"

References