Block Device Encryption - dm-crypt
This document describes, for Linux-based systems, how to encrypt a block device with LUKS/dm-crypt/cryptsetup and how to unlock and map the encrypted block device automatically at boot.
Requirements
- Linux-based operating system (here: Ubuntu 20.04 LTS)
- cryptsetup, the manager for plain dm-crypt and LUKS encrypted volumes (apt install cryptsetup) (here: v2.2.2)
- A block device (e.g. a partition) that is unmapped and ready to encrypt. (Any existing content will be lost!)
TL;DR
# Encrypt block device (the interactive passphrase goes into key slot 0)
sudo cryptsetup luksFormat $BLOCK_DEVICE
# Generate a random 64-byte keyfile and restrict access to root
sudo dd if=/dev/urandom bs=64 count=1 iflag=fullblock of=$KEYFILE
sudo chmod 400 $KEYFILE
# Add the keyfile to a second LUKS key slot (prompts for the passphrase)
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Unlock and map the encrypted device on boot via its LUKS UUID (see: man crypttab)
UUID=$(sudo cryptsetup luksUUID $BLOCK_DEVICE)
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab
# Dump the header information of a LUKS device (version, cipher, key size, PBKDF, key slots)
sudo cryptsetup luksDump $BLOCK_DEVICE
# USE IT.
man cryptsetup
Encryption
luksFormat initializes a LUKS header on the device and sets the initial passphrase (key slot 0). LUKS2 is the default format since cryptsetup 2.1 (Ubuntu 20.04 ships 2.2.2). All ciphers and hashes the kernel offers are listed in /proc/crypto; cryptsetup benchmark measures their throughput and the PBKDF cost on this machine.
# CHANGE THIS VARIABLE TO THE APPROPRIATE BLOCK DEVICE
BLOCK_DEVICE="/dev/sdb1"
# Encrypt block device (Here: using defaults). Prompts for the passphrase of key slot 0.
sudo cryptsetup luksFormat $BLOCK_DEVICE
# Verify: Dump the header information (version, cipher, key size, PBKDF, key slots)
sudo cryptsetup luksDump $BLOCK_DEVICE
# Verify: Inspect device content. The device starts with the LUKS magic "LUKS" 0xba 0xbe
# followed by the big-endian format version. With LUKS2 the JSON metadata area at offset
# 4096 is readable plaintext; the key slot area and the data area are not.
sudo hexdump -C -n 8192 $BLOCK_DEVICE | less
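To make the hexdump step concrete, here is a small header reader that decodes the bytes by hand. It is an added example for this page, not part of cryptsetup; the function names (read_bytes, luks_version, luks_uuid, luks1_cipher, luks1_hash, luks_summary) are this example's own, and the offsets are those of the LUKS1 and LUKS2 on-disk formats (magic at 0, version at 6, UUID at 168 in both versions; cipher, mode and hash as NUL-terminated strings at 8, 40 and 72 in LUKS1 only, since LUKS2 keeps that metadata in the JSON area at offset 4096).

```shell
#!/bin/sh
# Hand-rolled LUKS header reader (added example, not part of cryptsetup).
# Offsets are taken from the LUKS1 and LUKS2 on-disk formats:
#   offset 0,   6 bytes:  magic "LUKS" 0xba 0xbe (a LUKS2 secondary header uses "SKUL" 0xba 0xbe)
#   offset 6,   2 bytes:  format version, big-endian (1 = LUKS1, 2 = LUKS2)
#   offset 168, 40 bytes: UUID as NUL-terminated ASCII (same offset in both versions)
# LUKS1 additionally keeps cipher, mode and hash as NUL-terminated strings:
#   offset 8,  32 bytes: cipher name, e.g. "aes"
#   offset 40, 32 bytes: cipher mode, e.g. "xts-plain64"
#   offset 72, 32 bytes: hash spec,   e.g. "sha256"
# LUKS2 stores that metadata in the JSON area beginning at offset 4096 instead.

# read_bytes FILE OFFSET COUNT: raw bytes from FILE on stdout
read_bytes() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# read_cstring FILE OFFSET MAXLEN: the NUL-terminated string stored at OFFSET
read_cstring() {
    read_bytes "$1" "$2" "$3" | tr '\000' '\n' | head -n 1
}

# luks_version FILE: prints 1 or 2; fails silently if FILE carries no LUKS magic
luks_version() {
    magic=$(read_bytes "$1" 0 6 | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4c554b53babe|534b554cbabe) ;;   # "LUKS" / "SKUL" followed by 0xba 0xbe
        *) return 1 ;;
    esac
    set -- $(read_bytes "$1" 6 2 | od -An -tu1)   # the two version bytes as decimals
    [ $# -eq 2 ] || return 1
    echo $(( $1 * 256 + $2 ))
}

# luks_uuid FILE: the UUID that cryptsetup luksUUID would report
luks_uuid() {
    luks_version "$1" >/dev/null || return 1
    read_cstring "$1" 168 40
}

# luks1_cipher FILE / luks1_hash FILE: cipher spec and hash of a LUKS1 header
luks1_cipher() {
    [ "$(luks_version "$1")" = 1 ] || return 1
    echo "$(read_cstring "$1" 8 32)-$(read_cstring "$1" 40 32)"
}
luks1_hash() {
    [ "$(luks_version "$1")" = 1 ] || return 1
    read_cstring "$1" 72 32
}

# luks_summary FILE: one-line report, e.g. "sudo sh luks_inspect.sh /dev/sdb1"
luks_summary() {
    v=$(luks_version "$1") || { echo "$1: no LUKS header found"; return 1; }
    if [ "$v" = 1 ]; then
        echo "$1: LUKS1 uuid=$(luks_uuid "$1") cipher=$(luks1_cipher "$1") hash=$(luks1_hash "$1")"
    else
        echo "$1: LUKS$v uuid=$(luks_uuid "$1") (cipher is in the JSON area at offset 4096)"
    fi
}

if [ $# -eq 1 ]; then
    luks_summary "$1"
fi
```

Reading a block device needs root, so run it as `sudo sh luks_inspect.sh /dev/sdb1`; the UUID it prints must match `cryptsetup luksUUID`, and a device that prints "no LUKS header found" was not formatted (or its header was overwritten).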
Additional luksFormat parameters:
--cipher: Cipher and mode. (Default: aes-xts-plain64)
--key-size: Volume key size in bits. (Default: 256, doubled to 512 for XTS modes because XTS uses two keys; luksDump shows the size actually in use)
--hash: Hash used by the anti-forensic key splitter and, with PBKDF2, by the key derivation. (Default: sha256)
--iter-time: Time spent on passphrase processing by the PBKDF; it fixes the iteration count (and, for LUKS2's default Argon2i, memory and parallelism) at format time. (Default: 2000 milliseconds)
--use-random/--use-urandom: RNG used to generate the volume key. (Default: --use-urandom; --use-random may block while the kernel reports low entropy)
Auto-Mount during Boot
In the following a keyfile is added to the LUKS header key store so that crypttab can unlock and map the device automatically at boot. The mapped device (/dev/mapper/$MAPPER_NAME) can then be given a filesystem with mkfs and mounted automatically via fstab. Two caveats: the keyfile is stored in plaintext on the root filesystem, so this only protects the data if the root filesystem is itself encrypted or the threat model is loss of the secondary disk alone; and a volume that is needed before the root filesystem is mounted must be handled in the initramfs (Ubuntu: package cryptsetup-initramfs), which this guide does not cover.
# CHANGE THIS VARIABLE TO A SAFE LOCATION TO STORE THE KEYFILE (root-only directory on the root filesystem)
KEYFILE="/root/key.bin"
# CHANGE THIS VARIABLE TO THE DEVICE MAPPER NAME (the device appears as /dev/mapper/$MAPPER_NAME)
MAPPER_NAME="enc_dev"
# Generate a random 64-byte keyfile and limit access to root
sudo dd if=/dev/urandom bs=64 count=1 iflag=fullblock of=$KEYFILE
sudo chmod 400 $KEYFILE
# Add keyfile to the LUKS key store (LUKS1: max. 8 key slots, LUKS2: max. 32)
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Remove it again: sudo cryptsetup luksRemoveKey $BLOCK_DEVICE $KEYFILE
# The passphrase (key slot 0) remains as backup key
# The crypttab file describes encrypted block devices that are set up during system boot.
# Format: volume-name encrypted-device key-file options
UUID=$(sudo cryptsetup luksUUID $BLOCK_DEVICE)
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab
# Verify without rebooting: unlock with the keyfile as crypttab will, then close again
sudo cryptsetup open --key-file $KEYFILE $BLOCK_DEVICE $MAPPER_NAME
lsblk "/dev/mapper/$MAPPER_NAME"
sudo cryptsetup close $MAPPER_NAME
# Reboot. Then verify that the mapping came up from crypttab.
lsblk "/dev/mapper/$MAPPER_NAME"
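The steps above, plus the mkfs and fstab part the text only mentions, as one script. This is an added example for this page, not a script shipped by cryptsetup or Ubuntu: the helper names (is_uuid, is_token, crypttab_line, fstab_line, keyfile_mode_ok, setup_encrypted_volume), the `luks` crypttab option, the `nofail` fstab option and the ext4 choice are this example's assumptions; the cryptsetup, mkfs.ext4, blkid, systemctl and mount invocations are the standard ones. The helpers validate the fields before they are appended, because a mapper name or path containing whitespace or `#` silently corrupts both files.

```shell
#!/bin/sh
# Complete keyfile-unlocked LUKS2 volume setup (added example for this page).
# Usage (destroys all data on DEV):
#   sudo sh setup_enc_dev.sh run /dev/sdb1 enc_dev /root/key.bin /mnt/enc_dev
set -eu

# is_uuid STRING: true if STRING has the form cryptsetup luksUUID and blkid print
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# is_token STRING: true if STRING can be a field of crypttab/fstab
# (both files are whitespace-separated and treat '#' as a comment start)
is_token() {
    case "$1" in ''|*[[:space:]]*|*'#'*) return 1 ;; esac
}

# crypttab_line NAME LUKS_UUID KEYFILE: the /etc/crypttab entry for the volume
crypttab_line() {
    is_token "$1" && is_uuid "$2" && is_token "$3" || return 1
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# fstab_line FS_UUID MOUNTPOINT FSTYPE: the /etc/fstab entry for the filesystem
# inside the mapped device; nofail keeps the boot going if the disk is absent
fstab_line() {
    is_uuid "$1" && is_token "$2" && is_token "$3" || return 1
    printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# keyfile_mode_ok PATH: true if PATH is a regular file readable by its owner only
keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in 400|600) return 0 ;; *) return 1 ;; esac
}

# setup_encrypted_volume DEV NAME KEYFILE MOUNTPOINT
setup_encrypted_volume() {
    dev=$1 name=$2 keyfile=$3 mnt=$4
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }

    # 1. Format: the interactive passphrase lands in key slot 0 and stays as recovery key
    cryptsetup luksFormat --type luks2 "$dev"

    # 2. 64 random bytes as keyfile, created under umask 077 so it is never world-readable
    (umask 077; head -c 64 /dev/urandom > "$keyfile")
    chmod 400 "$keyfile"
    keyfile_mode_ok "$keyfile"

    # 3. Put the keyfile into a second key slot (asks for the slot 0 passphrase)
    cryptsetup luksAddKey "$dev" "$keyfile"

    # 4. Map the device once by hand and create the filesystem
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 -L "$name" "/dev/mapper/$name"

    # 5. crypttab refers to the LUKS header UUID, fstab to the filesystem's own UUID
    luks_uuid=$(cryptsetup luksUUID "$dev")
    fs_uuid=$(blkid -s UUID -o value "/dev/mapper/$name")
    mkdir -p "$mnt"
    crypttab_line "$name" "$luks_uuid" "$keyfile" >> /etc/crypttab
    fstab_line "$fs_uuid" "$mnt" ext4 >> /etc/fstab
    systemctl daemon-reload    # regenerate the units systemd derives from crypttab and fstab

    # 6. Verify without rebooting: drop the manual mapping, then let systemd unlock
    #    from crypttab and mount from fstab, exactly as it will at boot
    cryptsetup close "$name"
    systemctl start "systemd-cryptsetup@$(systemd-escape "$name").service"
    mount "$mnt"
    lsblk "/dev/mapper/$name"
    findmnt "$mnt"
}

if [ "${1:-}" = run ]; then
    shift
    setup_encrypted_volume "$@"
fi
```

Step 6 is the check worth keeping: `systemctl start systemd-cryptsetup@<name>.service` exercises the unit that systemd-cryptsetup-generator built from the new crypttab line, so a typo in the keyfile path or UUID shows up now rather than as a boot-time prompt.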