Block Device Encryption - dm-crypt

From Embedded Lab Vienna for IoT & Security

This document describes, for Linux-based systems, how to encrypt a block device with LUKS/dm-crypt/cryptsetup and how to have the encrypted device unlocked and mapped automatically at boot.

Requirements

  • Linux-based Operating System (Here: Ubuntu 20.04 LTS)
  • cryptsetup, the manager for plain dm-crypt and LUKS encrypted volumes, installed (apt install cryptsetup) (Here: v2.2.2)
  • Block device (e.g. partition) that is unmapped and ready to encrypt. (Any content will be lost!)

TL;DR

# Encrypt the block device (all existing content is lost)
sudo cryptsetup luksFormat $BLOCK_DEVICE
# Generate a random keyfile and restrict access to root
sudo dd if=/dev/urandom bs=256 count=1 of=$KEYFILE
sudo chmod 400 $KEYFILE
# Add the keyfile to the LUKS header key store
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Unlock and map the encrypted device on boot via its UUID (See: man crypttab)
UUID=`sudo cryptsetup luksUUID $BLOCK_DEVICE`
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab
# Dump the header information of the LUKS device
sudo cryptsetup luksDump $BLOCK_DEVICE

# USE IT.
man cryptsetup

Encryption

luksFormat initializes a LUKS partition and sets the initial passphrase (key-slot 0). LUKS2 is used by default. The available algorithms (ciphers, hashes) are listed in /proc/crypto; cryptsetup benchmark measures their throughput on the local machine.

# CHANGE THIS VARIABLE TO THE APPROPRIATE BLOCK DEVICE
BLOCK_DEVICE="/dev/sdb1"

# Encrypt block device (Here: using defaults)
sudo cryptsetup luksFormat $BLOCK_DEVICE

# Verify: Dump the header information
sudo cryptsetup luksDump $BLOCK_DEVICE
# Verify: Inspect device content
sudo hexdump -C $BLOCK_DEVICE | less

Additional luksFormat parameters:

--cipher: Cipher specification. (Default: aes-xts-plain64)
--key-size: Key size in bits. (Default: 256)
--hash: Hash algorithm used in the key derivation. (Default: sha256)
--iter-time: Time spent on passphrase processing (PBKDF), in milliseconds. (Default: 2000)
--use-random/--use-urandom: RNG used for generating the volume key. (Default: --use-urandom)

Auto-Mount during Boot

In the following, a keyfile is added to the LUKS header key store and referenced from crypttab so that the device is unlocked and mapped automatically at boot. A filesystem can then be created on the mapped device with mkfs and mounted automatically via fstab.

# CHANGE THIS VARIABLE TO A SAFE LOCATION TO STORE THE KEYFILE
KEYFILE="/root/key.bin"
# CHANGE THIS VARIABLE TO THE NAME OF THE DEVICE MAPPER MOUNTPOINT
MAPPER_NAME="enc_dev"

# Generate a random keyfile and limit access to root
sudo dd if=/dev/urandom bs=32 count=1 of=$KEYFILE
sudo chmod 400 $KEYFILE

# Add the keyfile to the LUKS key storage (max. 8)
sudo cryptsetup luksAddKey $BLOCK_DEVICE $KEYFILE
# Remove it again: sudo cryptsetup luksRemoveKey $BLOCK_DEVICE $KEYFILE
# The passphrase (key-slot 0) remains as backup key

# The crypttab file describes encrypted block devices that are set up during system boot.
# Format: volume-name encrypted-device key-file options
UUID=`sudo cryptsetup luksUUID $BLOCK_DEVICE`
echo "$MAPPER_NAME UUID=$UUID $KEYFILE" | sudo tee -a /etc/crypttab

# Reboot. Then verify that the mapping exists (set MAPPER_NAME again in the new shell first).
lsblk "/dev/mapper/$MAPPER_NAME"
sudo cryptsetup status "$MAPPER_NAME"
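The crypttab line above is written blindly with tee -a; if the UUID or the keyfile is wrong, or the keyfile is readable by other users, the problem only shows up after the reboot. The following script is an added example, not part of the original wiki page: it checks the three fields before the entry is appended, and offers a rehearsal of the whole procedure on a disposable file-backed loop device (run as root with --rehearse) rather than on a real partition. It assumes a Linux host with GNU coreutils (stat -c), grep -E, losetup and cryptsetup; all function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): validate crypttab inputs, and
# optionally rehearse the LUKS procedure on a loop device. Assumes GNU
# coreutils (stat -c), grep -E, losetup and cryptsetup on Linux.

# Return 0 if $1 has the 8-4-4-4-12 lowercase-hex form that
# `cryptsetup luksUUID` prints.
is_luks_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Return 0 if $1 is a regular file readable only by its owner (mode 400 or 600).
# A world-readable keyfile hands the volume key to every local account.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name UUID=<uuid> <keyfile> [options]" in crypttab format, or print
# nothing and return 1 if any field fails the checks above.
# Usage: build_crypttab_entry MAPPER_NAME UUID KEYFILE [OPTIONS]
build_crypttab_entry() {
    name=$1 uuid=$2 keyfile=$3 opts=$4
    case "$name" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad mapper name: '$name'" >&2; return 1 ;;
    esac
    is_luks_uuid "$uuid" || { echo "bad LUKS UUID: '$uuid'" >&2; return 1; }
    keyfile_is_private "$keyfile" || {
        echo "keyfile missing or too permissive: $keyfile" >&2; return 1
    }
    printf '%s UUID=%s %s%s\n' "$name" "$uuid" "$keyfile" "${opts:+ $opts}"
}

# Rehearse the page's steps on a 64 MiB image file (must run as root).
# No real disk is touched; the mapping, loop device and image are removed again.
luks_loopback_rehearsal() {
    work=$(mktemp -d)
    truncate -s 64M "$work/disk.img"
    head -c 32 /dev/urandom > "$work/key.bin"
    chmod 400 "$work/key.bin"
    loop=$(losetup --find --show "$work/disk.img")
    # Non-interactive variant of luksFormat: the keyfile goes into key-slot 0.
    cryptsetup luksFormat --batch-mode --key-file "$work/key.bin" "$loop"
    uuid=$(cryptsetup luksUUID "$loop")
    echo "crypttab line would be:"
    build_crypttab_entry rehearsal_dev "$uuid" "$work/key.bin"
    cryptsetup open --key-file "$work/key.bin" "$loop" rehearsal_dev
    lsblk "/dev/mapper/rehearsal_dev"
    cryptsetup close rehearsal_dev
    losetup -d "$loop"
    rm -rf "$work"
}

# Run the rehearsal only when explicitly requested and running as root.
if [ "${1:-}" = "--rehearse" ] && [ "$(id -u)" = 0 ]; then
    luks_loopback_rehearsal
fi
```

To use the check on a real system, replace the tee -a line from the page with `build_crypttab_entry "$MAPPER_NAME" "$UUID" "$KEYFILE" | sudo tee -a /etc/crypttab`; because the function prints nothing on failure, a bad entry is never appended. The options field is left empty by default, matching the page's three-field entry.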
