Cryptsetup and LUKS

Ever have a hard drive go bad, yet hesitate to RMA it? That’s understandable. Who knows what people on the other end will do, once it is repaired. Once simple solution is to encrypt the contents of the hard disk. This is made easy using cryptsetup.

For example, I just plugged in a 1TB external USB drive. Looking at my dmesg output, I see it is /dev/sde.

# dmesg
[710452.205068] sd 9:0:0:0: Attached scsi generic sg4 type 0
[710452.206899] sd 9:0:0:0: [sde] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
[710452.208131] sd 9:0:0:0: [sde] Write Protect is off
[710452.208361] sd 9:0:0:0: [sde] Mode Sense: 00 38 00 00
[710452.208364] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.210121] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.226260]  sde:
[710452.228245] sd 9:0:0:0: [sde] Assuming drive cache: write through
[710452.228472] sd 9:0:0:0: [sde] Attached SCSI disk

To install encryption, I use the cryptsetup command:

# cryptsetup --verbose --verify-passphrase luksFormat /dev/sde
This will overwrite data on /dev/sde irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

Now, I need to install assign a device to the encrypted device:

# cryptsetup luksOpen /dev/sde BACKUP
Enter passphrase for /dev/sde:

Finally, I’ll make a filesystem on it and mount it:

# mke2fs -j -m 0 -L BACKUP /dev/mapper/BACKUP
mke2fs 1.41.12 (17-May-2010)
Filesystem label=BACKUP
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
61054976 inodes, 244190134 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
7453 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
	102400000, 214990848

Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
# mount /dev/mapper/BACKUP /mnt
# df -k /mnt
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/BACKUP   961432608    204568 961228040   1% /mnt

Being able to unplug this USB drives means I need to issue the following:

# umount /mnt
# cryptsetup luksClose /dev/mapper/BACKUP

There are many nice features in cryptsetup. One is that you can have multiple passwords.
To add a pass phrase to my USB drive I first have to authenticate using an original pass phrase, then I can add a new one:

# cryptsetup luksAddKey /dev/sde 
Enter any passphrase: 
Enter new passphrase for key slot: 
Verify passphrase:

Comments are closed.