Block device encryption with cryptsetup and LUKS

In this post I'll demonstrate how to encrypt a block device on Debian using the cryptsetup [1] toolset.

cryptsetup is a utility that encrypts and decrypts block devices in real time using the dm-crypt kernel module [2].

I'll be using the LUKS specification [3], which is the standard for Linux hard disk encryption.

First let's install the package:
Then create your symmetric key file:
Next format the block device with LUKS, specifying the key size and the cipher (from /proc/crypto):
Check if the device is a LUKS encrypted device:
Dump information about the LUKS device (metadata is stored in the LUKS header):
Now that the device has been prepared we can "open" it by creating a device mapper file named "encrypt-volume":
This will create a device mapping file in /dev/mapper that can be formatted and mounted:
Create a file system and mount the block device:
If this is an iSCSI block device, it can easily be moved to a different host, but first we need to unmount it and "close" it:
On the new server:
LUKS uses a special header to store some metadata like the master password, salt values etc. If the header gets corrupted, for example because you reformat the encrypted block device instead of the mapped one, you will not be able to decrypt the device and will lose the data. To prevent this, make sure you have a backup of the header stored at a secure location. To back up and restore the LUKS header run:
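The steps above as one script, from key file creation through header backup and restore. This is an added example, not the original post's commands: the device /dev/sdX, the file paths, ext4, and the aes-xts-plain64 cipher with a 512-bit key are assumptions, and commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example. DEV, KEY, MNT, HDR, ext4 and the cipher/key size are assumptions.
DEV="${DEV:-/dev/sdX}"               # placeholder: the raw block device
KEY="${KEY:-/root/luks.key}"         # key file
NAME="${NAME:-encrypt-volume}"       # mapper name used in the post
MNT="${MNT:-/mnt/encrypted}"         # mount point
HDR="${HDR:-/root/luks-header.img}"  # header backup; store it off this host

# Commands are printed unless DRY_RUN=0 is set, so a typo cannot wipe a disk.
run() { if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "$*"; fi; }

prepare() {            # one-time setup: luksFormat destroys data on $DEV
    umask 077          # key file and header backup readable by root only
    run apt-get install -y cryptsetup &&
    run dd if=/dev/urandom of="$KEY" bs=512 count=8 &&
    run chmod 0400 "$KEY" &&
    run cryptsetup --batch-mode --cipher aes-xts-plain64 --key-size 512 \
        --key-file "$KEY" luksFormat "$DEV" &&
    run cryptsetup isLuks "$DEV" &&
    run cryptsetup luksDump "$DEV" &&
    run cryptsetup luksHeaderBackup "$DEV" --header-backup-file "$HDR"
}

open_volume() {        # creates /dev/mapper/$NAME
    run cryptsetup --key-file "$KEY" luksOpen "$DEV" "$NAME"
}

make_fs() {            # run once; always the mapped device, never $DEV
    run mkfs.ext4 "/dev/mapper/$NAME"
}

mount_volume() { run mkdir -p "$MNT" && run mount "/dev/mapper/$NAME" "$MNT"; }

close_volume() {       # required before moving the device to another host
    run umount "$MNT" && run cryptsetup luksClose "$NAME"
}

restore_header() {     # recovers a damaged header from the backup
    run cryptsetup luksHeaderRestore "$DEV" --header-backup-file "$HDR"
}

# Usage: DRY_RUN=0 sh luks.sh prepare   (then open_volume, make_fs, ...)
[ $# -eq 0 ] || "$@"
```

On the new server only open_volume and mount_volume are needed, with the same key file copied over a secure channel.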
With this you have an encrypted block device in a few quick steps. One thing worth mentioning is that the key file should be kept at a secure location; if it is lost you will not be able to decrypt your device.

Here's a list of the most popular available options for disk encryption:

- Loop-AES - longest-existing one; possibly the fastest; works on legacy systems, must manually compile custom kernel, not ideal for containers;
- dm-crypt +/- LUKS - the de-facto standard for block device encryption on Linux; very flexible, kernel modules already shipped with default kernel;
- Truecrypt - very portable, well-polished, self-contained solution, but the project died in mid-2014;
- eCryptfs - stacked filesystem encryption instead of block level, slower, individual encrypted files portable between systems;
- EncFs - stacked filesystem encryption instead of block level, the slowest, easiest one to use; supports non-root administration.

Resources:

[1]. https://code.google.com/p/cryptsetup/
[2]. https://code.google.com/p/cryptsetup/wiki/DMCrypt
[3]. http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup