Create a luks encrypted partition on Linux Mint

Encryption is not only for someone who has something to hide. Simple concerns like a lost or stolen laptop justify full disk encryption. Only a few steps are necessary to create an encrypted partition.

In the following, an already created partition is used to create an encrypted volume. To create the partition layout on the disk, tools like gparted (GUI), parted (command-line), fdisk (command-line) or others can be used.

The following partition layout is used in this example. It shows the disk /dev/sdc with its single partition /dev/sdc1.

$ sudo fdisk -l /dev/sdc

Disk /dev/sdc: 2055 MB, 2055208960 bytes
221 heads, 35 sectors/track, 518 cylinders, total 4014080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x01bed634

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1     4014079     2007039+  83  Linux

Create luks encrypted partition

To create the encrypted partition on /dev/sdc1, luks is used. The encryption of the partition is managed with the cryptsetup command. The command below formats the partition /dev/sdc1 as a luks encrypted partition.

The man page suggests using the options “--cipher aes-xts-plain” with “--key-size 512” for kernel 2.6.24 or higher. The “luksFormat” action creates the encryption on the partition.

$ sudo cryptsetup --cipher aes-xts-plain --key-size 512 --hash sha512 -v luksFormat /dev/sdc1

WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: SecurePassword!
Verify passphrase: SecurePassword!
Command successful.
It might be necessary to unmount the partition before the luks encryption can be created on it, because Linux Mint mounts known filesystems automatically. A umount command like the following unmounts the partition so that the luks encryption can be created on it.

sudo umount /dev/sdc1

After the successful execution of the above command, the partition is encrypted. To access its content, the encrypted partition now needs to be opened. With the “luksOpen” action, the given encrypted partition is opened and mapped to the name specified as the last argument.

$ sudo cryptsetup -v luksOpen /dev/sdc1 sdc1crypt
Enter passphrase for /dev/sdc1: SecurePassword!
Key slot 0 unlocked.
Command successful.

The luks encryption created on the device supports multiple keys. Those keys are stored in so called “Key Slots”. To show the configured keys as well as other details of the encrypted partition, cryptsetup provides the “luksDump” action.

$ sudo cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain
Hash spec:     	sha512
Payload offset:	4096
MK bits:       	512
MK digest:     	a9 a7 02 02 69 9c 2a 66 fa a1 63 18 ce 42 24 40 53 94 af 8d 
MK salt:       	e2 48 15 da 0e 63 a9 92 c4 82 be 26 42 b7 c3 bd 
               	70 02 9b e1 e6 9e c0 98 7a 47 b9 10 70 d0 a0 81 
MK iterations: 	22750
UUID:          	f30dd479-0ce5-4819-992f-eec11e1a17b8

Key Slot 0: ENABLED
	Iterations:         	90908
	Salt:               	7c 78 14 18 1f 71 88 64 4e a7 15 32 d1 ba 9c 50 
	                      	01 7d 96 aa 78 ce 6e 10 6a d6 df c0 b5 e7 c1 42 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
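
The luksDump output is also the place to check that a container still looks the way it was set up: the cipher, mode and key size should match what was chosen at luksFormat time, and every ENABLED key slot is a passphrase or key file that opens the disk, so a slot you did not add yourself deserves attention. The following script is an added example, not part of the original post, that audits a dump against expected values. SAMPLE_DUMP is a constructed excerpt modelled on the dump above, with a second key slot enabled on purpose so the audit has something to report.

```shell
#!/bin/sh
# Added example, not from the original post: audit "cryptsetup luksDump" output against the
# settings you expect. SAMPLE_DUMP is a constructed excerpt modelled on the post's dump, with a
# second key slot enabled on purpose so the audit has something to report.
set -eu

SAMPLE_DUMP='LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
UUID:           f30dd479-0ce5-4819-992f-eec11e1a17b8

Key Slot 0: ENABLED
        Iterations:             90908
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             91117
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the value of header field NAME (the text before the colon) from DUMP, or nothing if absent.
dump_field() {
    printf '%s\n' "$1" | awk -F ':[[:space:]]+' -v k="$2" '$1 == k { print $2; exit }'
}

# Count key slots reported as ENABLED. Each one is a passphrase (or key file) that opens the disk.
enabled_slot_count() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }'
}

# Compare DUMP with the expected cipher, cipher mode, master key bits and the maximum number of
# enabled key slots. Prints one line per finding and returns 1 if anything deviates.
audit_luks_dump() {
    dump=$1; want_cipher=$2; want_mode=$3; want_bits=$4; max_slots=$5
    rc=0
    cipher=$(dump_field "$dump" "Cipher name")
    mode=$(dump_field "$dump" "Cipher mode")
    bits=$(dump_field "$dump" "MK bits")
    slots=$(enabled_slot_count "$dump")
    [ "$cipher" = "$want_cipher" ] || { echo "cipher is '$cipher', expected $want_cipher"; rc=1; }
    [ "$mode" = "$want_mode" ]     || { echo "cipher mode is '$mode', expected $want_mode"; rc=1; }
    [ "$bits" = "$want_bits" ]     || { echo "master key is '$bits' bits, expected $want_bits"; rc=1; }
    [ "$slots" -le "$max_slots" ]  || { echo "$slots key slots enabled, expected at most $max_slots"; rc=1; }
    return $rc
}

# Stand-alone run on the constructed sample: reports the unexpected second key slot.
# Against a real device: audit_luks_dump "$(sudo cryptsetup luksDump /dev/sdc1)" aes xts-plain 512 1
audit_luks_dump "$SAMPLE_DUMP" aes xts-plain 512 1 || echo "audit: the findings above need attention"
```

The field names are matched on the text before the colon, so the same functions work on a dump that uses tabs instead of spaces after the colon.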

The partition is now encrypted and opened, but does not yet have a filesystem that can be mounted and used. The lsblk(8) command shows the filesystem on a block device.

$ sudo lsblk -f /dev/mapper/sdc1crypt 
NAME               FSTYPE LABEL MOUNTPOINT
sdc1crypt (dm-4)              

Executed with the mapping name, the command shows that there is no filesystem on the encrypted partition yet.

Create a filesystem on the encrypted partition

Depending on the use of the encrypted partition, the filesystem can be chosen as needed. The following generates an ext4 filesystem. With the command mkfs(8) a new filesystem is created on the encrypted partition. The parameter “-t ext4” selects the filesystem, while the “-L” option is an ext4 specific option that sets the user friendly label of the filesystem. This label is used to show the filesystem in the GUI file manager.

$ sudo mkfs -t ext4 -L LuksPartition /dev/mapper/sdc1crypt 
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=LuksPartition
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
125440 inodes, 501058 blocks
25052 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=515899392
16 block groups
32768 blocks per group, 32768 fragments per group
7840 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

The filesystem is now created on the partition. As the output shows, “25052 blocks (5.00%) reserved for the super user” are set aside on the filesystem. To manage the reserved space, see Utility df shows inconsistent calculation for ext filesystems for details.

Another check with “lsblk” already shows the newly created ext4 filesystem.

$ sudo lsblk -f /dev/mapper/sdc1crypt 
NAME               FSTYPE LABEL         MOUNTPOINT
sdc1crypt (dm-4) ext4   LuksPartition 

Finally, to use the partition, the filesystem just created needs to be mounted. To mount the filesystem manually, a directory to mount it on has to be created first.

$ sudo mkdir /mnt/sdc1crypt/
$ sudo mount /dev/mapper/sdc1crypt /mnt/sdc1crypt/

Executing mount(8) finally mounts the filesystem on the mapped luks partition at the directory specified. When mount is executed without any parameters, the list of mounted filesystems now includes the new filesystem.

/dev/mapper/sdc1crypt on /mnt/sdc1crypt type ext4 (rw)

Remove luks encrypted partition from system

To remove the luks encrypted device properly from the system, the following commands should be executed.

$ sudo umount /mnt/sdc1crypt
$ sudo cryptsetup -v luksClose sdc1crypt
Command successful.

With the first command, the filesystem is unmounted. In the second command cryptsetup is called with the “luksClose” action to close the encrypted partition, which also removes the mapping.
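
The steps above (unmount if needed, luksFormat, luksOpen, mkfs, mount, and later umount and luksClose) fit into one small script. The following is an added example, not code from the original post: it wraps the sequence with the two guards a practitioner wants before an irrevocable luksFormat (the target must be a block device and must not currently be mounted), and it defaults to a dry run that only prints the commands, so the flow can be reviewed before DRY_RUN=0 lets it touch a disk. The cipher options are the ones used in the post; note that current cryptsetup releases default to aes-xts-plain64, because the plain IV wraps after 2 TiB, so plain64 is the safer choice on larger devices. The device, mapping name and mount point are the ones from the post and can be replaced freely.

```shell
#!/bin/sh
# Added example, not from the original post: the post's create/open/format/mount steps and the
# matching teardown, wrapped with safety checks. DRY_RUN defaults to 1 (print only); run with
# DRY_RUN=0 to execute. MOUNTS_FILE defaults to /proc/mounts.
set -eu

DRY_RUN=${DRY_RUN:-1}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if DEV appears as a mount source in the mounts table FILE (default: /proc/mounts).
# Passing another file is how the check can be exercised without root or real devices.
is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# Format DEV as a luks container, open it as NAME, create an ext4 filesystem and mount it at MNT.
luks_setup() {
    dev=$1; name=$2; mnt=$3
    if [ "$DRY_RUN" != 1 ] && [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    # Linux Mint auto-mounts known filesystems; luksFormat must not run on a mounted partition.
    if is_mounted "$dev" "$MOUNTS_FILE"; then
        echo "refusing: $dev is mounted, run 'umount $dev' first" >&2
        return 1
    fi
    run cryptsetup --cipher aes-xts-plain --key-size 512 --hash sha512 -v luksFormat "$dev"
    run cryptsetup -v luksOpen "$dev" "$name"
    run mkfs -t ext4 -L "$name" "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# Unmount MNT and close the mapping NAME, the reverse order of luks_setup.
luks_teardown() {
    name=$1; mnt=$2
    run umount "$mnt"
    run cryptsetup -v luksClose "$name"
}

# Stand-alone: with the default DRY_RUN=1 this only prints the command sequence.
luks_setup /dev/sdc1 sdc1crypt /mnt/sdc1crypt
luks_teardown sdc1crypt /mnt/sdc1crypt
```

Because the commands go through run(), the printed dry-run lines are exactly what would be executed, which makes the script easy to review before the first real run.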

Backup and safety

The encrypted partition keeps your data safe even when the laptop is lost or stolen. In case of a problem with the luks header on the partition, a backup of the luks header is recommended. Even the man page indicates that a damaged luks header happens “surprising frequently”.

$ sudo cryptsetup -v luksHeaderBackup  /dev/sdc1 --header-backup-file LuksHeaderBackup.bin

The above command creates a backup of the luks header, which can be used in case of a damaged luks header. The command below restores the luks header. For both operations it is not necessary to have the luks encrypted partition opened.

$ sudo cryptsetup -v luksHeaderRestore /dev/sdc1 --header-backup-file LuksHeaderBackup.bin
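
A header backup is only worth anything if it is intact when it is needed, so it pays to check the file right after creating it and again before a restore. The following is an added example, not code from the original post: it reads the fixed-layout fields of a LUKS1 header file (magic, version, cipher name and mode, hash, payload offset, key size and UUID) with dd and od, so the values can be compared with luksDump of the device. The parser understands version 1 headers only, as created in this post. make_sample_header writes a constructed, minimal header with just those fields filled in, so the parser can be exercised without a real backup; the key material and digests in it are zero.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a LUKS1 header backup file before
# relying on it. Field offsets follow the LUKS1 on-disk header layout (592 bytes in total).
set -eu

# Read COUNT bytes at OFFSET from FILE as a NUL-terminated string.
read_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Read a big-endian unsigned integer of COUNT bytes at OFFSET from FILE.
read_be() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tu1 |
        awk '{ for (i = 1; i <= NF; i++) v = v * 256 + $i } END { print v + 0 }'
}

# Print the identifying fields of the LUKS1 header in FILE, one "key=value" per line.
# Returns 1 if the magic does not match or the version is not 1.
luks_header_info() {
    f=$1
    magic=$(dd if="$f" bs=1 count=6 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then          # "LUKS" 0xBA 0xBE
        echo "$f: not a LUKS header (magic $magic)" >&2
        return 1
    fi
    version=$(read_be "$f" 6 2)
    if [ "$version" != 1 ]; then
        echo "$f: LUKS version $version, this parser only understands version 1" >&2
        return 1
    fi
    printf 'version=%s\n' "$version"
    printf 'cipher=%s\n' "$(read_str "$f" 8 32)"
    printf 'mode=%s\n' "$(read_str "$f" 40 32)"
    printf 'hash=%s\n' "$(read_str "$f" 72 32)"
    printf 'payload_offset=%s\n' "$(read_be "$f" 104 4)"
    printf 'key_bits=%s\n' "$(( $(read_be "$f" 108 4) * 8 ))"
    printf 'uuid=%s\n' "$(read_str "$f" 168 40)"
}

# Helpers for building the constructed sample: N zero bytes, and a string padded with zeros.
zeros() { if [ "$1" -gt 0 ]; then dd if=/dev/zero bs=1 count="$1" 2>/dev/null; fi; }
field() { printf '%s' "$1"; zeros $(( $2 - ${#1} )); }

# Write a constructed LUKS1-style header to FILE (magic, version and text fields only).
make_sample_header() {
    {
        printf 'LUKS\272\276'            # magic
        zeros 1; printf '\001'           # version 1
        field 'aes' 32                   # cipher name
        field 'xts-plain' 32             # cipher mode
        field 'sha512' 32                # hash spec
        zeros 2; printf '\020'; zeros 1  # payload offset 4096
        zeros 3; printf '\100'           # key bytes 64 (512-bit master key)
        zeros 56                         # MK digest, salt and iterations (zero in the sample)
        field 'f30dd479-0ce5-4819-992f-eec11e1a17b8' 40   # UUID from the post's luksDump
        zeros 384                        # eight 48-byte key slot records (unused here)
    } > "$1"
}

# Stand-alone run on the constructed sample. For a real backup: luks_header_info LuksHeaderBackup.bin
sample=$(mktemp); make_sample_header "$sample"; luks_header_info "$sample"; rm -f "$sample"
```

Comparing the uuid and cipher lines with luksDump of the device is a quick way to confirm that a backup file belongs to the partition it is about to be restored onto.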

Read more of my posts on my blog at https://blog.tinned-software.net/.
