Linux/Security/Encrypted disk

From Iveze
Jump to: navigation, search

Make a harddisk encrypted and password protected.

Use case

Unless hardware is not physically protected, it is mostly not necessary to take the overhead of encryption on every harddisk. Clear exceptions are external harddisks with sensitive information on them i.e. backup disks. If they leave the building, they might get lost or stolen.

Cryptsetup

Cryptsetup is a utility for setting up disk encryption using dm-crypt kernel module. It adds an extra step to mounting and unmounting in that a decrypted device needs to be created before mounting and removed after mounting.

Mount

# This creates /dev/mapper/backup
cryptsetup luksOpen /dev/sdb1 backup
# Now mount the decrypted device
 mount /dev/mapper/backup /mnt/backup

Unmount

umount /mnt/backup
cryptsetup luksClose backup

Install

Centos 6

yum install cryptsetup-luks

Centos 7

yum install cryptsetup

Encrypt a disk

WARNING: This procedure wipes data from the disk.

First find out which device is the disk that needs to be encrypted. If it is a USB disk, then plug it in.

fdisk -l

or

ls -l /dev/disk/by-id

Let us assume we found that the device is /dev/sdb.

Check if there are no partitions of /dev/sdb mounted at the moment. Else unmount them.

df

Create a linux partition on the device i.e. /dev/sdb1.

fdisk /dev/sdb

Format the partition as encrypted. A password should be given.

cryptsetup luksFormat /dev/sdb1

Open the encrypted /dev/sdb1 to the decrypted device /dev/mapper/backup ("backup" can be anything you like).

cryptsetup luksOpen /dev/sdb1 backup

Put a filesystem on the decrypted device.

mkfs.ext4 /dev/mapper/backup

The filesystem can now be used by mounting it.

mount /dev/mapper/backup /mnt/backup

Add a key file

If the mounting happens in a shell script, then there must be a solution to giving the password. Extra keys can be added to the encrypted device. One of which can be a key file containing a password.

Create a file containing only a password and chmod it to 600, so only root can read it. Then add it as a key file to the encrypted device. Assuming the file is named /var/scripts/backupkey.

cryptsetup luksAddKey /dev/sdb1 /var/scripts/backupkey

Now the encrypted device can be opened with this key file too.

cryptsetup -d /var/scripts/backupkey luksOpen /dev/sdb1 backup