Difference between revisions of "Linux/Security/Encrypted disk"
(Tag: VisualEditor) |
(Tag: VisualEditor) |
||
Line 46: | Line 46: | ||
=== Add a key file === | === Add a key file === | ||
− | If the mounting happens in a shell script, | + | If the mounting happens in a shell script, then there must be a solution to giving the password. Extra keys can be added to the encrypted device. One of which can be a key file containing a password. |
Create a file containing only a password and chmod it to 600, so only root can read it. Then add it as a key file to the encrypted device. Assuming the file is named /var/scripts/backupkey. | Create a file containing only a password and chmod it to 600, so only root can read it. Then add it as a key file to the encrypted device. Assuming the file is named /var/scripts/backupkey. |
Latest revision as of 15:04, 25 June 2015
Make a harddisk encrypted and password protected.
Use case
Unless hardware is not physically protected, it is mostly not necessary to take the overhead of encryption on every harddisk. Clear exceptions are external harddisks with sensitive information on them i.e. backup disks. If they leave the building, they might get lost or stolen.
Cryptsetup
Cryptsetup is a utility for setting up disk encryption using dm-crypt kernel module. It adds an extra step to mounting and unmounting in that a decrypted device needs to be created before mounting and removed after mounting.
Mount
# This creates /dev/mapper/backup cryptsetup luksOpen /dev/sdb1 backup # Now mount the decrypted device mount /dev/mapper/backup /mnt/backup
Unmount
umount /mnt/backup cryptsetup luksClose backup
Install
Centos 6
yum install cryptsetup-luks
Centos 7
yum install cryptsetup
Encrypt a disk
WARNING: This procedure wipes data from the disk.
First find out which device is the disk that needs to be encrypted. If it is a USB disk, then plug it in.
fdisk -l
or
ls -l /dev/disk/by-id
Let us assume we found that the device is /dev/sdb.
Check if there are no partitions of /dev/sdb mounted at the moment. Else unmount them.
df
Create a linux partition on the device i.e. /dev/sdb1.
fdisk /dev/sdb
Format the partition as encrypted. A password should be given.
cryptsetup luksFormat /dev/sdb1
Open the encrypted /dev/sdb1 to the decrypted device /dev/mapper/backup ("backup" can be anything you like).
cryptsetup luksOpen /dev/sdb1 backup
Put a filesystem on the decrypted device.
mkfs.ext4 /dev/mapper/backup
The filesystem can now be used by mounting it.
mount /dev/mapper/backup /mnt/backup
Add a key file
If the mounting happens in a shell script, then there must be a solution to giving the password. Extra keys can be added to the encrypted device. One of which can be a key file containing a password.
Create a file containing only a password and chmod it to 600, so only root can read it. Then add it as a key file to the encrypted device. Assuming the file is named /var/scripts/backupkey.
cryptsetup luksAddKey /dev/sdb1 /var/scripts/backupkey
Now the encrypted device can be opened with this key file too.
cryptsetup -d /var/scripts/backupkey luksOpen /dev/sdb1 backup