skip to main content.

posts for february 2010.

since i’m always forgetting what to do to encrypt a harddisk, and have to rely on other sites (which might go offline once), i decided to sum everything up in a post. parts can already be found here in this blog.
note that the disk device name can differ from computer to computer, so i used /dev/sdx in this description which you have to change to the right name.

creation.

first, connect the disk and unmount it. then, delete all existing partitions and create a linux primary partition (or do whatever else you want):

$ sudo fdisk /dev/sdx

then it is recommended to clear the partition with random data:

$ sudo dd if=/dev/urandom of=/dev/sdx1

note that this step takes a lot of time.
then, make luks aware of the drive, open it with luks and format it:

$ sudo cryptsetup –verbose –cipher aes-xts-plain64 –key-size 512 –verify-passphrase luksFormat /dev/sdx1
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mke2fs -v /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

this creates an ext2 file system. now you should be able to unplug the drive and reconnect it, and ubuntu should ask you for a passphrase to unlock the disk. feel free to add -L “label” (at most 16 characters; see the man page for more details); ubuntu will try to mount the disk as /media/label then.

(edit: since there is now a successful attack on the aes-cbc-essiv encryption mentioned here earlier, i changed it to aes-xts-plain64, using a different approach.)

mounting and unmounting.

to mount:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mount /dev/mapper/encrdisk /mnt

to unmount:

$ sudo unmount /mnt
$ sudo cryptsetup luksClose encrdisk

note that for example newer ubuntu versions automatically ask for a passphrase and performs luksOpen / mount / unmount / luksClose for you.

checking.

basically, you just have to open the partition, run the usual file system check, and close it:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo fsck -v -C -n /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

passphrase management.

note that luks has a storage of several passphrases, which can all be used to open the partition. one can add and remove phrases to/from this list.
to add a passphrase:

$ cryptsetup luksAddKey /dev/sdx1

to remove a passphrase (you have to enter the passphrase to be removed):

$ cryptsetup luksRemoveKey /dev/sdx1

to remove the passphrase from a slot (useful if you forgot one of the passphrases and want to remove it):

$ cryptsetup luksKillSlot /dev/sdx1 0

i just got orphaned land‘s new album, the never ending way of orwarrior, after long years of waiting. it’s amazing! the first track, sapari, is really catchy. i’m pretty much addicted to it. i might write more about the album later, but for now, here’s the official video for sapari:

[[for legal reasons, i do not want to include youtube videos here anymore. please click on this link to watch the video at youtube.]]

edit: apparently, century media requested to delete that video and replaced it by another version of the same thing, with a more “hip” title. great. whatever. here’s the new version:

[[for legal reasons, i do not want to include youtube videos here anymore. please click on this link to watch the video at youtube.]]

for some reason, they screwed it up that a lot of hyphens appear in the title… whatever…