
since i'm always forgetting what to do to encrypt a harddisk, and have to rely on other sites (which might go offline some day), i decided to sum everything up in a post. parts of this can already be found elsewhere in this blog.
note that the disk device name can differ from computer to computer, so i used /dev/sdx in this description which you have to change to the right name.


first, connect the disk and unmount it. then, delete all existing partitions and create a linux primary partition (or do whatever else you want):

$ sudo fdisk /dev/sdx

then it is recommended to clear the partition with random data:

$ sudo dd if=/dev/urandom of=/dev/sdx1

note that this step takes a lot of time.
then, make luks aware of the drive, open it with luks and format it:

$ sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat /dev/sdx1
$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mke2fs -v /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

this creates an ext2 file system. now you should be able to unplug the drive and reconnect it, and ubuntu should ask you for a passphrase to unlock the disk. feel free to add -L "label" to the mke2fs call (at most 16 characters; see the man page for more details); ubuntu will then try to mount the disk as /media/label.

(edit: since there is now a successful attack on the aes-cbc-essiv encryption mentioned here earlier, i changed it to aes-xts-plain64, using a different approach.)

mounting and unmounting.

to mount:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo mount /dev/mapper/encrdisk /mnt

to unmount:

$ sudo umount /mnt
$ sudo cryptsetup luksClose encrdisk

note that, for example, newer ubuntu versions automatically ask for a passphrase and perform luksOpen / mount / umount / luksClose for you.


basically, you just have to open the partition, run the usual file system check, and close it:

$ sudo cryptsetup luksOpen /dev/sdx1 encrdisk
$ sudo fsck -v -C -n /dev/mapper/encrdisk
$ sudo cryptsetup luksClose encrdisk

passphrase management.

note that luks can store several passphrases, each of which can be used to open the partition. one can add passphrases to this list and remove them from it.
to add a passphrase:

$ sudo cryptsetup luksAddKey /dev/sdx1

to remove a passphrase (you have to enter the passphrase to be removed):

$ sudo cryptsetup luksRemoveKey /dev/sdx1

to remove the passphrase from a slot (useful if you forgot one of the passphrases and want to remove it):

$ sudo cryptsetup luksKillSlot /dev/sdx1 0
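
to see which cipher an existing disk uses (for example one still formatted with the older aes-cbc-essiv setting) and which slots hold a passphrase, the following added example, which is not part of the original post, summarises the output of cryptsetup luksDump. it assumes the LUKS1 dump layout; the function names and the sample dump are made up for illustration.

```shell
#!/bin/sh
# added example: summarise LUKS1-style `cryptsetup luksDump` output.
# assumption: LUKS1 layout ("Cipher name:", "Key Slot N: ENABLED"); LUKS2 prints differently.

# constructed sample dump (salt/digest lines left out), not from a real disk
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdx1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256

Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

# print "<name>-<mode>/<key bits>", e.g. aes-xts-plain64/512
luks_cipher() {
    awk '$1 == "Cipher" && $2 == "name:" { name = $3 }
         $1 == "Cipher" && $2 == "mode:" { mode = $3 }
         $1 == "MK"     && $2 == "bits:" { bits = $3 }
         END { print name "-" mode "/" bits }'
}

# print the numbers of all occupied key slots, space separated
luks_enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# read a dump on stdin; "ok" only for the settings used in this post
luks_audit() {
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | luks_cipher)
    slots=$(printf '%s\n' "$dump" | luks_enabled_slots)
    case "$cipher" in
        aes-xts-plain64/512) verdict=ok ;;
        *)                   verdict=review ;;
    esac
    echo "$verdict cipher=$cipher slots=$slots"
}

sample_dump | luks_audit
```

on a real disk, pipe `sudo cryptsetup luksDump /dev/sdx1` into `luks_audit`; a slot you do not recognise can then be removed with luksKillSlot as shown above.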


felix wrote on january 28, 2011 at 18:41:

sometimes one also wants encrypted container files. here's documentation on how to create such a container; it can be mounted and unmounted using mount.crypt and umount.crypt. for easy reference, here's what you have to do (also contains fewer bugs and does a more thorough job):

$ container=blah
$ dd if=/dev/urandom of=$container bs=1M count=100
$ device=`sudo losetup -f`
$ sudo losetup $device $container
$ sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat -y $device
$ sudo cryptsetup luksOpen $device openedcontainer
$ sudo mkfs.ext3 /dev/mapper/openedcontainer
$ sudo cryptsetup luksClose openedcontainer
$ sudo losetup -d $device