Here are some notes that I took about setting up LUKS when studying for the RHCSA. I felt that this would be appropriate to post after the recent issues with TrueCrypt.
Disk Encryption
- LUKS - Linux Unified Key Setup
- Create a new LUKS encrypted device:
- cryptsetup luksFormat
- cryptsetup luksFormat
- Establish access to the device:
- cryptsetup luksOpen
- /dev/mapper/<mapname>
- cryptsetup luksOpen
- Create the filesystem:
- mkfs -t ext4 /dev/mapper/
- mkfs -t ext4 /dev/mapper/
- Mount the filesystem:
- mount /dev/mapper/
/mnt
- mount /dev/mapper/
- Make filesystem persistent:
- vim /etc/fstab
- /dev/mapper/
/cryptomount ext4 defaults 1 2
- /dev/mapper/
- vim /etc/fstab
- Removing access to an encrypted device:
- Umount the filesystem, if mounted:
- umount /mnt
- cryptsetup luksClose mapname
- Umount the filesystem, if mounted:
- To make LUKS devices available at boot time (persistence):
- /etc/crypttab
[keyfile] [options]
- To create a keyfile:
- dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
- cryptsetup luksAddKey <device> /etc/keyfile
- chmod 400 /etc/keyfile
- /etc/crypttab
- To test LUKS functionality for persistence:
- umount /cryptfs
- cryptsetup luksClose mapname
- #> bash
- #> . /etc/init.d/functions
- #> init_crypto 1
- #> mount -a
- #> ls /cryptfs
- Create a new LUKS encrypted device:
If I remember correctly, you can’t do whole disk encryption with LUKS after the fact. Meaning, you can’t use LUKS to do whole disk encryption after the operating system has been installed. You can, however, create a back up of a partition like /home, encrypt it, then restore /home to your newly encrypted partition. I’ll play around with this soon and get some solid details available for those of you looking for a TrueCrypt alternative for Linux. For now, I hope that this helps.