
I find the following somewhat confusing, but it doesn't have many steps. Is this a solid method for encrypting an HDD with LUKS?

Here’s the process in a few steps:

  1. Create a LUKS partition

    cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda
    

    Note that obviously you can use different settings for the luksFormat command; the above is what I usually use. After that you will be asked to enter a password for the encryption; it doesn’t matter if it’s not very secure now, because we will only use this device as a random data generator.

  2. Open the encrypted device: the command below opens the luks device and maps it as "sda_crypt"

    cryptsetup luksOpen /dev/sda sda_crypt
    
  3. Now we fill this device with 0s using dd and /dev/zero as source:

    dd if=/dev/zero of=/dev/mapper/sda_crypt bs=1M
    
  4. The whole underlying disk now appears to be filled with random data, except for the LUKS header, which we are about to overwrite (you can take a look using the hexdump /dev/sda | less command). Usually the header takes a few megabytes, but to avoid calculations and be crude we will cover the first 10 megabytes of the disk. We will use dd with /dev/urandom as the random data source this time:

    # first destroy the mapping
    cryptsetup luksClose sda_crypt
    
    # overwrite the header
    dd if=/dev/urandom of=/dev/sda bs=512 count=20480
    
  5. We now have the disk full of random data. Now for the serious stuff. Just repeat steps 1 and 2, but this time use a very secure passphrase, because it will be the key to unlock your disk.

  6. Now we will use the device as a physical volume…

    pvcreate /dev/mapper/sda_crypt
    
  7. Now create a volume group (I will name it vg00) that will contain the physical device /dev/mapper/sda_crypt

    vgcreate vg00 /dev/mapper/sda_crypt
    
  8. Create the logical volumes. I usually use 4: one for root, one for the swap partition, one for /home and the other for a data partition, but this is obviously up to you. The “+100%FREE” option on the last line changes the command to use logical extents instead of a size, and to use all of the remaining free ones for that logical volume.

    lvcreate -n lv00_swap -L 4G vg00
    lvcreate -n lv01_root -L 30G vg00
    lvcreate -n lv02_home -L 10G vg00
    lvcreate -n lv03_data -l +100%FREE vg00
    
  9. Now create the boot partition on a separate device, ideally a USB stick, and install GRUB on the MBR of this device. With this setup we will both have no clear partitions on our encrypted disk and no chance to boot the system without the external device, which adds an extra layer of security.

topencrypt
    Where did you get these steps? How do you define "solid"? What's your goal? – schroeder Aug 26 '19 at 20:44
  • @schroeder Online article - can't find the link. My goal is to encrypt my external storage HDD with LUKS or Veracrypt. I would prefer to use a command line, but I need the encryption to do what it is supposed to: if the HDD was stolen, an expert hacker couldn't get to its contents. There is no OS with this HDD and it is empty. Having great difficulty online finding a good tutorial that is easy to follow for either method. I just need to get it done, one method or another, but only with top encryption methods. Thanks. – topencrypt Aug 26 '19 at 21:12

1 Answer

It looks quite good for encrypting a computer disk where you will install your OS. Some comments:

  • You are filling the disk with random data by creating a temporary LUKS device that you then fill with zeros. I would have used shred -n 1 /dev/sda to do the same, replacing your first 5 steps. I suspect shred may be slightly faster; I would need to benchmark to be sure. Anyway, your approach would work, too.

  • You claim that "there's no chance to boot the system without the external device". I disagree: it would be possible to create an equivalent external device that is able to boot your system, as long as the password is known. If you really want to force that only that USB device can be used for booting, I would include a key file on the USB device that is decrypted with a user-defined passphrase and then used as a LUKS key file. That would require cloning that specific device, not only discovering your LUKS password.

  • Booting from a separate media is better in that you can use a trusted boot device. On the other hand, this requires that you allow booting from external devices, which would make it easier to tamper with your machine (your disk is encrypted, but still). As a way to improve this, you could use a TPM to verify that you are booting what you really wanted to boot.

  • Another option would be to use a hardware security key instead of or in addition to your boot usb.

  • You don't mention it, but in the end, you would install the OS in the given partitions by pointing the installer to them as usual, letting it format those LVM groups.

Finally, a few warnings for anyone who wants to follow this:

  • This procedure will obviously remove any data that was previously on the device.
  • /dev/sda is the main disk of the computer. Most likely it is NOT the device you want to encrypt. topencrypt wants to use that one, but you probably do not.
  • Given that the above procedure wipes the main disk, it should be performed booting from another one (usually a live CD/USB).
  • Using an encrypted disk increases the risk of something going wrong and losing access to the data, making backups even more important to have.

Creating a LUKS partition for a non-OS external disk

The OP later mentioned that he is not interested in having OS data there at all, but only wanted an external hard disk that he would boot into his Linux OS.

This changes the procedure quite a bit; it becomes much easier, as we won't need swap, LVM volumes for root and home, etc. A big filesystem on an encrypted container should serve this simpler need.

Note that in this case it is completely unlikely that /dev/sda is the HDD you connected. I will refer to it as /dev/sdX. You can find out the name assigned using lsblk, checking the dmesg output, etc.

Creating an encrypted disk could be as simple as:

shred -n 1 /dev/sdX # Fill the disk with random data. This will take a while and destroy everything that was stored there
cryptsetup luksFormat /dev/sdX # Create luks container
cryptsetup luksOpen /dev/sdX external_disk # Open encrypted drive
mkfs /dev/mapper/external_disk  # Format the external disk

That's it.

Close the mapping with cryptsetup luksClose external_disk and disconnect. If you now connect it again to your computer, your distro will probably automatically ask you for the encryption key to mount it, or will show it as a locked device that will ask for the password when you attempt to open it.

Should you need to mount it manually, you may do:

cryptsetup luksOpen /dev/sdX external_disk
mount /dev/mapper/external_disk /mnt # Mount on /mnt

Remember that the disk will have been formatted with an ext filesystem. In order to be able to write to the drive with your user account, you should change the permissions so that your user is able to write on it, for example: chown topencrypt /media/topencrypt/external_disk
(it would be the same whether it's encrypted or not).

Ángel