It has been a while since I posted about the wonderful LUKS encryption tool. I'm sure all Linux users have encrypted disks, and I have already posted about using it to encrypt external devices (all my external disks and USB keys are encrypted, as should yours be).
The history behind this post: way back in the dark ages, when I used both windoze and linux machines, I used the third-party TrueCrypt utility on windoze for encrypted volumes. There was/is a third-party 'truecrypt' program for linux (which I must have installed from source, as rpm -qf shows it is not part of any rpm package) that could also open those encrypted volumes, so momentum kept me using that method... up until it stopped working on the more recent versions of Fedora, as old obsolete library files were removed from the distros.
As I don't actually use windoze anymore, I created a LUKS volume, copied the data to that, and got rid of the TrueCrypt one... but it did make me realise I have not actually posted on using LUKS to encrypt virtual volumes. By that I do not mean all the fancy disk formats used by virtual machines, but a simple flat file on disk.
One little point to note: this all needs to be done as root, because luksOpen creates a device-mapper entry under /dev/mapper (and, for a flat file, attaches it to a loop device first), and setting up a device-mapper mapping is a privileged operation (CAP_SYS_ADMIN), so cryptsetup must run as root. Admittedly I have not tried using a non-root user, simply because if your users have undocumented encrypted volumes lying about the place you should squash them.
It is simple. As I was replacing a 200 MB TrueCrypt volume with a 200 MB LUKS one, this is all that is needed...
Create a disk file as a LUKS encrypted volume
- create a disk file of 200 MB to use as the encrypted volume (the log below uses dd from /dev/zero; filling it from /dev/urandom instead means blocks that have never been written are indistinguishable from ciphertext, so the file does not reveal how much of the volume is in use)
- luksFormat: format it as a LUKS device/file and set the passphrase; this irrevocably overwrites whatever the file contained
- luksOpen: create the /dev/mapper entry for it, then create a filesystem on the mapped device (ext2 in the log; any Linux filesystem will do), never on the file itself. The LUKS header occupies the start of the file (2 MiB for the LUKS1 format used here, 16 MiB by default for LUKS2 on current cryptsetup), which is why the filesystem comes out smaller than the file
- luksClose: remove the device entry; it is now just an encrypted disk file
And the log of the above steps:
[root@phoenix posts]# dd if=/dev/zero of=normaldiskfile.dat bs=1024000 count=200
200+0 records in
200+0 records out
204800000 bytes (205 MB) copied, 3.86504 s, 53.0 MB/s
[root@phoenix posts]# cryptsetup luksFormat normaldiskfile.dat

WARNING!
========
This will overwrite data on normaldiskfile.dat irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: yourpassphrase
Verify passphrase: yourpassphrase
[root@phoenix posts]# cryptsetup luksOpen normaldiskfile.dat myluksdisk
Enter passphrase for /home/mark/posts/normaldiskfile.dat:
[root@phoenix posts]# mkfs -t ext2 /dev/mapper/myluksdisk
mke2fs 1.42.3 (14-May-2012)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
49600 inodes, 197952 blocks
9897 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
1984 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

[root@phoenix posts]# cryptsetup luksClose myluksdisk
Use the above disk file as a disk (mounted volume)
- luksOpen: create the device entry (this is where the passphrase is asked for)
- mount the device on a mount point; this requires root access
- happily use it
- when done, umount it and luksClose it. Until luksClose has run the mapped device is plaintext to anything on the machine that can read /dev/mapper, so the data is only protected once the mapping is gone
With the above example:
[root@phoenix posts]# mkdir /mnt/newvol
[root@phoenix posts]# cryptsetup luksOpen normaldiskfile.dat myluksdisk
Enter passphrase for /home/mark/posts/normaldiskfile.dat:
[root@phoenix posts]# mount /dev/mapper/myluksdisk /mnt/newvol
[root@phoenix posts]# df -k /mnt/newvol
Filesystem             1K-blocks  Used  Available  Use%  Mounted on
/dev/mapper/myluksdisk    191689  1550     180242    1%  /mnt/newvol
[root@phoenix posts]# ls /mnt/newvol
lost+found
[root@phoenix posts]# umount /mnt/newvol
[root@phoenix posts]# cryptsetup luksClose myluksdisk
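Both procedures above (create the container, then open/mount/use/umount/close it) as shell functions, added here as an example and not code from the original post. The point it adds over the typed-in session is cleanup: a failed mkfs or mount never leaves a mapping open under /dev/mapper, and the mapping name is derived from the file name rather than hard-coded. It assumes root, cryptsetup and GNU coreutils; the container path /srv/luks/vault.img, the mount point /mnt/vault and the ext4 default are illustrative choices, and the mapping-name sanitiser and the urandom fill are my additions, not something cryptsetup requires.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the create and the
# open/mount/umount/close procedures with cleanup on failure. Run as root.
set -u

# Derive a device-mapper name from the container file: strip the directory and
# the extension, then replace anything outside [A-Za-z0-9_-] with '_'
# (assumed convention; dm names must not contain '/').
mapper_name_for() {   # mapper_name_for <file>
    name=${1##*/}
    name=${name%.*}
    printf '%s\n' "$name" | tr -c 'A-Za-z0-9_\n-' '_'
}

# True when a mapping of that name is currently open.
mapping_active() {    # mapping_active <mapping-name>
    [ -e "/dev/mapper/$1" ]
}

# Create a LUKS container file of <size-MiB> with a filesystem inside it.
# Filled from /dev/urandom rather than /dev/zero so never-written blocks look
# the same as ciphertext. Opens the mapping only long enough to run mkfs.
create_luks_file() {  # create_luks_file <file> <size-MiB> [fstype]
    file=$1; size=$2; fstype=${3:-ext4}
    map=$(mapper_name_for "$file")
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -e "$file" ] && { echo "$file exists, refusing to overwrite" >&2; return 1; }
    mapping_active "$map" && { echo "mapping $map already open" >&2; return 1; }
    dd if=/dev/urandom of="$file" bs=1M count="$size" || return 1
    chmod 600 "$file"     # the ciphertext is only as safe as the passphrase; limit who can copy it
    # --batch-mode skips the uppercase-YES prompt; the passphrase is still asked for.
    cryptsetup luksFormat --batch-mode "$file" || return 1
    cryptsetup luksOpen "$file" "$map" || return 1
    mkfs -t "$fstype" "/dev/mapper/$map"; rc=$?
    cryptsetup luksClose "$map"   # close whether or not mkfs succeeded
    return $rc
}

# Open, mount, run <command...> against the mounted volume, then umount and
# close. Every exit path after luksOpen ends in luksClose.
with_luks_mount() {   # with_luks_mount <file> <mountpoint> <command...>
    file=$1; mnt=$2; shift 2
    map=$(mapper_name_for "$file")
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    cryptsetup isLuks "$file" || { echo "$file is not a LUKS container" >&2; return 1; }
    mapping_active "$map" && { echo "mapping $map already open" >&2; return 1; }
    mkdir -p "$mnt"
    cryptsetup luksOpen "$file" "$map" || return 1
    if ! mount "/dev/mapper/$map" "$mnt"; then
        cryptsetup luksClose "$map"
        return 1
    fi
    "$@"; rc=$?
    umount "$mnt" || rc=1
    cryptsetup luksClose "$map" || rc=1
    return $rc
}

# Example session as root (paths are assumptions):
#   create_luks_file /srv/luks/vault.img 200
#   with_luks_mount /srv/luks/vault.img /mnt/vault ls -la /mnt/vault
```

with_luks_mount takes the work to do as a command so the open window is as short as the command itself; for an interactive session pass a shell (`with_luks_mount /srv/luks/vault.img /mnt/vault sh`) and exiting it triggers the umount and luksClose. mapping_active stops a second open from failing half-way, since cryptsetup refuses to reuse a name that is already mapped.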