Protect Your Stuff With Encrypted Linux Partitions (Part 2)

Monday Jun 18th 2007 by Carla Schroder

For mobile users, or workstations that need some extra security, cryptsetup-luks provides strong encryption for disk partitions. This week we learn how to mount our encrypted partitions and create a secure USB stick.

Last week we learned how to create and use an encrypted, password-protected hard-drive partition using cryptsetup-luks. Today we're going to learn how to mount it automatically at boot, how to encrypt a USB stick, and some slick password-management hacks.

Adding Your Own Back Door

You may add up to seven passwords to your encrypted partition. While you shouldn't go too crazy, having a second password could save you if you ever lose your first password. Or maybe you need to ensure that you always have access to your users' data. The encrypted partition must be unmounted and closed first. These examples use the partition we created in Part 1:

# umount crypted
# cryptsetup luksClose sda2

Then run the cryptsetup luksAddKey command to create a new password. Note that you must use the /dev name of your partition and not the /dev/mapper name. There is no cryptsetup-luks device because it is closed; this is a common error that is responsible for a lot of hair loss. Run the password-creation command like this:

# cryptsetup luksAddKey /dev/sda2
Enter any LUKS passphrase:
key slot 1 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.

Then you can try out your new password:

# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 1 unlocked.
Command successful.

You now have two keys slots, 0 and 1.

Removing a password is done with this command:

# cryptsetup luksDelKey  /dev/sda2  1
Enter any remaining LUKS passphrase:
key slot 2 unlocked.
Command successful.

Query Commands

With these commands it doesn't matter if your cryptsetup-luks device is open or closed.

What if you can't remember if a partition is a cryptsetup-luks partition?

# cryptsetup isLuks /dev/sda1
/dev/sda1 is not a LUKS partition

If it is a LUKS partition, it will exit silently. Yes, a positive confirmation would be nice, but that's the way it is.

You can see the entire LUKS header with this command:

# cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      40 cc 8c ff b4 0d f2  ...
MK salt:        5e 8f 35 dd 4d 1a 8c  ...
                cb 70 da a7 b8 06 11  ...
MK iterations:  10
UUID:           1c390791-bd8a-4655-b722-6d0bcbbdf547

Key Slot 0: ENABLED
        Iterations:             168940
        Salt:                   88 e9 98 ...
                                65 5f c9  ...
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             166133
        Salt:                   b7 77 84  ...
                                66 91 93  ...
        Key material offset:    136
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             166970
        Salt:                   cf 5c 82  ...
                                d9 9b c5  ...
        Key material offset:    264
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

This shows that there are three passwords set, the device UUID, the type of encryption used, and other details.

Using the UUID in /etc/fstab

While most Linux distributions have a default udev configuration that nails down the /dev names of internal drives, it doesn't hurt to make extra sure by using the UUID instead. So the /etc/fstab entry for our encrypted partition would look like this:

UUID=1c390791-bd8a-4655-b722-6d0bcbbdf547 /home/carla/crypted ext3 users,atime,noauto,rw,dev,exec,suid 0 0

Note that all of that should be on a single line with no carriage returns or line breaks.

Where do you find the UUID? With the vol_id command:

# vol_id -u /dev/sda2

Mounting Your Encrypted Partition At Boot On Debian

This is delightfully easy, and should work on any Debian-derived distribution, such as the fabulously popular *buntu family. You'll need a line in /etc/fstab for the encrypted partition; make sure to change noauto to auto, and make sure to specify users and not user, to allow non-root users to mount and unmount the encrypted partition.

Then add a line to the /etc/crypttab file with your cryptsetup device name, the /dev name, the path to the keyfile (we don't have one) and specify that we want LUKS extensions:

sda2    /dev/sda2  none luks

Now run the startup script to test it:

# /etc/init.d/cryptdisks start 
 * Starting remaining crypto disks...
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Hurrah! Now reboot to see if it works. You'll be prompted for your LUKS password early in the boot process. It times out after 180 seconds; this is controlled in /etc/default/cryptdisks.

Now you can stop and start it with the usual /etc/init.d/cryptdisks {start|stop|restart|reload|force-reload} commands.

Giving Users Limited Rootly Powers

Ubuntu makes ingenious use of the sudo command to allow unprivileged users to easily run as root when necessary. All they need is to be members of the admin group.

You may also give users the power to run only a single command that requires rootly powers by editing /etc/sudoers. You must edit this file with visudo. This example lets Pinball on the laptop Xena run the cryptsetup script:

# visudo
# /etc/sudoers
# pinball can use  /etc/init.d/cryptdisks
pinball xena=/etc/init.d/cryptdisks

Other Boot Methods

For any Linux distribution that does not come with prefab init scripts, the nice folks who invented LUKS wrote a boot script to use. You won't need entries in /etc/fstab if you use this script. Edit it so that it has your correct device names, then treat it like any other boot script. I like to use it the traditional way; put it in /etc/init.d, then create startup links in /etc/rc*.d for whatever runlevels I want.

It does not unmount or close the encrypted partition, so if you want to do this without shutting down you'll have to do it manually. Or, try this script at This gives you a single base command to remember for the most common cryptsetup operations, such as creating a new encrypted partition, mounting and unmounting it, and creating and deleting passwords.

Encrypt a USB Key

If you want to carry secret stuff around on a USB key you can encrypt it too. Follow the steps for partitioning, creating a filesystem, and creating the encrypted device just like we did for our hard drive partition. You can do it all with GParted.

Hot-plugging USB devices is still not foolproof. If GParted does not see your USB key, dmesg will reveal the USB device name:

$ dmesg
[  658.589523] scsi 2:0:0:0: Direct-Access     LEXAR   ... 
[  658.595866] sdb: assuming drive cache: write through
[  658.595869]  sdb: sdb1
[  658.732154] sd 2:0:0:0: Attached scsi removable disk sdb

fdisk will save the day if something goes hayware and GParted won't work. Run this command to open the command menu for your USB key:

# fdisk /dev/sdb1

Using your own device name, of course. Use fdisk only to re-partition your storage devices. If you use it on an encrypted device it won't recognize the LUKS headers and will emit this scary warning:

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel Building a new DOS disklabel. Changes will remain in memory only, until you decide to write them. After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Obviously, don't enter the w (write) command unless you wish to lose your data.

GNOME users can plug in their encrypted removable drives, and they will be prompted for their LUKS password. It may or may not be automatically mounted; this depends on how udev is configured. You can either tweak udev, or add a line to /etc/fstab to enable automounting.


Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved