Encrypt the things, Use of Cryptsetup

With all of the scary and somewhat questionable things that have made it into the news lately, we cannot stress enough that you need to use encryption: encryption on everything, with network traffic, passwords and storage media to list a few. This article is going to tell you how to set up encryption on your storage media using Linux.

Now one of the things that I have heard when I mention encrypting drives is
“I ticked the box to encrypt my hard drive when I did the install so I am protected”
While technically this is true on RHEL and most others, what about your backup location or perhaps your external hard disk? That is where this article comes in.

Cryptsetup is included out of the box in RHEL, Ubuntu, Mint, SUSE and more. On Gentoo you will likely need to merge it unless you included it in your install.

To install on Gentoo you can do the following:

emerge --ask -jv cryptsetup

From here we can start encrypting our drives. We can use lsblk to find our drive; for this example we are using a 3TB external drive.

lsblk

You should get an output similar to

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdf           8:80   0   2.7T  0 disk

We can see here that my drive is on sdf and it is not mounted.

Now we need to format the drive (this will delete the data on the disk). You will be asked for a password to encrypt the drive; the stronger the better.

cryptsetup luksFormat /dev/sdf

Now we need to open the drive in order to put a file system on it; you will be asked for the password that you set earlier. For this command we need to tell it which drive to open and what we want it to be mapped to, in this case “EXT_DRIVE”.

cryptsetup luksOpen /dev/sdf EXT_DRIVE
mkfs.ext4 /dev/mapper/EXT_DRIVE

Now we can mount the drive to our system

mount -t ext4 /dev/mapper/EXT_DRIVE /mnt/test

Now the drive is just another disk in your system: you can copy your data to it, read from it, whatever you need. When you are done and want to unmount the drive, or perhaps remove it from the system in the case of an external hard drive, you just have to do the following.

umount /mnt/test
cryptsetup luksClose EXT_DRIVE

For drives that you want to mount when the system boots, you can use a key file in place of a password. This is specified at the time of the format as follows:

cryptsetup luksFormat /dev/sdf /home/brad/Documents/key_file

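If you want to change from using a password to using a key file, you would do the following; this does not overwrite any data on the disk. Note that luksAddKey adds the key file as an additional key, so the existing password keeps working.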

cryptsetup luksAddKey /dev/sdf /home/brad/Documents/key_file
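
The key file setup for boot-time unlocking described above, as an added example that is not part of the original article: it creates a random key file readable only by its owner, checks its permissions before enrolling it, and prints a matching /etc/crypttab line. The function names, the use of /etc/crypttab and the example paths are assumptions.

```shell
# Added example: key file handling for a LUKS drive unlocked at boot.
# Function names, the /etc/crypttab target and all arguments are assumptions.

# Create a random key file that only its owner can read.
make_keyfile() {
    local path="$1" bytes="${2:-4096}"
    if [ -e "$path" ]; then
        echo "refusing to overwrite $path" >&2
        return 1
    fi
    # umask in a subshell: the file is never group- or world-readable, even briefly
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
}

# Reject a key file that is a symlink, not a regular file, or too permissive.
check_keyfile() {
    local path="$1" mode
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$path") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$path: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# Print an /etc/crypttab entry: <name> <device> <key file> <options>
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Add the key file to a free key slot (cryptsetup asks for an existing
# password), then print the crypttab entry. Needs root and a real LUKS device.
enroll_keyfile() {
    local device="$1" name="$2" keyfile="$3" uuid
    check_keyfile "$keyfile" || return 1
    cryptsetup luksAddKey "$device" "$keyfile" || return 1
    uuid=$(cryptsetup luksUUID "$device") || return 1
    crypttab_line "$name" "$uuid" "$keyfile"
}

# Usage as root (the key path is a constructed example):
#   make_keyfile /root/ext_drive.key && enroll_keyfile /dev/sdf EXT_DRIVE /root/ext_drive.key
```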
