{"id":2369,"date":"2018-08-24T15:40:56","date_gmt":"2018-08-24T19:40:56","guid":{"rendered":"https:\/\/easy-admin.ca\/?p=2369"},"modified":"2020-08-30T15:55:06","modified_gmt":"2020-08-30T19:55:06","slug":"cryptseup","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2018\/08\/24\/cryptseup\/","title":{"rendered":"Cryptsetup on Centos 7 Server"},"content":{"rendered":"

Linux encryption methods<\/h2>\n

There are two methods to encrypt your data:<\/p>\n

#1: Filesystem stacked level encryption<\/h3>\n
    \n
  1. eCryptfs<\/a> \u2013 It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu\u2019s Encrypted Home Directory, natively within Google\u2019s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.<\/li>\n
  2. EncFS<\/a> -It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.<\/li>\n<\/ol>\n

    #2: Block device level encryption<\/h3>\n
      \n
    1. Loop-AES<\/a> \u2013 Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.<\/li>\n
    2. VeraCrypt<\/a> \u2013 It is free open-source disk encryption software for Windows 7\/Vista\/XP, Mac OS X and Linux based on TrueCrypt codebase.<\/li>\n
    3. dm-crypt+LUKS<\/a> \u2013 dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.<\/li>\n<\/ol>\n

      In this post, I will explain how to encrypt your partitions using Linux Unified Key Setup-on-disk-format (LUKS) on your Linux based computer or laptop.<\/p>\n

      Step #1: Install cryptsetup utility<\/h2>\n

      You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian \/ Ubuntu Linux user type the following apt-get command<\/a> or apt command<\/a>:
      \n# apt-get install cryptsetup<\/code>
      \nOR
      \n$ sudo apt install cryptsetup<\/code>
      \nSample outputs:<\/p>\n

      \n\n\n\n
      \n
      Reading package lists... Done\r\nBuilding dependency tree       \r\nReading state information... Done\r\nThe following additional packages will be installed:\r\n  console-setup console-setup-linux cryptsetup-bin kbd keyboard-configuration xkb-data\r\nSuggested packages:\r\n  dosfstools keyutils\r\nThe following NEW packages will be installed:\r\n  console-setup console-setup-linux cryptsetup cryptsetup-bin kbd keyboard-configuration xkb-data\r\n0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.\r\nNeed to get 3,130 kB of archives.\r\nAfter this operation, 13.2 MB of additional disk space will be used.\r\nDo you want to continue? [Y\/n] y\r\nGet:1 http:\/\/deb.debian.org\/debian stretch\/main amd64 kbd amd64 2.0.3-2+b1 [343 kB]\r\nGet:2 http:\/\/deb.debian.org\/debian stretch\/main amd64 keyboard-configuration all 1.164 [644 kB]\r\nGet:3 http:\/\/deb.debian.org\/debian stretch\/main amd64 console-setup-linux all 1.164 [983 kB]\r\nGet:4 http:\/\/deb.debian.org\/debian stretch\/main amd64 xkb-data all 2.19-1 [648 kB]\r\nGet:5 http:\/\/deb.debian.org\/debian stretch\/main amd64 console-setup all 1.164 [117 kB]\r\nGet:6 http:\/\/deb.debian.org\/debian stretch\/main amd64 cryptsetup-bin amd64 2:1.7.3-4 [221 kB]\r\nGet:7 http:\/\/deb.debian.org\/debian stretch\/main amd64 cryptsetup amd64 2:1.7.3-4 [174 kB]\r\nFetched 3,130 kB in 0s (7,803 kB\/s)\r\nPreconfiguring packages ...\r\nSelecting previously unselected package kbd.\r\n(Reading database ... 22194 files and directories currently installed.)\r\nPreparing to unpack ...\/0-kbd_2.0.3-2+b1_amd64.deb ...\r\nUnpacking kbd (2.0.3-2+b1) ...\r\nSelecting previously unselected package keyboard-configuration.\r\nPreparing to unpack ...\/1-keyboard-configuration_1.164_all.deb ...\r\nUnpacking keyboard-configuration (1.164) ...\r\nSelecting previously unselected package console-setup-linux.\r\nPreparing to unpack ...\/2-console-setup-linux_1.164_all.deb ...\r\nUnpacking console-setup-linux (1.164) ...\r\nSelecting previously unselected package xkb-data.\r\nPreparing to unpack ...\/3-xkb-data_2.19-1_all.deb ...\r\nUnpacking xkb-data (2.19-1) ...\r\nSelecting previously unselected package console-setup.\r\nPreparing to unpack ...\/4-console-setup_1.164_all.deb ...\r\nUnpacking console-setup (1.164) ...\r\nSelecting previously unselected package cryptsetup-bin.\r\nPreparing to unpack ...\/5-cryptsetup-bin_2%3a1.7.3-4_amd64.deb ...\r\nUnpacking cryptsetup-bin (2:1.7.3-4) ...\r\nSelecting previously unselected package cryptsetup.\r\nPreparing to unpack ...\/6-cryptsetup_2%3a1.7.3-4_amd64.deb ...\r\nUnpacking cryptsetup (2:1.7.3-4) ...\r\nSetting up keyboard-configuration (1.164) ...\r\nSetting up xkb-data (2.19-1) ...\r\nSetting up kbd (2.0.3-2+b1) ...\r\nProcessing triggers for systemd (232-25+deb9u1) ...\r\nSetting up cryptsetup-bin (2:1.7.3-4) ...\r\nProcessing triggers for man-db (2.7.6.1-2) ...\r\nSetting up console-setup-linux (1.164) ...\r\nCreated symlink \/etc\/systemd\/system\/sysinit.target.wants\/keyboard-setup.service \u2192 \/lib\/systemd\/system\/keyboard-setup.service.\r\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/console-setup.service \u2192 \/lib\/systemd\/system\/console-setup.service.\r\nSetting up console-setup (1.164) ...\r\nSetting up cryptsetup (2:1.7.3-4) ...\r\nupdate-initramfs: deferring update (trigger activated)\r\nProcessing triggers for systemd (232-25+deb9u1) ...\r\nProcessing triggers for initramfs-tools (0.130) ...\r\nupdate-initramfs: Generating \/boot\/initrd.img-4.9.0-3-amd64<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      RHEL \/ CentOS \/ Oracle \/ Scientific Linux user type the following yum command<\/a>:
      \n# yum install cryptsetup-luks<\/code>
      \nOR Fedora Linux user use the dnf command:
      \n# dnf install cryptsetup-luks<\/code><\/p>\n
      Step #2: Configure LUKS partition<\/h2>\n
      WARNING!<\/strong> The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you backup your data to an external source such as NAS or hard disk before typing any one of the following command.<\/div>\n
      In this example, I\u2019m going to encrpt \/dev\/xvdc. Type the following command:
      \n# cryptsetup -y -v luksFormat \/dev\/xvdc<\/code>
      \nSample outputs:<\/p>\n
      \n\n\n\n
      \n
      WARNING!\r\n========\r\nThis will overwrite data on \/dev\/xvdc irrevocably.\r\n\u00a0\r\nAre you sure? (Type uppercase yes): YES\r\nEnter LUKS passphrase: \r\nVerify passphrase: \r\nCommand successful.<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.Type the following command create a mapping:
      \n# cryptsetup luksOpen \/dev\/xvdc backup2<\/code>
      \nSample outputs:<\/p>\n
      Enter passphrase for \/dev\/xvdc:<\/pre>\n
      You can see a mapping name \/dev\/mapper\/backup2 after successful verification of the supplied key material which was created with luksFormat command extension:
      \n# ls -l \/dev\/mapper\/backup2 <\/code>
      \nSample outputs:<\/p>\n
      lrwxrwxrwx 1 root root 7 Oct 19 19:37 \/dev\/mapper\/backup2 -> ..\/dm-0<\/pre>\n
      You can use the following command to see the status for the mapping:
      \n# cryptsetup -v status backup2<\/code>
      \nSample outputs:<\/p>\n
      \/dev\/mapper\/backup2 is active.\r\n  type:    LUKS1\r\n  cipher:  aes-cbc-essiv:sha256\r\n  keysize: 256 bits\r\n  device:  \/dev\/xvdc\r\n  offset:  4096 sectors\r\n  size:    419426304 sectors\r\n  mode:    read\/write\r\nCommand successful.\r\n<\/pre>\n
      You can dump LUKS headers using the following command:
      \n# cryptsetup luksDump \/dev\/xvdc<\/code>
      \nSample outputs:<\/p>\n
      \n\n\n\n
      \n
      LUKS header information for \/dev\/xvdc\r\n\u00a0\r\nVersion:       \t1\r\nCipher name:   \taes\r\nCipher mode:   \txts-plain64\r\nHash spec:     \tsha256\r\nPayload offset:\t4096\r\nMK bits:       \t256\r\nMK digest:     \t21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f \r\nMK salt:       \t8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94 \r\n               \t7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70 \r\nMK iterations: \t222000\r\nUUID:          \t4dd563a9-5bff-4fea-b51d-b4124f7185d1\r\n\u00a0\r\nKey Slot 0: ENABLED\r\n\tIterations:         \t2245613\r\n\tSalt:               \t05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53 \r\n\t                      \t3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32 \r\n\tKey material offset:\t8\r\n\tAF stripes:            \t4000\r\nKey Slot 1: DISABLED\r\nKey Slot 2: DISABLED\r\nKey Slot 3: DISABLED\r\nKey Slot 4: DISABLED\r\nKey Slot 5: DISABLED\r\nKey Slot 6: DISABLED\r\nKey Slot 7: DISABLED<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      Step #3: Format LUKS partition<\/h2>\n
      First, you need to write zeros to \/dev\/mapper\/backup2 encrypted device. This will allocate block data with zeros. This ensures that outside world will see this as random data i.e. it protect against disclosure of usage patterns:
      \n# dd if=\/dev\/zero of=\/dev\/mapper\/backup2<\/code>
      \nThe dd command may take many hours to complete. I suggest that you use pv command to monitor the progress<\/a>:
      \n# pv -tpreb \/dev\/zero | dd of=\/dev\/mapper\/backup2 bs=128M<\/code>
      \nSample outputs:<\/p>\n
      dd: error writing '\/dev\/mapper\/backup2': No space left on device                                                                                                            ]\r\n 200GiB 0:16:47 [ 203MiB\/s] [                      <=>                                                                                                                      ]\r\n1600+1 records in\r\n1599+1 records out\r\n214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB\/s<\/pre>\n
      You can also pass the status=progress option to the dd command<\/a>:
      \n# dd if=\/dev\/zero of=\/dev\/mapper\/backup2 status=progress<\/code>
      \nSample outputs:<\/p>\n
      2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB\/s<\/pre>\n
      Next, create a filesystem<\/a> i.e. format filesystem, enter:
      \n# mkfs.ext4 \/dev\/mapper\/backup2<\/code>
      \nSample outputs:<\/p>\n
      mke2fs 1.42.13 (17-May-2015)\r\nCreating filesystem with 52428288 4k blocks and 13107200 inodes\r\nFilesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb\r\nSuperblock backups stored on blocks: \r\n\t32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, \r\n\t4096000, 7962624, 11239424, 20480000, 23887872\r\n\r\nAllocating group tables: done                            \r\nWriting inode tables: done                            \r\nCreating journal (32768 blocks): done\r\nWriting superblocks and filesystem accounting information: done<\/pre>\n
      To mount the new filesystem at \/backup2<\/a>, enter:
      \n# mkdir \/backup2
      \n# mount \/dev\/mapper\/backup2 \/backup2
      \n# df -H
      \n# cd \/backup2
      \n# ls -l<\/code><\/p>\n
      How do I unmount and secure data?<\/h2>\n
      Type the following commands:
      \n#       umount<\/a> \/backup2
      \n# cryptsetup luksClose backup2<\/code><\/p>\n
      How do I mount or remount encrypted partition?<\/h2>\n
      Type the following command:
      \n# cryptsetup luksOpen \/dev\/xvdc backup2
      \n# mount \/dev\/mapper\/backup2 \/backup2
      \n# df -H
      \n# mount<\/code>
      \nSample outputs:<\/p>\n
      \"Fig.01:
      Fig.01: Encrypted partition mounted on \/backup2<\/figcaption><\/figure>\n
      See shell script wrapper that opens LUKS partition<\/a> and sets up a mapping for nas devices.<\/p>\n
      Can I run fsck on LUKS based partition \/ LVM volume?<\/h2>\n
      Yes, you can use the fsck command<\/a> On LUKS based systems:
      \n# umount \/backup2
      \n# fsck -vy \/dev\/mapper\/backup2
      \n# mount \/dev\/mapper\/backup2 \/backu2<\/code>
      \nSee how to run       fsck On LUKS (dm-crypt) based LVM physical volume<\/a> for more details.<\/p>\n
      How do I change LUKS passphrase (password) for encrypted partition?<\/h2>\n
      Type the following command
      \n### see key slots, max -8 i.e. max 8 passwords can be setup for each device ####
      \n# cryptsetup luksDump \/dev\/xvdc
      \n# cryptsetup luksAddKey \/dev\/xvdc<\/code><\/p>\n
      Enter any passphrase: \r\nEnter new passphrase for key slot: \r\nVerify passphrase: \r\n<\/pre>\n
      Remove or delete the old password:
      \n# cryptsetup luksRemoveKey \/dev\/xvdc<\/code>
      \nPlease note that you need to enter the old password \/ passphrase.<\/p>\n
      What next?<\/h2>\n
      You can store files or store backups using following software:<\/p>\n