Install LUKS and Create an Encrypted LUKS Partition on Debian

We will install Linux Unified Key Setup (LUKS) software and create an encrypted LUKS volume.

General disclaimer applies, no liability will be accepted for any loss or damage, use at your own risk and do frequent backups!

Also, likely a good idea to keep this in mind (credit goes to xkdc.com):

It is strongly advised to read cryptsetup FAQ first: http://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions.

Installation

We’ll be using a Debian Wheezy server. Update packages list and install cryptsetup:

# apt-get update && apt-get install cryptsetup

Load the kernel module:

# modprobe dm_crypt

Install the pv package for progress monitoring that will be used later:

# apt-get install pv

Setup LUKS Partition

Our disk partition table looks like this:

# fdisk -l | grep -i "/dev/sd"
Disk /dev/sda: 32.0 GB, 32017047552 bytes
/dev/sda1 * 2048 60547071 30272512 fd Linux RAID autodetect
/dev/sda2 60547072 62531583 992256 82 Linux swap / Solaris
Disk /dev/sdb: 32.0 GB, 32015965696 bytes
/dev/sdb1 * 2048 60547071 30272512 fd Linux RAID autodetect
/dev/sdb2 60547072 62531182 992055+ 83 Linux

We will be setting up a LUKS volume on a 1GB partition /dev/sdb2.

Create LUKS Partition

We want to verify the passphrase twice, use the verbose mode and set the cipher string:

# cryptsetup -v -y --cipher "aes-xts-plain64:sha512" \
  --key-size 512 --hash sha512 --iter-time 5000 \
  --use-random luksFormat /dev/sdb2
WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

[UPDATE]: release 1.6.0 of cryptsetup changed the defaults to an AES cipher in XTS mode. It is advised against using the previous default cipher aes-cbc-essiv because of its known issues and practical attacks against them.

Unlock LUKS Partition

Having created the partition, let us go and to unlock it:

# cryptsetup luksOpen /dev/sdb2 data 
Enter passphrase for /dev/sdb2:

The above command should create the following mapper:

/dev/mapper/data

Format LUKS Volume and Create a Filesystem

We want to overwrite the LUKS volume with zeros to ensure that outside world sees this as random data – it protects against disclosure of usage patterns:

# pv -tpreb /dev/zero | dd of=/dev/mapper/data bs=1M
dd: writing `/dev/mapper/data': No space left on device
 966MB 0:00:58 [16.6MB/s] 
0+7729 records in
0+7728 records out
1012924416 bytes (1.0 GB) copied, 70.8432 s, 14.3 MB/s

When the format operation is complete, we can go ahead and create a filesystem (ext4 in this case):

# mkfs.ext4 /dev/mapper/data -L data
mke2fs 1.42 (29-Nov-2011)
Filesystem label=data
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
61824 inodes, 247296 blocks
12364 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=255852544
8 block groups
32768 blocks per group, 32768 fragments per group
7728 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done

Mount LUKS Volume

Create a new mountpoint for the LUKS volume:

# mkdir /data

Mount the volume:

# mount /dev/mapper/data /data

The LUKS volume can be dismounted and closed this way:

# umount /data
# cryptsetup luksClose data

Next thing on a list: add a backup key and backup the LUKS header.

2 thoughts on “Install LUKS and Create an Encrypted LUKS Partition on Debian

Leave a Reply

Your email address will not be published. Required fields are marked *