From Fedora Project Wiki

Revision as of 00:42, 29 August 2008 by Dlehman (talk | contribs) (Initial layout with some text.)

Background and Concepts

What is block device encryption?

Encrypting block devices using dm-crypt/LUKS

Overview of dm-crypt/LUKS

Strengths

Limitations

Creating Encrypted Block Devices

Creating Encrypted Block Devices in Anaconda

Choosing a Good Passphrase

What Kinds of Block Devices Can Be Encrypted?

How Will I Access the Encrypted Devices After Installation? (System Boot)

Limitations of Anaconda's Block Device Encryption Support

Filling the Device with Random Data Before Encrypting

Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices

Creating Encrypted Block Devices on the Installed System After Installation

Create the block devices

Optional: Fill the device with random data

Filling the device with random data before encrypting it greatly increases the strength of the encryption. The downside is that it can take a very long time.

  • Best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems)
    dd if=/dev/urandom of=<device>
  • Fastest way, which provides lower quality random data
    /sbin/badblocks -c 10240 -s -w -t random -v <device>

Format the device as a dm-crypt/LUKS encrypted device

cryptsetup luksFormat <device>

Run man cryptsetup for further information on the cryptsetup command.

TODO: insert something about using keys instead of passphrases.

After supplying the passphrase twice, the device should be formatted for use. To verify this, use the following command:

cryptsetup isLuks <device> && echo Success

To see a summary of the encryption information for the device, use the following command:

cryptsetup luksDump <device>

Create a mapping to allow access to the device's decrypted contents

cryptsetup luksOpen <device> <name>

There should now be a device node, /dev/mapper/<name>, which represents the decrypted device. To see some information about the mapped device, use the following command:

dmsetup info <name>

Run man dmsetup for further information on the dmsetup command.

Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device

Just use the mapped device node (/dev/mapper/<name>) as you would use any other block device. To create an ext2 filesystem on the mapped device, use the following command:

mke2fs /dev/mapper/<name>

To mount this filesystem on /mnt/test (this directory should exist prior to any attempts to mount a device on it), use the following command:

mount /dev/mapper/<name> /mnt/test

Add the mapping information to /etc/crypttab

In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If you are creating the file, it should be owned by root (root:root) and should have mode 0744. Add a line of the following form to the file:

<name>  <device>  none

For details on the format of the /etc/crypttab file, run man crypttab.

TODO: reference section 2.3 (Accessing the device during system boot)

Add an entry to /etc/fstab

Add an entry to /etc/fstab, if desired, to establish a persistent association between the device and a mountpoint. Be sure to use the decrypted device, e.g. /dev/mapper/test.

For details on the format of the /etc/fstab file, run man fstab.

Common Post-Installation Tasks

Set a randomly generated key as an additional way to access an encrypted block device

Generate a key

This will generate a 256-bit key in the file $HOME/keyfile.

dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile

Add the key to an available keyslot on the encrypted device

cryptsetup luksAddKey <device> ~/keyfile
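The post-installation procedure above (format, verify with isLuks, open, create a filesystem, register the mapping in /etc/crypttab) and the key-file generation just shown, collected into one script. This is an added example, not part of the wiki page or of the cryptsetup project; it assumes it runs as root and that the caller supplies the device path, the mapping name and the key-file path.

```shell
#!/bin/sh
# Added example (not from the wiki page): automates the page's procedure for one device.
# Assumptions: run as root; DEVICE, NAME and KEYFILE are supplied by the caller.
set -eu

# Generate a 256-bit (32-byte) random key file readable only by its owner,
# and refuse to continue if the file is not exactly 32 bytes.
make_keyfile() {
    keyfile="$1"
    dd if=/dev/urandom of="$keyfile" bs=32 count=1 2>/dev/null
    chmod 600 "$keyfile"
    [ "$(wc -c < "$keyfile")" -eq 32 ]
}

# Build the /etc/crypttab line for a device unlocked by passphrase at boot
# (the third field "none" means "prompt for the passphrase").
crypttab_line() {
    name="$1"; device="$2"
    # The name becomes /dev/mapper/<name>, so restrict it to safe characters.
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid mapping name: $name" >&2; return 1 ;;
    esac
    printf '%s  %s  none\n' "$name" "$device"
}

# Full sequence from the page, with a guard against destroying an existing volume.
setup_encrypted_device() {
    device="$1"; name="$2"; keyfile="$3"
    # Never luksFormat a device that already carries a LUKS header.
    if cryptsetup isLuks "$device" 2>/dev/null; then
        echo "$device is already a LUKS device; refusing to luksFormat" >&2
        return 1
    fi
    cryptsetup luksFormat "$device"            # prompts for the passphrase twice
    cryptsetup isLuks "$device"                # verify the header was written
    cryptsetup luksDump "$device"              # show the keyslot summary
    cryptsetup luksOpen "$device" "$name"      # creates /dev/mapper/<name>
    mke2fs /dev/mapper/"$name"
    # Add the random key as a second way to unlock the device.
    make_keyfile "$keyfile"
    cryptsetup luksAddKey "$device" "$keyfile"
    # Register the mapping; ownership and mode as given on the page.
    touch /etc/crypttab
    chown root:root /etc/crypttab && chmod 0744 /etc/crypttab
    crypttab_line "$name" "$device" >> /etc/crypttab
}
```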

Add a new passphrase to an existing device

cryptsetup luksAddKey <device>

After being prompted for any existing passphrase for the device for authentication, you will be prompted to enter the new passphrase.

Remove a passphrase or key from a device

cryptsetup luksRemoveKey <device>

You will be prompted for the passphrase you wish to remove, and then for any remaining passphrase for authentication.