From Fedora Project Wiki

< Docs‎ | Drafts‎ | CryptoGuide

Revision as of 14:13, 24 May 2008 by fp-wiki>ImportUser (Imported from MoinMoin)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Stop (medium size).png THIS IS A DRAFT ONLY, FOR USE BY DOCUMENTATION WRITERS AND EDITORS. DO NOT RELY ON IT FOR ANY ADVICE UNTIL THIS NOTICE DISAPPEARS AND THE DOCUMENT IS PUBLISHED AS FINAL.

Introduction to LUKS

Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.

LUKS Implementation in Fedora 9

Fedora 9 utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is checked during the installation. You are prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition.

If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.

Encrypted Home Directories

Idea.png
Following this procedure will remove all data on the partition that you are encrypting. You WILL loose all your information! Make sure you backup your data to an external source before beginning this procedure!

The following procedure will reconfigure and format your /home. The procedure is for single-user computers or computers that are shared between trusted users.

The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.

Step-by-Step Instructions

  • enter runlevel 1: telinit 1
  • unmount your existing /home: umount /home
  • if it fails use fuser to find and kill processes hogging /home: fuser -mvk /home
  • verify /home is not mounted any longer: cat /proc/mounts | grep home
  • fill your partition with random data: dd if=/dev/urandom of=/dev/VG00/LV_home
Idea.png
You're looking at a process that takes many hours, but it is imperative to do this in order to have good protection against break-in attempts. Just let it run overnight.
  • initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
  • open the newly encrypted device: cryptsetup luksOpen /dev/VG00/LV_home home
  • check it's there: ls -l /dev/mapper | grep home
  • create a filesystem: mkfs.ext3 /dev/mapper/home
  • mount it: mount /dev/mapper/home /home
  • check it's visible: df -h | grep home
  • add the following to /etc/crypttab: home /dev/VG00/LV_home none
  • edit your /etc/fstab, removing the old entry for /home and adding /dev/mapper/home /home ext3 defaults 1 2
  • verify your fstab entry: mount /home
  • restore default SELinux security contexts: /sbin/restorecon -v -R /home
  • reboot: shutdown -r now
  • The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
  • Log in as root and restore your backup.

What you have just accomplished.

Congratulations, you now have an encrypted partition for all of your data to safely rest while the computer is off.

Links of Interest / For More Information


DRAFT BELOW HERE

Using a USB Key Token

http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedVarWithUSBKey


Key Management

Adding Additional Keys

LUKS allows multiple passphrases to be used to "unlock" the master key that is used to handle the bulk encryption of the partition.

FIXME

Master Key Recovery

Passphrase Revocation

Passphrase Changing