LUKS Encryption of External Hard Drives on Fedora and Ubuntu
Install cryptsetup
# dnf install cryptsetup-luks
Step #1 - Find out what disk is the external hard drive you will be encrypting
# lsblk
The output lists every block device and partition on the system:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
sdb 8:16 0 465.8G 0 disk
├─sdb1 8:17 0 1G 0 part /boot
└─sdb2 8:18 0 464.8G 0 part
└─luks-d501f37b-d815-419f-b5a9-23a65caf9697
253:0 0 464.8G 0 crypt
├─fedora-root 253:1 0 35G 0 lvm /
├─fedora-swap 253:2 0 7.6G 0 lvm [SWAP]
└─fedora-home 253:3 0 422.1G 0 lvm /home
sdc 8:32 0 3.7T 0 disk
sr0 11:0 1 1024M 0 rom
For this example we will encrypt the 4TB drive at /dev/sdc. Double-check the device name of your own disk; it may not be /dev/sdc, and the next step irreversibly overwrites whatever device you name.
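Picking the wrong device name here is the one mistake this procedure cannot undo, so it is worth scripting the check. The script below is an added example, not part of the original post: it parses an lsblk listing of the target device and refuses any disk that has a mounted filesystem, active swap, or a crypt/LVM/RAID layer stacked on it (which is what the system disk sdb above looks like), then requires the operator to type the device path a second time. The sample listings are constructed from the lsblk output shown above; the function names `listing_is_idle` and `confirm_wipe_target` and the column set passed to lsblk are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to wipe a disk that is
# still in use, and make the operator confirm the device path explicitly.

# listing_is_idle reads "NAME TYPE MOUNTPOINT" lines on stdin, in the shape
# produced by `lsblk -rno NAME,TYPE,MOUNTPOINT <device>`, and returns 0 only
# when nothing under the device is mounted, used as swap, or part of an
# active crypt/LVM/RAID layer. Every problem is reported, not just the first.
listing_is_idle() {
    idle=0
    while IFS=' ' read -r name type mnt || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        case "$type" in
            crypt|lvm|raid*)
                echo "refusing: $name is an active $type layer" >&2
                idle=1 ;;
        esac
        if [ -n "$mnt" ]; then
            echo "refusing: $name is in use at $mnt" >&2
            idle=1
        fi
    done
    return $idle
}

# confirm_wipe_target runs on a live system (not exercised offline): it checks
# the listing, prints model and serial so the physical drive can be matched,
# and requires the operator to type the device path again before succeeding.
confirm_wipe_target() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    lsblk -rno NAME,TYPE,MOUNTPOINT "$dev" | listing_is_idle || return 1
    lsblk -o NAME,SIZE,TYPE,MOUNTPOINT,MODEL,SERIAL "$dev"
    printf 'Type %s again to confirm it will be wiped: ' "$dev"
    read -r answer
    [ "$answer" = "$dev" ]
}

# Constructed sample listings, modelled on the lsblk output earlier in the post
# (the idle external drive sdc and the in-use system disk sdb).
SAMPLE_IDLE='sdc disk'
SAMPLE_BUSY='sdb disk
sdb1 part /boot
sdb2 part
luks-d501f37b-d815-419f-b5a9-23a65caf9697 crypt
fedora-root lvm /
fedora-swap lvm [SWAP]'

printf '%s\n' "$SAMPLE_IDLE" | listing_is_idle && echo "sdc: idle, safe to wipe"
printf '%s\n' "$SAMPLE_BUSY" | listing_is_idle || echo "sdb: in use, refused"
```

On a live system, call `confirm_wipe_target /dev/sdc && pv -tpreb /dev/zero | dd of=/dev/sdc bs=128M` so the wipe only starts after the check passes; note that some USB enclosures report RM=0, as sdc does above, so the script deliberately does not rely on the removable flag.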
Step #2 - Wipe all data from the drive
This step takes a considerable amount of time. The 4TB drive here took just over 7 hours to be completely erased (zeros written) on a Lenovo T430 over USB 3.
The following command begins the zero write process and displays the progress of the operation.
Fedora:
# pv -tpreb /dev/zero | dd of=/dev/sdc bs=128M
Ubuntu:
$ sudo shred -n 1 -z -v /dev/sdc
Step #3 - Create a Partition Table
After the wipe the disk has no partition table, so create one with fdisk. A DOS (MBR) partition table cannot address disks over 2TB, so use a GPT partition table.
# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.32).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): m
Help:
GPT
M enter protective/hybrid MBR
Generic
d delete a partition
F list free unpartitioned space
l list known partition types
n add a new partition
p print the partition table
t change a partition type
v verify the partition table
i print information about a partition
Misc
m print this menu
x extra functionality (experts only)
Script
I load disk layout from sfdisk script file
O dump disk layout to sfdisk script file
Save & Exit
w write table to disk and exit
q quit without saving changes
Create a new label
g create a new empty GPT partition table
G create a new empty SGI (IRIX) partition table
o create a new empty DOS partition table
s create a new empty Sun partition table
Command (m for help): g
Created a new GPT disklabel (GUID: B081AFD2-62C1-6847-A8AB-1F976A8BD377).
Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-7814037133, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-7814037133, default 7814037133):
Created a new partition 1 of type 'Linux filesystem' and of size 3.7 TiB.
Command (m for help): w
The partition table has been altered.
Syncing disks.
Create the new partition table with the g command, then create the partition with the n command. To make the partition use the whole disk, press Enter to accept the default values for partition number, first sector, and last sector. Lastly, use the w command to write the changes to the disk.
Verify that the new partition was created by running
# lsblk
and check that the partition appears under sdc:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
sdb 8:16 0 465.8G 0 disk
├─sdb1 8:17 0 1G 0 part /boot
└─sdb2 8:18 0 464.8G 0 part
└─luks-d501f37b-d815-419f-b5a9-23a65caf9697
253:0 0 464.8G 0 crypt
├─fedora-root 253:1 0 35G 0 lvm /
├─fedora-swap 253:2 0 7.6G 0 lvm [SWAP]
└─fedora-home 253:3 0 422.1G 0 lvm /home
sdc 8:32 0 3.7T 0 disk
└─sdc1 8:33 0 3.7T 0 part /run/media/username/Media5
sr0 11:0 1 1024M 0 rom
Step #4 - Encrypt the partition
Encrypt the new partition with the following command:
# cryptsetup -v -y luksFormat --type luks1 --key-size 256 /dev/sdc1
This uses cryptsetup's defaults for the cipher (aes-xts-plain64), key size (256) and hash (sha256).
Once the command completes, take a backup of the LUKS header.
# cryptsetup luksHeaderBackup --header-backup-file /home/username/Media5-Header.img /dev/sdc1
Store the backup on a separate, secure file store and encrypt the header file as well: the backup contains the key slots, so anyone who obtains it together with a passphrase can unlock the drive, and it still accepts any passphrase that was valid when it was taken, even one later removed from the disk.
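A header backup is only worth keeping if it is readable and belongs to this disk. The script below is an added example, not from the original post or from cryptsetup itself: it parses `cryptsetup luksDump` text for a LUKS1 header (the format the post creates with --type luks1), checks the cipher and master-key size, compares the UUID of the backup image with the live device, and seals the image with gpg as the post recommends. It also flags a caveat the post's command does not mention: XTS splits the master key in two, so `--key-size 256` gives AES-128-XTS, and 512 is needed for AES-256. The sample dump, its UUID and digest bytes, and the function names `luks_field`, `header_check`, `same_uuid`, `verify_header_backup` and `seal_header_backup` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from cryptsetup: verify a LUKS1
# header backup before relying on it. Parsing works on luksDump text passed as
# a string, so it can be exercised offline on a captured dump.

# luks_field prints the value of one "Label:   value" line from luksDump text.
# Usage: luks_field 'MK bits' "$dump_text"
luks_field() {
    printf '%s\n' "$2" | awk -v want="$1" -F: 'index($0, want ":") == 1 {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# header_check summarizes a dump and fails unless it is a LUKS1 header using
# aes-xts-plain64 with a master key of at least 256 bits. It warns when the
# key is under 512 bits, because XTS halves it (256-bit key = AES-128).
header_check() {
    dump=$1
    ver=$(luks_field 'Version' "$dump")
    cipher=$(luks_field 'Cipher name' "$dump")-$(luks_field 'Cipher mode' "$dump")
    hashspec=$(luks_field 'Hash spec' "$dump")
    bits=$(luks_field 'MK bits' "$dump")
    uuid=$(luks_field 'UUID' "$dump")
    printf 'LUKS%s %s %s MK=%s bits UUID=%s\n' "$ver" "$cipher" "$hashspec" "$bits" "$uuid"
    [ "$ver" = 1 ] || { echo "not a LUKS1 header (this parser assumes LUKS1)" >&2; return 1; }
    [ "$cipher" = aes-xts-plain64 ] || { echo "unexpected cipher: $cipher" >&2; return 1; }
    [ "${bits:-0}" -ge 256 ] || { echo "master key too short: ${bits:-?} bits" >&2; return 1; }
    [ "$bits" -ge 512 ] || echo "note: a ${bits}-bit XTS master key gives AES-$((bits / 2)); use --key-size 512 for AES-256" >&2
    return 0
}

# same_uuid compares the UUID fields of two dumps (device vs. backup image).
same_uuid() {
    a=$(luks_field UUID "$1"); b=$(luks_field UUID "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_header_backup runs on a live system (not exercised offline): luksDump
# accepts a header image file as well as a device, so both can be compared.
verify_header_backup() {
    dev_dump=$(cryptsetup luksDump "$1") || return 1
    img_dump=$(cryptsetup luksDump "$2") || return 1
    header_check "$img_dump" && same_uuid "$dev_dump" "$img_dump"
}

# seal_header_backup records the image's digest, encrypts it at rest with a
# gpg passphrase (pick one different from the LUKS passphrase), and removes
# the plaintext copy only if encryption succeeded.
seal_header_backup() {
    img=$1
    sha256sum "$img" > "$img.sha256" &&
    gpg --symmetric --cipher-algo AES256 --output "$img.gpg" "$img" &&
    rm -f -- "$img"
}

# Constructed sample in luksDump's LUKS1 layout; UUID and hex bytes are
# placeholders, not values from any real device.
SAMPLE_DUMP='LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
MK iterations:  91000
UUID:           00000000-1111-2222-3333-444444444444

Key Slot 0: ENABLED
        Iterations:             1000000
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED'

header_check "$SAMPLE_DUMP"
```

On a live system the sequence is `verify_header_backup /dev/sdc1 /home/username/Media5-Header.img && seal_header_backup /home/username/Media5-Header.img`; the `.sha256` file lets a copy stored elsewhere be checked for corruption before it is ever needed for a luksHeaderRestore.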
Step #5 - Unlock the partition
# cryptsetup luksOpen /dev/sdc1 Media5
Enter passphrase for /dev/sdc1:
Step #6 - Create a new ext4 filesystem on the partition
# mkfs.ext4 -L Media5 /dev/mapper/Media5
mke2fs 1.43.8 (1-Jan-2018)
Creating filesystem with 976753873 4k blocks and 244195328 inodes
Filesystem UUID: 3769a3a3-c3d7-4cd9-a5dc-72582eb409d4
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
At this point the drive can be mounted from the desktop UI or with the following commands:
# mkdir -p /mount/media5
# mount /dev/mapper/Media5 /mount/media5
and unmounted and locked again with:
# umount /mount/media5
# cryptsetup luksClose /dev/mapper/Media5
Resources
This was a combination of the following pages:
Fedora Disk_Encryption_User_Guide
Encrypted external drive with LUKS
How To: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]