Encrypting non-root partitions with dm_crypt and LUKS

Introduction

First of all it should be said that encrypting only the /home partition is not recommended. It does not give you nearly the same security as encrypting all your partitions. I missed doing this on my laptop during installation and I am too lazy to copy all my data plus the OS to some external location, encrypt all partitions and move everything back. This is why I decided to encrypt only my /home partition.

The following procedure was done on Arch Linux using dm-crypt and LUKS.

Procedure

Before we start we need to back up all our data to a destination outside the partition in question.


cd /home; find . -xdev | cpio -pvm /outside/destination/


The /home filesystem we are going to encrypt resides on /dev/sda3. Before the actual encryption we should overwrite the existing data with random bit patterns a few times. For this I used a handy little tool named shred. Sure, you can dd if=/dev/urandom of=/dev/yourpartition a couple of times as well.

shred -v /dev/sda3

Now we can start with the encryption of the partition.

cryptsetup luksFormat /dev/sda3 --cipher aes-cbc-essiv:sha256 --verify-passphrase --key-size 256

We decided to go with the default cipher but specified it on the command line for documentation purposes. --verify-passphrase just instructs cryptsetup to ask for the passphrase twice. A key size of 256 bits (--key-size 256) is also the default. A smaller value might increase performance, but take care to use a multiple of 8 bits.

Opening the device, from the user's perspective, means being asked for the passphrase and getting a device-mapper pseudo device, which we can use, for example, to create a filesystem or VGs/LVs on top.


[root@chill ~]# cryptsetup luksOpen /dev/sda3 sda3_crypt
Enter passphrase for /dev/sda3:
[root@chill ~]# ls -l /dev/mapper/sda3_crypt
lrwxrwxrwx 1 root root 7 Mar 23 11:55 /dev/mapper/sda3_crypt -> ../dm-0
[root@chill ~]#


We could now simply create a filesystem of our choice on /dev/mapper/sda3_crypt, but we want our home filesystem to reside on a Logical Volume.


[root@chill ~]# pvcreate /dev/mapper/sda3_crypt
Physical volume "/dev/mapper/sda3_crypt" successfully created
[root@chill ~]# vgcreate local0 /dev/mapper/sda3_crypt
Volume group "local0" successfully created
[root@chill ~]# vgs
VG #PV #LV #SN Attr VSize VFree
local0 1 0 0 wz--n- 437.81g 437.81g
[root@chill ~]# lvcreate -n home0 -L 300G local0
Logical volume "home0" created
[root@chill ~]# lvs
LV VG Attr LSize Origin Snap% Move Log Copy% Convert
home0 local0 -wi-a- 300.00g
[root@chill ~]# mkfs.ext4 /dev/local0/home0
[root@chill ~]# mount /dev/local0/home0 /home/


That's it for the basics. We can now add /dev/local0/home0 to our fstab and the OS will ask us for the passphrase at boot time.

Using a keyfile

I totally hate having to type my 'superstrongpassword' every time my machine boots up. So I decided to create a keyfile and add it to my sda3_crypt slot:

dd if=/dev/urandom of=/tmp/my_home.key bs=1k count=2

Add the key to a free slot on /dev/sda3:

cryptsetup luksAddKey /dev/sda3 /tmp/my_home.key

Test opening the device with our key:

cryptsetup luksOpen /dev/sda3 sda3_crypt --key-file /tmp/my_home.key

Important: /tmp/my_home.key must not stay on any of your unencrypted partitions. Or do you tape your house key to the front door?!

Storing the keyfile on a usb-stick

We want to store our keyfile on a USB stick so that we can just plug it in, boot, and open and mount our home partition.

Preparation

Create a persistent name for the USB stick using udev:

lsusb -v | grep -A 5 Vendor

Note your USB stick's serial number and use it in place of _serial_ in the next command.

echo 'KERNEL=="sd*", ATTRS{serial}=="_serial_", SYMLINK+="usblock%n"' > /etc/udev/rules.d/8-usbstick.rules

Test:

udevadm trigger
ls -l /dev/usblock* 

In the next step we store our key in the gap between the MBR and the first partition on our USB stick. Make sure you back up the data on the stick beforehand, because this might destroy it.

Check whether the first 64 sectors are free:

dd if=/dev/usblock of=64sectors bs=512 count=64
xxd 64sectors | less

Free? Good. Write the key to our stick.
Attention: a bootloader that may be present on the USB stick will be overwritten.

dd if=my_home.key of=/dev/usblock bs=512 seek=4

Add the keylocation to crypttab:

echo "sda3_crypt /dev/sda3 /dev/usblock:2048:2048" >> /etc/crypttab 
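As an added rehearsal of the layout above (not part of the original post), the following POSIX shell script performs the gap check, the key write and a crypttab-style read-back on a constructed 1 MiB image file instead of a real stick. It assumes, as the crypttab entry above implies, that /dev/usblock:2048:2048 means a byte offset followed by a byte count.

```shell
#!/bin/sh
# Added example: rehearse the "key between MBR and first partition" layout on
# a constructed image file, so the offset:size in crypttab can be verified
# before touching a real USB stick. Assumption: crypttab's <dev>:<offset>:<size>
# counts bytes, matching dd bs=512 seek=4 (byte 2048) and a 2 KiB key.
set -eu

# Constructed test data: 1 MiB zeroed image with an MBR signature at bytes
# 510-511 and a fresh 2 KiB random key, created exactly as on the page.
make_test_stick() {  # $1 = work directory
    dd if=/dev/zero of="$1/usb.img" bs=1k count=1024 2>/dev/null
    printf '\125\252' | dd of="$1/usb.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    dd if=/dev/urandom of="$1/my_home.key" bs=1k count=2 2>/dev/null
}

# True when sectors 1..63 (the gap after the MBR) contain only zero bytes.
gap_is_free() {  # $1 = image or device
    [ -z "$(dd if="$1" bs=512 skip=1 count=63 2>/dev/null \
            | od -A n -v -t x1 | tr -d ' \n0')" ]
}

# Same dd as on the page; conv=notrunc only matters for a file image.
embed_key() {  # $1 = image or device, $2 = keyfile
    dd if="$2" of="$1" bs=512 seek=4 conv=notrunc 2>/dev/null
}

# Read the key back the way the crypttab field <dev>:<offset>:<size> is used:
# <offset> bytes in, <size> bytes long.
extract_key() {  # $1 = spec such as /dev/usblock:2048:2048, $2 = output file
    dev=${1%%:*}; rest=${1#*:}
    dd if="$dev" of="$2" bs=1 skip="${rest%%:*}" count="${rest#*:}" 2>/dev/null
}

# Dry run on the constructed image: check the gap, write, read back, compare.
work=$(mktemp -d)
make_test_stick "$work"
gap_is_free "$work/usb.img" && embed_key "$work/usb.img" "$work/my_home.key"
extract_key "$work/usb.img:2048:2048" "$work/readback.key"
cmp -s "$work/my_home.key" "$work/readback.key" && echo "key recovered via offset:size"
rm -rf "$work"
```

Point gap_is_free and embed_key at /dev/usblock only after the dry run passes; the MBR sector itself is never written by either step.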

Since this is not the root partition we do not need dm_crypt in our initrd, but we do need USB support in it. Otherwise the USB device might not be recognized by the system at the moment udev is initialized. Therefore we need to create a new initrd.
On Arch Linux simply add usb to the HOOKS in /etc/mkinitcpio.conf and create a new image.

mkinitcpio -v -g /boot/ourinitrd.img

Reboot with your USB stick plugged in and enjoy.

Useful little commands

Closing a Device

Above we used luksOpen to open a device manually. luksClose does the opposite.

cryptsetup luksClose sda3_crypt

Closing the device also removes the device-mapper pseudo device. Because our home0 LV sits on top of it, unmount /home and deactivate the volume group first; otherwise luksClose reports the device as busy.

Changing the key/passphrase

This involves two steps, in this order:

  1. Add the new passphrase:
     cryptsetup luksAddKey /dev/sda3
  2. Delete the old passphrase:
     cryptsetup luksRemoveKey /dev/sda3

Feedback is highly appreciated.

