We have heard multiple stories where someone looses a pendrive or a laptop containing sensitive/private data which is then published by the person who found the drive embarrassing the owner of the data. The best way to prevent something like that from happening to you if you loose a disk is to make sure all your data is encrypted. Historically this used to be quite painful to setup and required a lost of technical know-how. Thankfully this is no longer the case. After trying a bunch of different options I found Linux Unified Key Setup-on-disk-format (LUKS) to be the most user-friendly and easy to setup option for me.
Setting it up is quite easy by following the instructions over at www.cyberciti.biz. However since things on the internet have a tendency of disappearing on a fairly frequent basis, I am using this post to save a paraphrased version of the installation instructions (along with my notes/comments) just in case the original site goes down and I need to reinstall. All credit goes to original author. So without further ado here we go:
First we need to install cryptsetup utility which contains all the utilities we need to encrypt our drive. To install it in Debian/Ubuntu you just issue the following command as root:
apt-get install cryptsetup
Configure LUKS partition
Warning: This will remove all data on the partition that you are encrypting. So make sure you have a working backup before proceeding amd don’t blame me if you manage to destroy your data/device.
Run the following command as root to start the encryption process:
cryptsetup -y -v luksFormat <device>
where <device> is the partition we want to encrypt (e.g. /dev/sda1). The command will ask you for confirmation and a passphrase. This passphrase is not recoverable so make sure you don’t forget it.
Create drive mapping
Once the previous command completes you need to create a mapping of the encrypted drive by issuing the following command:
cryptsetup luksOpen <device> backup2
You can also map a partition to using its UUID (which is what I do) by issuing the following command instead (This works great if you want to script automated backups to an external drive):
cryptsetup luksOpen UUID=88848060-fab7-4e9e-bac2-f9a2323c7c29 backup2
Replace the UUID in the example with the UUID of your drive. (Instructions on how to find the UUID are available here).
Use the following command to see the status for the mapping and to check if the command succeeded:
cryptsetup -v status backup2
Format LUKS partition
Now that we have created the mapping we need to write zeroes to the encrypted device, to ensure that the outside world sees this as random data and protects the system against disclosure of usage by issuing the following command:
dd if=/dev/zero of=/dev/mapper/backup2
Since this command can take a long time to complete depending on the drive size and dd by default doesn’t give any feedback on the percentage completed/remaining I recommend that you use the pv command to monitor the progress by issuing the following command instead:
pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
This will take a while to run so you can go for a walk or read a book while it runs. Once the command completes you can create a filesystem on the device (I prefer to use ext4 but you can use any filesystem you like) by formatting the device:
After the filesystem is created you can mount and use the partition as usual by issuing the following command:
mount /dev/mapper/backup2 /mnt/backup
That’s it. You now have an encrypted partition that shows up as a regular partition in Linux which you can use as a regular drive without having to worry about anything. No special changes are needed to use this partition which means any software can use it without requiring changes.
How to unmount and secure the data
After you are done transferring data to/from the drive you can unmount and secure the partition by issuing the following commands as root:
cryptsetup luksClose backup2
Creating a backup of the LUKS headers
Before you start anything else, you should create a backup copy of the LUKS header because if this header gets corrupted somehow then all data in the encrypted partition is lost forever with no way to recover it. From the cryptsetup man page:
“LUKS header: If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header-backup. If a key-slot is damaged, it can only be restored from a header-backup or if another active key-slot with known passphrase is undamaged. Damaging the LUKS header is something people manage to do with surprising frequency. This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting header and key-slot area.”
Create a backup by issuing the following command:
cryptsetup luksHeaderBackup <device> --header-backup-file <file>
Important note: a LUKS header backup can grant access to most or all data, therefore you need to make sure that nobody has access to it.
In case of disaster where our LUKS header gets broken, we can restore it by issuing the following command:
cryptsetup luksHeaderRestore <device> --header-backup-file <file>
How to remount the encrypted partition?
Issue the following commands in sequence to mount the partition:
cryptsetup luksOpen <device> backup2 mount /dev/mapper/backup2 /mnt/backup
Please note that data encrypted by LUKS is quite obvious with most Linux systems identifying it as an encrypted partition automatically. So if someone examines your system they will know you have encrypted data and can force you to divulge the password by various means (including the use of Rubber-hose Cryptanalysis. )
If you want the encrypted partition to be hidden then you can use Deniable encryption/Hidden Partition or use steganography. I haven’t really used either so can’t comment on how to set it up correctly but maybe I can talk about it in a future post after I explore them a bit more.
Well this is all for now, hope you find this useful. Will write more later.