Howto use Cryptsetup with LUKS support.
This is a short howto to describe the basic usage of Device-Mapper, DM-Crypt, and Cryptsetup to mount and use encrypted partitions and container files.
This is partially in response to the recent articles about the numbers of USB flash thumbdrives that are regularly lost. If we learn to use encryption then that statistic is just sad but not worrying. (see The problem of lost USB flash thumbdrives)
Background
Device Mapper and DM-Crypt
Starting in version 2.6, the Linux kernel started providing the Device-Mapper interface. This interface allowed for the creation of layers of virtual block devices ontop of real block devices. These devices are used for things like RAID formats, snapshot or encryption. The DM-Crypt is the module for Device-Mapper that provides access to the cryptographic functions.
CryptsetupCryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Linux Unified Key Setup (LUKS)LUKS provides a standard on-disk format for encrypted partitions to facilitate cross distribution compatability, to allow for multiple users/passwords, effective password revocation, and to provide additional security against low entropy attacks. To use LUKS, you must use an enabled version of cryptsetup. To the authors knowledge currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS enabled versions of cryptsetup in their repositories.
Creating a New Encrypted Container File or Partition
Create the Container and Loopback Mount it
First we need to create the container file, and loopback mount it.
root@host:~$ dd if=/dev/urandom of=testfile bs=1M count=10 10+0 records in 10+0 records out 10485760 bytes (10 MB) copied, 1.77221 seconds, 5.9 MB root@host:~$ losetup /dev/loop/0 testfile root@host:~$Note: Skip this step for encrypted partitions.
luksFormat
Before we can open an encrypted partition, we need to initialize it.
root@host:~$ cryptsetup luksFormat /dev/loop/0 WARNING! ======== This will overwrite data on /dev/loop/0 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. root@host:~$Note: For encrypted partitions replace the loopback device with the device label of the partition.
luksOpen
Now that the partition is formated, we can create a Device-Mapper mapping for it.
root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs Enter LUKS passphrase: key slot 0 unlocked. Command successful. root@host:~$Formating the Filesystem
The first time we create the Device-Mapper mapping, we need to format the new virtual device with a new filesystem.
root@host:~$ mkfs.ext2 /dev/mapper/testfs
mke2fs 1.39-WIP (09-Apr-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2432 inodes, 9724 blocks
486 blocks (5.00%) reserved for the super user
First data block=1
2 block groups
8192 blocks per group, 8192 fragments per group
1216 inodes per group
Superblock backups stored on blocks:
8193
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to overri
root@host:~$
Mounting the Virtual Device
Now, we can mount the new virtual device just like any other device.
root@host:~$ mount /dev/mapper/testfs /mnt/test/ root@host:~$
Mounting an Existing Encrypted Container File or Partition
root@host:~$ losetup /dev/loop/0 testfile root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs Enter LUKS passphrase: key slot 0 unlocked. Command successful. root@host:~$ mount /dev/mapper/testfs /mnt/test/ root@host:~$Note: Skip the losetup setup for encrypted partitions.
Unmounting and Closing an Encrypted Container File or Partition
root@host:~$ umount /mnt/test root@host:~$ cryptsetup luksClose /dev/mapper/testfs root@host:~$ losetup -d /dev/loop/0 root@host:~$Note: Skip the losetup setup for encrypted partitions.
Handling Multiple Users and Passwords
The LUKS header allows you to assign 8 different passwords that can access the encyrpted partition or container. This is useful for environments where the CEO & CTO can each have passwords for the device and the administrator(s) can have another. This makes it easy to change the password in case of employee turnover while keeping the data accessible.
Adding passwords to new slotsroot@host:~$ cryptsetup luksAddKey /dev/loop/0 Enter any LUKS passphrase: Verify passphrase: key slot 0 unlocked. Enter new passphrase for key slot: Verify passphrase: Command successful. root@host:~$Deleting key slots
root@host:~$ cryptsetup luksDelKey /dev/loop/0 1 Command successful. root@host:~$
Displaying LUKS Header Information
root@host:~$ cryptsetup luksDump /dev/loop/0
LUKS header information for /dev/loop/0
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: a9 3c c2 33 0b 33 db ff d2 b9 dc 6c 01 d6 90 48 1d c1 2e bb
MK salt: 98 46 a3 28 64 35 f1 55 f0 2b 8e af f5 71 16 64
3c 30 1f 6c b1 4b 43 fd 23 49 28 a6 b0 e4 e2 14
MK iterations: 10
UUID: 089559af-41af-4dfe-b736-9d9d48d3bf53
Key Slot 0: ENABLED
Iterations: 254659
Salt: 02 da 9c c3 c7 39 a5 62 72 81 37 0f eb aa 30 47
01 1b a8 53 93 23 83 71 20 03 1b 6c 90 84 a5 6e
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
root@host:~$ 
Comments
I've just used this greate
I've just used this greate guide in Debian stable (etch) using kernel 2.6.18-4-686 laon it works perfectly. So luks has been ported to testing and stable now. All fine
re: I've just used this greate
Hey thanks for the good news!
I'm not sure I believe in perfect, there's always room for improvement. Any suggestions?
:)
remount existing device, error
I THINK I followed the description to the point (on opensuse 10.3), with one exception:
/dev/loop/0 doesn't work, however /dev/loop0 does (how come?)
But my main problem is, after some weeks I seem to be unable to reopen it. I am sure I am giving it the right passphrase, but it keeps asking about the passphrase three times and then says "Command failed."
Any idea where I could be getting this wrong?
Thanks
Thanks / Questions.
Hello,
Ok perfect now !
Thanks for your clues.
New questions : i have to be root each time i want to handle the encrypted
partitions.
How can this be done by a 'simple' user ?
Thanks.
Best.
ok, thanks.
Hello,
Thanks for your answer.
I have to check, but i'm sure i dont have build neither module (m) or hard (*) the cryptoloop option in the kernel (i thought it was deprecated with the Device mapper support)
I'm going to give another try with it.
Thanks you very much.
Best.
Help on error, please.
Hello All, following the uper step-by-step tutorial and http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
when it comes to :
debian:~# cryptsetup luksFormat /dev/hdb12
i got the error :
WARNING!
========
This will overwrite data on /dev/hdb12 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/hdb12 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
What i'm suppose to do ? i'm stuck.
I got The Multi-device support (RAID and LVM)(*) -> Device mapper support (*)
in my kernel (2.6.22.3)
I got the Cryptographic options : AES cipher algorithms (*) and AES cipher algorithms (i586) (*) in my kernel (2.6.22.3)
Did i forget something ?
Thanks for any help !
Did you compile them as
Did you compile them as modules or in kernel?
If as modules check if crytoloop and dm_mod modules are loaded.
If not, load them:
modprobe cryptoloop
modprobe dm_crypt
Need help for error, please.
Hello All, following the uper step-by-step tutorial and http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
when it comes to :
debian:~# cryptsetup luksFormat /dev/hdb12
i got the error :
WARNING!
========
This will overwrite data on /dev/hdb12 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/hdb12 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
What i'm suppose to do ? i'm stuck.
I got The Multi-device support (RAID and LVM)(*) -> Device mapper support (*)
in my kernel (2.6.22.3)
I got the Cryptographic options : AES cipher algorithms (*) and AES cipher algorithms (i586) (*) in my kernel (2.6.22.3)
Did i forget something ?
Thanks for any help !
Works in Debian stable now
I've just used this greate guide in Debian stable (etch) using kernel 2.6.18-4-686 and it works perfectly. So luks has been ported to testing and stable now. Have also tried it under Debian testing (lenny).. Also works fine..
Auto-mount of container as home on login?
How can a crypted file-container be mounted automatically on login as $HOME ??? This also must work with ssh and for multiple users. THANKS!
Use pam_mount
Use pam_mount
re: Auto-mount of container as home on login?
Interesting idea, but I'm not sure right off the top of my head.
Anyone else have any ideas?
cryptobox.org
This looks quite interesting: cryptobox.org
BTW the Captchas are almost very, very near to unreadable! It is really hard, hard work to contribute here...
re: cryptobox.org
Interesting idea but I'm not sure I like the idea of running the OS off a live-CD when I have a perfectly good hard drive that I'm storing the encrypted data on. Why not run both the OS and the data on the same hard drive. Both encrypted?
Then again, this could be an easy way for beginners to get into using encrypted data stores.
As for the captchas, well they got progressively more complicated as a way to deal with comment spam, but even that didn't seem to work.
Now not only do anonymous users have to enter the captcha but all comments from anonymous users have to be approved by a moderator.
Now I am not editing comments for content except for one way. I will not host your "advertising" links for gay porn or sex sites or Viagra or anything else not related to the topics here.
Now if anyone has any better ideas for dealing with these issues, I'm all ears. I'm currently the only moderator/admin and I'm getting tired of dealing with it all.
Oh, and FYI authenticated users dont have to enter either the captcha or get approved. So if you're going to be a frequent commenter, just register.
Thanks for the feedback but for the time being, this is the way its going to be.
captchas
While i would never have thought of the answer myself the answer is pretty easy. You need to make the problem more difficult. Text recognition simply is not a hard enough problem.
What is hard for computers and easy for humans? Simple. Asthetics and object recognition.
For example:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/10670/33674/016022...
Ive heard of the same thing but with different questions like:
(with 4 animal pictures numbered 1-4) put them in order dog,cat, mouse,horse
(with many human pictures) which of the several pictures is a woman
which person is ugly
etc....
hope it helps
spam
The problem with captchas, the spammers just pay some guy in Bangalore 1c per captcha to get past them. Making the captchas harder or making posters arrange pictures of kittens in order of cuteness is not going to solve this problem.. perhaps you can pay some guy in Bangalore 1c per submitted message to answer the question 'is this comment spam' or 'does this comment have anything to do with encrypted filesystems'.
Thanks, very useful page.
I found it very useful - STDOUBT appears to have misunderstood the device mapping.
mapper device disappears?
After reboot, my /dev/mapper/(device) is gone....
In order to re-initialize, cryptsetup wants to destroy
all data on the partition.
I sure wish the developer would take a weekend and write
a walk-through for this thing. The documentation _sucks_!
BTW - luksClose is for _removing_ a mapped device. Not the
best idea if you want to retain your encrypted data!!!
(No, that's the the problem I had, but it's worth mentioning).
Lol don't be stupid,
Lol don't be stupid, luksClose doesn't remove the data it just closes the device.
and you need to use luksOpen to open the device, not luksFormat which asks to destroy data.
Maybe you should read it a little better!
re: mapper device disappears?
The /dev/mapper/<device> will only appear after you have performed the cryptsetup luksOpen step. It should dissappear after you run cryptsetup luksClose. You should always run cryptsetup luksClose on ALL partitions/devices that you mounted manually before rebooting the system.
The only time you need to initialize the media is when it is brand new, once its installed skip the luksFormat step and go straight to the luksOpen.
As for luksClose, it DOES NOT DESTROY the data, it simply removes the device mapping from /dev/mapper. It is the same as performing a umount command on a non-encrypted partition. When you want to access the data again, first add the mapping with the cryptsetup luksOpen command, and then mount the mapped device.
I'm sorry that the documentation was confusing for you but I felt that having two sections: "Creating a New Encrypted Container File or Partition" and "Mounting an Existing Encrypted Container File or Partition" made a clear distinction between the two processes. What do you suggest for an improvment?
Hmmm... just found this:
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
Here's to hoping!
nope.....
Looks like I must have a bug -I followed the directions
at this and the above site, and the /dev/mapper/(device)
is gone after reboot.... (debian testing/unstable)
Really really frustrating!
re: nope.....
This is not a bug it is by design.
If you wish to keep encrypted devices available after reboot you need to add them to /etc/crypttab.