Posts Tagged ‘cryptsetup’

LUKS encrypted image with udisk

September 10, 2017

I tried to find a way to create and mount a LUKS encrypted image. Thanks to udisks it starts well:

dd if=/dev/zero of=.encrypted bs=20M count=1024
/sbin/cryptsetup luksFormat .encrypted
udisksctl loop-setup -f .encrypted
udisksctl unlock -b /dev/loop0

Sadly I did not find how to format it as Ext4 without sudo.

sudo /sbin/mkfs.ext4 -m 0 /dev/dm-0
udisksctl mount -b /dev/dm-0

Fortunately, once created, it’s possible to mount the encrypted image without root privileges:

udisksctl loop-setup -f .encrypted
udisksctl unlock -b /dev/loop0
udisksctl mount -b /dev/dm-0
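As an added example that is not part of the original post: the same udisksctl sequence as a script that reads the loop device, the unlocked device and the mount point back from udisksctl's own messages instead of hard-coding /dev/loop0 and /dev/dm-0, and that tears everything down again in the right order. The function names and the LUKS_IMAGE / LUKS_SIZE_MB variables are my own; the message formats parsed ("Mapped file ... as ...", "Unlocked ... as ...", "Mounted ... at ...") are the ones udisksctl prints.

```shell
#!/bin/sh
# Added example (not from the original post): the udisksctl sequence from
# the post, but taking the loop device, the unlocked device and the mount
# point from udisksctl's own messages instead of assuming /dev/loop0 and
# /dev/dm-0, which only holds while no other loop or dm device exists.
set -e

# Extract the path after the last " as " or " at " in a udisksctl message
# such as "Mapped file .encrypted as /dev/loop0." (trailing period dropped).
udisks_path() {
    printf '%s\n' "$1" | sed -n 's/\.$//; s/^.* a[st] \(\/[^ ]*\)$/\1/p'
}

# Abort instead of carrying on with an empty device path.
require_path() {
    [ -n "$1" ] || { echo "could not parse a path from: $2" >&2; exit 1; }
}

# Create the image on first use, then attach, unlock and mount it.
# Prints "<loop> <dm> <mountpoint>" for the teardown. As in the post,
# only mkfs.ext4 needs sudo; luksFormat on a regular file does not.
setup_luks_image() {
    image=$1 size_mb=$2 new=
    if [ ! -e "$image" ]; then
        dd if=/dev/zero of="$image" bs=1M count="$size_mb" status=none
        cryptsetup luksFormat "$image"
        new=1
    fi
    out=$(udisksctl loop-setup -f "$image"); loop=$(udisks_path "$out")
    require_path "$loop" "$out"
    out=$(udisksctl unlock -b "$loop"); dm=$(udisks_path "$out")
    require_path "$dm" "$out"
    [ -z "$new" ] || sudo mkfs.ext4 -q -m 0 "$dm"
    out=$(udisksctl mount -b "$dm"); mnt=$(udisks_path "$out")
    require_path "$mnt" "$out"
    printf '%s %s %s\n' "$loop" "$dm" "$mnt"
}

# Reverse order: unmount, lock the LUKS container (addressed by its loop
# device), then detach the loop device.
teardown_luks_image() {
    udisksctl unmount -b "$2"
    udisksctl lock -b "$1"
    udisksctl loop-delete -b "$1"
}

# Stand-alone use: LUKS_IMAGE=.encrypted LUKS_SIZE_MB=512 sh luks-image.sh
if [ -n "${LUKS_IMAGE:-}" ]; then
    setup_luks_image "$LUKS_IMAGE" "${LUKS_SIZE_MB:-512}"
fi
```

The line printed by setup_luks_image can be passed straight to teardown_luks_image (loop device first, mapped device second) when you are done with the image.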

Encrypting a laptop with dm-crypt without reinstalling from scratch

August 7, 2009

First you need to back up the partition you want to encrypt. If, like me, you are using a Samba share that does not support large files, you will probably want to compress and split your backup. Tar doesn’t support multi-volume compressed archives, but you can create them using the split command:

tar --one-file-system -czvf - / | split -b 700M - /mnt/backup/backup

Then boot your laptop from a live CD or USB stick. It needs to include at least cryptsetup, chroot and all the tools required to get your backup back. I use a custom Debian live USB key created with live-helper:

sudo apt-get install live-helper

lh_config -b usb-hdd -p standard \
--mirror-binary http://ftp.fr.debian.org/debian \
--mirror-binary-security http://ftp.fr.debian.org/security \
--mirror-bootstrap http://ftp.fr.debian.org/debian \
--mirror-chroot http://ftp.fr.debian.org/debian \
--mirror-chroot-security http://ftp.fr.debian.org/security \
--hostname "rescue" --packages "ntfsprogs cryptsetup bzip2 smbclient lftp
openssh-server elinks vim-nox pciutils lshw ntfs-3g rsync debootstrap" \
--bootappend-live "locale=fr"

sudo lh_build

sudo dd if=binary.img of=/dev/sdf

Once booted, you have to prepare your partitions. The requirements are:

  • A partition for /boot (will be unencrypted)
  • A partition for / (will be encrypted)

You may also want to have an encrypted swap. I personally do not use any swap partition. Here is my configuration before partitioning modifications (yes, I have a Windows dual boot):

# fdisk -l /dev/sda

Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xeede9d79

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          13      104391   de  Dell Utility
/dev/sda2   *          14        7327    58749705    7  HPFS/NTFS
/dev/sda3            7328       14593    58364145   83  Linux

I removed partition 3 and created two new ones using fdisk. Here is my new partition table:

# fdisk -l /dev/sda

Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xeede9d79

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          13      104391   de  Dell Utility
/dev/sda2   *          14        7327    58749705    7  HPFS/NTFS
/dev/sda3            7328       14583    58283820   83  Linux
/dev/sda4           14584       14593       80325   83  Linux

Now let’s create the encrypted mapping with plain dm-crypt:

cryptsetup create sda3 /dev/sda3

It will ask for a password. You will have to enter this password at each boot. The encrypted partition should now appear as /dev/mapper/sda3. Format it and mount it:

mkfs.ext3 /dev/mapper/sda3
mkdir /mnt/sda3
mount /dev/mapper/sda3 /mnt/sda3

You can now restore your backup. If you used tar and split as said before, the untar command will look like this:

cd /mnt/sda3
cat /mnt/backup/backup* | tar -zxvf -

Later, to configure the initrd, we will need to know the cipher, hash and key size used to encrypt the partition:

# cryptsetup status sda3

/dev/mapper/sda3 is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/sda3
  offset:  0 sectors
  size:    116567640 sectors
  mode:    read/write

Now let’s configure the restored system so that it can boot from an encrypted file system. First chroot into it:

mount --bind /proc /mnt/sda3/proc
mount --bind /sys /mnt/sda3/sys
mount --bind /dev /mnt/sda3/dev
chroot /mnt/sda3

You have to write an /etc/crypttab file so that initramfs-tools knows what to include in the initrd image.

#<target name>	<source device>		<key file>	<options>
sda3 /dev/sda3 none cipher=aes-cbc-plain,hash=ripemd160,size=256

initramfs-tools needs some parts of the cryptsetup package to create the initrd:

apt-get install cryptsetup

During the installation of this package the initrd images are recreated to take the new /etc/crypttab file into account. If cryptsetup was already installed, you have to update the initrd images manually:

update-initramfs -u -k all

Final step… As your /boot directory has been moved, grub needs to be reinstalled:

grub-install /dev/sda
update-grub
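An added example, not from the original post: a POSIX shell helper that derives the /etc/crypttab line from the cryptsetup status output shown above and checks a hand-written line against it before update-initramfs is run. Plain dm-crypt (cryptsetup create) has no on-disk header, so the hash cannot be read back from the device and is passed as a parameter; ripemd160, cryptsetup's plain-mode default when the post was written, is assumed when none is given. The function names and the constructed sample text are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the /etc/crypttab
# options for a plain dm-crypt mapping from `cryptsetup status` output, so
# the initrd uses exactly the cipher and key size the partition was created
# with. Plain mode has no on-disk header: a mismatch is not reported, the
# mapping simply decrypts to garbage at boot.
set -e

# Constructed copy of the status output shown in the post.
SAMPLE_STATUS='/dev/mapper/sda3 is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/sda3
  offset:  0 sectors
  size:    116567640 sectors
  mode:    read/write'

# Print the value of one "field: value" line of a status text.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *\(.*\)$/\1/p"
}

# Arguments: mapping name, status text, hash. The hash is not stored
# anywhere in plain mode, so it must be given; ripemd160 (the cryptsetup
# default when the post was written) is assumed when it is omitted.
crypttab_line() {
    name=$1 status=$2 hash=${3:-ripemd160}
    cipher=$(status_field cipher "$status")
    keysize=$(status_field keysize "$status" | sed 's/ bits$//')
    device=$(status_field device "$status")
    if [ -z "$cipher" ] || [ -z "$keysize" ] || [ -z "$device" ]; then
        echo "incomplete status output for $name" >&2
        return 1
    fi
    printf '%s %s none cipher=%s,hash=%s,size=%s\n' \
        "$name" "$device" "$cipher" "$hash" "$keysize"
}

# Compare a hand-written crypttab line (arg 3) with the derived one;
# returns 1 on mismatch so update-initramfs is not run with a wrong line.
check_crypttab_line() {
    expected=$(crypttab_line "$1" "$2" "${4:-}")
    [ "$3" = "$expected" ] && return 0
    printf 'crypttab mismatch:\n have: %s\n want: %s\n' "$3" "$expected" >&2
    return 1
}

# Stand-alone use: print the line the sample status corresponds to.
crypttab_line sda3 "$SAMPLE_STATUS"
```

On a real system replace SAMPLE_STATUS with "$(cryptsetup status sda3)" and feed check_crypttab_line the line you wrote to /etc/crypttab.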