LUKS - Linux Unified Key Setup: Difference between revisions
From Lolly's Wiki
(The page was newly created: „Kategorie:Linux ==Encrypted swap on LVM== ===Create logical volume for swap== <source lang=bash> # lvcreate -L 2g -n lv-swap vg-root Logical volume "lv-…“) |
m (Text replacement - "[[Kategorie:" to "[[Category:") |
||
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[ | [[Category:Linux]] | ||
[[Category:Security]] | |||
==Encrypted swap on LVM== | ==Encrypted swap on LVM== | ||
===Create logical volume for swap== | ===Create logical volume for swap=== | ||
< | <syntaxhighlight lang=bash> | ||
# lvcreate -L 2g -n lv-swap vg-root | # lvcreate -L 2g -n lv-swap vg-root | ||
Logical volume "lv-swap" created | Logical volume "lv-swap" created | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang=bash> | ||
# lvs /dev/vg-root/lv-swap | # lvs /dev/vg-root/lv-swap | ||
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | ||
lv-swap vg-root -wi-ao--- 2.00g | lv-swap vg-root -wi-ao--- 2.00g | ||
</ | </syntaxhighlight> | ||
===Create and get the UUID=== | ===Create and get the UUID=== | ||
< | '''This step will erase all of your data from the disk after the mkswap command!!!''' | ||
So be sure you pick the right one! | |||
<syntaxhighlight lang=bash> | |||
# mkswap /dev/vg-root/lv-swap | # mkswap /dev/vg-root/lv-swap | ||
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | ||
on whole disk. Use -f to force. | on whole disk. Use -f to force. | ||
Setting up swapspace version 1, size = 2097148 KiB | Setting up swapspace version 1, size = 2097148 KiB | ||
no label, | no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765 | ||
</ | </syntaxhighlight> | ||
Save this UUID for the next step!!! | Save this UUID for the next step!!! | ||
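Review bot: the warning added above the mkswap block ("This step will erase all of your data from the disk after the mkswap command!!!") never names the device that is affected, so "pick the right one" has no referent. Say explicitly that mkswap overwrites whatever is on the volume passed to it, here /dev/vg-root/lv-swap.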
Line 27: | Line 30: | ||
Put this in your /etc/crypttab : | Put this in your /etc/crypttab : | ||
< | <syntaxhighlight lang=bash> | ||
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | ||
</ | </syntaxhighlight> | ||
The UUID is the one from mkswap before!!! | The UUID is the one from mkswap before!!! | ||
Line 35: | Line 38: | ||
# offset=40 : Save the region where your UUID is written on disk. | # offset=40 : Save the region where your UUID is written on disk. | ||
# noearly : Avoid race conditions of the init scripts (cryptdisks and cryptdisks-early). | # noearly : Avoid race conditions of the init scripts (cryptdisks and cryptdisks-early). | ||
====Start the crypted partition==== | |||
<syntaxhighlight lang=bash> | |||
# cryptdisks_start cryptswap1 | |||
* Starting crypto disk... | |||
* cryptswap1 (starting).. | |||
* cryptswap1 (started)... | |||
</syntaxhighlight> | |||
====Check the status==== | |||
<syntaxhighlight lang=bash> | |||
# cryptsetup status cryptswap1 | |||
/dev/mapper/cryptswap1 is active. | |||
type: PLAIN | |||
cipher: aes-cbc-essiv:sha256 | |||
keysize: 256 bits | |||
device: /dev/mapper/vg--root-lv--swap | |||
offset: 40 sectors | |||
size: 4194264 sectors | |||
mode: read/write | |||
</syntaxhighlight> | |||
====Make the swapFS==== | |||
<syntaxhighlight lang=bash> | |||
# mkswap /dev/mapper/cryptswap1 | |||
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors | |||
on whole disk. Use -f to force. | |||
Setting up swapspace version 1, size = 2097128 KiB | |||
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9 | |||
</syntaxhighlight> | |||
This new UUID has no relevance for /etc/crypttab. | |||
===Edit the /etc/fstab=== | |||
<syntaxhighlight lang=bash> | |||
# vit /etc/fstab | |||
... | |||
/dev/mapper/cryptswap1 none swap sw 0 0 | |||
</syntaxhighlight> | |||
Reboot to test your settings. |
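Review bot: "# vit /etc/fstab" in the new fstab block looks like a typo for "vi"; unless vit is a local alias the step will not open the file. Separately, the added cryptsetup status output reports "type: PLAIN", so one sentence stating that this section builds a plain dm-crypt mapping keyed from /dev/urandom, rather than a LUKS container, would reconcile it with the page title.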
Latest revision as of 04:52, 26 November 2021
Encrypted swap on LVM
Create logical volume for swap
# lvcreate -L 2g -n lv-swap vg-root
Logical volume "lv-swap" created
# lvs /dev/vg-root/lv-swap
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
lv-swap vg-root -wi-ao--- 2.00g
Create and get the UUID
This step will erase all data on the volume you pass to mkswap!!! So be sure you pick the right one!
# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
Save this UUID for the next step!!!
Create the encrypted swap
Put this in your /etc/crypttab:
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
The UUID is the one printed by mkswap in the previous step!!!
Important things:
- offset=40 : Start the encrypted area 40 sectors into the volume, which preserves the region where your UUID is written on disk.
- noearly : Avoid race conditions between the init scripts (cryptdisks and cryptdisks-early).
Start the encrypted partition
# cryptdisks_start cryptswap1
* Starting crypto disk...
* cryptswap1 (starting)..
* cryptswap1 (started)...
Check the status
# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
type: PLAIN
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg--root-lv--swap
offset: 40 sectors
size: 4194264 sectors
mode: read/write
Make the swapFS
# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
This new UUID has no relevance for /etc/crypttab.
Edit the /etc/fstab
# vi /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0
Reboot to test your settings.
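A consistency check for the /etc/crypttab and /etc/fstab entries built in the steps above, as an added example that is not part of the original wiki page. The function name lint_cryptswap and the temporary sample files are assumptions made for the illustration; it goes slightly beyond the page by also flagging an fstab line that would still swap on the underlying volume unencrypted.

```shell
#!/bin/sh
# Added example, not from the wiki page: lint a crypttab/fstab pair for the
# encrypted-swap setup above. Paths are arguments so it can run on copies.
lint_cryptswap() {
    crypttab=$1 fstab=$2 rc=0
    while read -r name src key opts rest; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in *,swap,*) ;; *) continue ;; esac   # swap entries only
        case $key in
            /dev/urandom|/dev/random) ;;
            *) echo "$name: key '$key' is not a random device"; rc=1 ;;
        esac
        case $src in
            UUID=*)
                # With no (or zero) offset the mapping starts at sector 0, so
                # mkswap on /dev/mapper/$name overwrites the header holding the UUID.
                off=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^offset=//p')
                case $off in ''|0) echo "$name: UUID source without offset="; rc=1 ;; esac
                ;;
        esac
        # fstab has to swap on the mapped device ...
        if ! awk -v d="/dev/mapper/$name" '$1 == d && $3 == "swap" { f = 1 } END { exit !f }' "$fstab"; then
            echo "$name: no fstab swap entry for /dev/mapper/$name"; rc=1
        fi
        # ... and must not also swap on the underlying source in the clear
        # (only catches an fstab line spelled exactly like the crypttab source).
        if awk -v s="$src" '$1 == s && $3 == "swap" { f = 1 } END { exit !f }' "$fstab"; then
            echo "$name: fstab still swaps on $src unencrypted"; rc=1
        fi
    done < "$crypttab"
    return $rc
}

# Constructed sample: the two entries this page ends up with.
tmp=$(mktemp -d)
echo 'cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly' > "$tmp/crypttab"
echo '/dev/mapper/cryptswap1 none swap sw 0 0' > "$tmp/fstab"
lint_cryptswap "$tmp/crypttab" "$tmp/fstab" && echo "cryptswap configuration is consistent"
rm -rf "$tmp"
```

Run it against copies of the real files before rebooting; a non-zero exit status means at least one finding was printed.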