LUKS - Linux Unified Key Setup: Difference between revisions

From Lolly's Wiki
No edit summary
m (Text replacement - "[[Kategorie:" to "[[Category:")
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:Linux]]
[[Category:Linux]]
[[Kategorie:Security]]
[[Category:Security]]


==Encrypted swap on LVM==
==Encrypted swap on LVM==
===Create logical volume for swap===
===Create logical volume for swap===
<source lang=bash>
<syntaxhighlight lang=bash>
# lvcreate -L 2g -n lv-swap vg-root
# lvcreate -L 2g -n lv-swap vg-root
   Logical volume "lv-swap" created
   Logical volume "lv-swap" created
</source>
</syntaxhighlight>


<source lang=bash>
<syntaxhighlight lang=bash>
# lvs /dev/vg-root/lv-swap
# lvs /dev/vg-root/lv-swap
   LV      VG      Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
   LV      VG      Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
   lv-swap vg-root -wi-ao--- 2.00g
   lv-swap vg-root -wi-ao--- 2.00g
</source>
</syntaxhighlight>


===Create and get the UUID===
===Create and get the UUID===
<source lang=bash>
'''This step will erase all of your data from the disk after the mkswap command!!!'''
So be sure you pick the right one!
<syntaxhighlight lang=bash>
# mkswap /dev/vg-root/lv-swap
# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
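Review bot: the new warning line "This step will erase all of your data from the disk after the mkswap command!!!" is ambiguous about when the data is lost; mkswap writes its signature to the target device the moment it runs, so suggest wording it as "mkswap overwrites whatever is on the target device" and pointing the reader at the `lvs /dev/vg-root/lv-swap` check in the block just above as the way to confirm the path before running it. The `[[Kategorie:` to `[[Category:` and `<source>` to `<syntaxhighlight>` replacements in this hunk are fine.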
Line 22: Line 24:
Setting up swapspace version 1, size = 2097148 KiB
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
</source>
</syntaxhighlight>
Save this UUID for the next step!!!
Save this UUID for the next step!!!


Line 28: Line 30:


Put this in your /etc/crypttab :
Put this in your /etc/crypttab :
<source lang=bash>
<syntaxhighlight lang=bash>
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
</source>
</syntaxhighlight>
The UUID is the one from mkswap before!!!
The UUID is the one from mkswap before!!!
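Review bot: the crypttab line sets `cipher=aes-cbc-essiv:sha256` but no `size=`, so the key length falls back to cryptsetup's default for plain mappings; consider stating the intended key size explicitly (crypttab's `size=256`) so the `cryptsetup status` output later on the page can be checked against the configuration. A sentence on why `/dev/urandom` is given as the key file would also help: a fresh random key is generated at every boot, which is what makes old swap contents unrecoverable after a reboot.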


Line 38: Line 40:


====Start the crypted partition====
====Start the crypted partition====
<source lang=bash>
<syntaxhighlight lang=bash>
# cryptdisks_start cryptswap1
# cryptdisks_start cryptswap1
  * Starting crypto disk...
  * Starting crypto disk...
  * cryptswap1 (starting)..
  * cryptswap1 (starting)..
  * cryptswap1 (started)...
  * cryptswap1 (started)...
</source>
</syntaxhighlight>


====Check the status====
====Check the status====
<source lang=bash>
<syntaxhighlight lang=bash>
# cryptsetup status cryptswap1
# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
/dev/mapper/cryptswap1 is active.
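Review bot: `cryptdisks_start` is the helper shipped with the Debian/Ubuntu cryptsetup package, and this hunk does not say so; a sentence stating that the section assumes a Debian-family system would save readers on other distributions a failed command lookup, since on those systems the equivalent is a direct `cryptsetup` call or the systemd crypttab generator.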
Line 56: Line 58:
   size:    4194264 sectors
   size:    4194264 sectors
   mode:    read/write
   mode:    read/write
</source>
</syntaxhighlight>


====Make the swapFS====
====Make the swapFS====
<source lang=bash>
<syntaxhighlight lang=bash>
# mkswap /dev/mapper/cryptswap1
# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
Line 65: Line 67:
Setting up swapspace version 1, size = 2097128 KiB
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
</source>
</syntaxhighlight>
This new UUID has no relevance for /etc/crypttab.
This new UUID has no relevance for /etc/crypttab.


===Edit the /etc/fstab===
===Edit the /etc/fstab===
<source lang=bash>
<syntaxhighlight lang=bash>
# vit /etc/fstab
# vit /etc/fstab
...
...
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0
</source>
</syntaxhighlight>


Reboot to test your settings.
Reboot to test your settings.
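Review bot: `# vit /etc/fstab` is a typo for `vi /etc/fstab` and was carried over unchanged from the previous revision; suggest fixing it in the next edit. Worth a sentence as well: the 2097128 KiB reported by mkswap here is 20 KiB less than the 2097148 KiB reported for the raw volume earlier on the page, which is exactly the 40-sector offset from crypttab and confirms that the mapping starts past the original swap signature.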

Latest revision as of 04:52, 26 November 2021


Encrypted swap on LVM

Create logical volume for swap

# lvcreate -L 2g -n lv-swap vg-root
  Logical volume "lv-swap" created
# lvs /dev/vg-root/lv-swap
  LV      VG      Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
  lv-swap vg-root -wi-ao--- 2.00g

Create and get the UUID

This step overwrites whatever is on the target device as soon as mkswap runs!!! So be sure you pick the right one!

# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765

Save this UUID for the next step!!!

Create the crypted swap

Put this in your /etc/crypttab :

cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly

The UUID is the one from mkswap before!!!

Important things:

  1. offset=40 : Skips the first 40 sectors, so the region where mkswap wrote the swap signature and its UUID stays untouched and crypttab can keep finding the volume by that UUID on every boot.
  2. noearly  : Avoids the race between the two init script passes (cryptdisks-early and cryptdisks); the device is only set up in the later pass, after LVM is available.

Start the crypted partition

# cryptdisks_start cryptswap1
 * Starting crypto disk...
 * cryptswap1 (starting)..
 * cryptswap1 (started)...

Check the status

# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
  type:    PLAIN
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/vg--root-lv--swap
  offset:  40 sectors
  size:    4194264 sectors
  mode:    read/write

Make the swapFS

# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9

This new UUID has no relevance for /etc/crypttab.

Edit the /etc/fstab

# vi /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0

Reboot to test your settings.
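Before rebooting, the crypttab and fstab lines from the steps above can be checked against each other. The script below is an added example, not part of the wiki page or of the cryptsetup project: the two configuration strings are constructed inline (they mirror the lines on this page), the function names are my own, and `SWAP_HEADER_BYTES=4096` assumes the usual 4 KiB page into which mkswap writes its signature and UUID.

```shell
#!/bin/sh
# Added example: sanity checks for an encrypted-swap crypttab/fstab pair.
# Constructed sample configuration (mirrors the page); on a real host pass the
# swap line from /etc/crypttab and the full text of /etc/fstab instead.
SAMPLE_CRYPTTAB='cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly'
SAMPLE_FSTAB='/dev/vg-root/lv-root / ext4 errors=remount-ro 0 1
/dev/mapper/cryptswap1 none swap sw 0 0'

# mkswap writes its signature (including the UUID) into the first page of the
# device; 4096 bytes is the usual page size (assumption, adjust if yours differs).
SWAP_HEADER_BYTES=4096

# offset_protects_signature SECTORS
# True when an offset of SECTORS 512-byte sectors skips the whole swap header.
offset_protects_signature() {
    [ "$(( $1 * 512 ))" -ge "$SWAP_HEADER_BYTES" ]
}

# check_crypttab_swap "TARGET SOURCE KEYFILE OPTIONS"
# Prints one line per check; returns the number of warnings (0 = all good).
check_crypttab_swap() {
    set -- $1                        # split the line into its four fields
    target=$1 source=$2 keyfile=$3 opts=$4
    warn=0
    case "$source" in
        UUID=????????-????-????-????-????????????)
            echo "OK   $target: source given by UUID" ;;
        *)  echo "WARN $target: source '$source' is not a UUID (device names can change between boots)"
            warn=$((warn + 1)) ;;
    esac
    if [ "$keyfile" = "/dev/urandom" ]; then
        echo "OK   $target: fresh random key from /dev/urandom on every boot"
    else
        echo "WARN $target: key source is '$keyfile', not /dev/urandom"
        warn=$((warn + 1))
    fi
    for needed in swap noearly; do
        case ",$opts," in
            *,"$needed",*) echo "OK   $target: option '$needed' present" ;;
            *)             echo "WARN $target: option '$needed' missing"
                           warn=$((warn + 1)) ;;
        esac
    done
    # Pull out offset=N and make sure it skips the signature mkswap wrote.
    offset=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^offset=//p')
    if [ -z "$offset" ]; then
        echo "WARN $target: no offset=, the swap signature (and its UUID) would be overwritten"
        warn=$((warn + 1))
    elif offset_protects_signature "$offset"; then
        echo "OK   $target: offset=$offset sectors keeps the swap signature intact"
    else
        echo "WARN $target: offset=$offset sectors is smaller than the swap header"
        warn=$((warn + 1))
    fi
    return $warn
}

# check_fstab_swap "FSTAB TEXT" TARGET
# True when fstab takes swap from /dev/mapper/TARGET and from nothing else
# (a swap line pointing at the raw volume would bypass the encryption).
check_fstab_swap() {
    printf '%s\n' "$1" | awk -v want="/dev/mapper/$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 == "swap" && $1 == want { found = 1; next }
        $3 == "swap"               { print "WARN swap also configured from " $1; bad = 1 }
        END {
            if (!found) print "WARN no swap entry for " want
            if (found && !bad) exit 0
            exit 1
        }'
}

# Run both checks on the constructed sample.
check_crypttab_swap "$SAMPLE_CRYPTTAB"
check_fstab_swap "$SAMPLE_FSTAB" cryptswap1 && echo "OK   fstab uses /dev/mapper/cryptswap1 only"
```

On a real host, feed the checker the swap line from /etc/crypttab (for example `grep '^cryptswap1' /etc/crypttab`) and `$(cat /etc/fstab)`; because `check_crypttab_swap` returns the number of warnings, it can gate a provisioning script before the reboot step.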