LUKS - Linux Unified Key Setup: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "</source" to "</syntaxhighlight") |
m (Text replacement - "<source " to "<syntaxhighlight ") |
||
| Line 4: | Line 4: | ||
==Encrypted swap on LVM== | ==Encrypted swap on LVM== | ||
===Create logical volume for swap=== | ===Create logical volume for swap=== | ||
< | <syntaxhighlight lang=bash> | ||
# lvcreate -L 2g -n lv-swap vg-root | # lvcreate -L 2g -n lv-swap vg-root | ||
Logical volume "lv-swap" created | Logical volume "lv-swap" created | ||
</syntaxhighlight> | </syntaxhighlight> | ||
< | <syntaxhighlight lang=bash> | ||
# lvs /dev/vg-root/lv-swap | # lvs /dev/vg-root/lv-swap | ||
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | ||
| Line 18: | Line 18: | ||
'''This step will erase all of your data from the disk after the mkswap command!!!''' | '''This step will erase all of your data from the disk after the mkswap command!!!''' | ||
So be sure you pick the right one! | So be sure you pick the right one! | ||
< | <syntaxhighlight lang=bash> | ||
# mkswap /dev/vg-root/lv-swap | # mkswap /dev/vg-root/lv-swap | ||
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | ||
| Line 30: | Line 30: | ||
Put this in your /etc/crypttab : | Put this in your /etc/crypttab : | ||
< | <syntaxhighlight lang=bash> | ||
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 40: | Line 40: | ||
====Start the crypted partition==== | ====Start the crypted partition==== | ||
< | <syntaxhighlight lang=bash> | ||
# cryptdisks_start cryptswap1 | # cryptdisks_start cryptswap1 | ||
* Starting crypto disk... | * Starting crypto disk... | ||
| Line 48: | Line 48: | ||
====Check the status==== | ====Check the status==== | ||
< | <syntaxhighlight lang=bash> | ||
# cryptsetup status cryptswap1 | # cryptsetup status cryptswap1 | ||
/dev/mapper/cryptswap1 is active. | /dev/mapper/cryptswap1 is active. | ||
| Line 61: | Line 61: | ||
====Make the swapFS==== | ====Make the swapFS==== | ||
< | <syntaxhighlight lang=bash> | ||
# mkswap /dev/mapper/cryptswap1 | # mkswap /dev/mapper/cryptswap1 | ||
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors | mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors | ||
| Line 71: | Line 71: | ||
===Edit the /etc/fstab=== | ===Edit the /etc/fstab=== | ||
< | <syntaxhighlight lang=bash> | ||
# vit /etc/fstab | # vit /etc/fstab | ||
... | ... | ||
Revision as of 23:32, 25 November 2021
Kategorie:Linux Kategorie:Security
Encrypted swap on LVM
Create logical volume for swap
# lvcreate -L 2g -n lv-swap vg-root
Logical volume "lv-swap" created
# lvs /dev/vg-root/lv-swap
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
lv-swap vg-root -wi-ao--- 2.00g
Create and get the UUID
This step will erase all of your data from the disk after the mkswap command!!! So be sure you pick the right one!
# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
Save this UUID for the next step!!!
Create the crypted swap
Put this in your /etc/crypttab :
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
The UUID is the one from mkswap before!!!
Important things:
- offset=40 : Save the region where your UUID is written on disk.
- noearly : Avoid race conditions of the init scripts (cryptdisks and cryptdisks-early).
Start the crypted partition
# cryptdisks_start cryptswap1
* Starting crypto disk...
* cryptswap1 (starting)..
* cryptswap1 (started)...
Check the status
# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
type: PLAIN
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg--root-lv--swap
offset: 40 sectors
size: 4194264 sectors
mode: read/write
Make the swapFS
# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
This new UUID has no relevance for /etc/crypttab.
Edit the /etc/fstab
# vit /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0
Reboot to test your settings.
