LUKS - Linux Unified Key Setup
Revision as of 15:29, 25 November 2021
Categories: Linux, Security
Encrypted swap on LVM
Create logical volume for swap
<syntaxhighlight lang=bash>
# lvcreate -L 2g -n lv-swap vg-root
  Logical volume "lv-swap" created
</syntaxhighlight>
<syntaxhighlight lang=bash>
# lvs /dev/vg-root/lv-swap
  LV      VG      Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
  lv-swap vg-root -wi-ao--- 2.00g
</syntaxhighlight>
Create and get the UUID
mkswap writes a swap signature into the first page of the logical volume and destroys whatever was stored there, so make sure you picked the right device before running it! The only purpose of this first mkswap is to give the LV a stable UUID that /etc/crypttab can refer to; the swap space you will actually use is created later on the encrypted mapping.
<syntaxhighlight lang=bash>
# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
</syntaxhighlight>
Save this UUID for the next step!!!
Create the crypted swap
Put this in your /etc/crypttab:
<syntaxhighlight lang=bash>
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
</syntaxhighlight>
The UUID is the one from mkswap before!!!
Important things:
- UUID=... : refer to the LV by the UUID mkswap just wrote, not by device name, so the entry keeps working if device names change.
- /dev/urandom : the key is read from the kernel RNG every time the mapping is set up, so each boot uses a fresh random key and nothing that was written to swap can be recovered after a reboot or power-off. The flip side: suspend-to-disk (hibernate) cannot resume from this swap, because the key that encrypted it no longer exists.
- swap : cryptdisks runs mkswap on the mapping every time it is set up. This is required, since the previous boot's swap area is unreadable under the new key.
- cipher=aes-cbc-essiv:sha256 : the compiled-in default for plain dm-crypt mappings. It still works, but on a current system prefer cipher=aes-xts-plain64,size=512 (AES-256 in XTS mode), which is what cryptsetup has defaulted to for LUKS for years.
- offset=40 : the mapping starts 40 sectors (40 x 512 bytes = 20 KiB) into the LV, so the plaintext swap header written by the mkswap above, including the UUID the UUID= reference depends on, is never overwritten by the encrypted swap. Without the offset, the mkswap on the mapping would clobber that header and the entry would no longer resolve at the next boot.
- noearly : avoid race conditions between the init scripts (cryptdisks-early runs before LVM is up, cryptdisks after it); this mapping must only be attempted once the LV exists.
Start the crypted partition
<syntaxhighlight lang=bash>
# cryptdisks_start cryptswap1
 * Starting crypto disk...
 * cryptswap1 (starting)..
 * cryptswap1 (started)...
</syntaxhighlight>
Check the status
<syntaxhighlight lang=bash>
# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
  type:    PLAIN
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/vg--root-lv--swap
  offset:  40 sectors
  size:    4194264 sectors
  mode:    read/write
</syntaxhighlight>
Things worth checking in this output: type PLAIN means a plain dm-crypt mapping with no LUKS header (there is no passphrase to manage, the key is the random one from /dev/urandom), the offset of 40 sectors matches the crypttab entry, and the size is the LV's 4194304 sectors minus those 40 sectors.
Make the swapFS
<syntaxhighlight lang=bash>
# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
</syntaxhighlight>
The size is 20 KiB smaller than the first mkswap reported, which is exactly the 40-sector offset. This new UUID has no relevance for /etc/crypttab: it is written to the encrypted mapping, lands on disk as ciphertext under a key that is discarded at shutdown, and is regenerated by the mkswap that the swap option runs at the next boot. Do not reference it in /etc/fstab either; use the mapper device name.
Edit the /etc/fstab
<syntaxhighlight lang=bash>
# vi /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0
</syntaxhighlight>
Reboot to test your settings. After the reboot, cat /proc/swaps should list the mapping (it appears there under its kernel name, /dev/dm-N), and cryptsetup status cryptswap1 should again report an active PLAIN mapping with an offset of 40 sectors.
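Before rebooting, it is worth checking the two entries for the mistakes that break this setup silently: a missing or too-small offset (the mapping then overwrites the plaintext swap header and the UUID= reference stops resolving), a non-random key, a missing swap option, or an fstab line that names the mapping by its throwaway UUID. The script below is an example added for this page, not a script from the wiki or from the cryptsetup project. It parses constructed sample lines (the first crypttab and fstab lines are the page's own entries, the others are deliberately broken variants) and takes the page size as an explicit argument, since the header check depends on it; the field and option names are those documented in crypttab(5) and fstab(5), the check logic is this example's own.

```bash
# check_crypttab_swap LINE PAGESIZE
# Returns 0 if LINE looks like a sane random-key swap entry, 1 otherwise
# (with a one-line reason on stdout).  PAGESIZE defaults to 4096.
check_crypttab_swap() {
    line=$1
    pagesize=${2:-4096}
    set -- $line
    if [ $# -ne 4 ]; then
        echo "expected 4 fields: target source key options"
        return 1
    fi
    target=$1 src=$2 key=$3 opts=$4

    case $src in
        UUID=*) ;;
        *) echo "$target: refer to the source by UUID=, device names can move"; return 1 ;;
    esac

    case $key in
        /dev/urandom|/dev/random) ;;
        *) echo "$target: key '$key' is not a random source, so this is not throwaway swap"; return 1 ;;
    esac

    has_swap=0 offset='' cipher=''
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            swap)     has_swap=1 ;;
            offset=*) offset=${o#offset=} ;;
            cipher=*) cipher=${o#cipher=} ;;
        esac
    done
    IFS=$oldifs

    if [ $has_swap -ne 1 ]; then
        echo "$target: missing 'swap' option, mkswap will not run on the mapping at boot"
        return 1
    fi
    case $offset in
        ''|*[!0-9]*) echo "$target: offset=<sectors> missing or not numeric"; return 1 ;;
    esac
    # The plaintext swap header (SWAPSPACE2 magic at byte PAGESIZE-10, UUID at
    # byte 1036) lives in page 0 of the LV.  The mapping must start past it,
    # otherwise mkswap on the mapping overwrites it and UUID= stops resolving.
    if [ $((offset * 512)) -lt "$pagesize" ]; then
        echo "$target: offset=$offset sectors ($((offset * 512)) bytes) does not clear page 0 ($pagesize bytes)"
        return 1
    fi
    case $cipher in
        *-cbc-*) echo "$target: note: $cipher is a legacy mode, prefer cipher=aes-xts-plain64,size=512" ;;
    esac
    return 0
}

# check_fstab_swap TARGET LINE
# Returns 0 if LINE activates /dev/mapper/TARGET as swap by device path
# (never by UUID, which changes at every boot), 1 otherwise.
check_fstab_swap() {
    target=$1
    set -- $2
    if [ $# -lt 4 ]; then echo "fstab: expected at least 4 fields"; return 1; fi
    if [ "$1" != "/dev/mapper/$target" ]; then
        echo "fstab: device is '$1', expected /dev/mapper/$target"; return 1
    fi
    if [ "$3" != swap ]; then echo "fstab: type is '$3', expected swap"; return 1; fi
    return 0
}

# Constructed samples: the page's own entries plus deliberately broken variants.
CRYPTTAB_OK='cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly'
CRYPTTAB_NO_OFFSET='cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-xts-plain64,size=512,noearly'
CRYPTTAB_PASSPHRASE='cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 none swap,offset=40'
FSTAB_OK='/dev/mapper/cryptswap1 none swap sw 0 0'
FSTAB_BY_UUID='UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9 none swap sw 0 0'

for l in "$CRYPTTAB_OK" "$CRYPTTAB_NO_OFFSET" "$CRYPTTAB_PASSPHRASE"; do
    if check_crypttab_swap "$l" 4096; then echo "crypttab OK:  $l"; else echo "crypttab BAD: $l"; fi
done
for l in "$FSTAB_OK" "$FSTAB_BY_UUID"; do
    if check_fstab_swap cryptswap1 "$l"; then echo "fstab OK:  $l"; else echo "fstab BAD: $l"; fi
done
```

On a real machine pass `$(getconf PAGESIZE)` as the second argument: the page's offset=40 (20 KiB) is plenty on a 4 KiB-page x86 kernel but does not clear page 0 on a kernel built with 64 KiB pages, and the check reports exactly that.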