LUKS - Linux Unified Key Setup: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "[[Kategorie:" to "[[Category:") |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[ | [[Category:Linux]] | ||
[[ | [[Category:Security]] | ||
==Encrypted swap on LVM== | ==Encrypted swap on LVM== | ||
===Create logical volume for swap=== | ===Create logical volume for swap=== | ||
< | <syntaxhighlight lang=bash> | ||
# lvcreate -L 2g -n lv-swap vg-root | # lvcreate -L 2g -n lv-swap vg-root | ||
Logical volume "lv-swap" created | Logical volume "lv-swap" created | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang=bash> | ||
# lvs /dev/vg-root/lv-swap | # lvs /dev/vg-root/lv-swap | ||
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert | ||
lv-swap vg-root -wi-ao--- 2.00g | lv-swap vg-root -wi-ao--- 2.00g | ||
</ | </syntaxhighlight> | ||
===Create and get the UUID=== | ===Create and get the UUID=== | ||
'''This step will erase all of your data from the disk after the mkswap command!!!''' | '''This step will erase all of your data from the disk after the mkswap command!!!''' | ||
So be sure you pick the right one! | So be sure you pick the right one! | ||
< | <syntaxhighlight lang=bash> | ||
# mkswap /dev/vg-root/lv-swap | # mkswap /dev/vg-root/lv-swap | ||
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors | ||
| Line 24: | Line 24: | ||
Setting up swapspace version 1, size = 2097148 KiB | Setting up swapspace version 1, size = 2097148 KiB | ||
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765 | no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765 | ||
</ | </syntaxhighlight> | ||
Save this UUID for the next step!!! | Save this UUID for the next step!!! | ||
| Line 30: | Line 30: | ||
Put this in your /etc/crypttab : | Put this in your /etc/crypttab : | ||
< | <syntaxhighlight lang=bash> | ||
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly | ||
</ | </syntaxhighlight> | ||
The UUID is the one from mkswap before!!! | The UUID is the one from mkswap before!!! | ||
| Line 40: | Line 40: | ||
====Start the crypted partition==== | ====Start the crypted partition==== | ||
< | <syntaxhighlight lang=bash> | ||
# cryptdisks_start cryptswap1 | # cryptdisks_start cryptswap1 | ||
* Starting crypto disk... | * Starting crypto disk... | ||
* cryptswap1 (starting).. | * cryptswap1 (starting).. | ||
* cryptswap1 (started)... | * cryptswap1 (started)... | ||
</ | </syntaxhighlight> | ||
====Check the status==== | ====Check the status==== | ||
< | <syntaxhighlight lang=bash> | ||
# cryptsetup status cryptswap1 | # cryptsetup status cryptswap1 | ||
/dev/mapper/cryptswap1 is active. | /dev/mapper/cryptswap1 is active. | ||
| Line 58: | Line 58: | ||
size: 4194264 sectors | size: 4194264 sectors | ||
mode: read/write | mode: read/write | ||
</ | </syntaxhighlight> | ||
====Make the swapFS==== | ====Make the swapFS==== | ||
< | <syntaxhighlight lang=bash> | ||
# mkswap /dev/mapper/cryptswap1 | # mkswap /dev/mapper/cryptswap1 | ||
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors | mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors | ||
| Line 67: | Line 67: | ||
Setting up swapspace version 1, size = 2097128 KiB | Setting up swapspace version 1, size = 2097128 KiB | ||
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9 | no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9 | ||
</ | </syntaxhighlight> | ||
This new UUID has no relevance for /etc/crypttab. | This new UUID has no relevance for /etc/crypttab. | ||
===Edit the /etc/fstab=== | ===Edit the /etc/fstab=== | ||
< | <syntaxhighlight lang=bash> | ||
# vit /etc/fstab | # vit /etc/fstab | ||
... | ... | ||
/dev/mapper/cryptswap1 none swap sw 0 0 | /dev/mapper/cryptswap1 none swap sw 0 0 | ||
</ | </syntaxhighlight> | ||
Reboot to test your settings. | Reboot to test your settings. | ||
Latest revision as of 05:52, 26 November 2021
Encrypted swap on LVM
Create logical volume for swap
# lvcreate -L 2g -n lv-swap vg-root
Logical volume "lv-swap" created
# lvs /dev/vg-root/lv-swap
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
lv-swap vg-root -wi-ao--- 2.00g
Create and get the UUID
This step will erase all of your data from the disk after the mkswap command!!! So be sure you pick the right one!
# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765
Save this UUID for the next step!!!
Create the crypted swap
Put this in your /etc/crypttab :
cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly
The UUID is the one from mkswap before!!!
Important things:
- offset=40 : Save the region where your UUID is written on disk.
- noearly : Avoid race conditions of the init scripts (cryptdisks and cryptdisks-early).
Start the crypted partition
# cryptdisks_start cryptswap1
* Starting crypto disk...
* cryptswap1 (starting)..
* cryptswap1 (started)...
Check the status
# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
type: PLAIN
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg--root-lv--swap
offset: 40 sectors
size: 4194264 sectors
mode: read/write
Make the swapFS
# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9
This new UUID has no relevance for /etc/crypttab.
Edit the /etc/fstab
# vit /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0
Reboot to test your settings.
