LUKS - Linux Unified Key Setup

From Lolly's Wiki


Encrypted swap on LVM

Create logical volume for swap

# lvcreate -L 2g -n lv-swap vg-root
  Logical volume "lv-swap" created
# lvs /dev/vg-root/lv-swap
  LV      VG      Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
  lv-swap vg-root -wi-ao--- 2.00g

Create and get the UUID

The mkswap command in this step erases all data on the target volume!!! So be sure you pick the right one!

# mkswap /dev/vg-root/lv-swap
mkswap: /dev/vg-root/lv-swap: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=4764e516-d025-41de-ab5b-72070a3ae765

Save this UUID for the next step!!!

Create the encrypted swap

Put this in your /etc/crypttab :

cryptswap1 UUID=4764e516-d025-41de-ab5b-72070a3ae765 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=40,noearly

The UUID is the one printed by mkswap in the previous step!!!

Important things:

  1. offset=40 : Skip the first 40 sectors, preserving the region where your UUID is written on disk.
  2. noearly  : Avoid race conditions between the init scripts (cryptdisks and cryptdisks-early).
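
The following lint is an added example, not part of the original wiki page: it checks the swap entries of a crypttab-format file for the properties of the entry above (UUID source with an offset, random key device, noearly). The function name check_crypttab_swap and the check for unstable kernel device names are additions made here.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint the swap entries of a
# crypttab-format file against the entry shown above. Prints one line per
# finding and returns the number of findings (0 = matches the recipe).
check_crypttab_swap() {
    findings=0
    # crypttab fields: <target> <source device> <key file> <options>
    while read -r target source keyfile options _ || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac
        case ",$options," in *,swap,*) ;; *) continue ;; esac  # swap entries only
        offset='' noearly=no
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            case $opt in
                offset=*) offset=${opt#offset=} ;;
                noearly)  noearly=yes ;;
            esac
        done
        IFS=$old_ifs
        case $source in
            UUID=*)
                # Without an offset the mapping starts at sector 0, so the
                # first mkswap on the mapped device overwrites the UUID.
                case $offset in ''|0|*[!0-9]*)
                    echo "$target: UUID source needs offset=N (page uses 40)"
                    findings=$((findings + 1)) ;;
                esac ;;
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
                # 'swap' reformats the source on every start; kernel names
                # are not stable, so a renamed disk would be wiped.
                echo "$target: unstable device name $source"
                findings=$((findings + 1)) ;;
        esac
        case $keyfile in
            /dev/urandom|/dev/random) ;;
            *) echo "$target: key file $keyfile is not a random device"
               findings=$((findings + 1)) ;;
        esac
        if [ "$noearly" = no ]; then
            echo "$target: noearly missing (cryptdisks-early race)"
            findings=$((findings + 1))
        fi
    done < "$1"
    return "$findings"
}

# With a file argument (e.g. /etc/crypttab) lint it; otherwise do nothing.
if [ "$#" -gt 0 ]; then check_crypttab_swap "$1"; fi
```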

Start the encrypted partition

# cryptdisks_start cryptswap1
 * Starting crypto disk...
 * cryptswap1 (starting)..
 * cryptswap1 (started)...

Check the status

# cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active.
  type:    PLAIN
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/vg--root-lv--swap
  offset:  40 sectors
  size:    4194264 sectors
  mode:    read/write

Make the swapFS

# mkswap /dev/mapper/cryptswap1
mkswap: /dev/mapper/cryptswap1: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 2097128 KiB
no label, UUID=ccdd1d28-0504-4682-8ece-8b6ef381d7e9

This new UUID has no relevance for /etc/crypttab.

Edit the /etc/fstab

# vi /etc/fstab
...
/dev/mapper/cryptswap1 none swap sw 0 0

Reboot to test your settings.