
nihilist - 05 / 11 / 2022

LUKS Setup

In this tutorial we're going to look at how to set up LUKS encryption on additional drives of a server.

Initial Setup

For this tutorial I hooked up 2 additional hard drives to a VM:


[ 10.0.0.222/16 ] [ backup ] [~]
→ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0  1000G  0 disk
├─sda1           8:1    0   512M  0 part  /boot
├─sda2           8:2    0     1M  0 part
└─sda3           8:3    0 999.5G  0 part
  ├─lvm-swap   254:0    0   512M  0 lvm
  │ └─swap     254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp    254:1    0   500M  0 lvm
  │ └─tmp      254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot 254:2    0 998.5G  0 lvm
    └─root     254:3    0 998.5G  0 crypt /
sdb              8:16   0   3.6T  0 disk
└─sdb1           8:17   0   3.6T  0 part
sdc              8:32   0   3.6T  0 disk
└─sdc1           8:33   0   3.6T  0 part
sr0             11:0    1 891.3M  0 rom
	

The drives are /dev/sdb and /dev/sdc, both 3.6TB, and we want to encrypt them so their contents are unreadable unless we unlock them:


[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksFormat /dev/sdb
WARNING: Device /dev/sdb already contains a 'gpt' partition signature.

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb:
Verify passphrase:

[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksFormat /dev/sdc
WARNING: Device /dev/sdc already contains a 'gpt' partition signature.

WARNING!
========
This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdc:
Verify passphrase:
	

You can check the LUKS header information of each device:


[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksDump /dev/sdb
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           63088dd8-bca3-4e6c-b909-145b2de744c7
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     508031
        Threads:    2
        Salt:       e0 30 01 14 b3 8a 56 36 ef 7e b2 24 7b d6 a8 3b
                    06 2b c9 e9 5f 26 56 5a 78 c5 55 0d 4f 86 64 4f
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 26640
        Salt:       70 88 9e 5c 36 ae ae b4 d4 c5 85 3b f6 9c d5 8b
                    1d 13 24 93 29 fe c1 80 d9 18 7b b1 fe 3c 55 86
        Digest:     dd 9b 2c ba fa 3d 38 ec 56 92 28 d7 70 52 f1 a3
                    e5 fd 4d 3a 14 2c 85 52 bc e2 e0 99 c9 e6 bb 33

[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksDump /dev/sdc
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           8f559499-ca90-4b71-aead-c2252d0e10e0
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     482968
        Threads:    2
        Salt:       8f 6f b2 6d 46 a1 8f 31 0c cb 06 64 94 73 86 47
                    6e a8 1f 39 38 ff b9 27 10 6a 35 61 1b 9e 16 af
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 24417
        Salt:       06 6f e4 bd dd 10 0d 9e 29 41 ae 7e df d2 55 77
                    b9 94 0b b3 fb ba 38 41 c5 c4 63 8e 5d 00 7c 40
        Digest:     86 62 5c 31 67 00 5c 46 69 5f 2f 81 fb 83 34 ec
                    d0 73 44 e4 73 bc f9 f8 41 86 7a 06 55 97 77 3d
	

Now we want to open the encrypted drives, so we use luksOpen:


[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksOpen /dev/sdb VAULT1
Enter passphrase for /dev/sdb:

[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksOpen /dev/sdc VAULT2
Enter passphrase for /dev/sdc:
	
[ 10.0.0.222/16 ] [ backup ] [~]
→ ls -lash /dev/mapper/VAULT*
0 lrwxrwxrwx 1 root root 7 Nov  5 09:12 /dev/mapper/VAULT1 -> ../dm-6
0 lrwxrwxrwx 1 root root 7 Nov  5 09:13 /dev/mapper/VAULT2 -> ../dm-7

From here we have 2 unlocked drives mapped in /dev/mapper/, named VAULT1 and VAULT2. To use them we need to mount them, so let's create 2 folders in /mnt/ to mount them on:


[ 10.0.0.222/16 ] [ backup ] [~]
→ mkdir /mnt/VAULT1

[ 10.0.0.222/16 ] [ backup ] [~]
→ mkdir /mnt/VAULT2
	

Before mounting, don't forget to format the unlocked drives, with ext4 for example:


[ 10.0.0.222/16 ] [ backup ] [~]
→ mkfs.ext4 /dev/mapper/VAULT1
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT1 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: bcc579f6-96b9-4c9a-8ad8-694470db5dac
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848, 512000000, 550731776, 644972544


Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
	
[ 10.0.0.222/16 ] [ backup ] [~]
→ mount /dev/mapper/VAULT1 /mnt/VAULT1

[ 10.0.0.222/16 ] [ backup ] [~]
→ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0  1000G  0 disk
├─sda1           8:1    0   512M  0 part  /boot
├─sda2           8:2    0     1M  0 part
└─sda3           8:3    0 999.5G  0 part
  ├─lvm-swap   254:0    0   512M  0 lvm
  │ └─swap     254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp    254:1    0   500M  0 lvm
  │ └─tmp      254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot 254:2    0 998.5G  0 lvm
    └─root     254:3    0 998.5G  0 crypt /
sdb              8:16   0   3.6T  0 disk
└─VAULT1       254:6    0   3.6T  0 crypt /mnt/VAULT1
sdc              8:32   0   3.6T  0 disk
└─VAULT2       254:7    0   3.6T  0 crypt
sr0             11:0    1 891.3M  0 rom

Here you can see that we managed to mount our LUKS-encrypted drive on /mnt/VAULT1, so we can now write to it:


[ 10.0.0.222/16 ] [ backup ] [~]
→ cd /mnt/VAULT1

[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ echo 'test' > test.txt

[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ ls -lash
total 28K
4.0K drwxr-xr-x 3 root root 4.0K Nov  5 09:23 .
4.0K drwxr-xr-x 4 root root 4.0K Nov  5 09:15 ..
 16K drwx------ 2 root root  16K Nov  5 09:21 lost+found
4.0K -rw-r--r-- 1 root root    5 Nov  5 09:23 test.txt
	

Then we format and mount the other drive in the same way:


[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ mkfs.ext4 /dev/mapper/VAULT2
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT2 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: 8c41fdda-d272-4570-8562-f8f7ac4c87db
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848, 512000000, 550731776, 644972544

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done


[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ mount /dev/mapper/VAULT2 /mnt/VAULT2

[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0  1000G  0 disk
├─sda1           8:1    0   512M  0 part  /boot
├─sda2           8:2    0     1M  0 part
└─sda3           8:3    0 999.5G  0 part
  ├─lvm-swap   254:0    0   512M  0 lvm
  │ └─swap     254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp    254:1    0   500M  0 lvm
  │ └─tmp      254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot 254:2    0 998.5G  0 lvm
    └─root     254:3    0 998.5G  0 crypt /
sdb              8:16   0   3.6T  0 disk
└─VAULT1       254:6    0   3.6T  0 crypt /mnt/VAULT1
sdc              8:32   0   3.6T  0 disk
└─VAULT2       254:7    0   3.6T  0 crypt /mnt/VAULT2
sr0             11:0    1 891.3M  0 rom

Scripting

It's obvious that you don't want to store your password in cleartext anywhere on your machine, so you'll have to type the password every time you want to open the drives. I have this script here to mount the drives quickly; I just run it at startup:


[ 10.0.0.222/16 ] [ backup ] [~]
→ cat vault.sh

#!/bin/bash
# Stop at the first failure so a wrong passphrase does not fall through to mount.
set -e
echo "[+] MOUNTING VAULTS..."

# Unlock the first drive (prompts for its passphrase), then mount the mapping.
sudo cryptsetup luksOpen /dev/sdb VAULT1
sudo mkdir -p /mnt/VAULT1
sudo mount /dev/mapper/VAULT1 /mnt/VAULT1

# Same for the second drive.
sudo cryptsetup luksOpen /dev/sdc VAULT2
sudo mkdir -p /mnt/VAULT2
sudo mount /dev/mapper/VAULT2 /mnt/VAULT2

echo "[+] VAULTS MOUNTED"
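As an added example (not the author's vault.sh), here is the same open/mount flow written so it can be checked before it trusts a drive: it addresses the volume by the LUKS UUID shown in luksDump (a /dev/sdX letter can change between boots), refuses to continue unless the header carries the LUKS2/argon2id/512-bit/AES-XTS parameters seen above, and adds the matching close step the page does not show. It assumes udev creates /dev/disk/by-uuid links for LUKS headers and that the host's cryptsetup accepts the `open`/`close`/`isLuks` spellings; the embedded dump text is a constructed sample.

```shell
#!/bin/bash
# Added example, not the author's vault.sh: open a LUKS volume by its header
# UUID instead of /dev/sdX, sanity-check the header first, and close it again.
set -eu

# Constructed sample of `cryptsetup luksDump` output, cut down to the fields
# checked below (values copied from the /dev/sdb dump shown on this page).
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           63088dd8-bca3-4e6c-b909-145b2de744c7
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id'

# Print the value of one "Field: value" line from luksDump text (first match).
dump_field() {  # $1 = dump text, $2 = field name without the colon
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# Succeed only if the header has the parameters we expect (LUKS2, argon2id,
# 512-bit key, AES-XTS); anything else deserves a look before the drive is used.
header_ok() {  # $1 = dump text
    [ "$(dump_field "$1" Version)" = "2" ] &&
    [ "$(dump_field "$1" PBKDF)" = "argon2id" ] &&
    [ "$(dump_field "$1" Key)" = "512" ] &&
    [ "$(dump_field "$1" Cipher)" = "aes-xts-plain64" ]
}

# Unlock and mount a vault. The by-uuid link (assumed to be created by udev
# for the LUKS header) is stable across reboots, unlike /dev/sdb or /dev/sdc.
open_vault() {  # $1 = LUKS UUID, $2 = mapper name, $3 = mountpoint
    local dev="/dev/disk/by-uuid/$1"
    sudo cryptsetup isLuks "$dev"                  # refuse non-LUKS devices
    header_ok "$(sudo cryptsetup luksDump "$dev")" # refuse unexpected headers
    sudo cryptsetup open "$dev" "$2"               # prompts for the passphrase
    sudo mkdir -p "$3"
    sudo mount "/dev/mapper/$2" "$3"
}

# Unmount and lock again; the data is unreadable until the vault is reopened.
close_vault() {  # $1 = mapper name, $2 = mountpoint
    sudo umount "$2"
    sudo cryptsetup close "$1"
}

# Usage, with the VAULT1 UUID from the luksDump output earlier on the page:
#   open_vault 63088dd8-bca3-4e6c-b909-145b2de744c7 VAULT1 /mnt/VAULT1
#   close_vault VAULT1 /mnt/VAULT1
```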
