Lesson 14

Date: 7/2/2018
Encrypted file systems
Linux System Administration


Exercise: DM-Crypt+LUKS

DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal. Linux Unified Key Setup or LUKS is a disk encryption specification.
  • Install cryptsetup: 
    apt-get install cryptsetup
    Zero out the storage devices, label and partition. 
    dd if=/dev/zero of=/dev/sdb2 bs=1M count=10
    Create a LUKS container: 
    cryptsetup -y -v luksFormat /dev/sdb2
    Open the LUKS container: 
    cryptsetup luksOpen /dev/sdb2 secure
    Check the device mapping for drive secure: 
    cryptsetup status secure
    Create a file system, a mounting point and mount the device: 
    mkfs.ext4  /dev/mapper/secure
mkdir /secure
mount /dev/mapper/secure /secure
    Verify that the file system is mounted: 
    df -h
    Unmount the drive: 
    umount /secure
    Delete the device mapper: 
    cryptsetup luksClose secure

  • To mount the device, first, setup the device mapper: 
    cryptsetup luksOpen /dev/sdb2 secure
    Mount the device 
    mount /dev/mapper/secure /secure

  • You can add an additional passphrase (password) for encrypted partition: 
    cryptsetup luksDump /dev/sdb2
cryptsetup luksAddKey /dev/sdb2
    Maximum 8 passwords can be setup for each device.
    To remove one of the passwords: 
    cryptsetup luksRemoveKey /dev/sdb2
    Enter the old passphrase to remove.

    If the drive is stolen, it won't be mountable without the device mapper setup, which requires the password.

    • Take me to the Course Website