Crypto

Abstract

sdX = sda, sdb, sdg, sdp, ... (the whole disc - don't mix them up!). sdXy - y is the partition you want to encrypt

fdisk /dev/sdX                                                                # partition the disc
dd if=/dev/urandom of=/dev/sdXy                                               # write random data on the partition
cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy                  # create the crypto container
cryptsetup luksOpen /dev/sdXy cryptname                                       # open the container
mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # format
mount /dev/mapper/cryptname /mnt/crypt                                        # mount the opened container

RAID

howto create a RAID array with LUKS encryption, mdadm RAID tools and LVM2

tested on debian squeeze

replace sdX and sdY with the hdd devices of your choice - choose carefully!

run a badblocks check or dd to overwrite all data with random bit patterns

badblocks -c 10240 -s -w -t random -v /dev/sdX
badblocks -c 10240 -s -w -t random -v /dev/sdY

“Warning: Do not use badblocks here. It only generates a random pattern which just repeats its randomness over and over again.” uups

slower and more secure:

dd if=/dev/urandom of=/dev/sdX
dd if=/dev/urandom of=/dev/sdY

wait some hours or days..

ubuntu suggests randomizing only the start of the partition:

dd if=/dev/urandom bs=1M count=8 of=/dev/sdX

best practice: use AES in CTR mode with a random throw-away key as the random source - this is faster than /dev/urandom and should be secure:

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdXy
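The openssl one-liner above, wrapped in a small POSIX sh function as an added example (not part of the original page): it refuses to write to a target that is mounted or does not exist (the classic typo that creates a regular file under /dev), falls back to /dev/urandom when openssl is not installed, and takes an optional byte limit so it can be tried on a file first. The function names and the byte-limit argument are my own.

```shell
#!/bin/sh
# Added example: fill a block device (or a file) with pseudo-random data.
# Uses the page's openssl AES-256-CTR keystream trick when openssl exists,
# otherwise the slower /dev/urandom. Function names are my own.

# Emit an endless pseudo-random stream on stdout.
random_stream() {
    if command -v openssl >/dev/null 2>&1; then
        # 128 random bytes, base64-encoded, become a throw-away passphrase;
        # AES-256-CTR over /dev/zero then yields a random-looking keystream.
        key=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d '\n')
        openssl enc -aes-256-ctr -pass pass:"$key" -nosalt < /dev/zero 2>/dev/null
    else
        cat /dev/urandom
    fi
}

# wipe_random TARGET [BYTES]
# Without BYTES the stream runs until the target is full (ENOSPC), exactly
# like the dd/openssl one-liners. Returns 1 and writes nothing when the
# target is missing, a directory, or currently mounted.
wipe_random() {
    target=$1
    limit=${2:-}
    if [ ! -e "$target" ]; then
        echo "refusing: $target does not exist (typo?)" >&2; return 1
    fi
    if [ -d "$target" ]; then
        echo "refusing: $target is a directory" >&2; return 1
    fi
    if grep -qs "^$target " /proc/mounts; then
        echo "refusing: $target is mounted" >&2; return 1
    fi
    if [ -n "$limit" ]; then
        random_stream | head -c "$limit" > "$target"
    else
        random_stream > "$target"
    fi
}

# usage: wipe_random /dev/sdXy            # whole partition, runs until full
#        wipe_random /tmp/testfile 1048576   # 1 MiB dry run on a file
```

The mount check only looks at exact device paths in /proc/mounts, so a device that is mounted through a /dev/mapper or /dev/disk/by-* symlink is not caught; check with `findmnt` as well before wiping anything valuable.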


Create partitions on two devices

  • mark them with the type code FD
  • all partitions should be of the same size!

fdisk /dev/sdX
...
fdisk /dev/sdY

Partition table limit! → GPT

You cannot create a Linux partition larger than 2 TB using the fdisk command. A GPT partition table is required; it can be created with

parted

http://www.cyberciti.biz/tips/fdisk-unable-to-create-partition-greater-2tb.html

Check if the kernel supports EFI

cat /boot/config-2.6.26-2-686 | grep EFI

Replace the version with that of the current kernel (uname -a)

Create GPT partition table:

mklabel gpt
mkpart non-fs 0 2
mkpart ext3 2 130
mkpart ... raid system...

The first partition is a fake MBR, the second is the /boot partition

gptsync /dev/sdX # gptsync sets up the MBR to point to the fake partition

FIXME true?: Set the type of the second partition (/boot) to 'da' in fdisk

After fixing the partition types with fdisk, start parted to set the bios_grub flag on the first partition. After this, the partition table is protected and fdisk cannot read it anymore.

parted /dev/sdX
set 1 bios_grub on
quit

http://www.wensley.org.uk/gpt

If you are moving a root system to this disc, continue by copying the system and installing the bootloader from a chroot, see: Bootloader



Create the RAID array:

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdX1 /dev/sdY1

This creates a RAID 1. Choose a free device number X in /dev/mdX

The device will be created and synchronization of the blocks starts. Check the sync progress and details of the array:

cat /proc/mdstat
mdadm --detail /dev/md1

Create /etc/mdadm/mdadm.conf

cd /etc/mdadm
echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
mdadm --detail --scan >> mdadm.conf

Comment out the DEVICE line that was already in mdadm.conf



Encrypting the Block Devices

cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]

If you add a key file, leave out “-y”

ciphers:

Another example using twofish:

cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdXy


Unlocking the Block Devices

cryptsetup luksOpen /dev/mdX cryptname

Open with key file:

cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname

The opened volume is available as /dev/mapper/cryptname after entering the correct passphrase or if the key file is available



Create Logical Volume with Logical Volume Manager (LVM)

..read why here: https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses

for example: you can combine two RAID arrays to appear as one drive or create a swap inside the crypto container:

apt-get install lvm2

pvcreate /dev/mapper/cryptname      # repeat for every opened container you want in the group
...
vgcreate -v cryptvg /dev/mapper/cryptname

Check results:

pvscan
vgdisplay

vgdisplay shows the number of physical extents available in a volume group, e.g. “Total PE 476931”. Create the swap volume first:

lvm lvcreate cryptvg -n lvswap -L 4G

To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with “-l” (check vgdisplay):

lvcreate -l 476931 -n lvdata cryptvg

A percentage of the volume group (“-l”) or a size in M / G (“-L”) are also possible:

lvcreate -l 60%VG -n lvdata cryptvg
lvcreate -L 50000G -n lvdata cryptvg

This maps the new logical volume to the device file /dev/cryptvg/lvdata



Format the logical volume:

mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY

Optimized parameters (still testing):

mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY

Is sparse_super useful? It creates fewer backup copies of the superblock.

If you created a swap:

mkswap /dev/cryptvg/lvswap

----

Mount the logical volume:

add a line to /etc/fstab to make it persistent:

/dev/cryptvg/lvdata /crypt ext4 ikeep,noatime 0 0


Create startup and shutdown scripts:

Check http://linuxgazette.net/140/pfeiffer.html for example scripts..



Add a disc:

increase the number of hdds:

mdadm --grow /dev/md2 --raid-devices=2 

add the disc:

mdadm /dev/md2 --add /dev/sdd1

watch it sync:

for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done;

or

watch cat /proc/mdstat
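Reading /proc/mdstat by eye (as in “Check the sync progress” above and in the watch loop here) works at the console, but a cron job or monitoring check wants one line per array. The following is an added example, not from this page or the mdadm project: a POSIX sh/awk function that reduces /proc/mdstat to device, RAID level, member map, ok/DEGRADED and the resync state, plus a helper that exits 0 when any array has a missing member. The function names and the embedded sample mdstat are my own; the sample is constructed to show one healthy-but-resyncing mirror and one degraded mirror.

```shell
#!/bin/sh
# Added example: summarise /proc/mdstat into one line per array so a
# cron job or monitoring check can spot a degraded mirror or a running
# resync. Function names and the sample below are constructed by me.

# Constructed /proc/mdstat sample: md0 healthy but resyncing, md1 missing a disc.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      1953382400 blocks super 1.2 [2/2] [UU]
      [===>.................]  resync = 17.2% (336640000/1953382400) finish=178.5min speed=150949K/sec

md1 : active raid1 sdc1[0]
      488254464 blocks super 1.2 [2/1] [U_]

unused devices: <none>
EOF
}

# mdstat_report [FILE]   (defaults to /proc/mdstat)
# Prints: <device> <level> <member map> <ok|DEGRADED> <idle|resync=NN%|...>
mdstat_report() {
    awk '
    function flush() {
        if (dev == "") return
        status = (health ~ /_/) ? "DEGRADED" : "ok"
        printf "%s %s %s %s %s\n", dev, level, health, status, (progress == "" ? "idle" : progress)
    }
    # header line: "md0 : active raid1 sdb1[1] sda1[0]"
    /^md[0-9]+ :/ {
        flush(); dev = $1; health = "?"; progress = ""; level = "?"
        for (i = 3; i <= NF; i++) if ($i ~ /^(raid[0-9]+|linear|multipath)$/) { level = $i; break }
        next
    }
    # member line ends with the map, e.g. "[UU]"; "_" marks a missing member
    dev != "" && $NF ~ /^\[[U_]+\]$/ { health = $NF; next }
    # progress line: "[===>......]  resync = 17.2% (...)" or "resync=DELAYED"
    dev != "" && $2 ~ /^(resync|recovery|reshape|check)$/ { progress = $2 "=" $4; next }
    dev != "" && $2 ~ /^(resync|recovery|reshape|check)=/ { progress = $2; next }
    END { flush() }
    ' "${1:-/proc/mdstat}"
}

# mdstat_degraded [FILE]   exits 0 when at least one array has a missing member
mdstat_degraded() {
    mdstat_report "$1" | grep -q DEGRADED
}

# usage: mdstat_report                      # live system
#        mdstat_degraded && echo "RAID DEGRADED" | mail -s md root
```

Arrays without a member map line (raid0, linear) are reported with “?” as the map and never as DEGRADED, since mdstat carries no redundancy information for them; the place to look for those is `mdadm --detail`.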


TEST

Quoting http://linuxgazette.net/140/pfeiffer.html :

“Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there.”



References:

CryptFile

the only difference is using a loop-mounted file instead of a partition:

create a file full of random data, set up the loop device, luksFormat & format

dd if=/dev/urandom of=/cryptfile bs=1M count=3900    # count = size in MB
losetup /dev/loop32 /cryptfile
cryptsetup luksFormat /dev/loop32
cryptsetup luksOpen /dev/loop32 cryptfs
mkfs.ext4 -L homecrypt /dev/mapper/cryptfs

btrfs on top of luks

Create a crypto partition as described above, then format the opened crypto container:

mkfs.btrfs /dev/mapper/<cryptname>

# recommended options for rotational discs (for ssds set the 'ssd' option):
mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/<cryptname> /<mountpoint>

/dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0

* https://wiki.debian.org/Btrfs

linux/filesystems/crypto_raid.txt · Last modified: 2016/06/20 22:22 by tkilla