====== Crypto ======

===== Abstract =====

sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!! FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!!

sdXy - y is the partition you want to encrypt

<code bash>
fdisk /dev/sdX                                                  # partition the disc
dd if=/dev/urandom of=/dev/sdXy                                 # write random data on the partition
cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy    # create the crypto container
cryptsetup luksOpen /dev/sdXy cryptname                         # open the container
mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # format
mount /dev/mapper/cryptname /mnt/crypt                          # mount the opened container
</code>

===== RAID =====

**How to create a RAID array with LUKS encryption, the mdadm RAID tools and LVM2**

Tested on Debian squeeze.

**Replace sdX and sdY with the hdd devices of your choice - choose carefully!**

Run a **badblocks** check or use **dd** to overwrite all data with random bit patterns:

<code bash>
badblocks -c 10240 -s -w -t random -v /dev/sdX
badblocks -c 10240 -s -w -t random -v /dev/sdY
</code>

"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats its randomness over and over again." oops

Slower and more secure:

<code bash>
dd if=/dev/urandom of=/dev/sdX
dd if=/dev/urandom of=/dev/sdY
</code>

Wait some hours or days..

Ubuntu suggests randomizing only the start of the partition:

<code bash>
dd if=/dev/urandom bs=1M count=8 of=/dev/sdX
</code>

Best practice: fill the device with the AES-CTR encryption of /dev/zero under a key drawn from /dev/urandom - this is faster than reading /dev/urandom directly and should be secure:

<code bash>
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdXy
</code>

----

**Create partitions** on //two// devices:

  * mark them with the type code **FD** (Linux RAID autodetect)
  * all partitions should be of the same size!

<code bash>
fdisk /dev/sdX
..
fdisk /dev/sdY
</code>

**Partition table limit -> GPT**

You cannot create a Linux partition larger than 2 TB using the fdisk command. A GPT partition table is required; it can be created with parted: http://www.cyberciti.biz/tips/fdisk-unable-to-create-partition-greater-2tb.html

Check if the kernel supports EFI (replace the version with that of your current kernel, see uname -a):

<code bash>
cat /boot/config-2.6.26-2-686 | grep EFI
</code>

Create the GPT partition table inside parted:

<code>
mklabel gpt
mkpart non-fs 0 2
mkpart ext3 2 130
mkpart ... raid system...
</code>

The first partition is a fake MBR, the second is the /boot partition.

<code bash>
gptsync /dev/sdX    # gptsync sets up the MBR to point to the fake partition
</code>

FIXME true?: Set the type of the 2nd partition (/boot) to 'da' in fdisk. After fixing the partition types with fdisk, start parted to set the mode of the 1st partition to bios_grub. After this, the partition table is protected and fdisk cannot read it anymore.

<code bash>
parted /dev/sdX
set 1 bios_grub on
quit
</code>

-> http://www.wensley.org.uk/gpt

If you are moving a root system to this disc, continue by copying the system and installing the bootloader from a chroot, see: [[linux:filesystems:boot|]]

----

**Create the RAID array:**

<code bash>
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdX1 /dev/sdY1
</code>

This creates a RAID 1. Choose a free device number for X in /dev/mdX. The device will be created and synchronization of the blocks starts.
Check the sync progress and the details of the array:

<code bash>
cat /proc/mdstat
mdadm --detail /dev/md1
</code>

**Create /etc/mdadm/mdadm.conf**

<code bash>
cd /etc/mdadm
echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
mdadm --detail --scan >> mdadm.conf
</code>

Comment the original DEVICE line out.

----

**Encrypting the Block Devices**

<code bash>
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]
</code>

If you add a key file, leave out "-y".

**Ciphers:**

  * aes-cbc-essiv:sha256 is deprecated: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
  * aes-xts-plain64 with --key-size (= -s) 512 and sha512 as hashing algorithm is a good choice
  * "twofish" and "serpent" are trusted as well, and "whirlpool" can be used as hashing algorithm

Another example using twofish:

<code bash>
cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdXy
</code>

----

**Unlocking the Block Devices**

<code bash>
cryptsetup luksOpen /dev/mdX cryptname
</code>

Open with a key file:

<code bash>
cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname
</code>

The opened volume is available as /dev/mapper/cryptname after entering the correct passphrase or if the key file is available.

----

**Create a Logical Volume with the Logical Volume Manager (LVM)**

..read why here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]

For example: you can combine two RAID arrays to appear as one drive, or create a swap inside the crypto container:

<code bash>
apt-get install lvm2
pvcreate /dev/mapper/cryptname ...          # one or more opened containers
vgcreate -v cryptvg /dev/mapper/cryptname
</code>

Check the results:

<code bash>
pvscan
vgdisplay
</code>

vgdisplay shows the number of physical extents available in a volume group, e.g.: "Total PE 476931".
Create a swap first:

<code bash>
lvm lvcreate cryptvg -n swap -L 4G
</code>

To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with "-l" (check vgdisplay):

<code bash>
lvcreate -l 476931 -n lvdata cryptvg
</code>

A percentage of the volume group (with -l) or an absolute size in M / G (with -L) is also possible:

<code bash>
lvcreate -l 60%VG -n lvdata cryptvg
lvcreate -L 50000G -n lvdata cryptvg
</code>

This maps the new logical volume to the device file /dev/cryptvg/lvdata.

----

**Format the volume group:**

<code bash>
mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY
</code>

Optimized parameters, testing:

<code bash>
mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY
</code>

sparse_super useful? It creates fewer backups of the superblock.

If you created a swap:

<code bash>
mkswap /dev/cryptvg/swap
</code>

----

**Mount the volume group:**

Add a line to /etc/fstab to make it persistent (ikeep is an XFS-only option and is not accepted by ext4):

<code>
/dev/cryptvg/lvdata  /crypt  ext4  noatime  0 0
</code>

----

**Create startup and shutdown scripts:**

Check http://linuxgazette.net/140/pfeiffer.html for example scripts..

----

**Add a disc:**

Increase the number of hdds:

<code bash>
mdadm --grow /dev/md2 --raid-devices=2
</code>

Add the disc:

<code bash>
mdadm /dev/md2 --add /dev/sdd1
</code>

Watch it sync:

<code bash>
for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done
</code>

or

<code bash>
watch cat /proc/mdstat
</code>

----

**TEST**

Quoting http://linuxgazette.net/140/pfeiffer.html :

"Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there."
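The disk-failure test above, like the "watch it sync" loop, ends in /proc/mdstat: when a member drops out the array line changes from "[2/2] [UU]" to "[2/1] [U_]", and a rebuild shows a "recovery = ..%" line. The following Python script is an added example, not code from the original page: it parses a constructed mdstat sample and reports which arrays are degraded and how far a resync has progressed, so the check can be scripted instead of eyeballed; on a real system pass it open("/proc/mdstat").read().

```python
import re

# Constructed /proc/mdstat sample (not captured from a real system): md0 is
# a healthy mirror, md1 has lost one member and is rebuilding onto a spare.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      976630464 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sdc1[2] sda2[0]
      1953382400 blocks super 1.2 [2/1] [U_]
      [=====>...............]  recovery = 27.4% (535678912/1953382400) finish=123.4min speed=190000K/sec

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(raid\d+)")
# "[2/1] [U_]": members configured / members up, then one U or _ per slot
STATE_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")
RESYNC_RE = re.compile(r"(resync|recovery|reshape)\s*=\s*([\d.]+)%")


def parse_mdstat(text):
    """Map each mdN to its level, member counts, degraded flag and progress."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = m.group(1)
            arrays[current] = {"state": m.group(2), "level": m.group(3),
                               "degraded": False, "progress": None}
            continue
        if current is None:
            continue
        m = STATE_RE.search(line)
        if m:
            wanted, up, slots = int(m.group(1)), int(m.group(2)), m.group(3)
            arrays[current].update(members=wanted, members_up=up,
                                   degraded=(up < wanted or "_" in slots))
        m = RESYNC_RE.search(line)
        if m:
            arrays[current]["progress"] = float(m.group(2))
    return arrays


def degraded_arrays(text):
    """Names of arrays that are missing a member, sorted for stable output."""
    return sorted(n for n, a in parse_mdstat(text).items() if a["degraded"])
```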
----

**References:**

  * http://linuxgazette.net/140/pfeiffer.html
  * http://www.saout.de/tikiwiki/tiki-index.php
  * https://thesimplecomputer.info/full-disk-encryption-with-ubuntu

===== CryptFile =====

The only difference is to use a loop-mounted file instead of a partition: create a file full of random data, set up a loop device, luksFormat & format.

<code bash>
dd if=/dev/urandom of=/cryptfile bs=1M count=3900    # count = size in MB
losetup /dev/loop32 /cryptfile
cryptsetup luksFormat /dev/loop32
cryptsetup luksOpen /dev/loop32 cryptfs
mkfs.ext4 -L homecrypt /dev/mapper/cryptfs
</code>

===== btrfs on top of luks =====

Create a crypto partition as described above, then format the opened crypto container:

<code bash>
mkfs.btrfs /dev/mapper/cryptname
# recommended options for rotational discs (for SSDs set the 'ssd' option):
mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/cryptname /
</code>

===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive =====

<code>
/dev/sdaX  /  btrfs  x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag  0 0
</code>

  * https://wiki.debian.org/Btrfs
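Whichever container you built above (the RAID device, the loop file or the btrfs-backed one), "cryptsetup luksDump" on it prints the cipher, mode, key size and hash the header was created with. The following Python script is an added example, not code from the original page: it parses two constructed LUKS1-style luksDump samples and reports where a header deviates from the cipher advice in the RAID section (no cbc-essiv, XTS with a 512-bit key, sha512 or whirlpool as hash), which is a quick way to audit old containers before trusting them.

```python
import re

# Constructed LUKS1-style "cryptsetup luksDump" output (not captured from a
# real device). The first header uses the deprecated CBC-ESSIV mode the page
# warns about; the second uses the recommended XTS / 512-bit / sha512 setup.
DUMP_CBC = """\
LUKS header information for /dev/sdXy

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256
"""

DUMP_XTS = """\
LUKS header information for /dev/md1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
MK bits:        512
"""

FIELD_RE = re.compile(r"^(Version|Cipher name|Cipher mode|Hash spec|MK bits):\s*(\S+)", re.M)
RECOMMENDED_CIPHERS = {"aes", "twofish", "serpent"}   # trusted per the page
RECOMMENDED_HASHES = {"sha512", "whirlpool"}          # hashes the page suggests


def parse_luks_header(dump):
    """Pick the header fields the audit needs out of luksDump text."""
    return dict(FIELD_RE.findall(dump))


def audit_luks_header(dump):
    """Return findings where the header deviates from the page's advice."""
    h = parse_luks_header(dump)
    mode = h.get("Cipher mode", "")
    findings = []
    if mode.startswith("cbc-essiv"):
        findings.append("cipher mode %s is deprecated, use xts-plain64" % mode)
    if h.get("Cipher name") not in RECOMMENDED_CIPHERS:
        findings.append("cipher %s is not aes, twofish or serpent" % h.get("Cipher name"))
    if mode.startswith("xts") and int(h.get("MK bits", 0)) < 512:
        findings.append("XTS master key is %s bits, 512 recommended" % h["MK bits"])
    if h.get("Hash spec") not in RECOMMENDED_HASHES:
        findings.append("hash %s is not sha512 or whirlpool" % h.get("Hash spec"))
    return findings
```

An empty list means the header matches the page's recommendations; on a real system feed the function the output of "cryptsetup luksDump /dev/mdX".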