linux:filesystems:crypto_raid [2012/02/26 11:05] tkilla
linux:filesystems:crypto_raid [2016/06/20 22:22] (current) tkilla [CryptFile]
Line 1: | Line 1: | ||
- | ====== Crypto | + | ====== Crypto ====== |
+ | |||
+ | ===== Abstract ===== | ||
+ | sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!! | ||
+ | FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!! | ||
+ | sdXy - y is the partition you want to encrypt | ||
+ | |||
+ | fdisk / | ||
+ | dd if=/ | ||
+ | cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat / | ||
+ | cryptsetup luksOpen /dev/sdXy cryptname | ||
+ | mkfs.ext4 -j -m 1 -O dir_index, | ||
+ | mount / | ||
+ | |||
+ | |||
+ | |||
+ | ===== RAID ===== | ||
**howto create a RAID array with LUKS encryption, madm RAID tools and LVM2** | **howto create a RAID array with LUKS encryption, madm RAID tools and LVM2** | ||
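Review bot: the Abstract lists `luksFormat` on sdXy without saying that it irreversibly overwrites whatever is on that partition, and the `dd if=/…` line before it is left unexplained; state that the dd pass wipes the partition so that old plaintext is gone and free space cannot be told apart from ciphertext, and that `-s 512` with `aes-xts-plain64` means two 256-bit keys (AES-256), the intended strength rather than a doubling. The joke lines about `sdX` ("all together we cry", "CHECK YOUR BRAIN") could be reduced to the one sentence that matters: confirm the device name before running anything destructive.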
Line 13: | Line 29: | ||
badblocks -c 10240 -s -w -t random -v / | badblocks -c 10240 -s -w -t random -v / | ||
- | or slower and more secure: | + | " |
+ | |||
+ | |||
+ | slower and more secure: | ||
dd if=/ | dd if=/ | ||
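Review bot: `badblocks -w` is a destructive write test that overwrites the whole device, which the hunk does not say; add that to the text, and say what "more secure" means for the `dd if=/…` alternative: the `-t random` pattern of badblocks comes from a plain PRNG, so against a capable adversary it is not a substitute for filling the device with output that is indistinguishable from ciphertext. The stray `"` left where "or slower and more secure:" was removed looks like an editing leftover and should go.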
Line 21: | Line 40: | ||
wait some hours or days.. | wait some hours or days.. | ||
- | FIXME some howtos suggest | + | ubuntu suggests |
+ | |||
+ | dd if=/ | ||
+ | |||
+ | |||
+ | best practice: use some random AES ciphers - this is faster and should be secure: | ||
+ | |||
+ | openssl enc -aes-256-ctr -pass pass:" | ||
+ | |||
---- | ---- | ||
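Review bot: `openssl enc -aes-256-ctr -pass pass:"…"` puts the key material on the command line, where it shows up in `ps` output and in the shell history; since the key is throwaway, generate it fresh from /dev/urandom and pass it with `-pass file:…` instead of `pass:`. The wording "use some random AES ciphers" should read "AES in CTR mode with a random key": it is one cipher keyed randomly, and it is adequate here because a CTR keystream under an unknown key cannot be distinguished from random data, which is all the wipe needs. The "ubuntu suggests" dd line has lost its target in this version, so it cannot be checked.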
Line 34: | Line 62: | ||
fdisk /dev/sdY | fdisk /dev/sdY | ||
+ | **Partition table limit! -> GPT** | ||
+ | |||
+ | You cannot create a Linux partition larger than 2 TB using the fdisk command | ||
+ | An GPT partition table is required, it can be created with | ||
+ | parted | ||
+ | |||
+ | http:// | ||
+ | |||
+ | Check if the kernel supports EFI | ||
+ | |||
+ | cat / | ||
+ | |||
+ | Replace version by with current kernel (uname -a) | ||
+ | |||
+ | Create GPT partition table: | ||
+ | mklabel gpt | ||
+ | mkpart non-fs 0 2 | ||
+ | mkpart ext3 2 130 | ||
+ | mkpart ... raid system... | ||
+ | | ||
+ | The first partition is a fake MBR, the 2. is the / | ||
+ | |||
+ | gptsync /dev/sdX # gptsync sets up the MBR to point to the fake partition | ||
+ | |||
+ | FIXME true?: Set type of 2. partition /boot/ to ' | ||
+ | |||
+ | After fixing partition types with fdisk, start parted to set mode of 1. to bios_grub. After this, the partition table is protected and fdisc cannot read it anymore. | ||
+ | |||
+ | parted /dev/sdX | ||
+ | set 1 bios_grub on | ||
+ | quit | ||
+ | |||
+ | -> http:// | ||
+ | |||
+ | If you are moving a root system to this disc, continue to copy the system and install bootlaoder from a chroot, see: [[linux: | ||
---- | ---- | ||
\\ | \\ | ||
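Review bot: the 2 TB limit is a property of the MBR partition table, not of the fdisk program (current util-linux fdisk can write GPT), so "You cannot create a Linux partition larger than 2 TB using the fdisk command" should say MBR. The `gptsync` step creates a hybrid MBR, which leaves two partition tables on the disk that can drift apart; say that it is only needed for a BIOS boot loader and that after `set 1 bios_grub on` only parted (or gdisk) should be used on that disk, which the text already hints at with "fdisc cannot read it anymore". The "FIXME true?" about the /boot partition type is still unresolved and should be verified or dropped. Typos: "An GPT", "fdisc", "bootlaoder".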
Line 48: | Line 111: | ||
cat / | cat / | ||
mdadm --detail /dev/md1 | mdadm --detail /dev/md1 | ||
+ | |||
+ | |||
+ | **Create / | ||
+ | |||
+ | cd /etc/mdadm | ||
+ | echo ' | ||
+ | mdadm --detail --scan >> mdadm.conf | ||
+ | |||
+ | Comment original DEVICE line out | ||
---- | ---- | ||
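Review bot: `mdadm --detail --scan >> mdadm.conf` appends, so running the recipe twice leaves duplicate ARRAY lines; check with `grep ARRAY mdadm.conf` first or write the output to a fresh file. Also missing: after editing mdadm.conf the initramfs has to be rebuilt (`update-initramfs -u` on the Debian/Ubuntu systems this page targets), otherwise the array is assembled with the old configuration at boot and the LUKS container on top of it may not be found.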
Line 54: | Line 126: | ||
**Encrypting the Block Devices** | **Encrypting the Block Devices** | ||
- | cryptsetup -c aes-cbc-essiv: | + | cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/ |
+ | |||
+ | If you add a key file, leave out " | ||
+ | |||
+ | **ciphers: | ||
+ | * aes-cbc-essiv: | ||
+ | * aes-xts-plain64 with --key-size ( = -s) 512 < | ||
+ | * " | ||
+ | |||
+ | Another example using twofish: | ||
+ | cryptsetup | ||
---- | ---- | ||
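Review bot: "If you add a key file, leave out …" does not say how the key file is created or protected; add that it should be generated from /dev/urandom, kept root-owned with mode 0400 on a medium separate from the encrypted disks, and that with a key file the `-y` passphrase verification no longer applies. After `luksFormat` the result should be checked with `cryptsetup luksDump /dev/mdX` (cipher, key size, hash) and a header backup taken with `cryptsetup luksHeaderBackup --header-backup-file …`, since a damaged header makes the whole array unrecoverable regardless of the key. The ciphers list should say why `aes-cbc-essiv` is still listed: it is the legacy mode, and `aes-xts-plain64` is the one to use for new volumes.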
Line 63: | Line 146: | ||
cryptsetup luksOpen /dev/mdX cryptname | cryptsetup luksOpen /dev/mdX cryptname | ||
- | the opened volume is available in / | + | Open with key file: |
+ | |||
+ | cryptsetup --key-file / | ||
+ | |||
+ | The opened volume is available in / | ||
---- | ---- | ||
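Review bot: `cryptsetup --key-file /… luksOpen …` reads the whole file as the key, including any trailing newline, so a key file written with a text editor differs from the same bytes produced by dd; say that the key file must be created with dd or head from /dev/urandom and never opened in an editor. The path after `--key-file` is cut off in this version and should be restored.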
Line 70: | Line 157: | ||
**Create Logical Volume with Logical Volume Manager (LVM)** | **Create Logical Volume with Logical Volume Manager (LVM)** | ||
- | ..if you like. read why, here: [[https:// | + | ..read why, here: [[https:// |
- | for example: you can combine two RAID arrays to appear as one drive: | + | for example: you can combine two RAID arrays to appear as one drive or create a swap inside the crypto container: |
+ | apt-get install lvm2 | ||
+ | | ||
pvcreate / | pvcreate / | ||
... | ... | ||
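Review bot: "create a swap inside the crypto container" should carry its reason: swap on a plain partition can write pages holding keys and plaintext to disk unencrypted, so swap must live on an LV inside the opened LUKS device (or get its own encrypted mapping); add also that suspend-to-disk then needs the initramfs to unlock the container before resume. The "..read why, here:" link target is missing in this version.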
Line 82: | Line 171: | ||
vgdisplay | vgdisplay | ||
- | vgdisplay shows you the number of physical extents available in a volume group, e.g.: "Total PE 476931" | + | vgdisplay shows the number of physical extents available in a volume group, e.g.: "Total PE 476931" |
+ | Create | ||
+ | lvm lvcreate | ||
- | | + | To use the complete volume group cryptvg for a logical volume, we tell lvcreate |
- | This maps the new logical to device file: /dev/backup/cryptvg | + | lvcreate -l 476931 -n lvdata cryptvg |
+ | |||
+ | Percentage or M / G are also possible: | ||
+ | lvcreate -l 60%VG -n lvdata cryptvg | ||
+ | lvcreate -l 50000G -n lvdata cryptvg | ||
+ | |||
+ | This maps the new logical to device file: / | ||
---- | ---- | ||
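Review bot: `lvcreate -l 50000G -n lvdata cryptvg` is wrong: lowercase `-l` takes a number of extents or a percentage (`-l 476931`, `-l 60%VG`), while sizes with a unit need uppercase `-L`, so this should be `lvcreate -L 50000G -n lvdata cryptvg`. The bare `lvm lvcreate` line and the "Create" fragment look unfinished, and "This maps the new logical to device file" is missing the word "volume".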
Line 93: | Line 190: | ||
**Format the volume group:** | **Format the volume group:** | ||
- | mkfs.ext4 -L cryptvg / | + | mkfs.ext4 -L cryptvg / |
- | FIXME optimize | + | Optimized |
- | mkfs.ext4 -j -m 1 -O dir_index, | + | mkfs.ext4 -j -m 1 -O dir_index, |
+ | sparse_super | ||
+ | |||
+ | If you created a swap: | ||
+ | mkswap / | ||
+ | | ||
---- | ---- | ||
\\ | \\ | ||
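Review bot: in the "Optimized" `mkfs.ext4 -j -m 1 -O dir_index,…sparse_super` line, `-j` and the `dir_index`/`sparse_super` features are already the ext4 defaults from mke2fs.conf, so the only effective change over the plain `mkfs.ext4 -L cryptvg` form is `-m 1`; say so, and note that lowering the reserved blocks to 1% is fine for a data volume but not for the root filesystem, where the reserve keeps root able to work when the disk fills. `mkswap /…` has lost its target.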
Line 105: | Line 207: | ||
add a line to /etc/fstab to make it persistent: | add a line to /etc/fstab to make it persistent: | ||
- | /dev/backup/cryptvg / | + | / |
- | + | ||
---- | ---- | ||
\\ | \\ | ||
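Review bot: the fstab line alone will not mount at boot: the LUKS mapping has to be opened first, so add the matching `/etc/crypttab` entry (or say that the volume is opened by hand before `mount -a`), otherwise boot waits on a device that never appears. The replacement line is cut to `/` in this version.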
Line 128: | Line 230: | ||
watch it sync: | watch it sync: | ||
for i in {1..1000}; do cat / | for i in {1..1000}; do cat / | ||
+ | or | ||
+ | watch cat / | ||
---- | ---- | ||
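Review bot: the `for i in {1..1000}; do cat /…` loop and `watch cat /…` do the same job; keep `watch` (it redraws every 2 s by default) and drop the loop.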
Line 140: | Line 244: | ||
---- | ---- | ||
\\ | \\ | ||
+ | |||
**References: | **References: | ||
* http:// | * http:// | ||
* http:// | * http:// | ||
- | * | + | * https:// |
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== CryptFile ===== | ||
+ | |||
+ | the only difference is to use a loop mounted file instead of a partition: | ||
+ | |||
+ | create a file full of random data, setup loop device, luksFormat & format | ||
+ | |||
+ | dd if=/ | ||
+ | losetup /dev/loop32 / | ||
+ | cryptsetup luksFormat / | ||
+ | cryptsetup luksOpen /dev/loop32 cryptfs | ||
+ | mkfs.ext4 -L homecrypt / | ||
+ | |||
+ | |||
+ | |||
+ | ===== btrfs on top of luks ===== | ||
+ | |||
+ | Create a crypto partition as described above, then format the opened crypto container filesystem: | ||
+ | |||
+ | mkfs.btrfs / | ||
+ | |||
+ | # recommended options for rotational discs (for ssds set ' | ||
+ | mount -o noatime, | ||
+ | |||
+ | |||
+ | ===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive ===== | ||
+ | |||
+ | |||
+ | /dev/sdaX / btrfs x-systemd.device-timeout=0, | ||
+ | * https:// |
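Review bot: `losetup /dev/loop32 /…` hard-codes a loop device that may already be in use; use `losetup -f --show <file>` to get a free one, and keep the container file root-owned with restrictive permissions so other users cannot delete or replace it (the ciphertext protects confidentiality, not availability). Recent cryptsetup can run `luksFormat`/`luksOpen` on a regular file directly and sets up the loop device itself, which removes the step. The "Recommended options for installing on a pendrive…" heading is followed only by an fstab line and a link with no explanation of what `x-systemd.device-timeout=0` is for, and the `mkfs.btrfs /…` and `mount -o noatime,…` lines are cut off.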