linux:filesystems:crypto_raid

linux:filesystems:crypto_raid [2013/08/03 16:11]
tkilla
linux:filesystems:crypto_raid [2016/06/20 22:22] (current)
tkilla [CryptFile]
Line 1: Line 1:
 ====== Crypto ====== ====== Crypto ======
 +
 +===== Abstract =====
 +sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!!
 +FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!!
 +sdXy - y is the partition you want to encrypt
 +
 +  fdisk /dev/sdX                                                                # partition the disc
 +  dd if=/dev/urandom of=/dev/sdXy                                               # write random data on the partition
 +  cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy                  # create cryptocontäner
 +  cryptsetup luksOpen /dev/sdXy cryptname                                       # Open the contäner
 +  mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # Format 
 +  mount /dev/mapper/cryptname /mnt/crypt                                        # mount the opened container
 +
 +
  
 ===== RAID ===== ===== RAID =====
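Review bot: the two lines under "===== Abstract =====" ("sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!!" and "FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!!") are noise and bury the only definition the reader needs; suggest replacing them with one sentence such as "sdX is the whole disc (sda, sdb, ...), sdXy the partition you want to encrypt". In the command comments "cryptocontäner" and "contäner" should read "container". The six-line sequence also stops at mount: /mnt/crypt has to exist before the last line runs, and the matching teardown (umount /mnt/crypt, then cryptsetup luksClose cryptname) is missing, so a reader copying the block verbatim gets a failing last step and no way back.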
Line 15: Line 29:
   badblocks -c 10240 -s -w -t random -v /dev/sdY     badblocks -c 10240 -s -w -t random -v /dev/sdY  
  
-or slower and more secure:+"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats its randomness over and over again." uups 
 + 
 + 
 +slower and more secure:
  
   dd if=/dev/urandom of=/dev/sdX   dd if=/dev/urandom of=/dev/sdX
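Review bot: the badblocks command is kept directly above the new warning not to use it, so the hunk now contradicts itself; either drop "badblocks -c 10240 -s -w -t random -v /dev/sdY" or label it explicitly as the method being warned against (it is also a destructive write test, which the line does not say). The added warning line should lose its stray leading quotation mark and the trailing "uups", which reads as a draft note. Minor: "dd if=/dev/urandom of=/dev/sdX" with no block size is far slower than it needs to be; "bs=4M status=progress" shortens the "hours or days" wait and makes progress visible.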
Line 23: Line 40:
 wait some hours or days.. wait some hours or days..
  
-FIXME some howtos suggest to run this step over the partitions, not the whole device.. unknown..+ubuntu suggests to randomize only the start of the partition: 
 + 
 +  dd if=/dev/urandom bs=1M count=8 of=/dev/sdX 
 + 
 + 
 +best practice: use some random AES ciphers - this is faster and should be secure: 
 + 
 +  openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy 
 + 
  
 ---- ----
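Review bot: "dd if=/dev/urandom bs=1M count=8 of=/dev/sdX" does not do what the sentence above it says. The text speaks of randomizing the start of the partition, but the target is the whole disc /dev/sdX, so the first 8 MiB land on the partition table written by "fdisk /dev/sdX" in the abstract; the target should be /dev/sdXy. Overwriting only the first 8 MiB also leaves the rest of the partition distinguishable from encrypted data, which is exactly the property the full urandom/openssl fill is meant to give, so "ubuntu suggests" should not be presented as an equivalent alternative. In the openssl line, "/dev/sdxy" breaks the sdXy convention used everywhere else, and "-pass pass:..." puts the key on the command line (visible in the process list); acceptable here only because this throw-away key is never needed again, which the text should say so the pattern is not reused for a key that matters.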
Line 67: Line 93:
   set 1 bios_grub on   set 1 bios_grub on
   quit   quit
 +
 +-> http://www.wensley.org.uk/gpt
  
 If you are moving a root system to this disc, continue to copy the system and install bootlaoder from a chroot, see: [[linux:filesystems:boot|]] If you are moving a root system to this disc, continue to copy the system and install bootlaoder from a chroot, see: [[linux:filesystems:boot|]]
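Review bot: the added link "-> http://www.wensley.org.uk/gpt" has no description; say what it documents (GPT partitioning with parted and the bios_grub flag, judging from the commands above it). "bootlaoder" in the last line should be "bootloader".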
Line 98: Line 126:
 **Encrypting the Block Devices** **Encrypting the Block Devices**
  
-  cryptsetup -c aes-cbc-essiv:sha256 --s 256 luksFormat /dev/mdX [/path/to/keyfile]+  cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]
  
 If you add a key file, leave out "-y" If you add a key file, leave out "-y"
 +
 +**ciphers:**
 +  * aes-cbc-essiv:sha256 is deprecated: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
 +  * aes-xts-plain64 with --key-size ( = -s) 512 <bits> and sha512 as hashing algo is a good choice
 +  * "twofish" and "serpent" are trusted as well and "Whirlpool" can be used as hashing algo
 +
 +Another example using twofish:
 +  cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy
 +
  
 ---- ----
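Review bot: the bullet "aes-xts-plain64 with --key-size ( = -s) 512 <bits> and sha512 as hashing algo" should say what the two values mean: XTS splits the 512-bit key into two 256-bit AES keys, so this is AES-256 (while --key-size 256 gives AES-128-XTS, a common surprise), and --hash selects the PBKDF2 hash used to turn the passphrase into the key-slot key, not anything applied to the data. "aes-cbc-essiv:sha256 is deprecated" overstates the linked heise article, which describes ciphertext malleability in CBC mode; the reason to prefer xts-plain64 is that it confines such manipulation to a single block, but it authenticates nothing either, so "a good choice" must not be read as integrity protection. In the twofish example "/dev/sdxy" should follow the sdXy convention, and it drops the "-y" passphrase verification that the first command uses when no key file is given.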
Line 120: Line 157:
 **Create Logical Volume with Logical Volume Manager (LVM)** **Create Logical Volume with Logical Volume Manager (LVM)**
  
-..if you like. read why, here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]+..read why, here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]
  
-for example: you can combine two RAID arrays to appear as one drive:+for example: you can combine two RAID arrays to appear as one drive or create a swap inside the crypto container:
  
 +  apt-get install lvm2
 +  
   pvcreate /dev/mapper/sharedstore    pvcreate /dev/mapper/sharedstore 
   ...   ...
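Review bot: "pvcreate /dev/mapper/sharedstore" uses a mapper name that appears nowhere else in the page (the abstract opens the container as "cryptname"); the examples should carry one name end to end. "..read why, here:" should be a sentence ("Read why here:"), and "apt-get install lvm2" should be marked as the Debian/Ubuntu step it is.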
Line 132: Line 171:
   vgdisplay   vgdisplay
  
-vgdisplay shows you the number of physical extents available in a volume group, e.g.: "Total PE  476931"To use the complete volume group cryptvg for logical volume, we tell lvcreate the number of extents to use. +vgdisplay shows the number of physical extents available in a volume group, e.g.: "Total PE  476931" 
 +Create swap first 
 +  lvm lvcreate cryptvg -n swap -L 4G
  
-  lvcreate -l 476931 -n cryptvg cryptvg+To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with "-l" (check vgdisplay):
  
-This maps the new logical to device file: /dev/backup/cryptvg+  lvcreate -l 476931 -n lvdata cryptvg 
 + 
 +Percentage or M / G are also possible: 
 +  lvcreate -l 60%VG -n lvdata cryptvg 
 +  lvcreate -l 50000G -n lvdata cryptvg 
 +   
 +This maps the new logical to device file: /dev/cryptvg/lvdata
  
 ---- ----
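Review bot: the lvcreate sequence in this hunk cannot be run in the order shown. "lvm lvcreate cryptvg -n swap -L 4G" takes 4 GiB out of the group first, so the following "lvcreate -l 476931 -n lvdata cryptvg" (the full "Total PE" count) fails with insufficient free extents; use the "Free PE" figure from vgdisplay or simply "-l 100%FREE". "lvcreate -l 50000G -n lvdata cryptvg" mixes the flags: "-l" takes an extent count or a percentage, sizes in M/G need "-L". The swap volume is created as "swap" here but referred to as "lvswap" later in the page, so pick one name.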
Line 143: Line 190:
 **Format the volume group:** **Format the volume group:**
  
-  mkfs.ext4 -L cryptvg /dev/cryptvg/cryptvg+  mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY
  
-FIXME optimize parameters, testing: +Optimized parameters, testing: 
-  mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super -L tresor /dev/tresorvg/tresor+  mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY
  
 +sparse_super  useful? creates fewer backups of superblock
 +
 +If you created a swap:
 +  mkswap /dev/cryptvg/lvswap
 +  
 ---- ----
 \\ \\
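Review bot: "mkswap /dev/cryptvg/lvswap" refers to a volume that the lvcreate step above names "swap", and "mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY" uses yet another placeholder while the fstab line uses lvdata; align the names. On the "Optimized parameters" line, "-j", "dir_index" and "filetype" are already mke2fs defaults for ext4, and "sparse_super" (the open question below it) is enabled by default as well, so the only effective change is "-m 1" (reserve 1% for root instead of 5%); say that instead of presenting the flags as tuning.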
Line 155: Line 207:
 add a line to /etc/fstab to make it persistent: add a line to /etc/fstab to make it persistent:
  
-  /dev/backup/cryptvg /crypt xfs ikeep,noatime 0 0 +  /dev/cryptvg/lvdata /crypt ext4 ikeep,noatime 0 0 
-  +
 ---- ----
 \\ \\
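Review bot: the new fstab line "/dev/cryptvg/lvdata /crypt ext4 ikeep,noatime 0 0" carries "ikeep" over from the old xfs line, but ikeep is an XFS-only mount option and ext4 will refuse to mount with it; the options should be just "noatime". Because /dev/cryptvg/lvdata only exists once the LUKS container is open and the volume group is activated, the line also needs either the matching crypttab entry or "noauto"/"nofail" explained, otherwise boot waits for, and then fails on, a device that never appears.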
Line 192: Line 244:
 ---- ----
 \\ \\
 +
 **References:** **References:**
   * http://linuxgazette.net/140/pfeiffer.html   * http://linuxgazette.net/140/pfeiffer.html
   * http://www.saout.de/tikiwiki/tiki-index.php   * http://www.saout.de/tikiwiki/tiki-index.php
-  * +  * https://thesimplecomputer.info/full-disk-encryption-with-ubuntu 
 + 
  
  
Line 204: Line 259:
 create a file full of random data, setup loop device, luksFormat & format create a file full of random data, setup loop device, luksFormat & format
                                                                              
-  dd if=/dev/urandom of=testfile bs=1M count=3900    #=MB +  dd if=/dev/urandom of=/cryptfile bs=1M count=3900    #=MB 
-  losetup /dev/loop32 cryptfile+  losetup /dev/loop32 /cryptfile
   cryptsetup luksFormat /dev/loop32   cryptsetup luksFormat /dev/loop32
   cryptsetup luksOpen /dev/loop32 cryptfs   cryptsetup luksOpen /dev/loop32 cryptfs
   mkfs.ext4 -L homecrypt /dev/mapper/cryptfs   mkfs.ext4 -L homecrypt /dev/mapper/cryptfs
  
 +
 +
 +===== btrfs on top of luks =====
 +
 +Create a crypto partition as described above, then format the opened crypto container filesystem:
 +
 +  mkfs.btrfs /dev/mapper/<cryptname>
 +  
 +  # recommended options for rotational discs (for ssds set 'sdd' option):
 +  mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/<cryptname> /<mountpoint>
 +
 +
 +===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive =====
 +
 +
 +/dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0
 +
 +
 +* https://wiki.debian.org/Btrfs
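Review bot: "for ssds set 'sdd' option" should read "ssd", and "noauto" in "mount -o noatime,compress=lzo,noauto,autodefrag" is an fstab-only option that does nothing on a manual mount, so drop it from the command (it belongs in an fstab line, where the pendrive example below uses x-systemd.device-timeout=0 instead). In the CryptFile steps, "losetup /dev/loop32 /cryptfile" hardcodes a loop device that may not exist; "losetup --find --show /cryptfile" picks a free one and prints it. The container file should be created with restrictive permissions (umask 077, or chmod 600 /cryptfile before luksFormat), and "cryptsetup luksFormat /dev/loop32" omits the cipher, key-size and hash flags the page recommends further up, so it silently takes whatever the installed cryptsetup defaults to.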
linux/filesystems/crypto_raid.1375539066.txt.gz · Last modified: 2013/08/03 16:11 by tkilla