
Wednesday, May 8, 2013

Multiple Encrypted Disks with Linux

This is a follow-up to the parent guide, Full Disk Encryption with Linux. If you have not yet read it, you are advised to do so before continuing with this one.

Encrypting your entire hard drive is great. But what if you, like me, have more than one hard drive in your computer? One thing that is not great is having to enter multiple passwords on each boot. Well, you don't have to.

The magic word here is Key File. It is a small file containing some random bytes which can be used as a key to unlock an encrypted volume without typing a password. And if you are a person that sucks at coming up with great passwords, it will in most cases be more secure than any password you would assign to the encryption. The insecure part is how you store it.

In this guide, we will store this key on our primary encrypted hard drive. It will not be accessible until the first drive has been unlocked. We can then use it to unlock any additional drives that you may have attached to your computer, and get away with only having to type in one single password to unlock multiple drives.


Preparing the hard drive


You can skip this step if you already have an additional and fully encrypted hard drive, and just want to know how to assign a key to it.

Otherwise, let's wipe your drive.

shred -v /dev/sd<Y>

Remember to change Y to the letter matching your additional drive.

Now let's set up this drive. We will just create one single encrypted container on it which will hold everything. Also, we will not be using LVM in this guide, as we do not need things like swap or an OS on it; we have those on the primary disk.

cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sd<Y>

We will also need it unlocked in order to use it.

cryptsetup luksOpen /dev/sd<Y> <Enc_Name_Add>

And last, creating a new file system inside the encryption.

mkfs.ext4 -L Additional /dev/mapper/<Enc_Name_Add>

You can use whatever file system or label that you wish.


Creating the key


dd if=/dev/urandom of=/root/encryption.key bs=4096 count=1
chmod 0440 /root/encryption.key

Now we have a 4096-byte key that is only readable by root, which means that it is quite secure even on a booted system.


Assigning the key


In order to use this key, we need to assign it to the encryption.

cryptsetup luksAddKey /dev/sd<Y> /root/encryption.key

Now the encryption can be unlocked by both the assigned password and this key.


Adding the encryption to crypttab


We will also need to add the encrypted volume and its key to crypttab so that the boot process knows how to unlock it. Open /etc/crypttab with a text editor and add the line below.

<Enc_Name_Add> /dev/sd<Y> /root/encryption.key luks


Adding the unlocked partition to fstab


If you would like the partition to be mounted during boot, you will need to add it to fstab. Open the file /etc/fstab and add the line below.

/dev/mapper/<Enc_Name_Add> /media/additional ext4 defaults 0 2


Update grub and boot loader


Now we just need to rebuild the initramfs image, reboot, and we are done.

update-grub
update-initramfs -u

You can redo this guide for as many disks as you like.
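As an added example (not code from the original post), here is a small POSIX shell helper that wraps the per-disk steps above: it refuses a key file that other users can read, then prints the crypttab and fstab lines for one more disk, or, when run as root with DO_IT=1, runs luksAddKey and appends the lines to the real files. The DO_IT variable and the names enc_add and /dev/sdb in the usage comment are assumptions for illustration; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added helper, not from the original post. Wraps the per-disk steps above.
# Assumes GNU stat (Linux); the DO_IT variable and the names in the usage
# comment are made up for this example.

# keyfile_ok FILE: accept only a regular file of at least 32 bytes whose mode
# gives no permission at all to "other" (0400/0440 pass, 0644 fails).
keyfile_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case $mode in
        *0) ;;                      # last octal digit is the "other" set
        *) echo "key file $f is readable by others (mode $mode)" >&2; return 1 ;;
    esac
    size=$(stat -c '%s' "$f") || return 1
    [ "$size" -ge 32 ] || { echo "key file $f too short ($size bytes)" >&2; return 1; }
    return 0
}

# crypttab_line NAME DEVICE KEYFILE: the /etc/crypttab entry from the post.
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT [FSTYPE]: the /etc/fstab entry from the post.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext4}"
}

# add_disk NAME DEVICE KEYFILE MOUNTPOINT: check the key, then either print
# the two config lines (dry run, the default) or, with DO_IT=1 as root, add
# the key to the LUKS header and append the lines to the real config files.
add_disk() {
    keyfile_ok "$3" || return 1
    if [ "${DO_IT:-0}" = "1" ]; then
        cryptsetup luksAddKey "$2" "$3" || return 1
        crypttab_line "$1" "$2" "$3" >> /etc/crypttab
        fstab_line "$1" "$4" >> /etc/fstab
    else
        crypttab_line "$1" "$2" "$3"
        fstab_line "$1" "$4"
    fi
}

# Dry run: add_disk enc_add /dev/sdb /root/encryption.key /media/additional
```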
