# [cryptsetup(8)][man-cryptsetup8]
```text
cryptsetup <action> [opts] <action args>

action:
    open <dev> <name> --type <type>    Open (decrypt) <dev> and map with <name>.
                                       Mapped as /dev/mapper/<name>.
                                       Type: {luks,plain,tcrypt,bitlk}
    close <name>                       Close existing mapping <name>.
    status <name>                      Print status for mapping <name>.
    luksFormat <dev>                   Create new LUKS partition and set initial passphrase.
                                       (Keyslot 0)
    luksAddKey <dev>                   Add a new passphrase.
    luksRemoveKey <dev>                Remove existing passphrase.
    luksChangeKey <dev>                Change existing passphrase.
    luksDump <dev>                     Dump LUKS header for device.
```
## Example: Create `LUKS` encrypted disk.
For this example we use a file as backing storage and set it up as a
[loop(4)][man-loop4] device. The loop device can be replaced by any block
device file.
> Optional: Overwrite existing data on disk.\
> `sudo dd if=/dev/urandom of=/dev/sdX bs=1M`
First create the backing file and set up the loop device.
```sh
# Create 100MB file.
dd if=/dev/zero of=blkfile bs=1M count=100
# Attach file to first free (-f) loop device
sudo losetup -f ./blkfile
# List loop devices.
sudo losetup -l
# NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE DIO LOG-SEC
# /dev/loop0 0 0 0 0 /home/johannst/blkfile 0 512
```
Create a new LUKS partition and format it with a new filesystem.
```sh
# Initialize LUKS partition and set initial passphrase.
sudo cryptsetup luksFormat /dev/loop0
file blkfile
# blkfile: LUKS encrypted file, ver 2 [, , sha256] UUID: 8...
# Open (decrypt) the LUKS device, it will be mapped under /dev/mapper/loop0.
sudo cryptsetup open --type luks /dev/loop0 loop0
# Format partition with new filesystem.
sudo mkfs.vfat /dev/mapper/loop0
lsblk -f
# NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
# loop0 crypto_LU 2 8...
# └─loop0 vfat FAT16 D... 83.8M 0% /home/johannst/mnt
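# Close the LUKS mapping. Data on disk stays encrypted, the decrypted view
# under /dev/mapper is removed and the key is wiped from kernel memory.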
sudo cryptsetup close loop0
```
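The LUKS header itself is not encrypted, which is why `file blkfile` can report the version, hash and UUID before any passphrase is entered. The following script is an added example (not part of the original notes) that reads those fields directly; the byte offsets are assumed from the LUKS1/LUKS2 on-disk format, and `hdr_str`, `luks_info` and `make_sample` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: read the unencrypted LUKS header fields without cryptsetup.
# Assumed offsets (LUKS1/LUKS2 on-disk format): magic "LUKS\xba\xbe" at 0,
# big-endian 16-bit version at 6, hash/checksum name at 72, UUID at 168.

# hdr_str <file> <offset> <len>: print a NUL-terminated header string.
hdr_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr '\000' '\n' | head -n 1
}

# luks_info <file>: print "<version> <hash> <uuid>", or return 1 if not LUKS.
luks_info() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    # Split the two version bytes into $2 (high) and $3 (low).
    set -- "$1" $(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1)
    [ $# -eq 3 ] || return 1
    printf '%s %s %s\n' "$(( $2 * 256 + $3 ))" \
        "$(hdr_str "$1" 72 32)" "$(hdr_str "$1" 168 40)"
}

# make_sample <file> <uuid>: write a constructed LUKS2-style header (no real
# key material) so the check can be tried without a real LUKS device.
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf 'LUKS\272\276\000\002' | dd of="$1" conv=notrunc 2>/dev/null
    printf 'sha256' | dd of="$1" bs=1 seek=72 conv=notrunc 2>/dev/null
    printf '%s' "$2" | dd of="$1" bs=1 seek=168 conv=notrunc 2>/dev/null
}

# Demo on a constructed header; on a real system pass blkfile instead
# (or /dev/loop0, given read permission on the device).
sample=$(mktemp)
make_sample "$sample" "00000000-1111-2222-3333-444444444444"
luks_info "$sample"
rm -f "$sample"
```

A non-zero return from `luks_info` means the magic bytes are missing, so the file or device should not be passed to `cryptsetup open --type luks`.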
## Example: Using an existing LUKS device.
```sh
# Open (decrypt) the LUKS device, it will be mapped under /dev/mapper/loop0.
sudo cryptsetup open --type luks /dev/loop0 loop0
# Mount filesystem.
sudo mount /dev/mapper/loop0 <mntpoint>
# Use disk ...
# Unmount filesystem.
sudo umount <mntpoint>
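# Close the LUKS mapping. Data on disk stays encrypted, the decrypted view
# under /dev/mapper is removed and the key is wiped from kernel memory.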
sudo cryptsetup close loop0
```
[man-loop4]: https://man7.org/linux/man-pages/man4/loop.4.html
[man-cryptsetup8]: https://www.man7.org/linux/man-pages/man8/cryptsetup.8.html