
How to encrypt hdd/partition/file with cryptsetup and LUKS support

This is a short howto to describe the basic usage of Device-Mapper, DM-Crypt, and Cryptsetup to mount and use encrypted partitions and container files.
This is partially in response to the recent articles about the numbers of USB flash thumbdrives that are regularly lost. If we learn to use encryption then that statistic is just sad but not worrying. (see The problem of lost USB flash thumbdrives)
Background
 
Device Mapper and DM-Crypt
Starting with version 2.6, the Linux kernel provides the Device-Mapper interface. This interface allows layers of virtual block devices to be created on top of real block devices. These virtual devices are used for things like RAID, snapshots or encryption. DM-Crypt is the Device-Mapper module that provides the cryptographic functions, i.e. transparent block-level encryption of the underlying device.
Cryptsetup
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions to facilitate cross-distribution compatibility, to allow for multiple users/passwords and effective password revocation, and to provide additional security against low-entropy (weak passphrase) attacks. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.
Creating a New Encrypted Container File or Partition
 
Create the Container and Loopback Mount it
First we need to create the container file, and loopback mount it.
root@host:~$  dd if=/dev/urandom of=testfile bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 1.77221 seconds, 5.9 MB
root@host:~$ losetup /dev/loop0 testfile
root@host:~$
Note: Skip this step for encrypted partitions.
luksFormat
Before we can open an encrypted partition, we need to initialize it.
root@host:~$ cryptsetup -c aes-xts-plain64 -s 512 --use-random -y luksFormat /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@host:~$
Note: For encrypted partitions replace the loopback device with the device node of the partition (e.g. /dev/sdb1).
luksOpen
Now that the partition is formatted with a LUKS header, we can create a Device-Mapper mapping for it. The name given as the last argument (here testfs) becomes the virtual device /dev/mapper/testfs.
root@host:~$ cryptsetup luksOpen /dev/loop0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@host:~$
Formatting the Filesystem
The first time we create the Device-Mapper mapping, we need to format the new virtual device with a new filesystem.
root@host:~$ mkfs.ext2 /dev/mapper/testfs
mke2fs 1.39-WIP (09-Apr-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2432 inodes, 9724 blocks
486 blocks (5.00%) reserved for the super user
First data block=1
2 block groups
8192 blocks per group, 8192 fragments per group
1216 inodes per group
Superblock backups stored on blocks:
        8193
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to overri
root@host:~$
Mounting the Virtual Device
Now, we can mount the new virtual device just like any other device.
root@host:~$ mount /dev/mapper/testfs /mnt/test/
root@host:~$
Mounting an Existing Encrypted Container File or Partition
root@host:~$ losetup /dev/loop0 testfile
root@host:~$ cryptsetup luksOpen /dev/loop0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@host:~$ mount /dev/mapper/testfs /mnt/test/
root@host:~$
Note: Skip the losetup step for encrypted partitions.
Unmounting and Closing an Encrypted Container File or Partition
root@host:~$ umount /mnt/test
root@host:~$ cryptsetup luksClose /dev/mapper/testfs
root@host:~$ losetup -d /dev/loop0
root@host:~$
Note: Skip the losetup step for encrypted partitions.
Handling Multiple Users and Passwords
The LUKS header allows you to assign 8 different passwords (one per key slot) that can each unlock the encrypted partition or container. This is useful for environments where the CEO and CTO can each have a password for the device and the administrator(s) can have another. It also makes it easy to revoke or change one password in case of employee turnover while keeping the data accessible to everyone else.
Adding passwords to new slots
root@host:~$ cryptsetup luksAddKey /dev/loop0
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.
root@host:~$
Deleting key slots
root@host:~$ cryptsetup luksDelKey /dev/loop0 1
Command successful.
root@host:~$
Displaying LUKS Header Information
root@host:~$ cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      a9 3c c2 33 0b 33 db ff d2 b9 dc 6c 01 d6 90 48 1d c1 2e bb
MK salt:        98 46 a3 28 64 35 f1 55 f0 2b 8e af f5 71 16 64
                3c 30 1f 6c b1 4b 43 fd 23 49 28 a6 b0 e4 e2 14
MK iterations:  10
UUID:           089559af-41af-4dfe-b736-9d9d48d3bf53
Key Slot 0: ENABLED
        Iterations:             254659
        Salt:                   02 da 9c c3 c7 39 a5 62 72 81 37 0f eb aa 30 47
                                01 1b a8 53 93 23 83 71 20 03 1b 6c 90 84 a5 6e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
root@host:~$
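Deleting a key slot is irrevocable, and deleting the last enabled slot leaves the header with no way to unlock the data. The following script is an added example, not part of the original guide: it parses luksDump output of the form shown above to list the enabled slots and refuses a deletion that would leave none. The sample dump is constructed (slots 0 and 2 enabled); in real use the dump comes from cryptsetup luksDump.

```shell
#!/bin/sh
# Added example: guard `cryptsetup luksDelKey` by checking the enabled key
# slots in `cryptsetup luksDump` output first.

# Constructed sample in the same layout as the guide's luksDump output,
# with key slots 0 and 2 enabled.
SAMPLE_DUMP='LUKS header information for /dev/loop0
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the enabled key slots, one per line.
# $1: luksDump output as a string.
enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Succeed (exit 0) only if slot $2 is enabled and at least one other enabled
# slot would remain after deleting it; otherwise fail (exit 1).
# $1: luksDump output, $2: slot number to delete.
safe_to_delete() {
    target="$2"
    found=0
    remaining=0
    for s in $(enabled_slots "$1"); do
        if [ "$s" = "$target" ]; then found=1; else remaining=$((remaining + 1)); fi
    done
    [ "$found" -eq 1 ] && [ "$remaining" -ge 1 ]
}

# Real use (needs root), assuming the container from the guide:
#   dump=$(cryptsetup luksDump /dev/loop0)
#   safe_to_delete "$dump" 1 && cryptsetup luksDelKey /dev/loop0 1
```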