
Cryptsetup, Luks, LVM | Cheatsheet

Introduction

cryptsetup is used to conveniently set up dm-crypt managed device-mapper mappings.

These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.

In addition, cryptsetup provides limited support for the use of loop-AES volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes.

Prerequisites

  • A clear understanding of the disk/partition layout (DISK, DISK1, DISK1_1, DISK1_2, DISK1_3, etc.).
  • Defined variables such as DISKU, DISKE, DISK1, DISK1_K, DISK1_H, etc.
  • A 4096-bit random key file generated (dd if=/dev/urandom of=${DISK1_K} bs=8M count=1).

FYI, I will use DRIVE=""; change it to your disk before using any of the commands below. They are very powerful and will break your system if you do it wrong! Be careful.

DISK is the entire disk, and 1, 2 and 3 are partitions in this wiki

  • 1 = Grub
  • 2 = Boot/Esp
  • 3 = Root
  • K = KeyFile
  • U = USB Drive For Keep Our KEY!
  • H = Header Backup
  • E = External Encrypted Drive

Variables For this page

DISKU="/dev/sda"
DISKE="/dev/sdb"
DISK1="/dev/nvme0n1"
DISK1_1="/dev/nvme0n1p1"
DISK1_2="/dev/nvme0n1p2"
DISK1_3="/dev/nvme0n1p3"
DISK1_K="$(hostname)"
DISK1_H="$(hostname)_header_backup"
Generate 4096-bit random key file

dd if=/dev/urandom of=${DISK1_K} bs=8M count=1

Add a key file to the next free key slot. This will prompt for an existing passphrase.

You can have up to 8 slots.

cryptsetup luksAddKey ${DISK1} ${DISK1_K}

Add a key file to a specific key slot, e.g. slot 7:

cryptsetup luksAddKey --key-slot 7 ${DISK1_3} ${DISK1_K}.key

View key slots

cryptsetup luksDump ${DISK1_3}

Remove a key from a key slot. Enter the passphrase or specify the key file to remove.

The slot will be detected automatically and its key removed.

cryptsetup luksRemoveKey ${DISK1_3}
cryptsetup luksRemoveKey ${DISK1_3} ${DISK1_K}.key
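Once several slots are in use, it pays to audit them: an unexpected populated slot means someone added a key you do not know about. The script below is an added example, not part of the original cheatsheet. It parses saved `cryptsetup luksDump` output for both header versions (LUKS1 prints `Key Slot N: ENABLED`, LUKS2 lists entries as `N: luks2` under `Keyslots:`); the two dumps embedded in it are constructed samples, not real devices.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): list populated LUKS key
# slots from `cryptsetup luksDump` output. Works on LUKS1 and LUKS2 dumps.
# The sample dumps below are constructed for illustration only.

# Print the numbers of populated key slots, one per line.
used_keyslots() {
    awk '
        /^Version:/ { version = $2 }
        # LUKS1: "Key Slot N: ENABLED" / "Key Slot N: DISABLED"
        version == 1 && /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }
        # LUKS2: slot entries sit under the "Keyslots:" heading as "  N: luks2"
        version == 2 && /^Keyslots:/ { in_slots = 1; next }
        version == 2 && /^[A-Z]/     { in_slots = 0 }
        version == 2 && in_slots && /^  [0-9]+: / { sub(":", "", $1); print $1 }
    '
}

# Count populated slots; compare against what you expect to have provisioned.
count_keyslots() {
    used_keyslots | wc -l | tr -d ' '
}

# Constructed LUKS2 dump, abridged to the lines the parser looks at.
SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: twofish-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  3: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512'

# Constructed LUKS1 dump.
SAMPLE_LUKS1='LUKS header information for /dev/loop0

Version:        1
Cipher name:    twofish
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Wrappers that run the parser over the constructed samples.
luks2_slots() { printf '%s\n' "$SAMPLE_LUKS2" | used_keyslots | xargs echo; }
luks1_slots() { printf '%s\n' "$SAMPLE_LUKS1" | used_keyslots | xargs echo; }
luks2_count() { printf '%s\n' "$SAMPLE_LUKS2" | count_keyslots; }

# On a real system (root required):
#   cryptsetup luksDump ${DISK1_3} | used_keyslots
```

Run it periodically (or from a config-management check) and alert when the slot count or the set of slot numbers changes from the provisioned baseline.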

Encryption Setup


Add Password to LUKS Volume

Add a password to a LUKS volume when only having a key file:

cryptsetup -d ${DISK1_K}.key luksAddKey ${DISK1_3}

Create Header Backup

cryptsetup luksHeaderBackup ${DISK1_3} --header-backup-file ${DISK1_H}.img

Encrypt Drive

Encrypt the drive with specified parameters:

cryptsetup -d ${DISK1_K}.key --key-description kiss_my_fucking_ass --cipher twofish-xts-plain64 --hash sha512 --iter-time 5000 --use-urandom luksFormat ${DISK1}

Drive Operations

Decrypt and Open LUKS Drive

cryptsetup -d ${DISK1_K}.key luksOpen /dev/sdc usb

View Status

cryptsetup -v status /dev/mapper/rootfs

Partition Operations

Zero the partition:

dd if=/dev/zero of=/dev/mapper/${DISK1_VGName} status=progress

Urandomize the partition prior to formatting

dd if=/dev/urandom of=/dev/mapper/${DISK1_VGName} status=progress

Format LUKS and Filesystem

mkfs.ext4 /dev/mapper/${DISK1_VGName}

Mount and Unmount

cryptsetup luksOpen ${DISK1_3} <chosen_name>
mount /dev/mapper/<chosen_name> /mnt/<chosen_name>

Close and unmount the LUKS partition

cryptsetup luksClose /dev/mapper/${DISK1_VGName}

For the lazy cows, edit $DRIVE

#!/bin/bash
set -euo pipefail

DRIVE="/dev/nvme0n1p4"
KEY="$HOME/.key_files/virtual-vmware.key"
PVNAME="/dev/mapper/vmware"
LVMDRIVE="/dev/mapper/virtual-vmware"
MOUNTPATH="/mnt/vmware"

# generate the random key file; keep it readable by the owner only
mkdir -p "$HOME/.key_files"
dd if=/dev/urandom of=${KEY} bs=8M count=1
chmod 600 ${KEY}

# format the drive as LUKS, using the key file
cryptsetup -d ${KEY} \
    --iter-time 5000 \
    --use-random \
    --cipher twofish-xts-plain64 \
    --hash sha512 luksFormat ${DRIVE}

# open it as /dev/mapper/vmware
cryptsetup -d ${KEY} \
    luksOpen ${DRIVE} vmware

# LVM on top of the opened mapping: PV -> VG "virtual" -> LV "vmware"
pvcreate ${PVNAME}
vgcreate virtual ${PVNAME}
lvcreate -l 100%FREE -n vmware virtual
mkfs.ext4 ${LVMDRIVE}
mkdir -p ${MOUNTPATH}
mount ${LVMDRIVE} ${MOUNTPATH}
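The warning at the top of the page about an empty or wrong $DRIVE is worth enforcing in code. The following is an added example, not the cheatsheet's own script: a small preflight guard to call before `luksFormat`, refusing an empty path, a non-block-device, or a device that (or whose partitions) appear in the mounts table. The mounts table is a parameter so the logic can be exercised against a constructed file; on a real host pass `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): preflight checks before
# luksFormat, so a mistyped or empty $DRIVE cannot wipe a live system.

# Return 0 if device $1, or a partition of it (e.g. /dev/sda1, /dev/nvme0n1p3),
# is the source of any entry in mounts table $2.
is_mounted() {
    dev=$1; mounts=$2
    awk -v d="$dev" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
                     END { exit !found }' "$mounts"
}

# Return 0 if $1 looks safe to format: non-empty, a block device, not mounted.
# Prints the reason on stderr and returns 1 otherwise.
guard_device() {
    dev=$1; mounts=${2:-/proc/mounts}
    if [ -z "$dev" ]; then
        echo "refusing: DRIVE is empty" >&2; return 1
    fi
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2; return 1
    fi
    if is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2; return 1
    fi
    return 0
}

# Constructed mounts table in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/nvme0n1p3 / ext4 rw,relatime 0 0
/dev/nvme0n1p2 /boot vfat rw 0 0
/dev/sda1 /mnt/usb ext4 rw 0 0
EOF

# Results of the checks against the constructed table.
check_root_disk()  { is_mounted /dev/nvme0n1 "$SAMPLE_MOUNTS" && echo mounted || echo free; }
check_spare_disk() { is_mounted /dev/sdb "$SAMPLE_MOUNTS" && echo mounted || echo free; }
check_empty()      { guard_device "" "$SAMPLE_MOUNTS" 2>/dev/null && echo ok || echo refused; }
# a regular file is not a block device, so this is refused too
check_regular()    { guard_device "$SAMPLE_MOUNTS" "$SAMPLE_MOUNTS" 2>/dev/null && echo ok || echo refused; }

# Real use, at the top of the script above:
#   guard_device "$DRIVE" || exit 1
```

Note that the check is only a guard against mistakes, not against an unmounted but still important disk; it is still your job to verify the device name.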

Encrypt folder with luks2

You can use dm-crypt for that. You need to create an empty file which will be used as a storage device. You can create one with a specific size with either dd or, for example, fallocate:

#!/bin/sh

dd if=/dev/urandom of=/home/user/cryptedDevice bs=1M count=512

cryptsetup -d ${DISK1_K}.key \
    --key-description mcdonalds.txt \
    --cipher twofish-xts-plain64 \
    --hash sha512 \
    --iter-time 5000 \
    --use-urandom luksFormat /home/user/cryptedDevice

This will create a 512 MB file in your home directory called cryptedDevice. Then you can set LUKS on top of that file (the minimal form is cryptsetup -y luksFormat /home/user/cryptedDevice). With LUKS you can easily change the size of the container etc.

To open the crypted file you can do:

cryptsetup luksOpen /home/user/cryptedDevice pathName

Then you need to format this partition with a file system:

mkfs.ext4 -j /dev/mapper/pathName

And after that you can simply mount that device to a folder:

mount /dev/mapper/pathName /mnt/pathName

LUKS header on Linux

A forgotten password or passphrase will cause LUKS decryption to fail at boot time.

Currently, there is no way to recover a LUKS passphrase. Sometimes a sysadmin or user changes their LUKS password to an unknown value. Please note that LUKS currently allows a total of eight passphrase or key slots for encrypted disks. A Linux sysadmin can use those other keys or passphrases, if they were created, to reset the forgotten password. However, if a backup of the LUKS header exists, we can restore the header from the backup and use a previously working passphrase/password.

List encrypted disks or volumes

dmsetup ls --target crypt

Backing up LUKS header

cryptsetup luksHeaderBackup /dev/DEVICE --header-backup-file /path/to/backupfile

Restoring LUKS header

cryptsetup luksHeaderRestore /dev/DEVICE --header-backup-file /path/to/backup_header_file

WARNING!

Device /dev/md1 already contains LUKS2 header. Replacing header will destroy existing keyslots.

Are you sure? (Type uppercase yes): YES

Now open the encrypted disk and mount it.

You must provide the old password. If you can't remember the old password, your data is lost.

mkdir /mnt/gentoo
cryptsetup luksOpen /dev/sdX3 rootfs
mount /dev/mapper/gentoo-rootfs /mnt/gentoo
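For both the "Create Header Backup" step earlier and the restore procedure above, two things are worth checking before you depend on a backup file: that it really is a LUKS header (a truncated or wrong file restored with luksHeaderRestore destroys the live key slots, as the warning says), and that it is not readable by other users, since the backup contains the key slots and is as sensitive as the device itself. Also keep in mind that restoring a backup brings back the slots exactly as they were when it was taken, so a passphrase you removed after the backup becomes valid again. The script below is an added example, not part of the original page; it checks the `LUKS\xba\xbe` magic and the big-endian version field at offset 6 of the header, and the file mode. The sample files are constructed byte by byte, not real headers.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): sanity-check a LUKS header
# backup file before relying on it or restoring it.
# The sample files below are constructed, not real headers.

# Hex of $3 bytes starting at offset $2 of file $1, e.g. "4c554b53babe".
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the LUKS version (1 or 2) of a header file; return 1 if it is not LUKS.
luks_version() {
    # magic "LUKS" 0xba 0xbe at offset 0, 16-bit big-endian version at offset 6
    [ "$(read_hex "$1" 0 6)" = "4c554b53babe" ] || return 1
    case "$(read_hex "$1" 6 2)" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *)    return 1 ;;
    esac
}

# Full check: valid magic and version, and mode 0600 or stricter.
# Prints "LUKS1"/"LUKS2" and returns 0 on success, returns 1 otherwise.
check_header_backup() {
    f=$1
    v=$(luks_version "$f") || { echo "$f: not a LUKS header" >&2; return 1; }
    # permission bits, e.g. 600 (-c is GNU stat, -f '%Lp' is the BSD form)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode exposes key slots; chmod 600 it" >&2; return 1 ;;
    esac
    echo "LUKS$v"
}

# Constructed samples: an 8-byte LUKS2-looking header, a junk file, and a
# copy of the good header left group/world readable.
GOOD=$(mktemp); BAD=$(mktemp); LOOSE=$(mktemp)
printf 'LUKS\272\276\000\002' > "$GOOD"; chmod 600 "$GOOD"
printf 'not a header' > "$BAD";          chmod 600 "$BAD"
cp "$GOOD" "$LOOSE";                      chmod 644 "$LOOSE"

good_result()  { check_header_backup "$GOOD"  2>/dev/null || echo rejected; }
bad_result()   { check_header_backup "$BAD"   2>/dev/null || echo rejected; }
loose_result() { check_header_backup "$LOOSE" 2>/dev/null || echo rejected; }

# Real use, right after taking the backup as on this page:
#   cryptsetup luksHeaderBackup ${DISK1_3} --header-backup-file ${DISK1_H}.img
#   check_header_backup ${DISK1_H}.img
```

Store the verified backup off the encrypted device (the USB drive DISKU on this page is the obvious place), and take a fresh one whenever you add or remove a key slot so the backup does not silently resurrect old passphrases.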