blog/New_Harddrive_fdisk,_cryptsetup,_mkfs.txt
New Harddrive: fdisk, cryptsetup, mkfs
________________________________________________________________________________
Today I picked up my new hard drive from the post office.
As I am now planning to actually use it, I have to partition, encrypt, and
format it. I have done this several times already and it gets boring to consult
scroogle every time, so I am going to document my proceedings here.
================================================================================
=== Crypto: Why? How? ==========================================================
TODO:
* overwriting with random data allows plausible deniability when not used with
LUKS
* What purposes does the setup described here serve? (Which does it not serve?)
================================================================================
=== Partitioning ===============================================================
I am going to create two partitions:
1. 10MB big, unencrypted, stores fdisk, luks, mkfs output (needed for recovery)
2. 500GB big, encrypted, stores the stuff I want to store in the first place
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# fdisk /dev/sdc
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x9b5a99c6.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# fdisk /dev/sdc
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-3907029167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-3907029167, default 3907029167): \
+5M
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 2):
Using default value 2
First sector (12288-3907029167, default 12288):
Using default value 12288
Last sector, +sectors or +size{K,M,G} (12288-3907029167, default 3907029167): \
+500G
Command (m for help): p
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  1048588287   524288000   83  Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# mke2fs -L p30jDcdBh-hint /dev/sdc1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=p30jDcdBh-hint
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
1280 inodes, 5120 blocks
256 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=5242880
1 block group
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@eddie ~]# mkdir /mnt/p30jDcdBh-hint
[root@eddie ~]# mount /dev/sdc1 /mnt/p30jDcdBh-hint
[root@eddie ~]# fdisk -l /dev/sdc > /mnt/p30jDcdBh-hint/partitions
---[ /bash ]--------------------------------------------------------------------
================================================================================
=== Setting up encryption (using LUKS) =========================================
I am using LUKS because it creates a header containing information about the
hash algorithm and the block cipher, which I would have to remember myself
if I were using plain dm-crypt.
I use a key-file for encryption, as I am unable to remember strong passwords.
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# cryptsetup -v luksFormat /dev/sdc2 --key-file /mnt/floppy/key.lk
WARNING!
========
This will overwrite data on /dev/sdc2 irrevocably.
Are you sure? (Type uppercase yes): YES
semid 884736: semop failed for cookie 0xd4de66d: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223209069 (0xd4de66d) to initialize waiting for incoming notifications.
Command successful.
[root@eddie ~]# cryptsetup luksHeaderBackup /dev/sdc2 --header-backup-file \
/mnt/p30jDcdBh-hint/header.2
[root@eddie ~]# mkdir /mnt/p30jDcdBh
[root@eddie ~]# cryptsetup -v luksOpen /dev/sdc2 p30jDcdBh --key-file \
/mnt/floppy/key.lk
semid 1474560: semop failed for cookie 0xd4d72d9: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223179481 (0xd4d72d9) to initialize waiting for incoming notifications.
Key slot 0 unlocked.
Command successful.
---[ /bash ]--------------------------------------------------------------------
================================================================================
=== Creating an ext4 filesystem ================================================
Let's see if ext4 is stable:
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# mke2fs -L p30jDcdBh -t ext4 /dev/mapper/p30jDcdBh
mke2fs 1.41.12 (17-May-2010)
Filesystem label=p30jDcdBh
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
32768000 inodes, 131071743 blocks
6553587 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
4000 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 24 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
---[ /bash ]--------------------------------------------------------------------
Remember to save the output of mkfs to allow easy recovery:
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# vim /mnt/p30jDcdBh-hint/p30jDcdBh.mkfs
---[ /bash ]--------------------------------------------------------------------
================================================================================
=== Mounting and testing, fstab and stuff ======================================
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# mount /dev/mapper/p30jDcdBh /mnt/p30jDcdBh
[root@eddie ~]# df -h | grep p30jDcdBh
/dev/sdc1             4.9M  1.1M  3.6M  23% /mnt/p30jDcdBh-hint
/dev/mapper/p30jDcdBh
                      493G  198M  467G   1% /mnt/p30jDcdBh
[root@eddie ~]# echo "/dev/sdc1 /mnt/p30jDcdBh-hint ext2 defaults 0 0" >> \
/etc/fstab
---[ /bash ]--------------------------------------------------------------------
You should also keep in mind that all your commands are logged to
.bash_history, so you may want to delete that file if it contains information
about the key file.
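One way to remove only the lines that mention the key file instead of deleting
the whole history, as an added example that is not part of the original post.
The function names scrub_history and demo_scrub are made up for illustration,
and the demo runs on a constructed throw-away file.

```bash
# scrub_history FILE PATTERN
# Remove every line of FILE that matches the extended regex PATTERN and print
# the number of removed lines. FILE is rewritten in place, so its owner and
# mode (normally 0600 for ~/.bash_history) stay as they were.
# For future sessions: with HISTCONTROL=ignorespace set, bash does not record
# commands typed with a leading space.
scrub_history() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    tmp=$(mktemp) || return 2
    rc=0
    grep -Ev -- "$2" "$1" > "$tmp" || rc=$?   # 1 only means "no line kept"
    if [ "$rc" -gt 1 ]; then                  # 2 = bad pattern or read error
        rm -f "$tmp"
        return 2
    fi
    removed=$(( $(wc -l < "$1") - $(wc -l < "$tmp") ))
    cat "$tmp" > "$1"
    rm -f "$tmp"
    echo "$removed"
}

# Constructed demo: a throw-away history file, not the real one.
demo_scrub() {
    h=$(mktemp) || return 1
    printf '%s\n' \
        'fdisk /dev/sdc' \
        'cryptsetup -v luksFormat /dev/sdc2 --key-file /mnt/floppy/key.lk' \
        'cryptsetup -v luksOpen /dev/sdc2 p30jDcdBh --key-file /mnt/floppy/key.lk' \
        'df -h' > "$h"
    scrub_history "$h" '--key-file|key\.lk'
    cat "$h"
    rm -f "$h"
}
demo_scrub
```

An interactive bash writes its in-memory history to the history file when it
exits, so run this from a shell other than the one that typed the commands, or
after that shell has exited.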
================================================================================
=== Resizing ===================================================================
=== Growing
---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# umount /mnt/p30jDcdBh/
[root@eddie ~]# umount /mnt/hint-p30jDcdBh/
[root@eddie ~]# cryptsetup -v luksClose p30jDcdBh
semid 688128: semop failed for cookie 0xd4dda7f: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223206015 (0xd4dda7f) to initialize waiting for incoming notifications.
Command successful.
[root@eddie ~]# fdisk /dev/sdc
Command (m for help): p
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  1048588287   524288000   83  Linux
Command (m for help): d
Partition number (1-4): 2
Command (m for help): p
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 2):
Using default value 2
First sector (12288-3907029167, default 12288):
Using default value 12288
Last sector, +sectors or +size{K,M,G} (12288-3907029167, default 3907029167): \
+1500G
Command (m for help): p
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  3145740287  1572864000   83  Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# mount /mnt/hint-p30jDcdBh/
[root@eddie ~]# fdisk -l /dev/sdc > /mnt/hint-p30jDcdBh/partitions
[root@eddie ~]# cryptsetup -v luksOpen /dev/sdc2 p30jDcdBh --key-file foobar.key
[root@eddie ~]# e2fsck -f /dev/mapper/p30jDcdBh
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
p30jDcdBh: 23683/32768000 files (2.5% non-contiguous), 108876078/131071743 \
blocks
[root@eddie ~]# resize2fs /dev/mapper/p30jDcdBh
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on /dev/mapper/p30jDcdBh to 393215743 (4k) blocks.
The filesystem on /dev/mapper/p30jDcdBh is now 393215743 blocks long.
[root@eddie ~]# e2fsck -f /dev/mapper/p30jDcdBh
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
p30jDcdBh: 23683/98304000 files (2.5% non-contiguous), 112989103/393215743 \
blocks
[root@eddie ~]# mount /dev/mapper/p30jDcdBh /mnt/p30jDcdBh/
[root@eddie ~]# df -h | grep /p30jDcdBh
/dev/mapper/p30jDcdBh
                      1.5T  408G  994G  30% /mnt/p30jDcdBh
---[ /bash ]--------------------------------------------------------------------
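Deleting and recreating /dev/sdc2 only keeps the LUKS volume usable if the new
partition starts at the same sector (12288 here), because the LUKS header sits
at the start of the partition. The check below is an added example, not part of
the original post: it compares a saved `fdisk -l` listing with a fresh one
before luksOpen. The function names part_field, check_grow and demo are made up
for this example; the sample tables are the two shown above.

```bash
# part_field FILE DEVICE start|end
# Print one sector number from a saved `fdisk -l` listing in the old
# "Device Boot Start End Blocks Id System" layout. Exit 1 if DEVICE is absent.
part_field() {
    awk -v dev="$2" -v want="$3" '
        $1 == dev {
            i = ($2 == "*") ? 3 : 2    # skip the boot flag column if present
            if (want == "end") i++
            print $i; found = 1; exit
        }
        END { exit !found }' "$1"
}

# check_grow OLD_LISTING NEW_LISTING DEVICE
# Succeed only if DEVICE still starts at the same sector and did not shrink.
check_grow() {
    old_start=$(part_field "$1" "$3" start) || { echo "no $3 in $1" >&2; return 2; }
    new_start=$(part_field "$2" "$3" start) || { echo "no $3 in $2" >&2; return 2; }
    old_end=$(part_field "$1" "$3" end)
    new_end=$(part_field "$2" "$3" end)
    if [ "$new_start" -ne "$old_start" ]; then
        echo "$3: start moved $old_start -> $new_start, LUKS header not at start" >&2
        return 1
    fi
    if [ "$new_end" -lt "$old_end" ]; then
        echo "$3: end moved back $old_end -> $new_end, data would be cut off" >&2
        return 1
    fi
    echo "$3: start $new_start unchanged, grew by $((new_end - old_end)) sectors"
}

# Constructed demo using the partition tables before and after the resize.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/sdc1 2048 12287 5120 83 Linux' \
                  '/dev/sdc2 12288 1048588287 524288000 83 Linux' > "$d/old"
    printf '%s\n' '/dev/sdc1 2048 12287 5120 83 Linux' \
                  '/dev/sdc2 12288 3145740287 1572864000 83 Linux' > "$d/new"
    check_grow "$d/old" "$d/new" /dev/sdc2
    rm -rf "$d"
}
demo
```

On the real disk the old listing is the `partitions` file on the hint
partition, copied aside before it is overwritten, and the new one is the output
of `fdisk -l /dev/sdc` after the final `w`.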