Today I picked up my new hard drive from the post office. As I am now planning
to actually use it, I have to partition, encrypt, and format it. I did this
several times already and it gets boring to consult Scroogle every time, so I
am going to document the procedure here.

================================================================================
=== Crypto: Why? How? ==========================================================

TODO:

 * Overwriting the disk with random data allows plausible deniability when it
   is not used with LUKS (the LUKS header is recognisable, random data is not).
 * Which purposes does the setup described here serve? (Which does it not
   serve?)
================================================================================
=== Partitioning ===============================================================

I am going to create two partitions:

 1. 10MB, unencrypted; stores the fdisk, luks and mkfs output (needed for
    recovery)
 2. 500GB, encrypted; stores the stuff I want to store in the first place

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# fdisk /dev/sdc

Command (m for help): o
Building a new DOS disklabel with disk identifier 0x9b5a99c6.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# fdisk /dev/sdc

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-3907029167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-3907029167, default 3907029167): \
+5M

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 2):
Using default value 2
First sector (12288-3907029167, default 12288):
Using default value 12288
Last sector, +sectors or +size{K,M,G} (12288-3907029167, default 3907029167): \
+500G

Command (m for help): p

Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  1048588287   524288000   83  Linux

Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# mke2fs -L p30jDcdBh-hint /dev/sdc1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=p30jDcdBh-hint
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
1280 inodes, 5120 blocks
256 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=5242880
1 block group
8192 blocks per group, 8192 fragments per group
1280 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
[root@eddie ~]# mkdir /mnt/p30jDcdBh-hint
[root@eddie ~]# mount /dev/sdc1 /mnt/p30jDcdBh-hint
[root@eddie ~]# fdisk -l /dev/sdc > /mnt/p30jDcdBh-hint/partitions
---[ /bash ]--------------------------------------------------------------------

================================================================================
=== Setting up encryption (using LUKS) =========================================

I am using LUKS because it creates a header containing information about the
hash algorithm and the block cipher, which I would have to remember myself if I
were using plain dm-crypt. I use a key file for encryption, as I am unable to
remember strong passwords.

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# cryptsetup -v luksFormat /dev/sdc2 --key-file /mnt/floppy/key.lk

WARNING!
========
This will overwrite data on /dev/sdc2 irrevocably.

Are you sure? (Type uppercase yes): YES
semid 884736: semop failed for cookie 0xd4de66d: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223209069 (0xd4de66d) to initialize waiting for incoming notifications.
Command successful.
[root@eddie ~]# cryptsetup luksHeaderBackup /dev/sdc2 --header-backup-file \
/mnt/p30jDcdBh-hint/header.2
[root@eddie ~]# mkdir /mnt/p30jDcdBh
[root@eddie ~]# cryptsetup -v luksOpen /dev/sdc2 p30jDcdBh --key-file \
/mnt/floppy/key.lk
semid 1474560: semop failed for cookie 0xd4d72d9: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223179481 (0xd4d72d9) to initialize waiting for incoming notifications.
Key slot 0 unlocked.
Command successful.
---[ /bash ]--------------------------------------------------------------------

================================================================================
=== Creating an ext4 filesystem ================================================

Let's see if ext4 is stable:

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# mke2fs -L p30jDcdBh -t ext4 /dev/mapper/p30jDcdBh
mke2fs 1.41.12 (17-May-2010)
Filesystem label=p30jDcdBh
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
32768000 inodes, 131071743 blocks
6553587 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
4000 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 24 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
---[ /bash ]--------------------------------------------------------------------

Remember to save the output of mkfs to allow easy recovery:

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# vim /mnt/p30jDcdBh-hint/p30jDcdBh.mkfs
---[ /bash ]--------------------------------------------------------------------

================================================================================
=== Mounting and testing, fstab and stuff ======================================

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# mount /dev/mapper/p30jDcdBh /mnt/p30jDcdBh
[root@eddie ~]# df -h | grep p30jDcdBh
/dev/sdc1             4.9M  1.1M  3.6M  23% /mnt/p30jDcdBh-hint
/dev/mapper/p30jDcdBh 493G  198M  467G   1% /mnt/p30jDcdBh
[root@eddie ~]# echo "/dev/sdc1 /mnt/p30jDcdBh-hint ext2 defaults 0 0" >> \
/etc/fstab
---[ /bash ]--------------------------------------------------------------------

You should also keep in mind that all your commands are logged to
.bash_history, so you may want to delete that file if it contains information
about the key file.

================================================================================
=== Resizing ===================================================================

=== Growing

---[ bash ]---------------------------------------------------------------------
[root@eddie ~]# umount /mnt/p30jDcdBh/
[root@eddie ~]# umount /mnt/hint-p30jDcdBh/
[root@eddie ~]# cryptsetup -v luksClose p30jDcdBh
semid 688128: semop failed for cookie 0xd4dda7f: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie \
value 223206015 (0xd4dda7f) to initialize waiting for incoming notifications.
Command successful.
[root@eddie ~]# fdisk /dev/sdc

Command (m for help): p

Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  1048588287   524288000   83  Linux

Command (m for help): d
Partition number (1-4): 2

Command (m for help): p

Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 2):
Using default value 2
First sector (12288-3907029167, default 12288):
Using default value 12288
Last sector, +sectors or +size{K,M,G} (12288-3907029167, default 3907029167): \
+1500G

Command (m for help): p

Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9b5a99c6

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  3145740287  1572864000   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@eddie ~]# mount /mnt/hint-p30jDcdBh/
[root@eddie ~]# fdisk -l /dev/sdc > /mnt/hint-p30jDcdBh/partitions
[root@eddie ~]# cryptsetup -v luksOpen /dev/sdc2 p30jDcdBh --key-file foobar.key
[root@eddie ~]# e2fsck -f /dev/mapper/p30jDcdBh
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
p30jDcdBh: 23683/32768000 files (2.5% non-contiguous), 108876078/131071743 \
blocks
[root@eddie ~]# resize2fs /dev/mapper/p30jDcdBh
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on /dev/mapper/p30jDcdBh to 393215743 (4k) blocks.
The filesystem on /dev/mapper/p30jDcdBh is now 393215743 blocks long.

[root@eddie ~]# e2fsck -f /dev/mapper/p30jDcdBh
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
p30jDcdBh: 23683/98304000 files (2.5% non-contiguous), 112989103/393215743 \
blocks
[root@eddie ~]# mount /dev/mapper/p30jDcdBh /mnt/p30jDcdBh/
[root@eddie ~]# df -h | grep /p30jDcdBh
/dev/mapper/p30jDcdBh 1.5T  408G  994G  30% /mnt/p30jDcdBh
---[ /bash ]--------------------------------------------------------------------

================================================================================
=== Weblinks ===================================================================

01. Linux Unified Key Setup (LUKS):
    http://en.wikipedia.org/wiki/LUKS
02. dm-crypt:
    http://en.wikipedia.org/wiki/Dm-crypt
03. Uwe Hermann's blog: "HOWTO: Disk encryption with dm-crypt / LUKS and Debian"
    http://www.hermann-uwe.de/blog/\
    howto-disk-encryption-with-dm-crypt-luks-and-debian
04. LUKS-wiki
    http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
05. LUKS-wiki: Encrypted Devices Using LUKS
    http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
06. LUKS-wiki: How to resize a LUKS-encrypted partition created over LVM2
    http://www.saout.de/tikiwiki/tiki-index.php?page=ResizeLUKSPartitions
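The Partitioning and Growing sections above both save the output of "fdisk -l"
to the hint partition, and the grow step deletes /dev/sdc2 and re-creates it
from the same first sector. The following script is an added example, not code
from the original write-up: it reads two such saved records, the one written
before and the one written after re-creating the partition, and refuses the
grow unless the partition still starts at the same sector and its end has not
moved backwards (a moved start would shift the LUKS header and the filesystem,
a shrunk end would truncate the filesystem before resize2fs even runs). It
also handles a partition that is missing from a record. The two records are
constructed from the fdisk output shown on this page and embedded inline, so
the script runs without a disk; the function names (part_start, part_end,
part_bytes, check_grow) are my own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks on the saved
# "fdisk -l" record before and after growing a partition. Assumes the record
# has the layout printed by fdisk above: a "Device Boot Start End ..." table
# with one line per partition and 512-byte sectors, as the "Units" line says.
# Both records below are constructed from the outputs shown on this page.

OLD_RECORD=$(mktemp)
NEW_RECORD=$(mktemp)

cat > "$OLD_RECORD" <<'EOF'
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  1048588287   524288000   83  Linux
EOF

cat > "$NEW_RECORD" <<'EOF'
Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048       12287        5120   83  Linux
/dev/sdc2           12288  3145740287  1572864000   83  Linux
EOF

# part_field RECORD DEVICE COLUMN: print one column of DEVICE's table line.
# Start is column 2 and End column 3 unless the partition is bootable, in
# which case fdisk prints a "*" in column 2 that has to be skipped.
part_field() {
    awk -v dev="$2" -v col="$3" '
        $1 == dev {
            if ($2 == "*") col++      # shift past the boot flag
            print $col
        }' "$1"
}

part_start() { part_field "$1" "$2" 2; }
part_end()   { part_field "$1" "$2" 3; }

# part_bytes RECORD DEVICE: size of the partition in bytes from its sector
# range (inclusive end, 512-byte sectors).
part_bytes() {
    s=$(part_start "$1" "$2"); e=$(part_end "$1" "$2")
    echo $(( (e - s + 1) * 512 ))
}

# check_grow OLD NEW DEVICE: succeed only if DEVICE appears in both records,
# still begins at the same sector, and its end did not move backwards.
check_grow() {
    os=$(part_start "$1" "$3"); ns=$(part_start "$2" "$3")
    oe=$(part_end   "$1" "$3"); ne=$(part_end   "$2" "$3")
    [ -n "$os" ] && [ -n "$ns" ] || { echo "$3: missing from a record" >&2; return 1; }
    [ "$os" = "$ns" ] || { echo "$3: start moved $os -> $ns" >&2; return 1; }
    [ "$ne" -ge "$oe" ] || { echo "$3: end shrank $oe -> $ne" >&2; return 1; }
    echo "$3: start $ns unchanged, end $oe -> $ne"
}

# Before the luksOpen / e2fsck / resize2fs steps of the Growing section:
check_grow "$OLD_RECORD" "$NEW_RECORD" /dev/sdc2
```

On the real machine the two arguments would be the "partitions" file saved
before the grow and the one written right after "fdisk -l /dev/sdc" has been
rerun; running the check in the other direction (new record first) fails, as it
should, because the end would appear to shrink.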
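The header backup written with luksHeaderBackup in the LUKS section is only
worth anything if the file really is a LUKS header and still matches what is on
the disk. The script below is an added example, not part of the original
write-up: it checks the magic bytes and version of such a file and, optionally,
compares its first 4096 bytes (the whole LUKS1 phdr, or the primary binary
header of LUKS2) with the device. Because it has to run without a disk it
builds small constructed files carrying the LUKS magic instead of reading
/dev/sdc2; the function names and file names are placeholders of my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: sanity-check a LUKS header
# backup before relying on it for recovery. A LUKS header begins with the
# 6-byte magic "LUKS\xba\xbe" followed by a 2-byte big-endian version
# (1 = LUKS1, 2 = LUKS2). The files built below are constructed stand-ins so
# the script runs without a disk; their names are placeholders.

# luks_header_version FILE: print the LUKS version found in FILE, fail if the
# magic is missing. Uses POSIX od, so it needs neither xxd nor hexdump.
luks_header_version() {
    f=$1
    set -- $(od -A n -t u1 -N 8 "$f")        # first 8 bytes as decimal octets
    [ $# -eq 8 ] || return 1                  # shorter than a header
    [ "$1 $2 $3 $4 $5 $6" = "76 85 75 83 186 190" ] || return 1   # "LUKS" 0xba 0xbe
    echo $(( $7 * 256 + $8 ))
}

# verify_backup BACKUP [DEVICE]: succeed if BACKUP carries a LUKS header and,
# when DEVICE is given, its first 4096 bytes are identical to DEVICE's.
verify_backup() {
    v=$(luks_header_version "$1") || { echo "$1: no LUKS magic" >&2; return 1; }
    echo "$1: LUKS$v header"
    [ -n "$2" ] || return 0
    a=$(mktemp); b=$(mktemp)
    dd if="$1" bs=4096 count=1 2>/dev/null > "$a"
    dd if="$2" bs=4096 count=1 2>/dev/null > "$b"
    if cmp -s "$a" "$b"; then
        rm -f "$a" "$b"; echo "$1 matches $2"
    else
        rm -f "$a" "$b"; echo "$1 does not match $2 (stale backup?)" >&2; return 1
    fi
}

# make_fake_header FILE VERSION: constructed test data, magic + version + zeros.
make_fake_header() {
    printf 'LUKS\272\276' > "$1"                          # magic, octal escapes
    dd if=/dev/zero bs=1 count=1 2>/dev/null >> "$1"       # version high byte
    printf "$(printf '\\%03o' "$2")" >> "$1"               # version low byte
    dd if=/dev/zero bs=1024 count=4 2>/dev/null >> "$1"    # rest of the header
}

GOOD=$(mktemp); LUKS2=$(mktemp); STALE=$(mktemp); BAD=$(mktemp)
make_fake_header "$GOOD" 1
make_fake_header "$LUKS2" 2
cp "$GOOD" "$STALE"
printf 'x' | dd of="$STALE" bs=1 seek=100 conv=notrunc 2>/dev/null  # one byte differs
printf 'not a header' > "$BAD"

verify_backup "$GOOD" "$GOOD"           # a backup matches itself
verify_backup "$GOOD" "$STALE" || true  # differs inside the header: rejected
```

Against the real setup one would run, as root, something like
"verify_backup /mnt/p30jDcdBh-hint/header.2 /dev/sdc2". A mismatch means the
header on disk has changed since the backup was taken (for instance after a
key slot was added or removed), so the file that luksHeaderRestore would write
back over a damaged header is already out of date and should be refreshed.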