This posting is mostly just a reference for myself since I don’t do this often enough for me to have it memorized. These are the steps I use to create LUKS encrypted disks to use as a backup target that I can take off-site. Since they’re off site and stored in my desk where others may have access to the disks, I want to make sure that I’m the only one with access to the data. I use bare OEM style hard drives in a Thermaltake BlacX hard drive docking station. I have one at home and one at the office.
Before I store a backup on a disk, it needs to be set up for LUKS encryption. This posting explains that part of the process.
WARNING: Following these steps will erase disks and lose data!
Consider yourself duly warned. I also do everything from the command line except the final steps. There are GUI tools to do this as well, but the command line is much quicker for me.
To start, I load a drive into the dock and power it up. In this case, the drive I’m loading is a 500G Maxtor drive.
From a shell window, I issue the ‘dmesg’ command to determine which drive it came up as:
```
marc@fozzie:~$ dmesg
[535060.118638] usb 1-1.4.4: new high speed USB device using ehci_hcd and address 9
[535060.230194] usb-storage 1-1.4.4:1.0: Quirks match for vid 152d pid 2329: 8020
[535060.230358] scsi13 : usb-storage 1-1.4.4:1.0
[535061.228868] scsi 13:0:0:0: Direct-Access     MAXTOR S TM3500630AS           PQ: 0 ANSI: 2 CCS
[535061.229582] sd 13:0:0:0: Attached scsi generic sg8 type 0
[535061.230173] sd 13:0:0:0: [sdi] 976773168 512-byte logical blocks: (500 GB/465 GiB)
[535061.230918] sd 13:0:0:0: [sdi] Write Protect is off
[535061.230922] sd 13:0:0:0: [sdi] Mode Sense: 34 00 00 00
[535061.230925] sd 13:0:0:0: [sdi] Assuming drive cache: write through
[535061.232459] sd 13:0:0:0: [sdi] Assuming drive cache: write through
[535061.232464]  sdi: sdi1
[535061.249699] sd 13:0:0:0: [sdi] Assuming drive cache: write through
[535061.249703] sd 13:0:0:0: [sdi] Attached SCSI disk
```
So it came up as /dev/sdi. This particular disk I was once using with Fedora before I switched over to using Ubuntu, so I know there are partitions on it. I’ll need to get rid of those first using fdisk, and then create a single new partition on it:
```
marc@fozzie:~$ sudo fdisk /dev/sdi

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): p

Disk /dev/sdi: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x33dc2272

   Device Boot      Start         End      Blocks   Id  System
/dev/sdi1   *           1       60802   488386583+  8e  Linux LVM

Command (m for help): d
Selected partition 1

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-60801, default 60801):
Using default value 60801

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
```
So now the disk has a single partition, /dev/sdi1. Set up the encryption on it. Three things to be aware of in the session below. Repartitioning does not erase anything: whatever was in the old LVM volume is still on the platters until it is overwritten, so if the disk previously held sensitive data, overwrite the disk before formatting it. The cipher is given as a bare "aes", which cryptsetup expands to aes-cbc-plain; it is better to spell the mode out in full (for example "-c aes-xts-plain64 -s 512", which later cryptsetup releases use as their default). And the fdisk run against /dev/mapper/backups01 can be skipped entirely, since mkfs.ext4 is then run on the whole mapped device and the partition table written inside it is never used.
```
marc@fozzie:~$ sudo cryptsetup --verify-passphrase luksFormat /dev/sdi1 -c aes -s 256 -h sha256

WARNING!
========
This will overwrite data on /dev/sdi1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
marc@fozzie:~$ sudo cryptsetup luksOpen /dev/sdi1 backups01
Enter passphrase for /dev/sdi1:
marc@fozzie:~$ sudo fdisk /dev/mapper/backups01
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x75dd258c.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60800, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-60800, default 60800):
Using default value 60800

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
marc@fozzie:~$ sudo mkfs.ext4 -Lbackups01 /dev/mapper/backups01
mke2fs 1.41.12 (17-May-2010)
Filesystem label=backups01
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
30531584 inodes, 122095743 blocks
6104787 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
3727 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
	102400000

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
marc@fozzie:~$ sudo cryptsetup luksClose backups01
```
And that's it. At this point I turn off the drive, wait a few seconds, and turn it back on, and Gnome automatically prompts me to unlock the volume:
After entering the correct passphrase, it is mounted automatically under the volume label I specified, backups01, and appears in the file manager, ready to use. When I'm finished with the volume, I use the Nautilus "eject" button to unmount the drive, and it's ready to be taken off-site.
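The whole procedure above (partition, luksFormat, luksOpen, mkfs.ext4, luksClose) as a script, added here as an example; it is not the post's own code. It assumes root, a cryptsetup that has luksHeaderBackup (1.1 or later), sfdisk and mkfs.ext4 on PATH, and a whole-disk node such as /dev/sdi given as an argument. Beyond the page it also handles nvme/mmcblk device names, refuses a disk that has anything mounted, spells the cipher out as aes-xts-plain64 instead of a bare aes, and saves a copy of the LUKS header. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the post's manual session,
# dmesg -> fdisk -> luksFormat -> luksOpen -> mkfs.ext4 -> luksClose, as a
# script with guard rails. Assumptions not stated on the page: root
# privileges, cryptsetup 1.1 or later, sfdisk and mkfs.ext4 on PATH, and a
# whole-disk node such as /dev/sdi. DRY_RUN=1 prints commands instead of
# running them; the device name is never guessed, it is always an argument.

# First-partition node for a whole-disk node. Covers the page's /dev/sdX
# form and, beyond the page, nvme/mmcblk nodes, which take a "p" separator.
partition_name() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

# Succeeds when the disk or one of its partitions is in a mounts table.
# Defaults to /proc/mounts; a file path can be passed for testing.
mounts_using_dev() {
    grep -Eq "^$1(p?[0-9]+)? " "${2:-/proc/mounts}"
}

# The luksFormat command. The post's "-c aes -s 256" omits the mode, which
# cryptsetup expands to aes-cbc-plain; spell the full spec out. XTS splits
# the key in two, so -s 512 gives AES-256.
luks_format_cmd() {
    printf 'cryptsetup --verify-passphrase luksFormat -c aes-xts-plain64 -s 512 -h sha256 %s\n' "$1"
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

setup_backup_disk() {
    disk=$1; name=$2; part=$(partition_name "$disk")
    [ "${DRY_RUN:-0}" = 1 ] || [ -b "$disk" ] || { echo "$disk is not a block device" >&2; return 1; }
    if mounts_using_dev "$disk"; then
        echo "refusing to touch $disk: it has mounted filesystems" >&2
        return 1
    fi
    # One primary partition spanning the disk; sfdisk is the scriptable
    # equivalent of the fdisk d/n/p/1/w dialogue in the post.
    run sh -c "printf ',,83\n' | sfdisk $disk"
    eval run "$(luks_format_cmd "$part")"
    # Keep a copy of the header: a damaged header means the data is gone,
    # passphrase or not. The copy contains the key slots, so store it as
    # carefully as the passphrase.
    run cryptsetup luksHeaderBackup "$part" --header-backup-file "/root/$name-luks-header.img"
    run cryptsetup luksOpen "$part" "$name"
    # The filesystem goes straight onto the mapped device; the partition
    # table the post writes inside it is never used.
    run mkfs.ext4 -L "$name" "/dev/mapper/$name"
    run cryptsetup luksClose "$name"
}

if [ $# -eq 2 ]; then setup_backup_disk "$1" "$2"; fi
```

Run it as "DRY_RUN=1 sh setup-backup-disk.sh /dev/sdi backups01" first and read the printed commands against the dmesg output before running it for real; the mounted-filesystem check is the only thing standing between a typo in the device name and a wiped system disk.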
There are many ways to set up encrypted volumes; this way is the best, easiest and most convenient for me.