
How To Create a dm-crypt LUKS Volume Without LVM

The following details the procedure for creating an encrypted 32GB dm-crypt LUKS volume on Ubuntu without using LVM.

Create an empty file to serve as the storage device

To store our encrypted data, we need to create a file which will act as our storage device.

root@asus:/media/kevin# fallocate -l 32G /media/kevin/newvol

root@asus:/media/kevin# ll -h
total 33G
drwxr-x---+ 8 root root 4,0K Jul 19 23:05 ./
drwxr-xr-x 3 root root 4,0K Jul 11 17:42 ../
drwxrwxr-x 43 kevin kevin 4,0K Jul 19 22:06 DATA/
drwxrwxr-x 37 kevin kevin 4,0K Jun 16 08:35 DATAVOLUMELUKS/
drwxr-xr-x 2 kevin kevin 4,0K Jun 15 16:13 Downloads/
-rw-r--r-- 1 root root 32G Jul 19 23:05 newvol
drwxrwxrwx 10 kevin kevin 4,0K Jul 11 19:11 PRIMARY_BACKUP/
drwxrwxrwx 6 kevin kevin 4,0K Jun 20 21:02 PRIMARY_MEDIA/
drwxr-xr-x 2 root root 4,0K Jun 15 19:55 USBSTICK/
root@asus:/media/kevin#

 

 

Create a dm-crypt LUKS Container inside the File

Before formatting the file we created above, we need to create a LUKS container within the file. LUKS (the Linux Unified Key Setup) is the standard header format used for dm-crypt disk encryption: the header stores the cipher parameters and the passphrase-protected key slots, so the container can be opened later with nothing but the passphrase.

Create the container with this command:

 

root@asus:/media/kevin# cryptsetup -y luksFormat /media/kevin/newvol

WARNING!
========
This will overwrite data on /media/kevin/newvol irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /media/kevin/newvol:
Verify passphrase:
root@asus:/media/kevin#

Use "file" to check that this is now a LUKS encrypted file:

 

root@asus:/media/kevin# file /media/kevin/newvol
/media/kevin/newvol: LUKS encrypted file, ver 2 [, , sha256] UUID: 15affa5e-c600-4a40-86e7-4a7d91fee29e
root@asus:/media/kevin#
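The "file" check above works because cryptsetup writes a fixed-layout binary header at the start of the container. The following parser is an added example (not code from the original post) that reads that header the same way "file" does and reproduces its summary line: for LUKS2 the bracketed fields are label, subsystem and checksum algorithm (which is why the post shows "[, , sha256]"), for LUKS1 they are cipher, mode and hash. The sample headers it builds are constructed test data with a placeholder UUID, not the UUID from the post, and they are not usable containers; point it at a real file to check one.

```python
"""Parse a LUKS1/LUKS2 on-disk header and summarise it like `file` does."""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"              # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"   # LUKS2 backup header magic

# LUKS1 phdr: magic[6] version u16 cipher-name[32] cipher-mode[32] hash-spec[32]
#             payload-offset u32 key-bytes u32 mk-digest[20] mk-digest-salt[32]
#             mk-digest-iter u32 uuid[40]         (all integers big-endian)
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"
# LUKS2 binary header (first 4096 bytes): magic[6] version u16 hdr_size u64 seqid u64
#             label[48] checksum_alg[32] salt[64] uuid[40] subsystem[48] hdr_offset u64
LUKS2_FMT = ">6sHQQ48s32s64s40s48sQ"


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(data: bytes) -> dict:
    """Return a dict describing the header, or raise ValueError if it is not LUKS."""
    if len(data) < 8:
        raise ValueError("too short to be a LUKS header")
    magic = data[:6]
    if magic not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        raise ValueError("no LUKS magic at offset 0")
    version = struct.unpack(">H", data[6:8])[0]

    if version == 1:
        if len(data) < struct.calcsize(LUKS1_FMT):
            raise ValueError("truncated LUKS1 header")
        (_, _, cipher, mode, hsh, payload_off, key_bytes,
         _, _, _, uid) = struct.unpack_from(LUKS1_FMT, data)
        return {"version": 1, "fields": [_cstr(cipher), _cstr(mode), _cstr(hsh)],
                "uuid": _cstr(uid), "payload_offset_sectors": payload_off,
                "key_bytes": key_bytes}

    if version == 2:
        if len(data) < struct.calcsize(LUKS2_FMT):
            raise ValueError("truncated LUKS2 header")
        (_, _, hdr_size, seqid, label, csum_alg, _, uid, subsystem,
         hdr_offset) = struct.unpack_from(LUKS2_FMT, data)
        return {"version": 2, "fields": [_cstr(label), _cstr(subsystem), _cstr(csum_alg)],
                "uuid": _cstr(uid), "hdr_size": hdr_size, "seqid": seqid,
                "hdr_offset": hdr_offset}

    raise ValueError(f"unsupported LUKS version {version}")


def describe(data: bytes) -> str:
    """Format the header the way `file` prints it."""
    h = parse_luks_header(data)
    return f"LUKS encrypted file, ver {h['version']} [{', '.join(h['fields'])}] UUID: {h['uuid']}"


def build_sample_luks2_header(uid: str, checksum_alg: str = "sha256") -> bytes:
    """Constructed 4096-byte LUKS2 header for demonstration only (zero salt/checksum)."""
    hdr = struct.pack(LUKS2_FMT, LUKS_MAGIC, 2, 16 * 1024 * 1024, 1,
                      b"", checksum_alg.encode(), bytes(64), uid.encode(), b"", 0)
    return hdr.ljust(4096, b"\0")


def build_sample_luks1_header(uid: str) -> bytes:
    """Constructed LUKS1 header for demonstration only (zero digest/salt)."""
    return struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, bytes(20), bytes(32), 1000, uid.encode())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real container, e.g. the file created with fallocate above.
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read(4096)))
    else:
        placeholder_uuid = "00000000-0000-4000-8000-000000000000"  # placeholder, not the post's
        print(describe(build_sample_luks2_header(placeholder_uuid)))
        print(describe(build_sample_luks1_header(placeholder_uuid)))
```

Run it as `python3 luks_header.py /media/kevin/newvol` to reproduce the "file" output on a real container; only the first 4096 bytes are read, so it is safe on a multi-gigabyte file and never touches the key material itself.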

 

Now that we have the container in our file, we can open it:

cryptsetup luksOpen /media/kevin/newvol DATAVOLUMELUKSNEW

This opens the LUKS container and maps its decrypted contents to a name we specify, here /dev/mapper/DATAVOLUMELUKSNEW. Because the backing store is a regular file rather than a block device, cryptsetup attaches it to a loop device first, so the rest of the system can treat the file as if it were a real disk.

 

 

Create and Mount the File System

Now that the LUKS container is open and exposed as a regular block device, we can create a file system on it.

We will use:

mkfs.ext4 -j /dev/mapper/DATAVOLUMELUKSNEW

(ext4 is journalled by default, so the -j flag is redundant here but harmless.)

 

 

root@asus:/media/kevin# mkfs.ext4 -j /dev/mapper/DATAVOLUMELUKSNEW
mke2fs 1.45.6 (20-Mar-2020)
Creating filesystem with 8384512 4k blocks and 2097152 inodes
Filesystem UUID: 3d2880eb-dd75-4542-97d1-b69240101931
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

root@asus:/media/kevin#

 

 

Then create a mount point and mount the volume:

root@asus:/media/kevin# mkdir DATAVOLUMELUKSNEW
root@asus:/media/kevin# mount /dev/mapper/DATAVOLUMELUKSNEW /media/kevin/DATAVOLUMELUKSNEW
root@asus:/media/kevin# df
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 1844344 2176 1842168 1% /run
/dev/nvme0n1p4 413839584 197374804 195373196 51% /
tmpfs 9221708 335416 8886292 4% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 4096 0 4096 0% /sys/fs/cgroup
/dev/nvme0n1p1 98304 33565 64739 35% /boot/efi
tmpfs 1844340 80 1844260 1% /run/user/1000
geminivpn:/export/DATA 56721408 37371392 16450048 70% /media/kevin/DATA
intelvpn:/media/kevin/PRIMARY_MEDIA 2063187968 1228222464 730091520 63% /media/kevin/PRIMARY_MEDIA
intelvpn:/media/kevin/PRIMARY_BACKUP 1031070720 231892992 746732544 24% /media/kevin/PRIMARY_BACKUP
tmpfs 1844340 60 1844280 1% /run/user/131
tmpfs 1844340 60 1844280 1% /run/user/0
/dev/mapper/DATAVOLUMELUKSNEW 32880400 49176 31137940 1% /media/kevin/DATAVOLUMELUKSNEW
root@asus:/media/kevin#

 

 

 

We are mounting the volume as DATAVOLUMELUKSNEW because we want to move the data from the old DATAVOLUMELUKS to DATAVOLUMELUKSNEW.

Then we will unmount and delete the old DATAVOLUMELUKS and rename the new DATAVOLUMELUKSNEW as DATAVOLUMELUKS. First the old volume is opened and mounted alongside the new one (mountdata is a local helper script on this machine; as the output shows, it prompts for the old container's passphrase and then runs df -h):

root@asus:/media/kevin# mountdata
Enter passphrase for /home/kevin/BACKUP/DATAVOLUMELUKS:
Filesystem Size Used Avail Use% Mounted on
tmpfs 1,8G 2,2M 1,8G 1% /run
/dev/nvme0n1p4 395G 189G 187G 51% /
tmpfs 8,8G 328M 8,5G 4% /dev/shm
tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs 4,0M 0 4,0M 0% /sys/fs/cgroup
/dev/nvme0n1p1 96M 33M 64M 35% /boot/efi
tmpfs 1,8G 80K 1,8G 1% /run/user/1000
geminivpn:/export/DATA 55G 36G 16G 70% /media/kevin/DATA
intelvpn:/media/kevin/PRIMARY_MEDIA 2,0T 1,2T 697G 63% /media/kevin/PRIMARY_MEDIA
intelvpn:/media/kevin/PRIMARY_BACKUP 984G 222G 713G 24% /media/kevin/PRIMARY_BACKUP
tmpfs 1,8G 60K 1,8G 1% /run/user/131
/dev/mapper/DATAVOLUMELUKSNEW 32G 49M 30G 1% /media/kevin/DATAVOLUMELUKSNEW
/dev/mapper/DATAVOLUMELUKS 20G 12G 6,6G 64% /media/kevin/DATAVOLUMELUKS
root@asus:/media/kevin#

 

 

Next we rsync the data from DATAVOLUMELUKS to DATAVOLUMELUKSNEW (the trailing slashes make rsync copy the contents of the directory rather than the directory itself):

rsync -av /media/kevin/DATAVOLUMELUKS/ /media/kevin/DATAVOLUMELUKSNEW/

We can then delete the old DATAVOLUMELUKS and switch to the new one:

 

umount /media/kevin/DATAVOLUMELUKS

cryptsetup luksClose DATAVOLUMELUKS

root@intel:/home/kevin/BACKUP# rm /home/kevin/BACKUP/DATAVOLUMELUKS
root@intel:/home/kevin/BACKUP#

root@intel:/media/kevin# mv /media/kevin/newvol /home/kevin/BACKUP/DATAVOLUMELUKS
root@intel:/media/kevin#

 

 

Unmount and close the new volume:

umount /media/kevin/DATAVOLUMELUKSNEW

cryptsetup luksClose DATAVOLUMELUKSNEW

and re-open and mount it under its final name:

cryptsetup luksOpen /home/kevin/BACKUP/DATAVOLUMELUKS DATAVOLUMELUKS

mount /dev/mapper/DATAVOLUMELUKS /media/kevin/DATAVOLUMELUKS

 

 

root@intel:/media/kevin# df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 785M 2,0M 783M 1% /run
/dev/sdb5 153G 51G 95G 35% /
tmpfs 3,9G 89M 3,8G 3% /dev/shm
tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs 4,0M 0 4,0M 0% /sys/fs/cgroup
tmpfs 785M 104K 785M 1% /run/user/1000
/dev/sdd2 984G 222G 713G 24% /media/kevin/PRIMARY_BACKUP
/dev/sdd1 2,0T 1,2T 697G 63% /media/kevin/PRIMARY_MEDIA
geminivpn:/export/DATA 55G 37G 15G 71% /media/kevin/DATA
/dev/sda1 112G 108M 112G 1% /media/kevin/New Volume
/dev/sdc1 1,8T 1,5T 217G 88% /media/kevin/SECONDARY_MEDIA
tmpfs 785M 72K 785M 1% /run/user/0
/dev/mapper/DATAVOLUMELUKS 32G 7,9G 22G 27% /media/kevin/DATAVOLUMELUKS
root@intel:/media/kevin#

 

 

The temporary mount point can now also be removed:

 

root@intel:/media/kevin# rmdir DATAVOLUMELUKSNEW
root@intel:/media/kevin#

 

 

 

 

 

 


How To Install LUKS on LVM

LUKS stands for Linux Unified Key Setup. It is a disk-encryption standard for Linux built on the kernel's dm-crypt subsystem.

 

LUKS provides for transparent disk and volume encryption. This means that the files on the encrypted disk or volume can be accessed directly as usual after mounting just as with unencrypted disks.

 

It can be deployed at the partition level or by creating a file which serves as a container or volume which can then be mounted on the system just the same as mounting a disk drive.

It can also be used together with the disk management system LVM or Logical Volume Manager.  LVM provides an easy way to add, remove and resize disk drive partitions without having to lose data. One of the biggest advantages of LVM is that you can carry out these operations without having to reboot.

 

LVM operates by creating a layer of abstraction between the operating system and the disks or existing disk partitions. You assign your drives to LVM, creating “volume groups” (VGs) and then create LVM partitions known as “logical volumes” (LVs) according to your requirements.

 

Another advantage of LVM is that the logical volumes you create can span more than one disk, something which isn't possible with conventional partitioning of a single drive.

 

LVM presents these logical volumes to the operating system in just the same way as conventional hard drives. It also gives you the option to create snapshots of your logical volumes without having to first unmount the disk.

 

LVM is included in many distributions as standard.

 

LUKS can be deployed with LVM in two different ways.

The first way is to encrypt the whole disk with LUKS and then set up LVM inside the encrypted device after opening it. This is known as "LVM on LUKS".

The second way, known as "LUKS on LVM", is to set up LVM on the disk first and then apply LUKS to selected logical volumes.

This page describes the second method, i.e. LUKS on LVM.

We assume that LVM is already installed and configured and that the logical volume you wish to encrypt with LUKS is available for use.

 

For detailed instructions on installing and configuring disks with LVM and creating logical volumes, see the article “How To Install LVM”.

 

Installing LUKS on LVM

LUKS is managed with the cryptsetup tool on top of the kernel's dm-crypt target. cryptsetup needs to be installed on your system if not already present.

On Debian/Ubuntu systems it can be installed with:

apt-get install cryptsetup

Next, create the LUKS container on the logical volume. First, make sure the volume is unmounted, then enter:

cryptsetup luksFormat /dev/lvmvolgroup/PRIMARY_BACKUP

You will be prompted to set a passphrase for the volume encryption. Make sure you remember this passphrase, otherwise you will not be able to access your data! Note also that luksFormat overwrites whatever is already on the volume, as the warning in the output below makes clear:

 

root@len:/media/kevin# cryptsetup luksFormat /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
WARNING: Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/mapper/lvmvolgroup-PRIMARY_BACKUP irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/mapper/lvmvolgroup-PRIMARY_BACKUP:
Verify passphrase:

root@len:/media/kevin#

 

 

How to Unlock LUKS Partition

 

Having created the LUKS logical volume or partition, let us unlock it:

 

root@len:/media/kevin# cryptsetup open /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:
root@len:/media/kevin#

 

Next you need to format, i.e. create a file system on, the opened device: the /dev/mapper/PRIMARY_BACKUP mapping, not the logical volume underneath it. Here we are creating an ext4 file system.

 

mkfs.ext4 /dev/mapper/PRIMARY_BACKUP

 

root@yoga:/home/kevin# mkfs.ext4 /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 1302528 4k blocks and 325760 inodes
Filesystem UUID: 2ff2e594-86d2-4fa5-ab93-afa51ef3975e
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

 

Then you can mount the volume:

 

mount -t ext4 /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP

 

The block device tree should then look like this:

 

root@len:/home/kevin# lsblk -f /dev/sdb
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sdb
└─sdb1 LVM2_mem bQlzkd-il4L-aZBq-wcOD-NTCA-Zwod-mwhm1J
├─lvmvolgroup-PRIMARY_MEDIA ext4 136f78a6-0aaf-47fc-9509-db182db94c41
├─lvmvolgroup-PRIMARY_ARCHIVE ext4 3ce12992-7189-4e6e-8088-b41201b88efc
└─lvmvolgroup-PRIMARY_BACKUP crypto_L efe57d86-a9a9-4279-8c21-33e5d11eb42d
└─PRIMARY_BACKUP ext4 413c3e6b-3cc1-4ed5-be6c-0d4518f740fb 139.1G 0% /home/kevi
root@len:/home/kevin#

 

Note that the PRIMARY_BACKUP device is ext4, whilst lvmvolgroup-PRIMARY_BACKUP is crypto_L (lsblk's truncation of crypto_LUKS), which is correct: the LUKS header sits on the logical volume and the file system sits inside the opened mapping.

Important: you have to open the device with cryptsetup BEFORE you can apply mkfs.ext4, because you are creating the file system on the mapped device, not on the logical volume in lvmvolgroup. At that point nothing is mounted in the OS; the mapping is only known to dm-crypt/cryptsetup!

 

Another name for the same opening command is luksOpen (the older spelling of "open --type luks"):

root@len:/home/kevin# cryptsetup luksOpen /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:
root@len:/home/kevin#

mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP

You can use cryptsetup -v status PRIMARY_BACKUP to see the status of the mapping.

 

The LUKS volume can be dismounted and closed this way:

 

umount /media/kevin/PRIMARY_BACKUP
cryptsetup luksClose PRIMARY_BACKUP

 

If you try to close before unmounting, you get this:

 

root@yoga:~# cryptsetup luksClose
Device PRIMARY_BACKUP is still in use.
root@yoga:~#

 

So, first unmount, then close LUKS!

 

root@len:/dev/mapper# blkid | grep PRIMARY_BACKUP
/dev/mapper/lvmvolgroup-PRIMARY_BACKUP: UUID="efe57d86-a9a9-4279-8c21-33e5d11eb42d" TYPE="crypto_LUKS"
root@len:/dev/mapper#

 

How To Mount and Unmount LUKS Volumes

Note the order of operations. To unmount, you umount the file system first and then close the cryptsetup mapping. To mount, you open the cryptsetup mapping first and then mount the file system.

Note also the difference between the path given to cryptsetup and the path given to mount:

cryptsetup open uses /dev/mapper/lvmvolgroup-PRIMARY_BACKUP (the logical volume carrying the LUKS header),

whereas the mount command uses /dev/mapper/PRIMARY_BACKUP (the opened mapping), i.e. NOT the logical volume designation!

 

To mount:

cryptsetup open /dev/mapper/lvmvolgroup-PRIMARY_BACKUP PRIMARY_BACKUP

mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP

To unmount:

umount /media/kevin/PRIMARY_BACKUP

cryptsetup close PRIMARY_BACKUP

(close takes only the mapping name; the device path is not needed.)

 

root@len:/home/kevin# dmsetup info -C
Name Maj Min Stat Open Targ Event UUID
lvmvolgroup-PRIMARY_BACKUP 253 2 L--w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAI1KzVECV1YHxyc2QlJMUnW1MMq12rBx7T
PRIMARY_BACKUP 253 3 L--w 0 1 0 CRYPT-LUKS2-6fbfecd4fa2c480bbf5ecd108c418680-PRIMARY_BACKUP
lvmvolgroup-PRIMARY_MEDIA 253 0 L--w 0 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAINq13O1AixaoG1l5VzuHpVFVmjZ11XkIF
lvmvolgroup-PRIMARY_ARCHIVE 253 1 L--w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAIgkipEkwcdtML6GLmeLXYjEhjlf36BjMZ
root@len:/home/kevin#

The Open column shows what holds each mapping: lvmvolgroup-PRIMARY_BACKUP has an open count of 1 because the PRIMARY_BACKUP crypt mapping is stacked on top of it, while PRIMARY_BACKUP itself shows 0 once its file system is unmounted. The /dev/mapper entries are symlinks to the dm-N nodes that dmsetup lists by minor number:

root@len:/home/kevin# ll /dev/mapper
total 0
drwxr-xr-x 2 root root 140 Aug 6 22:25 ./
drwxr-xr-x 23 root root 4920 Aug 6 22:25 ../
crw------- 1 root root 10, 236 Aug 6 2020 control
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_ARCHIVE -> ../dm-1
lrwxrwxrwx 1 root root 7 Aug 6 22:25 lvmvolgroup-PRIMARY_BACKUP -> ../dm-2
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_MEDIA -> ../dm-0
lrwxrwxrwx 1 root root 7 Aug 6 22:25 PRIMARY_BACKUP -> ../dm-3

Trying to close the logical volume itself, rather than the crypt mapping on top of it, therefore fails:

 

root@len:/home/kevin# cryptsetup close /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP is still in use.
root@len:/home/kevin#
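Both "still in use" failures on this page (closing before unmounting, and closing the logical volume instead of the crypt mapping stacked on it) can be predicted before running cryptsetup close. The following is an added example, not code from the original post: it checks /proc/mounts for the mapping (matching either the /dev/mapper/NAME symlink or the /dev/dm-N node it points at, and decoding the \040 escape /proc/mounts uses for the space in a mount point such as "/media/kevin/New Volume"), and checks /sys/block/dm-N/holders to see whether another device-mapper device sits on top of the one being closed. The sample state at the bottom is constructed to mirror the ll /dev/mapper and df output above; the function and variable names are my own, and collect_system_state() only works on a live Linux system.

```python
"""Predict whether `cryptsetup close NAME` can succeed, from /proc/mounts and sysfs."""
import os
import sys

MAPPER_DIR = "/dev/mapper"
SYS_BLOCK = "/sys/block"


def unescape_mount_field(field: str) -> str:
    """Undo the \\ooo octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and len(field) >= i + 4 and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text: str):
    """Yield (device, mountpoint) pairs from text in /proc/mounts format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield unescape_mount_field(parts[0]), unescape_mount_field(parts[1])


def mount_points_of(name: str, mounts_text: str, mapper_links: dict) -> list:
    """Mount points backed by /dev/mapper/NAME, however /proc/mounts spells the device."""
    aliases = {f"{MAPPER_DIR}/{name}"}
    if name in mapper_links:                       # the symlink target, e.g. dm-3
        aliases.add(f"/dev/{mapper_links[name]}")
    return [mp for dev, mp in parse_proc_mounts(mounts_text) if dev in aliases]


def dm_holders_of(name: str, mapper_links: dict, holders: dict) -> list:
    """Mapper names of dm devices stacked on top of NAME (what keeps an LV 'in use')."""
    node = mapper_links.get(name)
    if node is None:
        return []
    by_node = {v: k for k, v in mapper_links.items()}
    return [by_node.get(h, h) for h in holders.get(node, [])]


def check_can_close(name: str, mounts_text: str, mapper_links: dict, holders: dict):
    """Return (ok, reason); ok is True only when nothing mounts or holds the mapping."""
    mps = mount_points_of(name, mounts_text, mapper_links)
    if mps:
        return False, f"{name} is mounted at {', '.join(mps)}; umount it first"
    hs = dm_holders_of(name, mapper_links, holders)
    if hs:
        return False, f"{name} is the backing device of {', '.join(hs)}; close that mapping first"
    return True, f"{name} is neither mounted nor held open; cryptsetup close {name} should succeed"


def collect_system_state():
    """Read the live /proc/mounts, /dev/mapper symlinks and /sys/block/dm-N/holders (Linux only)."""
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    links = {}
    for entry in os.listdir(MAPPER_DIR):
        path = os.path.join(MAPPER_DIR, entry)
        if os.path.islink(path):
            links[entry] = os.path.basename(os.readlink(path))   # "../dm-3" -> "dm-3"
    holders = {}
    for node in links.values():
        hdir = os.path.join(SYS_BLOCK, node, "holders")
        if os.path.isdir(hdir):
            holders[node] = os.listdir(hdir)
    return mounts_text, links, holders


# Constructed sample state mirroring the post's `ll /dev/mapper` and df output.
SAMPLE_LINKS = {"lvmvolgroup-PRIMARY_MEDIA": "dm-0", "lvmvolgroup-PRIMARY_ARCHIVE": "dm-1",
                "lvmvolgroup-PRIMARY_BACKUP": "dm-2", "PRIMARY_BACKUP": "dm-3"}
SAMPLE_HOLDERS = {"dm-2": ["dm-3"]}   # the LUKS mapping sits on top of the logical volume
SAMPLE_MOUNTS = (
    "/dev/sdb5 / ext4 rw,relatime 0 0\n"
    "/dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP ext4 rw,relatime 0 0\n"
    "/dev/sda1 /media/kevin/New\\040Volume ext4 rw,relatime 0 0\n"
)
SAMPLE_MOUNTS_AFTER_UMOUNT = "/dev/sdb5 / ext4 rw,relatime 0 0\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 can_close.py PRIMARY_BACKUP
        state = collect_system_state()
        name = sys.argv[1]
    else:                                      # offline demo on the constructed state
        state, name = (SAMPLE_MOUNTS, SAMPLE_LINKS, SAMPLE_HOLDERS), "PRIMARY_BACKUP"
    ok, reason = check_can_close(name, *state)
    print(("OK: " if ok else "BLOCKED: ") + reason)
```

On the constructed state this reports that PRIMARY_BACKUP is still mounted, and after the file system is gone from /proc/mounts it reports that lvmvolgroup-PRIMARY_BACKUP is held by PRIMARY_BACKUP, which is exactly the pair of errors cryptsetup printed above.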

 

 

 
