Administering LUKS
For this section, we will use a loopback file to demonstrate basic LUKS administration.
First, create the loopback file and set it up.
# create an approx. 50 MB file filled with zeros
dd if=/dev/zero of=secretfile.loop bs=52428800 count=1
# create the loopback device
losetup /dev/loop1 secretfile.loop
Formatting
Now that we have a device, we need to format it using LUKS.
Note: 'format' here means adding the LUKS header and creating a master key. This has nothing to do with the filesystem.
cryptsetup -y -s 256 luksFormat /dev/loop1
--> enter password when prompted
If you want to encrypt an entire hard disk:
cryptsetup --verbose -y luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/device
Opening a device
Now that the device is formatted, we need to 'open' it. This sets it up so that we can use it in a meaningful way.
cryptsetup luksOpen /dev/loop1 encrypted
--> enter your password
This creates the device /dev/mapper/encrypted. You can choose the name as you wish.
Making a Filesystem and Mounting
Now we can 'format' it again. This time format means to create a filesystem on it. I'm going to use reiserfs.
mkreiserfs /dev/mapper/encrypted
mkdir /mnt/foo
mount /dev/mapper/encrypted /mnt/foo
Unmounting and Closing a device
To unmount and close a file, do this:
umount /mnt/foo
cryptsetup luksClose encrypted
# remove the loopback device:
losetup -d /dev/loop1
The device /dev/mapper/encrypted no longer exists. Neither does /dev/loop1.
Password management
LUKS allows you to easily manage the passwords for your encrypted partitions, files, etc.
This section explains how to add and delete passwords.
Adding a Password
If you want to add another password, set up the loopback device again and use this command:
losetup /dev/loop1 secretfile.loop
cryptsetup -y luksAddKey /dev/loop1
--> enter the first password
--> enter new password
--> reenter new password
What happened here is this:
You entered the first password to decrypt the master key. You then gave cryptsetup a new password to encrypt the master key with. It then stored this new encrypted version of the master key in slot 1.
Now you have two valid passwords for this file.
To test this, use cryptsetup luksOpen /dev/loop1 foo and try both passwords (doing a cryptsetup luksClose foo in between, of course).
Note: the 'first password' can be any valid password. For example, if you have 5 valid passwords and want to add a sixth one, you can enter any of those 5 to create the 6th.
Deleting a Password
This command deletes the password stored in slot 1 (the second slot):
# the 1 at the very end specifies which slot to delete the password from
cryptsetup luksDelKey /dev/loop1 1
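The key-slot behaviour described under "Adding a Password" and "Deleting a Password", as an added example that is not part of the original page and is not cryptsetup's code: a simplified Python model of a header with one master key and eight slots. The class ToyLuksHeader, its method names, the XOR wrapping (a stand-in for the cipher and anti-forensic splitting that real LUKS uses) and the low iteration count are assumptions made for illustration.

```python
import hashlib, hmac, os

ITER = 1000  # constructed, deliberately low so the example runs quickly

def _kdf(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITER, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyLuksHeader:
    """Hypothetical, simplified header: one master key, eight key slots."""

    def __init__(self, passphrase: str):
        self.slots = [None] * 8
        master = os.urandom(32)               # generated once, at format time
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kdf(master, self.mk_salt)  # used to verify an unlock
        self._store(0, passphrase, master)

    def _store(self, index: int, passphrase: str, master: bytes):
        salt = os.urandom(16)
        # Toy wrap: XOR the master key with the passphrase-derived key.
        self.slots[index] = (salt, _xor(master, _kdf(passphrase.encode(), salt)))

    def unlock(self, passphrase: str):
        """Try every active slot; return the master key, or None."""
        for slot in self.slots:
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
            if hmac.compare_digest(_kdf(candidate, self.mk_salt), self.mk_digest):
                return candidate
        return None

    def add_key(self, existing: str, new: str) -> int:
        """Any valid passphrase can authorise a new one; returns the slot used."""
        master = self.unlock(existing)
        if master is None:
            raise PermissionError("no key slot matches that passphrase")
        index = self.slots.index(None)        # first free slot
        self._store(index, new, master)       # same master key, new wrapping
        return index

    def del_key(self, index: int):
        """Wipe one slot; the master key and the other slots are untouched."""
        self.slots[index] = None
```

Because every slot wraps the same master key, deleting a password never re-encrypts the data, and wiping the last remaining slot leaves the master key unrecoverable.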
Source: http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS