Encrypting containers (or partitions) with Cryptsetup and LUKS

Source: feraga.com

Howto use Cryptsetup with LUKS support. (Debian Linux).

This is a short howto to describe the basic usage of Device-Mapper, DM-Crypt, and Cryptsetup to mount and use encrypted partitions and container files.

This is partially in response to the recent articles about the numbers of USB flash thumbdrives that are regularly lost. If we learn to use encryption then that statistic is just sad but not worrying. (see The problem of lost USB flash thumbdrives)

Device Mapper and DM-CryptStarting in version 2.6, the Linux kernel started providing the Device-Mapper interface. This interface allowed for the creation of layers of virtual block devices ontop of real block devices. These devices are used for things like RAID formats, snapshot or encryption. The DM-Crypt is the module for Device-Mapper that provides access to the cryptographic functions.

CryptsetupCryptsetup is the primary userland tool for creating and managing encrypted partitions and containers for DM-Crypt.

Linux Unified Key Setup (LUKS)LUKS provides a standard on-disk format for encrypted partitions to facilitate cross distribution compatability, to allow for multiple users/passwords, effective password revocation, and to provide additional security against low entropy attacks. To use LUKS, you must use an enabled version of cryptsetup. To the authors knowledge currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS enabled versions of cryptsetup in their repositories.

Creating a New Encrypted Container File or Partition

Create the Container and Loopback Mount itFirst we need to create the container file, and loopback mount it.

root@host:~$ dd if=/dev/urandom of=testfile bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 1.77221 seconds, 5.9 MB
root@host:~$ losetup /dev/loop/0 testfile

Note: Skip this step for encrypted partitions.
luksFormatBefore we can open an encrypted partition, we need to initialize it.

root@host:~$ cryptsetup luksFormat /dev/loop/0



This will overwrite data on /dev/loop/0 irrevocably.

Are you sure? (Type uppercase yes): YES

Enter LUKS passphrase:

Verify passphrase:

Command successful.


Note: For encrypted partitions replace the loopback device with the device label of the partition.
luksOpenNow that the partition is formated, we can create a Device-Mapper mapping for it.

root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Formating the FilesystemThe first time we create the Device-Mapper mapping, we need to format the new virtual device with a new filesystem.

root@host:~$ mkfs.ext2 /dev/mapper/testfs
mke2fs 1.39-WIP (09-Apr-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2432 inodes, 9724 blocks
486 blocks (5.00%) reserved for the super user
First data block=1
2 block groups
8192 blocks per group, 8192 fragments per group
1216 inodes per group
Superblock backups stored on blocks:

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to overri

Mounting the Virtual DeviceNow, we can mount the new virtual device just like any other device.

root@host:~$ mount /dev/mapper/testfs /mnt/test/

Mounting an Existing Encrypted Container File or Partition

root@host:~$ losetup /dev/loop/0 testfile
root@host:~$ cryptsetup luksOpen /dev/loop/0 testfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@host:~$ mount /dev/mapper/testfs /mnt/test/

Note: Skip the losetup setup for encrypted partitions.

Unmounting and Closing an Encrypted Container File or Partition

root@host:~$ umount /mnt/test
root@host:~$ cryptsetup luksClose /dev/mapper/testfs
root@host:~$ losetup -d /dev/loop/0

Note: Skip the losetup setup for encrypted partitions.

Handling Multiple Users and Passwords

The LUKS header allows you to assign 8 different passwords that can access the encyrpted partition or container. This is useful for environments where the CEO & CTO can each have passwords for the device and the administrator(s) can have another. This makes it easy to change the password in case of employee turnover while keeping the data accessible.

Adding passwords to new slotsroot@host:~$ cryptsetup luksAddKey /dev/loop/0
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.

Deleting key slotsroot@host:~$ cryptsetup luksDelKey /dev/loop/0 1
Command successful.

Displaying LUKS Header Information

root@host:~$ cryptsetup luksDump /dev/loop/0
LUKS header information for /dev/loop/0

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: a9 3c c2 33 0b 33 db ff d2 b9 dc 6c 01 d6 90 48 1d c1 2e bb
MK salt: 98 46 a3 28 64 35 f1 55 f0 2b 8e af f5 71 16 64
3c 30 1f 6c b1 4b 43 fd 23 49 28 a6 b0 e4 e2 14
MK iterations: 10
UUID: 089559af-41af-4dfe-b736-9d9d48d3bf53

Key Slot 0: ENABLED
Iterations: 254659
Salt: 02 da 9c c3 c7 39 a5 62 72 81 37 0f eb aa 30 47
01 1b a8 53 93 23 83 71 20 03 1b 6c 90 84 a5 6e
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Leave a Reply