08-Linux Hard Disk Encryption With LUKS - Linux Hardening

امنیت در لینوکس


8. Linux Hard Disk Encryption With LUKS

8.1 Install packages
root@deb:~# apt-get install cryptsetup cryptmount iproute2 net-tools moreutils
8.2 LUKS-formatting

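#The LUKS-formatting command below has the following options:
#--verify-passphrase - ensures the passphrase is entered twice to avoid an incorrect passphrase being used
#-c aes -s 256 - uses AES with a 256-bit key
#  Note: a bare cipher name with no mode (just "aes") is interpreted by cryptsetup as the legacy cbc-plain mode.
#  Omitting -c and -s keeps the cryptsetup default (aes-xts-plain64), which is the usual choice for new volumes.
#  Confirm the cipher actually in use afterwards with "cryptsetup luksDump /dev/vda2".
#-h sha256 - uses SHA-256 as the hash in the LUKS key setup (deriving the key from the passphrase)
#luksFormat irrevocably overwrites existing data on the target device, so double-check the device name first.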

root@deb:~# cryptsetup --verify-passphrase luksFormat /dev/vda2 -c aes -s 256 -h sha256
8.3 luksOpen
root@deb:~# cryptsetup luksOpen /dev/vda2 mydata
Enter passphrase for /dev/vda2:
8.4 Format encrypted disk

#The mkfs options below are as follows:
#-t ext4 - create an ext4 filesystem
#-m 2 - reduce the reserved super-user space down from the default of 5% to 2% of the total size - useful for large filesystems
#-O dir_index - speed-up lookups in large directories
#-O filetype - store filetype info in directories
#-O sparse_super - create fewer superblock backup copies - useful for large filesystems

root@deb:~# mkfs -t ext4 -m 2 -O dir_index,filetype,sparse_super /dev/mapper/mydata
8.5 Edit crypttab, fstab

When the system boots, it asks for the passphrase (the key file field in crypttab is "none"), opens the encrypted disk and then mounts it.

root@deb:~# cat /etc/crypttab
# <target name>    <source device>        <key file>    <options>
mydata        /dev/vda2    none luks
root@deb:~# cat /etc/fstab

/dev/mapper/mydata     /home   ext4   data=ordered,relatime,rw,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv1     0       2
