First, load the AES kernel module with:
modprobe aes
However, I encountered this error on Fedora 25 running a modern CPU, and I was slightly confused:
modprobe: ERROR: could not insert 'padlock_aes': No such device
It turns out that you need to use the following module name instead:
modprobe aes_generic
modprobe dm_mod
modprobe dm_crypt
and, to ensure they are permanently enabled:
echo aes_generic >> /etc/modules-load.d/crypt.conf
echo dm_mod >> /etc/modules-load.d/crypt.conf
echo dm_crypt >> /etc/modules-load.d/crypt.conf
Identify the disk, re-create its partition table, and create a new primary partition, which we will use for our encrypted volume. (Do not create a file system on it yet!)
We can benchmark the different encryption algorithms to find the fastest available with:
cryptsetup benchmark
For this example I am sticking with AES.
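Proceed by formatting the partition as a LUKS volume (this sets the passphrase; the device mapping itself is created when the volume is opened in the next step):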
cryptsetup -y -c aes -s 256 -h sha256 luksFormat /dev/sdb1
We can then open the locked device (entering your password) with:
cryptsetup open /dev/sdb1 mycryptdevice
The decrypted device should now be available at:
/dev/mapper/mycryptdevice
We can then create a new filesystem on it with:
mkfs.ext4 /dev/mapper/mycryptdevice
and mount it:
mount -t ext4 /dev/mapper/mycryptdevice /mnt
and finally, once the filesystem has been unmounted, remove the decrypted device mapping with:
cryptsetup remove mycryptdevice
If you have persistent naming of the block device set up (since we are dealing with a USB device here), we can also instruct the encrypted device to mount at boot:
echo "mycrypt /dev/sdc2 none none" >> /etc/crypttab
* The /etc/crypttab file defines which encrypted devices should be unlocked at boot; the /etc/fstab entry below then mounts the filesystem on the unlocked device.
echo "/dev/mapper/mycrypt /crypt ext4 defaults 0 1" >> /etc/fstab
Upon reboot you should be prompted to enter the password for the encrypted partition.
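An added example (not from the original post): a pre-reboot check of the two entries above. It flags crypttab sources that use kernel-enumerated names such as /dev/sdc2, which can change between boots for a USB disk, and fstab /dev/mapper entries with no matching crypttab name. The function name check_crypt_boot and the sample files are constructed for illustration, and it assumes every /dev/mapper entry in fstab is a dm-crypt mapping (LVM volumes would be reported too).

```sh
#!/bin/sh
# Added example: lint a crypttab/fstab pair before rebooting.
# check_crypt_boot is a hypothetical helper, not part of cryptsetup.
# Assumes every /dev/mapper/* entry in fstab is a dm-crypt mapping.
check_crypt_boot() {
    awk '
        # Skip blank lines and comments in both files.
        NF == 0 || $1 ~ /^#/ { next }
        # crypttab: name, source device, key file, options.
        FILENAME == ARGV[1] {
            names[$1] = 1
            # sdX / nvmeXnYpZ names depend on probe order and can change.
            if ($2 ~ "^/dev/(sd[a-z]+[0-9]*|nvme[0-9]+n[0-9]+(p[0-9]+)?)$") {
                printf "UNSTABLE %s %s\n", $1, $2
                bad = 1
            }
            next
        }
        # fstab: each /dev/mapper/NAME must be created by a crypttab entry.
        $1 ~ "^/dev/mapper/" {
            n = $1
            sub("^/dev/mapper/", "", n)
            if (!(n in names)) {
                printf "UNMAPPED %s %s\n", n, $2
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample input: the two entries written by the echo commands above.
tmp=$(mktemp -d)
printf '%s\n' 'mycrypt /dev/sdc2 none none' > "$tmp/crypttab"
printf '%s\n' '/dev/mapper/mycrypt /crypt ext4 defaults 0 1' > "$tmp/fstab"
check_crypt_boot "$tmp/crypttab" "$tmp/fstab" ||
    echo "resolve the findings above before rebooting"
rm -rf "$tmp"
```

Run it against the live files as check_crypt_boot /etc/crypttab /etc/fstab; it returns non-zero whenever it prints a finding.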