Thursday 12 January 2017

Encrypting a disk / volume in Fedora 25 with dm-crypt / luks

First, load the AES kernel module:

modprobe aes

On Fedora 25, however, I hit the following error, which was slightly confusing given that the machine has a modern CPU:

modprobe: ERROR: could not insert 'padlock_aes': No such device

It turns out that you need to load the following modules instead:

modprobe aes_generic
modprobe dm_mod
modprobe dm_crypt

and, to ensure they are loaded at every boot:

echo aes_generic >> /etc/modules-load.d/crypt.conf
echo dm_mod >> /etc/modules-load.d/crypt.conf
echo dm_crypt >> /etc/modules-load.d/crypt.conf

Identify the disk, re-create the partition table and create a new primary partition to use for the encrypted volume. (Do not create a file system on it yet!)

We can benchmark the different encryption algorithms to find the fastest available with:

cryptsetup benchmark

For this example I am sticking with AES.

Proceed by creating the dm-crypt device mapping:

cryptsetup -y -c aes -s 256 -h sha256 luksFormat /dev/sdb1

We can then open the locked device (you will be prompted for the passphrase) with:

cryptsetup open /dev/sdb1 mycryptdevice

The decrypted device mapping should now be available at:

/dev/mapper/mycryptdevice

We can then create a new filesystem on it with:

mkfs.ext4 /dev/mapper/mycryptdevice

and mount it:

mount -t ext4 /dev/mapper/mycryptdevice /mnt

and finally, once the filesystem has been unmounted again, close the decrypted device (using the same mapping name we opened it with) with:

cryptsetup remove mycryptdevice

If the block device has a persistent name (this is a USB device, so its /dev/sdX name can change between boots), we can also have the encrypted device unlocked and mounted at boot:

echo "mycrypt /dev/sdc2 none none" >> /etc/crypttab

* The /etc/crypttab file defines which encrypted devices should be mounted at boot.

echo "/dev/mapper/mycrypt /crypt ext4 defaults 0 1" >> /etc/fstab

Upon reboot you should be prompted to enter the password for the encrypted partition.
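The whole procedure above as one script, added here as an example rather than code from the original post. It assumes the target partition is passed in CRYPT_DEV, the mapping name in CRYPT_NAME and the mount point in CRYPT_MNT (all hypothetical names), refuses to format a mounted or non-block device, spells out the cipher mode (aes-xts-plain64) instead of the bare "aes", and keys the crypttab entry on the LUKS UUID so it does not depend on /dev/sdX numbering.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumed environment variables:
#   CRYPT_DEV  - partition to encrypt (e.g. /dev/sdb1)
#   CRYPT_NAME - dm-crypt mapping name (default mycryptdevice)
#   CRYPT_MNT  - mount point (default /crypt)
set -eu

# crypttab entry keyed on the LUKS UUID rather than a /dev/sdX path.
crypttab_line() {   # $1 = mapping name, $2 = LUKS UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for the opened mapping; fsck pass 2 since this is not the root fs.
fstab_line() {      # $1 = mapping name, $2 = mount point
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Only format something that is a block device and is not currently mounted.
check_target() {    # $1 = device path; exit status 0 means safe to format
    [ -b "$1" ] || return 1
    ! grep -q "^$1 " /proc/mounts
}

encrypt_volume() {  # $1 = device, $2 = mapping name, $3 = mount point
    check_target "$1" || { echo "refusing to format $1" >&2; return 1; }
    # XTS with a 512-bit key (two 256-bit AES keys); -y asks for the
    # passphrase twice so a typo does not lock you out of the volume.
    cryptsetup -y -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$1"
    cryptsetup isLuks "$1"                 # confirm the LUKS header is in place
    cryptsetup open "$1" "$2"
    mkfs.ext4 /dev/mapper/"$2"
    mkdir -p "$3"
    mount -t ext4 /dev/mapper/"$2" "$3"
    uuid=$(cryptsetup luksUUID "$1")
    crypttab_line "$2" "$uuid" >> /etc/crypttab
    fstab_line "$2" "$3" >> /etc/fstab
    # Unmount before closing: cryptsetup refuses to close a busy mapping.
    umount "$3"
    cryptsetup close "$2"
}

# Run the procedure only when a device was named explicitly.
if [ -n "${CRYPT_DEV:-}" ]; then
    encrypt_volume "$CRYPT_DEV" "${CRYPT_NAME:-mycryptdevice}" "${CRYPT_MNT:-/crypt}"
fi
```

Run it as root with e.g. `CRYPT_DEV=/dev/sdb1 sh encrypt.sh`; it appends to /etc/crypttab and /etc/fstab, so check both files afterwards before rebooting.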
