---
search:
  exclude: true
---

# LUKS Setup

![](0.png)

In this tutorial we're going to look at how to set up LUKS encryption on additional drives of a server.

## **Initial Setup**

For this tutorial I hooked up 2 additional hard drives to a VM:

```
[ 10.0.0.222/16 ] [ backup ] [~] → lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                8:0    0  1000G  0 disk
├─sda1             8:1    0   512M  0 part  /boot
├─sda2             8:2    0     1M  0 part
└─sda3             8:3    0 999.5G  0 part
  ├─lvm-swap     254:0    0   512M  0 lvm
  │ └─swap       254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp      254:1    0   500M  0 lvm
  │ └─tmp        254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot   254:2    0 998.5G  0 lvm
    └─root       254:3    0 998.5G  0 crypt /
sdb                8:16   0   3.6T  0 disk
└─sdb1             8:17   0   3.6T  0 part
sdc                8:32   0   3.6T  0 disk
└─sdc1             8:33   0   3.6T  0 part
sr0               11:0    1 891.3M  0 rom
```

The drives are /dev/sdb and /dev/sdc, both 3.6 TB, and we want to encrypt them so their contents are unreadable unless we unlock them:

```
[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksFormat /dev/sdb
WARNING: Device /dev/sdb already contains a 'gpt' partition signature.

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb:
Verify passphrase:

[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksFormat /dev/sdc
WARNING: Device /dev/sdc already contains a 'gpt' partition signature.

WARNING!
========
This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdc:
Verify passphrase:
```

`luksFormat` writes a new LUKS header over the start of the device, which is why cryptsetup warns about the existing GPT signature and asks for an explicit `YES`: whatever was on these disks before is gone.

You can check the LUKS information of each device:

```
[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksDump /dev/sdb
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           63088dd8-bca3-4e6c-b909-145b2de744c7
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     508031
        Threads:    2
        Salt:       e0 30 01 14 b3 8a 56 36 ef 7e b2 24 7b d6 a8 3b
                    06 2b c9 e9 5f 26 56 5a 78 c5 55 0d 4f 86 64 4f
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 26640
        Salt:       70 88 9e 5c 36 ae ae b4 d4 c5 85 3b f6 9c d5 8b
                    1d 13 24 93 29 fe c1 80 d9 18 7b b1 fe 3c 55 86
        Digest:     dd 9b 2c ba fa 3d 38 ec 56 92 28 d7 70 52 f1 a3
                    e5 fd 4d 3a 14 2c 85 52 bc e2 e0 99 c9 e6 bb 33

[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksDump /dev/sdc
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           8f559499-ca90-4b71-aead-c2252d0e10e0
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     482968
        Threads:    2
        Salt:       8f 6f b2 6d 46 a1 8f 31 0c cb 06 64 94 73 86 47
                    6e a8 1f 39 38 ff b9 27 10 6a 35 61 1b 9e 16 af
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 24417
        Salt:       06 6f e4 bd dd 10 0d 9e 29 41 ae 7e df d2 55 77
                    b9 94 0b b3 fb ba 38 41 c5 c4 63 8e 5d 00 7c 40
        Digest:     86 62 5c 31 67 00 5c 46 69 5f 2f 81 fb 83 34 ec
                    d0 73 44 e4 73 bc f9 f8 41 86 7a 06 55 97 77 3d
```

The fields worth confirming in this dump are the header version (LUKS2), the data cipher (aes-xts-plain64 with a 512-bit key) and the PBKDF (argon2id) that derives the keyslot key from your passphrase; the UUID is the stable identifier for each container.

Now we want to open the encrypted drives, so we use luksOpen:

```
[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksOpen /dev/sdb VAULT1
Enter passphrase for /dev/sdb:

[ 10.0.0.222/16 ] [ backup ] [~] → cryptsetup luksOpen /dev/sdc VAULT2
Enter passphrase for /dev/sdc:

[ 10.0.0.222/16 ] [ backup ] [~] → ls -lash /dev/mapper/VAULT*
0 lrwxrwxrwx 1 root root 7 Nov  5 09:12 /dev/mapper/VAULT1 -> ../dm-6
0 lrwxrwxrwx 1 root root 7 Nov  5 09:13 /dev/mapper/VAULT2 -> ../dm-7
```

From here we have 2 mapped drives in /dev/mapper/, named VAULT1 and VAULT2. To use them we need to mount them, so let's create 2 folders in /mnt/ and mount them there:

```
[ 10.0.0.222/16 ] [ backup ] [~] → mkdir /mnt/VAULT1
[ 10.0.0.222/16 ] [ backup ] [~] → mkdir /mnt/VAULT2
```

Before mounting, don't forget to create a filesystem on the unlocked drives, ext4 for example:

```
[ 10.0.0.222/16 ] [ backup ] [~] → mkfs.ext4 /dev/mapper/VAULT1
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT1 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: bcc579f6-96b9-4c9a-8ad8-694470db5dac
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848, 512000000, 550731776, 644972544

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

[ 10.0.0.222/16 ] [ backup ] [~] → mount /dev/mapper/VAULT1 /mnt/VAULT1

[ 10.0.0.222/16 ] [ backup ] [~] → lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                8:0    0  1000G  0 disk
├─sda1             8:1    0   512M  0 part  /boot
├─sda2             8:2    0     1M  0 part
└─sda3             8:3    0 999.5G  0 part
  ├─lvm-swap     254:0    0   512M  0 lvm
  │ └─swap       254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp      254:1    0   500M  0 lvm
  │ └─tmp        254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot   254:2    0 998.5G  0 lvm
    └─root       254:3    0 998.5G  0 crypt /
sdb                8:16   0   3.6T  0 disk
└─VAULT1         254:6    0   3.6T  0 crypt /mnt/VAULT1
sdc                8:32   0   3.6T  0 disk
└─VAULT2         254:7    0   3.6T  0 crypt
sr0               11:0    1 891.3M  0 rom
```

Here you can see that we managed to mount our external LUKS-encrypted drive in /mnt/VAULT1, so we can now write to it:

```
[ 10.0.0.222/16 ] [ backup ] [~] → cd /mnt/VAULT1
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1] → echo 'test' > test.txt
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1] → ls -lash
total 28K
4.0K drwxr-xr-x 3 root root 4.0K Nov  5 09:23 .
4.0K drwxr-xr-x 4 root root 4.0K Nov  5 09:15 ..
 16K drwx------ 2 root root  16K Nov  5 09:21 lost+found
4.0K -rw-r--r-- 1 root root    5 Nov  5 09:23 test.txt
```

Then we mount the other drive in the same way:

```
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1] → mkfs.ext4 /dev/mapper/VAULT2
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT2 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: 8c41fdda-d272-4570-8562-f8f7ac4c87db
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848, 512000000, 550731776, 644972544

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1] → mount /dev/mapper/VAULT2 /mnt/VAULT2

[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1] → lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                8:0    0  1000G  0 disk
├─sda1             8:1    0   512M  0 part  /boot
├─sda2             8:2    0     1M  0 part
└─sda3             8:3    0 999.5G  0 part
  ├─lvm-swap     254:0    0   512M  0 lvm
  │ └─swap       254:5    0   512M  0 crypt [SWAP]
  ├─lvm-tmp      254:1    0   500M  0 lvm
  │ └─tmp        254:4    0   500M  0 crypt /tmp
  └─lvm-lvroot   254:2    0 998.5G  0 lvm
    └─root       254:3    0 998.5G  0 crypt /
sdb                8:16   0   3.6T  0 disk
└─VAULT1         254:6    0   3.6T  0 crypt /mnt/VAULT1
sdc                8:32   0   3.6T  0 disk
└─VAULT2         254:7    0   3.6T  0 crypt /mnt/VAULT2
sr0               11:0    1 891.3M  0 rom
```

## **Scripting**

I think it's obvious that you don't want to store your password in cleartext anywhere on your machine, so you'll have to type the password every time you want to open the drives. So I have this script here to mount the drives quickly; I just run it at startup:

```
[ 10.0.0.222/16 ] [ backup ] [~] → cat vault.sh
#!/bin/bash
echo "[+] MOUNTING VAULTS..."
sudo cryptsetup luksOpen /dev/sdb VAULT1
sudo mkdir /mnt/VAULT1 2>/dev/null
sudo mount /dev/mapper/VAULT1 /mnt/VAULT1

sudo cryptsetup luksOpen /dev/sdc VAULT2
sudo mkdir /mnt/VAULT2 2>/dev/null
sudo mount /dev/mapper/VAULT2 /mnt/VAULT2
echo "[+] VAULTS MOUNTED"
```
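As an added example (my own script, not the tutorial's vault.sh), the version below hardens the mounting procedure in two ways. It addresses each vault by the LUKS UUID that `luksDump` printed above, via `/dev/disk/by-uuid/`, rather than by `/dev/sdb` and `/dev/sdc`, which the kernel may enumerate in a different order on the next boot so that a passphrase could be offered to the wrong disk. And it refuses to open a container whose header does not carry the parameters shown in the dump (LUKS2, aes-xts-plain64, 512-bit key, argon2id), so a device that was silently re-formatted or swapped is noticed before anything is mounted. The header check is a plain-text parser of `luksDump` output, so it also runs offline against a captured dump; the embedded sample is a trimmed copy of the sdb dump above. The mapping names, mount points, the `luks_header_*` and `*_vaults` function names and the `open`/`close` dispatch are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the tutorial's vault.sh. Assumes the UUIDs, mapping
# names and mount points from the tutorial; everything else is constructed.
set -eu

# One vault per line: "<LUKS UUID> <mapping name> <mount point>".
# udev exposes a LUKS container as /dev/disk/by-uuid/<LUKS UUID>, which is
# stable across boots, unlike /dev/sdb and /dev/sdc.
VAULTS="
63088dd8-bca3-4e6c-b909-145b2de744c7 VAULT1 /mnt/VAULT1
8f559499-ca90-4b71-aead-c2252d0e10e0 VAULT2 /mnt/VAULT2
"

# Parse `cryptsetup luksDump` output on stdin into "version cipher keybits pbkdf".
# Lower-case "cipher:" is the data segment; "Key:" and "PBKDF:" come from
# keyslot 0 (the first occurrence wins, so extra keyslots do not interfere).
luks_header_summary() {
  awk '
    /^Version:/                        { version = $2 }
    /^[[:space:]]*cipher:/ && !cipher  { cipher  = $2 }
    /^[[:space:]]*Key:/    && !keybits { keybits = $2 }
    /^[[:space:]]*PBKDF:/  && !pbkdf   { pbkdf   = $2 }
    END { print version, cipher, keybits, pbkdf }
  '
}

# Exit 0 only when the header on stdin matches the parameters the tutorial
# shows; a LUKS1 header, a weaker cipher or a pbkdf2 keyslot all fail.
luks_header_ok() {
  summary=$(luks_header_summary)
  [ "$summary" = "2 aes-xts-plain64 512 argon2id" ]
}

# Idempotent replacement for vault.sh: verifies the device, skips a mapping
# that is already open, and aborts before mounting if any step fails.
open_vaults() {
  echo "[+] MOUNTING VAULTS..."
  while read -r uuid name mnt; do
    [ -n "$uuid" ] || continue
    dev="/dev/disk/by-uuid/$uuid"
    if ! sudo cryptsetup isLuks "$dev"; then
      echo "[-] $dev is not a LUKS device" >&2; return 1
    fi
    if ! sudo cryptsetup luksDump "$dev" | luks_header_ok; then
      echo "[-] $dev: unexpected LUKS header parameters" >&2; return 1
    fi
    # `cryptsetup status` exits 0 when the mapping is already active.
    if ! sudo cryptsetup status "$name" >/dev/null 2>&1; then
      sudo cryptsetup open "$dev" "$name"   # prompts for the passphrase
    fi
    sudo mkdir -p "$mnt"
    mountpoint -q "$mnt" || sudo mount "/dev/mapper/$name" "$mnt"
  done <<EOF
$VAULTS
EOF
  echo "[+] VAULTS MOUNTED"
}

# Reverse operation: unmount, then close the mapping so the key leaves memory.
close_vaults() {
  while read -r uuid name mnt; do
    [ -n "$uuid" ] || continue
    if mountpoint -q "$mnt"; then sudo umount "$mnt"; fi
    if sudo cryptsetup status "$name" >/dev/null 2>&1; then
      sudo cryptsetup close "$name"
    fi
  done <<EOF
$VAULTS
EOF
}

# Constructed sample: the relevant lines of the luksDump /dev/sdb output above.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           63088dd8-bca3-4e6c-b909-145b2de744c7

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     508031
        Threads:    2'

# "open"/"close" act on the real devices; no argument reviews the sample offline.
case "${1:-}" in
  open)  open_vaults ;;
  close) close_vaults ;;
  *)     printf '%s\n' "$SAMPLE_DUMP" | luks_header_summary ;;
esac
```

Run `./vault.sh open` at startup and `./vault.sh close` before shutdown or before pulling a drive; with no argument the script only prints the summary of the embedded dump (`2 aes-xts-plain64 512 argon2id`). Keeping the check as a pure parser means you can feed it `cryptsetup luksDump /dev/disk/by-uuid/<uuid>` from any host to confirm a backup drive still carries the header you formatted it with.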