oxeo0/selfhosting-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git synced 2025-05-16 12:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
selfhosting-blogposts/luks/index.md

327 lines
11 KiB
Markdown
Raw Permalink Blame History

---
search:
exclude: true
---
# luks Setup
![](0.png)
In this tutorial we're going to look at how to setup LUKS encryption on additional drives of a server.
## **Initial Setup**
For this tutorial i hooked up 2 additional hard drives to a VM:
[ 10.0.0.222/16 ] [ backup ] [~]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 1000G 0 disk
├─sda1 8:1 0 512M 0 part /boot
├─sda2 8:2 0 1M 0 part
└─sda3 8:3 0 999.5G 0 part
├─lvm-swap 254:0 0 512M 0 lvm
│ └─swap 254:5 0 512M 0 crypt [SWAP]
├─lvm-tmp 254:1 0 500M 0 lvm
│ └─tmp 254:4 0 500M 0 crypt /tmp
└─lvm-lvroot 254:2 0 998.5G 0 lvm
└─root 254:3 0 998.5G 0 crypt /
sdb 8:16 0 3.6T 0 disk
└─sdb1 8:17 0 3.6T 0 part
sdc 8:32 0 3.6T 0 disk
└─sdc1 8:33 0 3.6T 0 part
sr0 11:0 1 891.3M 0 rom
the drives are /dev/sdb and /dev/sdc, they are both 3.6Tb big, and we want to encrypt them so they are unreadable unless we unlock them:
![]()
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksFormat /dev/sdb
WARNING: Device /dev/sdb already contains a 'gpt' partition signature.
WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb:
Verify passphrase:
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksFormat /dev/sdc
WARNING: Device /dev/sdc already contains a 'gpt' partition signature.
WARNING!
========
This will overwrite data on /dev/sdc irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdc:
Verify passphrase:
You can check the luks information of each device:
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksDump /dev/sdb
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 63088dd8-bca3-4e6c-b909-145b2de744c7
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 4096 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 508031
Threads: 2
Salt: e0 30 01 14 b3 8a 56 36 ef 7e b2 24 7b d6 a8 3b
06 2b c9 e9 5f 26 56 5a 78 c5 55 0d 4f 86 64 4f
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 26640
Salt: 70 88 9e 5c 36 ae ae b4 d4 c5 85 3b f6 9c d5 8b
1d 13 24 93 29 fe c1 80 d9 18 7b b1 fe 3c 55 86
Digest: dd 9b 2c ba fa 3d 38 ec 56 92 28 d7 70 52 f1 a3
e5 fd 4d 3a 14 2c 85 52 bc e2 e0 99 c9 e6 bb 33
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksDump /dev/sdc
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 8f559499-ca90-4b71-aead-c2252d0e10e0
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 4096 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 482968
Threads: 2
Salt: 8f 6f b2 6d 46 a1 8f 31 0c cb 06 64 94 73 86 47
6e a8 1f 39 38 ff b9 27 10 6a 35 61 1b 9e 16 af
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 24417
Salt: 06 6f e4 bd dd 10 0d 9e 29 41 ae 7e df d2 55 77
b9 94 0b b3 fb ba 38 41 c5 c4 63 8e 5d 00 7c 40
Digest: 86 62 5c 31 67 00 5c 46 69 5f 2f 81 fb 83 34 ec
d0 73 44 e4 73 bc f9 f8 41 86 7a 06 55 97 77 3d
Now we want to open the encrypted drives, so we use luksOpen:
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksOpen /dev/sdb VAULT1
Enter passphrase for /dev/sdb:
[ 10.0.0.222/16 ] [ backup ] [~]
→ cryptsetup luksOpen /dev/sdc VAULT2
Enter passphrase for /dev/sdc:
[ 10.0.0.222/16 ] [ backup ] [~]
→ ls -lash /dev/mapper/VAULT*
0 lrwxrwxrwx 1 root root 7 Nov 5 09:12 /dev/mapper/VAULT1 -> ../dm-6
0 lrwxrwxrwx 1 root root 7 Nov 5 09:13 /dev/mapper/VAULT2 -> ../dm-7
Now from here, we have 2 mapped drives located in /dev/mapper/, we named them VAULT1 and VAULT2, now to use them we need to mount them, so let's create 2 folders in /mnt/ and mount them there:
[ 10.0.0.222/16 ] [ backup ] [~]
→ mkdir /mnt/VAULT1
[ 10.0.0.222/16 ] [ backup ] [~]
→ mkdir /mnt/VAULT2
Before we do thatm don't forget to format the unlocked drives in ext4 for example:
[ 10.0.0.222/16 ] [ backup ] [~]
→ mkfs.ext4 /dev/mapper/VAULT1
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT1 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: bcc579f6-96b9-4c9a-8ad8-694470db5dac
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
[ 10.0.0.222/16 ] [ backup ] [~]
→ mount /dev/mapper/VAULT1 /mnt/VAULT1
[ 10.0.0.222/16 ] [ backup ] [~]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 1000G 0 disk
├─sda1 8:1 0 512M 0 part /boot
├─sda2 8:2 0 1M 0 part
└─sda3 8:3 0 999.5G 0 part
├─lvm-swap 254:0 0 512M 0 lvm
│ └─swap 254:5 0 512M 0 crypt [SWAP]
├─lvm-tmp 254:1 0 500M 0 lvm
│ └─tmp 254:4 0 500M 0 crypt /tmp
└─lvm-lvroot 254:2 0 998.5G 0 lvm
└─root 254:3 0 998.5G 0 crypt /
sdb 8:16 0 3.6T 0 disk
└─VAULT1 254:6 0 3.6T 0 crypt /mnt/VAULT1
sdc 8:32 0 3.6T 0 disk
└─VAULT2 254:7 0 3.6T 0 crypt
sr0 11:0 1 891.3M 0 rom
And here you can see that we managed to mount our external luks encrypted drive in /mnt/VAULT1, so we can now write to it:
[ 10.0.0.222/16 ] [ backup ] [~]
→ cd /mnt/VAULT1
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ echo 'test' > test.txt
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ ls -lash
total 28K
4.0K drwxr-xr-x 3 root root 4.0K Nov 5 09:23 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 5 09:15 ..
16K drwx------ 2 root root 16K Nov 5 09:21 lost+found
4.0K -rw-r--r-- 1 root root 5 Nov 5 09:23 test.txt
Then we mount the other drive in the same way:
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ mkfs.ext4 /dev/mapper/VAULT2
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/VAULT2 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
Proceed anyway? (y,N) y
Creating filesystem with 976742144 4k blocks and 244187136 inodes
Filesystem UUID: 8c41fdda-d272-4570-8562-f8f7ac4c87db
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ mount /dev/mapper/VAULT2 /mnt/VAULT2
[ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 1000G 0 disk
├─sda1 8:1 0 512M 0 part /boot
├─sda2 8:2 0 1M 0 part
└─sda3 8:3 0 999.5G 0 part
├─lvm-swap 254:0 0 512M 0 lvm
│ └─swap 254:5 0 512M 0 crypt [SWAP]
├─lvm-tmp 254:1 0 500M 0 lvm
│ └─tmp 254:4 0 500M 0 crypt /tmp
└─lvm-lvroot 254:2 0 998.5G 0 lvm
└─root 254:3 0 998.5G 0 crypt /
sdb 8:16 0 3.6T 0 disk
└─VAULT1 254:6 0 3.6T 0 crypt /mnt/VAULT1
sdc 8:32 0 3.6T 0 disk
└─VAULT2 254:7 0 3.6T 0 crypt /mnt/VAULT2
sr0 11:0 1 891.3M 0 rom
## **Scripting**
I think its obvious that you don't want to store your password in cleartext anywhere on your machine, so you'll have to type the password everytime you want to open the drives. So i have this script here to mount the drives quickly, i just run it at startup:
![]()
[ 10.0.0.222/16 ] [ backup ] [~]
→ cat vault.sh
#!/bin/bash
echo "[+] MOUNTING VAULTS..."
sudo cryptsetup luksOpen /dev/sdb VAULT1
sudo mkdir /mnt/VAULT1 2>/dev/null
sudo mount /dev/mapper/VAULT1 /mnt/VAULT1
sudo cryptsetup luksOpen /dev/sdc VAULT2
sudo mkdir /mnt/VAULT2 2>/dev/null
sudo mount /dev/mapper/VAULT2 /mnt/VAULT2
echo "[+] VAULTS MOUNTED"
Reference in a new issue View git blame Copy permalink