LUKS Encryption

Overview

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

Creating a LUKS Encrypted USB Drive

Check the target device.

lsblk /dev/sda
  NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
  sda                                             8:0    1  14.4G  0 disk
  └─sda1                                          8:1    1  14.4G  0 part

Remove old data and create a new partition (in gdisk, p prints the current table, n creates a new partition and w writes the table to disk and exits).

shred -n 1 -v /dev/sda
gdisk /dev/sda
  Command (? for help): p
  Command (? for help): n
  Command (? for help): w

Encrypt the new partition (the partition created above, not the whole disk).

cryptsetup luksFormat /dev/sda1

  WARNING!
  ========
  This will overwrite data on /dev/sda1 irrevocably.

  Are you sure? (Type 'yes' in capital letters): YES
  Enter passphrase for /dev/sda1:
  Verify passphrase:

Open the encrypted partition (the decrypted view appears as /dev/mapper/crypted_usb).

cryptsetup luksOpen /dev/sda1 crypted_usb
  Enter passphrase for /dev/sda1:

Create the filesystem and mount it.

mkfs.vfat -F 32 -n GUISAM /dev/mapper/crypted_usb
mount /dev/mapper/crypted_usb /mnt/test/

Unmount and close the encrypted device.

umount /mnt/test
cryptsetup luksClose crypted_usb
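The steps above, collected into one guarded script. This is an added example, not part of the original page: it refuses to run on a disk that is not removable or that still has something mounted (so a typo cannot shred the system disk), derives the partition node correctly for both /dev/sdX and /dev/nvmeXnY or /dev/mmcblkX naming, and then runs the same shred / partition / luksFormat / luksOpen / mkfs / mount sequence. The label, mount point and mapper name are assumptions, and sgdisk replaces the interactive gdisk session.

```shell
#!/bin/sh
# Added example (not from the original page): guarded wrapper around the
# "Creating a LUKS Encrypted USB Drive" steps. The live steps only run when
# make_luks_usb is called explicitly, as root; the two helpers are pure and
# can be checked offline.

# partition_path DISK N -> device node of partition N on DISK
# (/dev/sda 1 -> /dev/sda1, but /dev/nvme0n1 1 -> /dev/nvme0n1p1)
partition_path() {
    case "$1" in
        *[0-9]) printf '%s\n' "${1}p$2" ;;
        *)      printf '%s\n' "$1$2" ;;
    esac
}

# count_nonblank TEXT -> number of non-blank lines in TEXT
# (fed with `lsblk -nro MOUNTPOINT DISK`, this counts mounted filesystems)
count_nonblank() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# make_luks_usb DISK [LABEL] [MOUNTPOINT]
make_luks_usb() {
    disk=$1
    label=${2:-USBCRYPT}        # assumed filesystem label
    mnt=${3:-/mnt/test}         # assumed mount point
    mapper=crypted_usb          # name under /dev/mapper, as on the page

    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$disk" ] || { echo "$disk is not a block device" >&2; return 1; }
    # RM=1 in lsblk marks a removable device (the RM column in the listing above)
    [ "$(lsblk -dno RM "$disk")" = 1 ] ||
        { echo "refusing: $disk is not a removable device" >&2; return 1; }
    [ "$(count_nonblank "$(lsblk -nro MOUNTPOINT "$disk")")" -eq 0 ] ||
        { echo "refusing: $disk has mounted filesystems" >&2; return 1; }

    part=$(partition_path "$disk" 1)

    shred -n 1 -v "$disk"                        # overwrite old data and headers
    sgdisk -Z "$disk"                            # fresh GPT (gdisk: o)
    sgdisk -n 1:0:0 -t 1:8300 "$disk"            # one partition filling the disk (gdisk: n, w)
    udevadm settle                               # wait for $part to appear

    cryptsetup luksFormat --type luks2 "$part"   # prompts for YES and the passphrase
    cryptsetup luksOpen "$part" "$mapper"        # prompts for the passphrase again
    mkfs.vfat -F 32 -n "$label" "/dev/mapper/$mapper"
    mkdir -p "$mnt" && mount "/dev/mapper/$mapper" "$mnt"
    echo "$part is open as /dev/mapper/$mapper and mounted on $mnt"
    echo "when done: umount $mnt && cryptsetup luksClose $mapper"
}
```

Usage: `make_luks_usb /dev/sda` after sourcing the file as root. The two refusals are the part worth keeping even if you type the commands by hand: check the RM column and the MOUNTPOINT column of lsblk before shred touches anything.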

Connecting an Encrypted USB Drive

Password request on the GNOME desktop (image: ../_images/crypted_usb_01.png).

GNOME notification once the drive is unlocked (image: ../_images/crypted_usb_02.png).

Dealing with the LUKS Passphrases

Look for the encrypted device(s); the TYPE column shows crypt for the opened LUKS mapping.

lsblk /dev/nvme0n1
  NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
  nvme0n1                                       259:0    0 238,5G  0 disk
  ├─nvme0n1p1                                   259:1    0   300M  0 part  /boot/efi
  └─nvme0n1p2                                   259:2    0 238,2G  0 part
    └─luks-408551ce-44cb-4dfa-ac3f-b68a2a43025f 254:0    0 238,2G  0 crypt /

Check the key slots (this is the LUKS1 luksDump format; a LUKS2 header lists the used slots under a Keyslots: section instead).

awk '/Key Slot/' <(cryptsetup luksDump /dev/nvme0n1p2)
  Key Slot 0: ENABLED
  Key Slot 1: ENABLED
  Key Slot 2: DISABLED
  Key Slot 3: DISABLED
  Key Slot 4: DISABLED
  Key Slot 5: DISABLED
  Key Slot 6: DISABLED
  Key Slot 7: DISABLED

Add a new key (prompts for an existing passphrase, then for the new one; it goes into the next free slot).

cryptsetup luksAddKey /dev/nvme0n1p2

Check the valid keys.

awk '/ENABLED/' <(cryptsetup luksDump /dev/nvme0n1p2)
  Key Slot 0: ENABLED
  Key Slot 1: ENABLED
  Key Slot 2: ENABLED

Remove a key. luksRemoveKey removes the slot whose passphrase you enter, ignoring --key-slot; to remove a slot by number use luksKillSlot (it asks for a passphrase of one of the remaining slots).

cryptsetup luksKillSlot /dev/nvme0n1p2 2
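A small key slot audit, added here as an example and not part of the original page. The awk one-liners above only match the LUKS1 header format; a LUKS2 header prints a Keyslots: section with one `N: luks2` entry per used slot. enabled_slots handles both, and kill_slot_safely refuses to remove the last enabled slot, since that would leave the volume permanently unreadable. The two sample dumps are constructed, with a placeholder UUID, and are not output from a real device.

```shell
#!/bin/sh
# Added example (not from the original page): key slot audit over
# `cryptsetup luksDump` output for LUKS1 and LUKS2 headers.

# enabled_slots DUMP_TEXT -> space-separated list of enabled slot numbers
enabled_slots() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); out = out $3 " " }  # LUKS1
        /^Keyslots:/ { in_ks = 1; next }                                    # LUKS2 section start
        /^[A-Z][^:]*:/ { in_ks = 0 }                                        # any other top-level section
        in_ks && /^  [0-9]+: / { sub(":", "", $1); out = out $1 " " }       # LUKS2 "  N: luks2"
        END { sub(/ $/, "", out); print out }'
}

# slot_count DUMP_TEXT -> number of enabled slots
slot_count() {
    set -- $(enabled_slots "$1")
    echo $#
}

# kill_slot_safely DEVICE SLOT -> remove SLOT only if another enabled slot remains
kill_slot_safely() {
    dump=$(cryptsetup luksDump "$1") || return 1
    case " $(enabled_slots "$dump") " in
        *" $2 "*) ;;
        *) echo "slot $2 is not enabled on $1" >&2; return 1 ;;
    esac
    if [ "$(slot_count "$dump")" -le 1 ]; then
        echo "refusing: slot $2 is the only enabled key slot on $1" >&2
        return 1
    fi
    cryptsetup luksKillSlot "$1" "$2"   # prompts for a passphrase of a remaining slot
}

# Constructed LUKS1 dump (trimmed to the relevant lines).
LUKS1_SAMPLE=$(cat <<'EOF'
LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
)

# Constructed LUKS2 dump: slots 0 and 2 used, slot 1 free.
LUKS2_SAMPLE=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          5
UUID:           PLACEHOLDER-UUID-0000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

printf 'LUKS1 sample: enabled slots [%s]\n' "$(enabled_slots "$LUKS1_SAMPLE")"
printf 'LUKS2 sample: enabled slots [%s]\n' "$(enabled_slots "$LUKS2_SAMPLE")"
```

The check that matters operationally is the count: a volume with a single enabled slot has no recovery path if that passphrase is lost, so audit it before removing anything, and run `kill_slot_safely /dev/nvme0n1p2 2` rather than the bare luksKillSlot when scripting.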