Create an encrypted file luks container

Today, we will create an encrypted file container that needs a key file to open.

First, we must create a file of the size we want. I created a 200GB file filled with random data:

dd if=/dev/urandom of=/mnt/example/ssd/encrypted.img bs=2M count=102400
...
214748364800 bytes (215 GB, 200 GiB) copied, 1896,49 s, 113 MB/s

Now create a key file, which is needed to open this container, again with random data. It can also be a file of any type: photo, document, video, movie…

dd if=/dev/urandom of=/mnt/example/ssd/secret.bin bs=1024 count=1
...
1024 bytes (1,0 kB, 1,0 KiB) copied, 0,000155504 s, 6,6 MB/s

Now format this file with LUKS. Make sure that your password is strong, and answer YES to the confirmation question:

cryptsetup luksFormat -v /mnt/example/ssd/encrypted.img /mnt/example/ssd/secret.bin

Now, we unlock this file:

sudo cryptsetup -v luksOpen /mnt/example/ssd/encrypted.img myEncryptedVolume --key-file /mnt/example/ssd/secret.bin

And check the status of this LUKS container:

sudo cryptsetup -v status myEncryptedVolume

/dev/mapper/myEncryptedVolume is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/loop24
  loop:    /mnt/example/ssd/encrypted.img
  sector size:  512
  offset:  32768 sectors
  size:    419397632 sectors
  mode:    read/write
Command successful.

And now, with the commands below, we close the container, open it again and create a filesystem on it. Then we mount it and copy files there 🙂

sudo cryptsetup luksClose myEncryptedVolume
sudo cryptsetup -v luksOpen /mnt/example/ssd/encrypted.img myEncryptedVolume --key-file /mnt/example/ssd/secret.bin
sudo cryptsetup -v status myEncryptedVolume
sudo mkfs -t ext4 /dev/mapper/myEncryptedVolume
sudo mkdir /home/privates
sudo mount /dev/mapper/myEncryptedVolume /home/privates
...copy files there...
sudo umount /home/privates
sudo cryptsetup luksClose myEncryptedVolume

And that's all 🙂
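
The key file in this procedure is written with the default umask and sits in the same directory as the container it unlocks. As an added example (not part of the original post), the shell functions below create the key file with owner-only permissions and audit an existing one; the function names and finding labels are made up for this example, and a stat that supports -c (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: create and audit a LUKS key file. Function names and the
# finding labels are hypothetical; GNU/BusyBox `stat -c` is assumed.

# make_keyfile PATH: 1024 random bytes (as in the post), readable by owner only.
make_keyfile() {
    (
        umask 077    # a newly created file gets mode 600, never 644
        dd if=/dev/urandom of="$1" bs=1024 count=1 2>/dev/null &&
            chmod 600 "$1"    # also tightens a file that already existed
    )
}

# audit_keyfile CONTAINER KEYFILE: print findings, return how many were found.
audit_keyfile() {
    container=$1 keyfile=$2 findings=0

    if [ ! -f "$keyfile" ]; then
        echo "MISSING: $keyfile is not a regular file"
        return 1
    fi

    # Any group/other permission bit lets another local account copy the key.
    mode=$(stat -c '%a' "$keyfile")
    case $mode in
        400|600) ;;
        *) echo "PERMS: $keyfile has mode $mode, expected 600 or 400"
           findings=$((findings + 1)) ;;
    esac

    # A key stored beside the container is copied or stolen together with it.
    cdir=$(cd "$(dirname "$container")" 2>/dev/null && pwd -P)
    kdir=$(cd "$(dirname "$keyfile")" && pwd -P)
    if [ -n "$cdir" ] && [ "$cdir" = "$kdir" ]; then
        echo "COLOCATED: key file and container are both in $cdir"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/container.img /path/to/keyfile
if [ "$#" -eq 2 ]; then
    audit_keyfile "$1" "$2"
fi
```

A return value of 0 means no findings; each finding is printed on its own line.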


Encrypted LVM partition on software raid-1 with mdadm

In another post, https://www.gonscak.sk/?p=201, I showed how to create a RAID 1 software array with mdadm in Linux. Now I tried to add an encrypted filesystem to it.

First, check that we have a working software RAID:

sudo mdadm --misc --detail /dev/md0

/dev/md0:
           Version : 1.2
     Creation Time : Wed Aug 22 09:34:23 2018
        Raid Level : raid1
        Array Size : 1953381440 (1862.89 GiB 2000.26 GB)
     Used Dev Size : 1953381440 (1862.89 GiB 2000.26 GB)
      Raid Devices : 2
     Total Devices : 2
       Persistence : Superblock is persistent
     Intent Bitmap : Internal
       Update Time : Thu Aug 23 14:18:50 2018
             State : active 
    Active Devices : 2
   Working Devices : 2
    Failed Devices : 0
     Spare Devices : 0
Consistency Policy : bitmap
              Name : gw36:0  (local to host gw36)
              UUID : ded4f30e:1cfb20cb:c10b843e:df19a8ff
            Events : 3481
    Number   Major   Minor   RaidDevice State
       0       8       17        0      active sync   /dev/sdb1
       1       8       33        1      active sync   /dev/sdc1

Now the drives are synced and clean, so it is time to encrypt. If the encryption modules are not loaded yet, load them:

modprobe dm-crypt

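Now create the volume with a passphrase. The aes-xts-plain mode used here derives the IV from a 32-bit sector number, which is enough for devices up to 2 TiB such as this 1862.89 GiB array; larger devices need aes-xts-plain64: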

sudo cryptsetup --cipher=aes-xts-plain --verify-passphrase --key-size=512 luksFormat /dev/md0

And we can open it:

sudo cryptsetup  luksOpen /dev/md0 cryptdisk

Now, as many times before, we can create a physical volume, a volume group and a logical volume:

sudo pvcreate /dev/mapper/cryptdisk
sudo vgcreate raid1 /dev/mapper/cryptdisk
sudo lvcreate --size 500G --name lv-home raid1

sudo pvs
  PV                     VG        Fmt  Attr PSize    PFree
  /dev/mapper/cryptdisk  raid1     lvm2 a--    <1,82t 1,33t
sudo vgs
  VG        #PV #LV #SN Attr   VSize    VFree
  raid1       1   1   0 wz--n-   <1,82t 1,33t
sudo lvs
  LV      VG        Attr       LSize
  lv-home raid1     -wi-ao---- 500,00g            

Next, we create a filesystem on this logical volume:

sudo mkfs.ext4 /dev/mapper/raid1-lv--home

And we can mount it:

sudo mount /dev/mapper/raid1-lv--home crypt-home/

Now we have an encrypted partition (disk) for our home directory.
