Cryptsetup, Luks, LVM | Cheatsheet¶

cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings.

These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.

In addition, cryptsetup provides limited support for the use of loop-AES volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes.

Installation¶

emerge

emerge --ask cryptsetup

I will use DRIVE="" fyi, change to your disk before you using any of the below commands, they are very powerful and will break your system if you doing it wrong! Be careful

`DISK` is entire HDD andm `1`,`2` and `3` is partition in this wiki¶

1 = `Grub`
2 = `Boot/Esp`
3 = `Root`
K = `KeyFile`
U = `USB Drive For Keep Our KEY!`
H = `Header Backup`
E = `External Encrypted Drive`

Variables For this page¶

DISKU="/dev/sda"
DISKE="/dev/sdb"
DISK1="/dev/nvme0n1"
DISK1_1="/dev/nvme0n1p3p1" 
DISK1_2="/dev/nvme0n1p3p2" 
DISK1_3="/dev/nvme0n1p3p3" 
DISK1_K="$(hostname)"
DISK1_H="$(hostname)_header_backup"

Generate 4096-bit random key file¶

dd if=/dev/urandom of=${DISK1_K} bs=8M count=1

Add a key file to next free key slot. This will prompt for a passphrase.¶

You can have up to 8 slots.

cryptsetup luksAddKey /dev/${DISK1} ${DISK1_K}

Add a key file to specific key slot, e.g slot 2¶

cryptsetup luksAddKey --key-slot 7 /dev/${DISK1_3} ${DISK1_K}.key

View key Slots¶

(use | grep Slot if needed)

cryptsetup luksDump ${DISK1_3}

Remove key from key slot. Enter pasphrase or specify key file to remove.¶

The slot will automatically be detected and slot key removed.

cryptsetup luksRemoveKey ${DISK1_3}
cryptsetup luksRemoveKey ${DISK1_3} ${DISK1_K}.key

Add password to a luks volume when we only have a keyfile¶

cryptsetup -d ${DISK1_K}.key luksAddKey ${DISK1_3}

Create header backup¶

cryptsetup luksHeaderBackup ${DISK1_3} --header-backup-file ${DISK1_H}.img

Encrypt entire drive¶

Of course you shouldn't use "key.key", "key.txt" or similar on your keyfile, use something else eg: "today's_recipe.txt" or "empty.log" or whatever. I will use mcdonalds.txt in this example as keyname.

cryptsetup -d ${DISK1_K}.key \
    --key-description mcdonalds.txt \
    --cipher twofish-xts-plain64 \
    --hash sha512 \
    --iter-time 5000 \
    --use-urandom luksFormat ${DISK1}

Decrypt and luksOpen our Drive With keyFile¶

cryptsetup -d ${DISK1_K}.key luksOpen /dev/sdc usb

View status of the map¶

cryptsetup -v status /dev/mapper/rootfs'

Zero the partition prior to formatting¶

dd if=/dev/zero of=/dev/mapper/${DISK1_VGName} status=progress

Urandomize the partition prior to formatting¶

dd if=/dev/urandom of=/dev/mapper/${DISK1_VGName} status=progress

Format LUKS and use ext4 filesystem¶

mkfs.ext4 /dev/mapper/${DISK1_VGName}

Decrypt and Mount¶

cryptsetup luksOpen ${DISK1_3} <choosen_name>
mount /dev/mapper/${DISK1_3} /mnt/<choosen_name>

Close and Unmount the LUKS partition¶

cryptsetup luksClose /dev/mapper/${DISK1_VGname}

BE REALLY CAREFUL IN THIS STEP

For the lazy cows, edit $DRIVE

#!/bin/bash
### Author: wuseman
### Encrypt and mount hdd

DRIVE=""/dev/nvme0n1p4"
KEY=".key_files/virtual-vmware.key"
PVNAME="/dev/mapper/vmware"
LVMDRIVE="/dev/mapper/virtual-vmware"
MOUNTPATH="/mnt/vmware"

mkdir ~/.key_files
dd if=/dev/urandom of=${KEY} bs=8M count=1

cryptsetup -d ${KEY} \
    --iter-time 5000 \
    --use-random \
    --cipher twofish-xts-plain64 \
    --hash sha512 luksFormat ${DRIVE}

cryptsetup -d ${KEY} \
    luksOpen ${DRIVE} vmware

pvcreate ${PVNAME}
vgcreate virtual  ${PVNAME}
lvcreate -l1100%FREE -nvmware virtual
mkfs.ext4 ${LVMDRIVE}
mkdir ${MOUNTPATH}
mount ${LVMDRIVE} ${MOUNTPATH}

Encrypt folder with luks2¶

Reference(s)

You can use dm-crypt for that. You need to create an empty file which will be used as a storage device. You can create one with a specific size with either dd or for example fallocate:

dd if=/dev/urandom of=pathName bs=1M count=1024

cryptsetup -d ${DISK1_K}.key \
    --key-description mcdonalds.txt \
    --cipher twofish-xts-plain64 \
    --hash sha512 \
    --iter-time 5000 \
    --use-urandom luksFormat pathName

This will create a 512 MB file in your home directory called cryptedDevice. Then you can set luks on top of that file cryptsetup -y luksFormat /home/user/cryptedDevice With Luks you can easily change size of the container etc.

To open the crypted file you can do

cryptsetup luksOpen /home/user/cryptedDevice pathName

Then you need to format this partition with a file system:

mkfs.ext4 -j /dev/mapper/pathName

And after that you can simply mount that device to a folder:

mount /dev/mapper/pathName /mnt/pathName

LUKS header on Linux¶

A forgotten password or passphrase may cause the LUKS decryption failure at boot time.

Currently, there is no way to recover LUKS passphrase. Sometimes sysadmin or user changes their LUKS password to an unknown value. Please note that LUKS currently allows a total of eight passphrase or key slots for encrypted disks. Linux sysadmin can use those keys or passphrases if created to reset the forgotten password. However, if a backup of the LUKS header exists, we can restore the header from backup and use a previously working passphrase/password.

List encrypted disks or volumes¶

dmsetup ls --target crypt

Backing up LUKS header¶

cryptsetup luksHeaderBackup /dev/DEVICE --header-backup-file /path/to/backupfile

Restoring LUKS header¶

cryptsetup luksHeaderRestore /dev/DEVICE --header-backup-file /path/to/backup_header_file

WARNING!
========
Device /dev/md1 already contains LUKS2 header. Replacing header will destroy existing keyslots.

Are you sure? (Type uppercase yes): YES

Now open the encrypted disk and mount it

You must provide old password. If you can't rememember old password your data is lost

mkdir /mnt/gentoo
cryptsetup luksOpen /dev/sdX3 rootfs
mount /dev/mapper/gentoo-rootfs /mnt/gentoo