Changes between Version 2 and Version 3 of luks


Timestamp:
Nov 15, 2007 4:01:34 PM (6 years ago)
Author:
dkg
Comment:

--

  • luks

    v2 v3  
    1111 
    1212When you want to use a LUKS-formatted volume, the computer you're using asks you for a passphrase (or a passphrase file).  It uses that passphrase with one of the scrambled passphrases to unscramble the secret key.  The key is then used to unscramble sections of the underlying block device as they are requested by the OS.  This is represented as a new virtual block device available to the system.  A regular filesystem can be written to the virtual block device, and the actual data stored on disk will be encrypted. 
     13 
     14== how to use LUKS == 
     15 
     16on [http://debian.org debian] systems, to put a layer of encryption over `/dev/sda1`, running an ext3 filesystem, it would look something like this: 
     17 
     18{{{ 
     190 root@lemur:~# aptitude install cryptsetup 
     200 root@lemur:~# cryptsetup luksFormat /dev/sda1  
     21 
     22WARNING! 
     23======== 
     24This will overwrite data on /dev/sda1 irrevocably. 
     25 
     26Are you sure? (Type uppercase yes): YES 
     27Enter LUKS passphrase:  
     28Verify passphrase:  
     29Command successful. 
     300 root@lemur:~# cryptsetup luksOpen /dev/sda1 mynewdisk 
     31Enter LUKS passphrase:  
     32key slot 0 unlocked. 
     33Command successful. 
     340 root@lemur:~# mkfs -t ext3 -q /dev/mapper/mynewdisk 
     350 root@lemur:~# mount /dev/mapper/mynewdisk /mnt 
     360 root@lemur:~#  
     37}}} 
     38 
     39When you're done with the disk, you unmount it and release the encryption: 
     40{{{ 
     410 root@lemur:~# umount /dev/mapper/mynewdisk 
     420 root@lemur:~# cryptsetup luksClose mynewdisk 
     430 root@lemur:~#  
     44}}} 
     45 
     46If you want regular access to an encrypted block device (might not make sense for a portable drive, for example), you can add entries in `/etc/crypttab` to prompt for keys at boot time.  Note that if you do this, you need to be at the computer (or have remote console access) when it boots, or it will wait forever for you to get to the console and put in the keys! 
    1347 
    1448== advantages of LUKS == 
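Review bot: the `/etc/crypttab` paragraph at v3 line 46 tells the reader to add entries but never shows one, so it is the only step in the new section that cannot be followed directly. Consider adding a sample line that matches the transcript above it, for example `mynewdisk /dev/sda1 none luks`, and stating that `none` in the key file field is what produces the boot-time passphrase prompt the paragraph warns about. Minor style point: the sentence at v3 line 16 begins with a lowercase "on".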
     
    2963 
    3064Once an encrypted block device is "!LuksOpen"ed on a computer, any process running as superuser on that computer has access to all the unencrypted data.  If you want individual files to be opaque to the system administrator, you probably should encrypt those files individually somewhere else before transferring the encrypted version to the computer in question. 
     65 
     66== other links == 
     67 
     68 * [http://www.freeotfe.org/ FreeOTFE] claims to be able to use LUKS volumes on windows. 
     69 * [https://www.debian-administration.org/articles/536 resizing encrpyted filesystems]
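Review bot: "encrpyted" in the link text at v3 line 69 is a typo for "encrypted". The FreeOTFE entry at v3 line 68 uses a plain `http://` URL while the other link uses `https://`; switch it to https if the site serves it, and capitalize "Windows" in the same line.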