installation - "Guided - use entire disk and set up encrypted LVM" LUKS or plain dm-crypt?

19
2014-04
  • user50910

    Does the alternate installer's "Guided - use entire disk and set up encrypted LVM" use LUKS or plain dm-crypt?

  • Answers
  • Lekensteyn

    The encryption uses LUKS with dm-crypt (not plain dm-crypt).

    Quoting http://code.google.com/p/cryptsetup/wiki/DMCrypt:

    The cryptsetup utility supports several modes. Plain mode is just the equivalent of direct configuration of the dmcrypt target with passphrase hashing but without on-disk metadata.

    LUKS (Linux Unified Key Setup) is now the preferred way to set up disk encryption with dm-crypt using the cryptsetup utility.

    It's more likely that Ubuntu uses the recommended and more secure way of disk encryption. Now, to verify this, read the contents of the disk (assuming that /dev/sda2 contains your encrypted partition):

    sudo dd if=/dev/sda2 bs=512 count=1 | xxd
    

    You'll see several options, such as the cipher being used and the ID of the encrypted partition.

    Side note: if you only have one partition to encrypt, I suggest you avoid LVM altogether and use LUKS only (which can be done with the manual partitioning method). This avoids the overhead of LVM, which you don't need for just a single partition. On the other hand, if you have multiple partitions to encrypt (/, /home, swap), LVM on top of LUKS is more convenient, as you have to enter your passphrase only once. (physical - LUKS - LVM - /home, /, swap, etc.)
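    The `dd ... | xxd` check above works because a LUKS volume starts with an on-disk header (magic bytes, version, cipher, hash, UUID, key slots) while plain dm-crypt writes no metadata at all. The following script is an added example, not code from the answer above or from the cryptsetup project: it decodes the LUKS1 header fields from the bytes that `dd` dumps, reports a LUKS2 header by version only, and returns nothing for header-less data. The sample header it parses is constructed in the script (the UUID and cipher values are made up), so it runs offline; on a real system you would feed it the output of the `dd` command instead.

```python
"""Added example: decode the LUKS1 header that
`sudo dd if=/dev/sda2 bs=512 count=1` dumps, to distinguish a LUKS volume
from plain dm-crypt (which has no header). Offsets follow the LUKS1
on-disk format; the sample header below is constructed, not captured."""
import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ACTIVE = 0x00AC71F3     # LUKS1 marker for an enabled key slot
KEYSLOT_DISABLED = 0x0000DEAD   # LUKS1 marker for a disabled key slot
LUKS1_HEADER_LEN = 592          # 208-byte fixed part + 8 key slots * 48 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks_header(data: bytes) -> Optional[dict]:
    """Return the readable LUKS metadata, or None if `data` is not LUKS.

    Random-looking bytes with no magic are exactly what a plain dm-crypt
    volume (or an unformatted disk) looks like at sector 0.
    """
    if len(data) < 208 or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", data[6:8])[0]
    if version != 1:
        # LUKS2 shares the magic but keeps its metadata in a JSON area after
        # the binary header; this example only decodes the LUKS1 layout.
        return {"version": version}
    cipher_name = _cstr(data[8:40])
    cipher_mode = _cstr(data[40:72])
    hash_spec = _cstr(data[72:104])
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    vol_uuid = _cstr(data[168:208])
    # Key slots start at offset 208; a 512-byte dd only covers the first seven.
    slots = []
    for i in range(8):
        off = 208 + i * 48
        if off + 4 > len(data):
            break
        active = struct.unpack(">I", data[off:off + 4])[0]
        slots.append(active == KEYSLOT_ACTIVE)
    return {
        "version": version,
        "cipher": f"{cipher_name}-{cipher_mode}",
        "hash": hash_spec,
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "uuid": vol_uuid,
        "active_keyslots": [i for i, a in enumerate(slots) if a],
    }


def build_sample_luks1_header(active_slots=(0,)) -> bytes:
    """Constructed sample: LUKS1 header, aes-xts-plain64, sha1, 512-bit key.

    The UUID is a placeholder, not a value from any real disk."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:76] = b"sha1"
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload offset, key bytes
    hdr[168:204] = b"12345678-1234-1234-1234-123456789abc"
    for i in range(8):
        marker = KEYSLOT_ACTIVE if i in active_slots else KEYSLOT_DISABLED
        struct.pack_into(">I", hdr, 208 + i * 48, marker)
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_luks_header(build_sample_luks1_header()))
    print(parse_luks_header(bytes(512)))   # None: no header, as with plain dm-crypt
```

    Feeding a real sector to `parse_luks_header` (for example `parse_luks_header(open("/dev/sda2", "rb").read(512))` as root) answers the question in the title directly: a dict with the cipher and UUID means LUKS; None means plain dm-crypt or no encryption at all.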

  • andol

    Yes, it sets up dm-crypt using LUKS.


  • Related Question

    encryption - How to configure LVM & LUKS to autodecrypt partition?
  • isoman

    I have recently installed Ubuntu Server 11.04 with full LVM encryption (installed from the setup). I wish now to use a key file to do automatic unlock. I have tried to follow this guide http://ubuntuforums.org/showthread.php?t=837416

    I generated a key with this command: sudo dd if=/dev/urandom of=/boot/grub/keyfile bs=1024 count=4

    I put it in /boot/grub because I think that it's not encrypted. When I try to add the key with this command sudo cryptsetup luksAddKey /dev/sdX /boot/grub/keyfile it asks me for the passphrase, and when I enter it nothing happens; nothing is printed to the screen! I ignore it and continue with the other steps and reboot, but nothing happens and it asks for the passphrase.

    Thanks for the help.


  • Related Answers
  • Randy Orrison

    I've just been through this on my new home server, it took a lot of googling and guessing, but I've got it working. I'll attempt to reproduce the steps here. I'm using Ubuntu Server 11.10, and started with a pretty much standard install using encrypted LVM, so I'll just relate the changes I made from there.

    Setup:

    • /dev/sda1 is my unencrypted /boot partition
    • /dev/sda5 is my LVM partition which contains everything else -- root, swap, and home
    • /dev/sdc1 is the partition on my USB flash drive where I'll store the keyfile

    First, I created a keyfile, just in my home directory:

    dd if=/dev/urandom of=keyfile bs=512 count=4
    

    (you can use a larger blocksize or count for a larger key)

    Tell cryptsetup the new key (it's the contents that are important, not the filename):

    sudo cryptsetup luksAddKey /dev/sda5 keyfile
    

    Then, I formatted my USB flash drive with ext2 and gave it a label. I used a label, so that later I can mount it by label, and replace the USB flash drive in case something goes wrong with it.

    sudo mkfs -t ext2 /dev/sdc1
    sudo e2label /dev/sdc1 KEYS
    

    (of course, your device will vary)

    Now, copy the keyfile to the USB flash drive, owned by root, mode 400:

    mkdir KEYS
    sudo mount /dev/sdc1 KEYS
    sudo cp keyfile KEYS
    sudo chown root KEYS/keyfile
    sudo chmod 400 KEYS/keyfile
    

    Modify /etc/crypttab. Mine originally contained

    sd5_crypt UUID=(...) none luks
    

    which I changed to

    sd5_crypt UUID=(...) /dev/disk/by-label/KEYS:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev
    

    Finally, update the initramfs:

    sudo update-initramfs -uv
    

    It now boots using the keyfile on the USB flash drive. If I remove the flash drive (say, when I go on holiday) it doesn't boot and my data is secure.

    If anyone knows how to get it to ask for the passphrase if the USB flash drive is missing, that would be handy as a fallback. Hope this helps, any additions or corrections would be more than welcome!

  • The New Guy

    These instructions from howtoforge.com got me up and running with an automatically decrypting volume.

    How to: Automatically Unlock LUKS Encrypted Drives With A Keyfile

    Step 1: Create a random keyfile

    sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
    

    Step 2: Make the keyfile read-only to root

    sudo chmod 0400 /root/keyfile
    

    That will make the keyfile readable only by root. If someone gets access to this keyfile, then you have a bigger problem on your computer anyway.

    Alternatively, chown your desired keyfile to root:root and move it into the /root folder.

    Step 3: Add the keyfile to LUKS

    LUKS/dm_crypt enabled devices may hold up to 10 different keyfiles/passwords. So, in addition to the already set up password, we're going to add this keyfile as an additional authorization method.

    sudo cryptsetup luksAddKey /dev/sdX /root/keyfile
    

    sdX is of course your LUKS device.

    First you'll be prompted to enter an (existing) password to unlock the drive. If everything works well, you should get output like this:

    Enter any LUKS passphrase:
    key slot 0 unlocked.
    Command successful.
    

    Step 4: Create a mapper

    LUKS devices need to create a mapper that can then be referenced in the fstab. Open /etc/crypttab

    sudo nano /etc/crypttab
    

    and then add a line like this:

    sdX_crypt      /dev/sdX  /root/keyfile  luks
    

    or you can use the UUID of the device:

    sdX_crypt      /dev/disk/by-uuid/247ad289-dbe5-4419-9965-e3cd30f0b080  /root/keyfile  luks
    

    sdX_crypt is the name of the mapper that is being created. You can use any name here, e.g. "music" or "movies" or "sfdsfawe" ...

    Save and close the file by issuing ctrl-x, enter, enter. Ctrl-x closes nano but first it asks to save the file [yes = enter] and what the name shall be [same name = enter].

    What we have actually done there is tell the system that /root/keyfile shall be used instead of password entry to unlock the drive.

    Step 5: Mount the device in fstab

    Now, we have an unlocked device (well, not yet but when the system is being booted up) and we just need to mount it now. Open /etc/fstab:

    sudo nano /etc/fstab
    

    and add a new entry like:

    /dev/mapper/sdX_crypt  /media/sdX     ext3    defaults        0       2
    

    Make sure you have the correct mapper name that you added in step 4. Also make sure that the mount point/folder exists. After having added it, save the file again and close it (ctrl-x, enter, enter).

    Step 6: Reboot or remount

    That's it. Now you can reboot and the additional devices should be auto-unlocked and mounted. You can also test it by remounting all devices:

    sudo mount -a
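    Both answers above, and the original question, come down to what goes into the four fields of an /etc/crypttab line: target name, source device, key file (or "none" to prompt), and a comma-separated option list such as luks or keyscript=. The script below is an added example, not code from either answer or from the cryptsetup package: it parses crypttab entries of the kinds shown on this page and flags the two pitfalls the thread runs into, a keyfile stored under the unencrypted /boot partition (readable by anyone who has the disk, which defeats the encryption) and a keyfile that is not restricted to mode 0400. It assumes, as in the setups described above, that /boot is a plain unencrypted partition, and that a keyscript ending in /passdev takes the device:path form shown in Randy Orrison's entry. The sample entries and UUIDs are constructed placeholders, and file modes are passed in rather than read from disk so the script runs anywhere.

```python
"""Added example: parse /etc/crypttab entries and flag weak keyfile choices.
Sample entries are constructed; UUIDs are placeholders, not real values."""
from typing import Optional

# Assumption (matches the setups on this page): /boot is a plain, unencrypted
# partition, so a keyfile stored there is readable without any passphrase.
UNENCRYPTED_PREFIXES = ("/boot/",)


def parse_crypttab_line(line: str) -> Optional[dict]:
    """Split one crypttab line into target, source, keyfile and options.

    A keyfile of "none" means prompt for a passphrase at boot. Options are
    returned as a dict: bare flags map to True, key=value pairs to the value.
    Comments and blank lines return None.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"crypttab line needs at least target and source: {line!r}")
    target, source = fields[0], fields[1]
    keyfile = fields[2] if len(fields) > 2 else "none"
    raw_opts = fields[3] if len(fields) > 3 else ""
    options = {}
    for opt in filter(None, raw_opts.split(",")):
        key, _, value = opt.partition("=")
        options[key] = value if value else True
    return {"target": target, "source": source, "keyfile": keyfile, "options": options}


def audit_entry(entry: dict, keyfile_mode: Optional[int] = None) -> list:
    """Return a list of warnings for one parsed entry.

    `keyfile_mode` is the keyfile's permission bits (st_mode & 0o777) if the
    caller has stat()ed it; the permission check is skipped when it is None.
    """
    warnings = []
    keyfile = entry["keyfile"]
    opts = entry["options"]
    if keyfile == "none":
        return warnings   # passphrase prompt at boot; no key stored on disk
    keyscript = opts.get("keyscript")
    if isinstance(keyscript, str) and keyscript.endswith("/passdev"):
        # passdev reads the key from a removable device: "<device>:<path>"
        parts = keyfile.split(":")
        if len(parts) < 2:
            warnings.append("passdev keyfile field must be <device>:<path>")
        elif not parts[1].startswith("/"):
            warnings.append("passdev path must be absolute on the key device")
        return warnings
    if keyfile.startswith(UNENCRYPTED_PREFIXES):
        warnings.append(f"keyfile {keyfile} lives on an unencrypted partition; "
                        "anyone holding the disk can read it and unlock the volume")
    if keyfile_mode is not None and keyfile_mode & 0o077:
        warnings.append(f"keyfile mode {keyfile_mode:04o} is readable by group/other; use 0400")
    return warnings


def audit_crypttab(text: str, modes: Optional[dict] = None) -> dict:
    """Audit every entry in `text`; `modes` maps keyfile path -> permission bits."""
    modes = modes or {}
    report = {}
    for line in text.splitlines():
        entry = parse_crypttab_line(line)
        if entry:
            report[entry["target"]] = audit_entry(entry, modes.get(entry["keyfile"]))
    return report


# Constructed sample crypttab mirroring the entries discussed on this page.
SAMPLE_CRYPTTAB = """\
# placeholder UUIDs, not values from a real system
sd5_crypt  UUID=00000000-0000-0000-0000-000000000001  none  luks
usb_crypt  UUID=00000000-0000-0000-0000-000000000002  /dev/disk/by-label/KEYS:/keyfile  luks,keyscript=/lib/cryptsetup/scripts/passdev
boot_crypt /dev/sdX  /boot/grub/keyfile  luks
root_crypt /dev/disk/by-uuid/00000000-0000-0000-0000-000000000003  /root/keyfile  luks
"""

if __name__ == "__main__":
    # /root/keyfile deliberately given a loose mode here to show the warning
    for target, warns in audit_crypttab(SAMPLE_CRYPTTAB, {"/root/keyfile": 0o644}).items():
        print(target, warns or "ok")
```

    Against the constructed sample, the passphrase entry and the passdev USB entry pass, the /boot/grub keyfile from the question is flagged as stored on an unencrypted partition, and /root/keyfile is flagged only because its mode was passed in as 0644; after the `chmod 0400` from step 2 it passes as well. To check a live system, read /etc/crypttab and pass `os.stat(path).st_mode & 0o777` for each keyfile as the `modes` mapping.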