Archive for May, 2011


As far as I know, there is no GUI tool to manage encryption keys. One may think that the key is static. Actually no: with the low-level command-line tool you can manage up to 8 keys.
For example, you can:

  • Have several strong passwords if you share your machine (1 per user)
  • Delete a key that has been compromised, etc.

The tool

cryptsetup uses the Linux Unified Key Setup (LUKS) format. Wikipedia provides a short LUKS introduction: http://en.wikipedia.org/wiki/LUKS
The man page and the --help option list all the options you may need: confirm that a block device is encrypted, add / remove keys, or dump / back up the data. It is very straightforward, and can be done online (no need to unmount the volume).

Adding a new key: luksAddKey

Example:
[root@vm14 ~]# cryptsetup isLuks /dev/vda2
[root@vm14 ~]# echo $?
0 [to confirm that vda2 is the LUKS device]
[root@vm14 ~]# cryptsetup luksAddKey /dev/vda2
Enter any passphrase: [enter any existing key first, to authenticate]
Enter new passphrase for key slot:
Verify passphrase:

… And this is it. Now there is another key that can decrypt the block device. You can use any existing passphrase to decrypt. You can of course delete a passphrase as well.
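To make the "up to 8 keys" point concrete, here is an added example (not code from the original post, and not part of cryptsetup itself) that does offline what `cryptsetup isLuks` and `luksDump` do against a device: it checks the LUKS magic and walks the 8 key slots of a LUKS1 header. The byte layout follows the LUKS1 on-disk specification (592-byte header, big-endian integers, 48 bytes per key slot); `build_sample_header` is a constructed header used only so the script runs without a real encrypted device, and the constants, function names and the `audit_key_slots` checks are mine. Reading the first 592 bytes of a real device (as root) in place of the sample gives the same report.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constants from the LUKS1 on-disk format specification (all integers big-endian).
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
NUM_KEY_SLOTS = 8
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic .. uuid: 208 bytes
SLOT_FMT = ">II32sII"  # active, iterations, salt, key-material offset, stripes: 48 bytes
PHDR_LEN = struct.calcsize(PHDR_FMT)     # 208
HEADER_LEN = PHDR_LEN + NUM_KEY_SLOTS * struct.calcsize(SLOT_FMT)  # 592


@dataclass
class KeySlot:
    index: int
    enabled: bool
    iterations: int
    key_material_offset: int  # in 512-byte sectors
    stripes: int


@dataclass
class LuksHeader:
    version: int
    cipher_name: str
    cipher_mode: str
    hash_spec: str
    payload_offset: int  # in 512-byte sectors
    key_bytes: int
    uuid: str
    slots: List[KeySlot]


def is_luks(data: bytes) -> bool:
    """Same check as `cryptsetup isLuks`: the LUKS magic at the start of the device."""
    return len(data) >= HEADER_LEN and data[:6] == LUKS_MAGIC


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(data: bytes) -> LuksHeader:
    if not is_luks(data):
        raise ValueError("not a LUKS header (bad magic or too short)")
    (_magic, version, cname, cmode, hspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, _mk_iters, uuid) = struct.unpack_from(PHDR_FMT, data, 0)
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(NUM_KEY_SLOTS):
        active, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, data, PHDR_LEN + i * struct.calcsize(SLOT_FMT))
        if active not in (LUKS_KEY_ENABLED, LUKS_KEY_DISABLED):
            raise ValueError(f"key slot {i}: unknown state marker {active:#010x}")
        slots.append(KeySlot(i, active == LUKS_KEY_ENABLED, iters, km_off, stripes))
    return LuksHeader(version, _cstr(cname), _cstr(cmode), _cstr(hspec),
                      payload_off, key_bytes, _cstr(uuid), slots)


def enabled_slots(hdr: LuksHeader) -> List[int]:
    return [s.index for s in hdr.slots if s.enabled]


def audit_key_slots(hdr: LuksHeader) -> List[str]:
    """Findings worth checking before adding or removing a key (my own checks)."""
    n = len(enabled_slots(hdr))
    findings = []
    if n == 0:
        findings.append("no enabled key slot: the volume can no longer be unlocked")
    elif n == 1:
        findings.append("only one key slot enabled: losing that passphrase loses the data; "
                        "add a second key before rotating or removing the first")
    if n == NUM_KEY_SLOTS:
        findings.append("all 8 key slots in use: luksAddKey will fail until one is removed")
    return findings


def build_sample_header(enabled=(0, 3)) -> bytes:
    """Constructed LUKS1 header for offline use (not read from a real device)."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                       4096, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                       b"00000000-0000-4000-8000-000000000000")
    slots = b""
    for i in range(NUM_KEY_SLOTS):
        on = i in enabled
        slots += struct.pack(SLOT_FMT, LUKS_KEY_ENABLED if on else LUKS_KEY_DISABLED,
                             250000 if on else 0, bytes([i]) * 32, 8 + i * 256, 4000)
    return phdr + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr.cipher_name, hdr.cipher_mode, "enabled slots:", enabled_slots(hdr))
    for finding in audit_key_slots(parse_luks1_header(build_sample_header((5,)))):
        print("WARNING:", finding)
```

The parser deliberately stops at the slot metadata: the salts, iteration counts and master-key digest are read but never used to derive anything, so the script can be run against a header backup without any passphrase. The two audit findings are the ones that bite in practice: a single enabled slot means a forgotten passphrase is unrecoverable, and eight enabled slots means the next `luksAddKey` has nowhere to go.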




Several years ago, my neighbour’s laptop got stolen. More than the monetary loss, he was affected by his private data going into the wild. Laptops can contain passwords, bank details and all other sorts of private data.

Since then, I have always encrypted my personal data. You probably do the same, unless you are the U.K. government or you want to tell us a Defcon story.

Software encryption solutions

All major Linux distributions should offer encryption at installation time.
On Fedora, cryptsetup is used. It is a device-mapper plugin and therefore works on the block device layer (it takes a block device that stores pseudo-random-looking data and presents another block device with readable data).

What to encrypt

Now comes a crucial question: what needs to be encrypted?
One may think that encrypting /home is safe enough, while keeping read/write performance for the rest of the drives. I prefer encrypting the whole tree (except for /boot, which is required to load the kernel & initramfs).
Think about it: /root, /etc, /tmp, /var and the swap may also contain sensitive data (passwords, private keys, pictures, etc.). To my mind, performance is secondary, and a patch adds multi-CPU support in kernel 2.6.38.
Therefore, I encrypt the full physical volume (the sda2 partition, for example).
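A quick way to verify the "everything but /boot" rule on a running machine is to walk the block device tree and flag any mounted filesystem or swap that does not sit on top of a dm-crypt device. The script below is an added example, not from the original post: it parses the key="value" output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (the PKNAME column is assumed to be available in your util-linux) and reports every mount whose storage path bypasses encryption. `SAMPLE_LSBLK` is constructed to mirror the layout described above (/boot on sda1, LVM root, /home and swap inside a LUKS container on sda2) plus a second, unencrypted disk; the function names are mine.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (not captured from a
# real machine): /boot in the clear on sda1, root, /home and swap as LVM volumes inside a
# LUKS container on sda2, and a second disk mounted with no encryption underneath it.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-sda2" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-sda2"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="luks-sda2"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-sda2"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/var/backups" PKNAME="sdb"
"""


def parse_lsblk_pairs(text: str) -> Dict[str, dict]:
    """Parse lsblk key="value" lines into {name: {type, mountpoint, parents}}.

    A device with several parents (e.g. an LVM volume spanning two PVs) is printed
    once per parent by lsblk, so parents are accumulated rather than overwritten.
    """
    devices: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        entry = devices.setdefault(fields["NAME"], {
            "type": fields["TYPE"], "mountpoint": fields["MOUNTPOINT"], "parents": []})
        if fields["PKNAME"]:
            entry["parents"].append(fields["PKNAME"])
    return devices


def is_encrypted(name: str, devices: Dict[str, dict], _seen: Tuple[str, ...] = ()) -> bool:
    """True if every path from this device down to physical storage crosses a crypt device."""
    dev = devices.get(name)
    if dev is None or name in _seen:  # unknown device or a cycle: assume the worst
        return False
    if dev["type"] == "crypt":
        return True
    parents = dev["parents"]
    return bool(parents) and all(is_encrypted(p, devices, _seen + (name,)) for p in parents)


def unencrypted_mounts(text: str, allowed: Tuple[str, ...] = ("/boot",)) -> List[Tuple[str, str]]:
    """Mounted filesystems and swap ([SWAP]) whose storage is not under dm-crypt."""
    devices = parse_lsblk_pairs(text)
    findings = []
    for name, dev in devices.items():
        mountpoint = dev["mountpoint"]
        if not mountpoint or mountpoint in allowed:
            continue
        if not is_encrypted(name, devices):
            findings.append((mountpoint, name))
    return sorted(findings)


if __name__ == "__main__":
    # On a live system, feed in the real output instead of SAMPLE_LSBLK, e.g.
    #   subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
    #                  capture_output=True, text=True).stdout
    for mountpoint, dev in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"{mountpoint} on {dev} is not encrypted")
```

Swap is included on purpose, since the post lists it among the places sensitive data ends up; with the sample layout only /var/backups on sdb1 is reported, because /boot is explicitly allowed and everything else descends from the crypt device.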

To come next

Introduction to LUKS: managing encryption keys


Hello world!

Welcome to WordPress.com. After you read this, you should delete and write your own post, with a new title above. Or hit Add New on the left (of the admin dashboard) to start a fresh post.

Here are some suggestions for your first post.

  1. You can find new ideas for what to blog about by reading the Daily Post.
  2. Add PressThis to your browser. It creates a new blog post for you about any interesting page you read on the web.
  3. Make some changes to this page, and then hit preview on the right. You can always preview any post or edit it before you share it to the world.
