Archive for the ‘Security’ Category


How would you feel in your external hard drive disappeared. Think about it : all data available to anyone. Encrypt it!
Now modern Linux distribution makes it so easy you do not have any excuses.
Note : Unfortunately, the method is probably not portable (I actually never tried)

How To

Insert the drive and get its /dev file. In the example below, it is going to be /dev/sdb2. Currently, there is nothing on this partition.

  1. Create the LUKS header, with a password
    # cryptsetup luksFormat /dev/sdb2

    This will overwrite data on /dev/sdb2 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:

  2. Open the device, I am calling the decrypted block device external (/dev/mapper/external), but it can be any name
    # cryptsetup luksOpen /dev/sdb2 external
    Enter passphrase for /dev/sdb2:
  3. Put some filesystem on that (ext4 in my case)
    # mkfs.ext4 /dev/mapper/external
    mke2fs 1.41.14 (22-Dec-2010)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    10870784 inodes, 43452678 blocks
    2172633 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=4294967296
    1327 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872

    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 20 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.

  4. Close the connection, for a clean unplug
    # cryptsetup luksClose  /dev/mapper/external
  5. Then unplug the device. Replug it, and magically, a password will be asked in order to mouint it! (works on my Fedora15 + KDE)
  6. Read Full Post »


As far as I know, there is no GUI tool to manage encryption keys. One may think that it is static. Actually no, if you go by the low level command line tool, you can manage up to 8 keys.
For example, you can :

  • Have several strong passwords if you share your machine (1 per user)
  • Delete a key that has been compromised, etc.

The tool

crypsetup uses the Linux Unified Key Setup (LUKS) format. Wikipedia will provide a short LUKS introduction : http://en.wikipedia.org/wiki/LUKS
The man page, and the –help option will provide all the options you may need : confirm that a block is encrypted, add / remove keys, or dump / backup the data. Is very straightforward, and can be done online (no need to unmount the volume).

Adding a new key : luksAddKey

Example :
[root@vm14 ~]# cryptsetup isLuks /dev/vda2
[root@vm14 ~]# echo $?
0 [to confirm that vda2 is the LUKS device]
[root@vm14 ~]# cryptsetup luksAddKey /dev/vda2
Enter any passphrase: [enter any existing key first, to authenticate]
Enter new passphrase for key slot:
Verify passphrase:

… And this is it. Now there is another key that can decrypt the block device. You can use any existing passphrase to decrypt. You can of course delete passphrase as well.

Read Full Post »


Several years ago, my neighbour’s laptop got stolen. More than the monetary loss, he was affected by his private data going in the wild. Laptops can contain password, bank details and all other sorts of private data.

Since then, I always encrypted my personal data. You probably do the same, unless you are the U.K.  government or you want to tell us a Defcon story.

Software encryption solutions

All major Linux distributions should offer encryption from installation.
On Fedora, cryptsetup is being used. It’s a device-mapper plugin and therefore works on the block device layer (it takes a block device to store speudo-random data and presents another block device with readable data).

What to encrypt

Now comes a crucial question : what needs to be encrypted ?
One can think that encrypting /home is safe enough, while keeping read/write performance for the rest of the drives. I do prefer encrypting the whole tree (except from /boot, required for getting the kernel & initramfs).
Think about it : /root, /etc, /tmp, /var, the swap, may also contain sensitive data (passwords, private keys, pictures, etc.). To my mind, performance is secondary, and a patch adds multi-CPU support in kernel 2.6.38.
Therefore, I encrypt the full physical volume (the sda2 partition for example).

To come next

Introduction to LUKS. managing encryption keys

Read Full Post »