Teknik Mengenkripsi Harddisk
Having used your computer for decades, your hard disk is full of personal data. And being a careful person you have a lot of backups, probably dating back till the eighties. What if somebody got a hold of them? Say by stealing your PC. Or maybe you have confidential data on your laptop, e.g. unanonymized data of a clinical trail Or maybe you sometimes enter your credit card number to order something in your browser which saves it on disk to help you entering that form the next time you want to order something. Either way you have to protect your data. That’s why you update your software and use a password for your user account. But that does not help you if somebody was to steal your hard disk. Unless of course you have encrypted it.
LUKS is a hard disk encryption standard for Linux, defining an on-disk-format for encrypted partitions. It uses a two level encryption and thus combines safety and comfort, meaning that you can use a reasonable long password and don’t have to remember 256 bits, i.e. 42 characters. Two level encryption means, that the password you specify is not used to encrypt your hard disk but instead encrypts the key that encrypts your hard disk. If you want details check out the paper TKS1 - An anti-forensic, two level, and iterated key setup scheme.
LUKS uses the kernel device mappers dm-crypt for actual encryption. dm-crypt is really hard to set up by hand and somewhat uncomfortable, that is why cryptsetup was created. It makes handling encrypted file systems as natural as mounting them.
Creating an Encrypted File System
Creating a LUKS encrypted file system on an existing partition is really simple. Just install the cryptsetup package and run the following command as root (assuming you want to create an encrypted ext4 file system on /dev/sda6).
Please don’t just run any commands you find here if you do not fully understand what they do, or they will erase your data.
% luksformat -t ext4 /dev/sda6
You will be prompted for a password three times, but don’t worry about that now, you can change it later. With LUKS you can even specify more than one password.
You don’t have to use luksformat to create an encrypted file system but it’s quite convenient. However, here are the commands luksformat calls:
% cryptsetup luksFormat /dev/sda6 % cryptsetup luksOpen /dev/sda6 crypt-part % mkfs -t ext4 /dev/mapper/crypt-part % cryptsetup luksClose crypt-part
Now, you have an encrypted file system on /dev/sda6. If you want to open it you have to give it a name, crypt-part in this case, with which you access it in /dev/mapper/. (See the man page for detailed information on all cryptsetup actions.
You can mount and unmount it with similar commands as above
% cryptsetup luksOpen /dev/sda6 crypt-part % mount /dev/mapper/crypt-part /mnt/crypt-part ... % umount /mnt/crypt-part % cryptsetup luksClose crypt-part
If you are paranoid you may want overwrite your partition with random bytes before encrypting it. But be warned, there is no fast way to do that (it’s around 5 MB/s on my computer). What I did instead was writing zeros in a file on the encrypted file system until the partition was full. That is a lot faster and I guess quite secure too (please correct me if I’m wrong, I’m no expert and did not analyse the result). Anyway, you want to make sure, that you do not have anything unencrypted on that partition, else your encryption might have been in vain.
Mounting on Boot
You probably don’t want to mount your partition manually after every reboot but want it to be mounted on boot automatically. For that you can use /etc/crypttab. It works just like /etc/fstab, it just does not mount your partitions but unlocks and opens them:
#target name source device key file options crypt-swap /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,hash=sha256,size=256 crypt-part /dev/sda6 none luks
The third line results in running cryptsetup luksOpen /dev/sda6 crypt-part on boot prompting for you to enter your password. The second line does not use LUKS but encrypts your swap partition using a random key (again assuming that your swap partition is /dev/sda1). Be really careful here, because the swap option will cause mkswap /dev/mapper/crypt-swap to be run on every boot which overwrites /dev/sda1. By the way: Using a random key here will break hibernation, which might not be what you want, but there are ways around it (see below).
What is left to do is to put the changes to /etc/fstab:
# file system mount point type options /dev/mapper/crypt-part /mnt/crypt-part ext4 defaults /dev/mapper/crypt-swap none swap sw
Adding and Changing Passwords
LUKS allows for up to eight passwords and saves them in slots. You can add or remove a password (or a key file by specifying it as second parameter to the luksAddKey action) by running the first or the second line of the following code respectively:
% cryptsetup luksAddKey /dev/sda6 % cryptsetup luksKillSlot /dev/sda6 <key slot number>
If you want to change your password, you will have to add the new one first and then delete the old one.
Using Multiple Encrypted File Systems
You can use multiple encrypted partition, but you will have to enter a password for every partition on boot if you just do it like it is described above. If you do not want that, you can use a key script to derive a key from another encrypted partition. To do that, you first have to add this derived key as a new key to your LUKS partition. Let’s say you want to add such a key to /dev/sda7 (which you already created) derived from crypt-part. You just cryptsetup luksOpen crypt-part and run
% /lib/cryptsetup/scripts/decrypt_derived crypt-part > /mnt/crypt-part/key-file % cryptsetup luksAddKey /dev/sda7 /mnt/crypt-part/key-file
Be sure, that nobody else can read key-file and delete it afterwards. Now tell /etc/crypttab to open /dev/sda7 using the key script:
#target name source device key file options crypt-swap /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,hash=sha256,size=256 crypt-part /dev/sda6 none luks crypt-part2 /dev/sda7 crypt-part luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
Now you will be asked for a password to open your encrypted partitions only once when you boot. If you want to use hibernation again, just use the same method for your swap drive.
Sure, using encrypted partitions will decrease performance, but not really that much considered to the added security it provides. And you don’t have to encrypt every partition. In my case I just encrypted /var, /home and some other partitions containing personal data. I did not encrypt the root file system (but I think I will do it eventually), /usr, /opt and use a ram based /tmp and I do not feel a performance drop on my Core 2 Duo E4500.