Linux and USB Full Disk Encryption
Written on 2018-02-24
With the new Notifiable Data Breaches scheme coming into effect as of the 22nd February 2018, I started looking at what options were available to have full disk encryption on the one thing that we all lose most often - USB drives.
The thought was to make them as easy to use in the normal workflow as any other drive, but useless if plugged into an unauthorised system.
So, this is what I came up with.
Firstly, create a place to put the keys, and then create a new key file - we're going to go with a 4096 byte key - which is massive, but you're going to store it in a 4 KB block on a disk anyway - so eh. We need to do all this as root, so don't forget that part!

# mkdir /etc/luks-keys/
# chmod 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/new-key-file bs=1 count=4096

Now plug in your USB key and see what it comes up as... In this example, mine is /dev/sdc1. Create the LUKS container:
# cryptsetup luksFormat /dev/sdc1 /etc/luks-keys/new-key-file

Next up, we want to grab the UUID of the new LUKS container. I'm going to use the example UUID of fea52a1b-9e8d-4144-af33-1a7f05371ead - so remember to replace this with the one you get from the below command.

# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 33
MK salt:        11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF
                11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE DD
MK iterations:  373000
UUID:           fea52a1b-9e8d-4144-af33-1a7f05371ead

Key Slot 0: ENABLED
        Iterations:             3827459
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                                ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Rename the key file we created this with to match the UUID, and make sure the world can't read it:

# mv /etc/luks-keys/new-key-file /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
# chmod 400 /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead

Set up a udev rule to run a script each time we plug in a drive. If we have a drive that matches the UUID of a key file we have, we'll run a script to auto-open it. Plonk this as /etc/udev/rules.d/auto-mount.rules:
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}=="crypto", RUN+="/usr/local/bin/auto-mount.sh"

Then we set up our script that udev fires to check our device. udev passes the device node as DEVNAME and the filesystem UUID as ID_FS_UUID in the environment. Throw this as /usr/local/bin/auto-mount.sh:

#!/bin/bash
# Look for a key file named after the UUID of the partition that was just plugged in.
if [ -f "/etc/luks-keys/${ID_FS_UUID}" ]; then
    logger "Key found for ${ID_FS_UUID}. Unlocking device"
    /usr/sbin/cryptsetup --key-file "/etc/luks-keys/${ID_FS_UUID}" open "${DEVNAME}" "luks-${ID_FS_UUID}"
else
    logger "No key found for ${ID_FS_UUID}. Not decrypting"
fi

Unplug your drive, plug it back in again and you should see your open, encrypted drive listed under /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead. Create your filesystem - in this case I used btrfs:
# mkfs.btrfs -L "Encrypted Filesystem" /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead

That should be just about it. You can mount your filesystem and away you go. Your normal file manager should be able to mount / unmount the filesystem - but it may not be able to close the encrypted volume off. To do this, drop to a root shell and close it off:

# cryptsetup close luks-fea52a1b-9e8d-4144-af33-1a7f05371ead

Happy Encrypting!
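Because the auto-mount script builds a path under /etc/luks-keys from ID_FS_UUID, which udev reads off the plugged-in device, it is worth checking that the UUID is well-formed and that the key file it names is still mode 0400 before handing it to cryptsetup. The helper below is an added example, not code from the original post: it pulls the UUID out of luksDump output and runs those checks. The key directory defaults to the post's /etc/luks-keys (overridable via KEY_DIR for testing), and the luksDump text is a constructed sample.

```shell
#!/bin/sh
# Added helper, not from the original post. Extracts the UUID from
# `cryptsetup luksDump` output and checks that a key file for it exists
# under KEY_DIR with the permissions the post sets (0400).
KEY_DIR="${KEY_DIR:-/etc/luks-keys}"   # assumption: the post's key directory

# Constructed sample of luksDump output, shaped like the post's example.
SAMPLE_DUMP='LUKS header information for /dev/sdc1
Version:        1
Cipher name:    aes
UUID:           fea52a1b-9e8d-4144-af33-1a7f05371ead
Key Slot 0: ENABLED'

# Print the UUID from luksDump text supplied on stdin (nothing if absent).
luks_uuid_from_dump() {
    awk '$1 == "UUID:" { print $2; exit }'
}

# Succeed only for a lowercase 8-4-4-4-12 hex UUID. Anything else must not
# be joined onto KEY_DIR, because ID_FS_UUID is read from the device itself.
is_valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the key file path for a UUID when the file exists and is exactly
# mode 0400; otherwise log the reason to stderr and return 1.
key_file_for() {
    uuid="$1"
    if ! is_valid_uuid "$uuid"; then
        echo "rejecting malformed UUID: $uuid" >&2; return 1
    fi
    f="$KEY_DIR/$uuid"
    if [ ! -f "$f" ]; then
        echo "no key file for $uuid" >&2; return 1
    fi
    # -perm 0400 is an exact match, so any group/world bit makes this fail.
    if [ -z "$(find "$f" -prune -perm 0400 2>/dev/null)" ]; then
        echo "key file $f is not mode 0400" >&2; return 1
    fi
    printf '%s\n' "$f"
}
```

In the udev script, calling key_file_for "$ID_FS_UUID" and only invoking cryptsetup when it succeeds keeps a malformed or world-readable key file from being used silently.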