How To Add an Internal Encrypted Drive

This article explains how to add a new encrypted disk to an already-running Ubuntu or Debian Linux server.

WARNING: Do not copy and paste these commands! They must be edited for your particular hardware, otherwise they can be destructive. This example is for educational purposes only.

Use at your own risk. This example assumes you already have an encrypted /etc/ directory, suitable for storing the keys of other disks. If you want to have your new internal disk pass-phrase protected, this example will not work.

# This is not a script!  Don't run it blindly!
echo "This is not a script."
exit 42

# When you add a new disk, partition it like usual.  Then set
# MYDEVICE to the device name you want to encrypt (without
# the leading /dev/, so just "sdc1" or "sde2").

# For /dev/sdb1:
MYDEVICE="sdb1"

# Following the Ubuntu installer's convention:
MYMAPPEDNAME="${MYDEVICE}_crypt"

####
# Before formatting, fill the new disk with randomness.
# From http://en.gentoo-wiki.com/wiki/Secure_deletion

# Confirm /dev/$MYDEVICE is the correct disk partition:
echo "WARNING: Be careful!  Whatever is on /dev/$MYDEVICE"
echo "will be permanently, irrevocably erased!  Seriously!"

# Last chance!  Triple-check that /dev/$MYDEVICE is your
# new disk partition.  You have been warned.

cryptsetup create random_sdx /dev/$MYDEVICE -d /dev/urandom
dd if=/dev/zero of=/dev/mapper/random_sdx bs=1M   # Wait a few hours
# /dev/$MYDEVICE is now fried.  You were warned.
cryptsetup remove random_sdx
#
####

# Now format it as a LUKS partition, and give it a passphrase.  (We will add the --key-file after this.)
cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 --verify-passphrase luksFormat /dev/$MYDEVICE

MYKEY="${MYMAPPEDNAME}_key"
# Create the (random) 256-bit key file.  256 bits = 32 bytes.
# (Note: a single read from /dev/random may return fewer than 32 bytes,
# so dd with count=1 can silently write a short key.  Use /dev/urandom.)
dd if=/dev/urandom of=/etc/keys/$MYKEY bs=32 count=1
chmod 400 /etc/keys/$MYKEY

# Add the --key-file as an additional key, for automatic unlocking:
cryptsetup luksAddKey /dev/$MYDEVICE /etc/keys/$MYKEY

# Add this new disk (and key path) to /etc/crypttab:
UUID=$(cryptsetup luksUUID /dev/$MYDEVICE)
echo "
# <target device>   <source device>   <key file>   <options>
$MYMAPPEDNAME  /dev/disk/by-uuid/$UUID  /etc/keys/$MYKEY  luks
" >> /etc/crypttab

# Re-map all encrypted disks, using the key files listed in /etc/crypttab
/etc/init.d/cryptdisks restart

# Now you should have /dev/mapper/$MYMAPPEDNAME, an unformatted block device.
# Format it.

# Good options for a big fixed drive:
mkfs.ext4 -j -m 1 /dev/mapper/$MYMAPPEDNAME

# Now /dev/mapper/$MYMAPPEDNAME can be mounted and used.

# For a fixed disk, have the disk mount automatically
# at boot.  (Note, this configuration assumes /etc/
# is on an encrypted partition.  Storing any keyfile
# on an unencrypted disk breaks the security!)

# See the UUID of your new filesystem partition:
blkid /dev/mapper/$MYMAPPEDNAME
#/dev/mapper/sdb1_crypt: UUID="16b87d58-1e46-41d8-8a33-e2f614db2ee0" TYPE="ext4"

#
# Finally, edit your /etc/fstab for the correct mountpoint, filesystem type, UUID, and options.
#
nano /etc/fstab   # Edit to your environment.
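Before rebooting, it is worth verifying the two things this procedure depends on: that the key file really is 32 bytes and unreadable by other users, and that the /etc/crypttab line is well formed. The functions below are an added example, not part of the original article; they take paths as parameters so they can be run against a scratch directory, and the key file names and the sample crypttab lines in the comments are constructed placeholders. They assume GNU stat (Linux).

```shell
#!/bin/sh
# Added example: sanity checks for the key file and crypttab entry.
# KEYFILE paths and the sample crypttab lines are constructed, not
# taken from a real system.  Assumes GNU coreutils (stat -c).

# Return 0 if the key file is exactly $2 bytes (default 32) and has
# mode 400 or 600.  This catches the short-read problem described
# above (a key of fewer than 32 bytes) and a forgotten chmod.
check_keyfile() {
    keyfile=$1; want=${2:-32}
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile")
    [ "$size" -eq "$want" ] || return 1
    mode=$(stat -c %a "$keyfile")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a 32-byte key with head -c (which never returns short on
# /dev/urandom), created with a restrictive umask so there is no window
# in which the key is world-readable, then verify it.
make_keyfile() {
    keyfile=$1
    ( umask 077 && head -c 32 /dev/urandom > "$keyfile" ) || return 1
    chmod 400 "$keyfile" || return 1
    check_keyfile "$keyfile" 32
}

# Return 0 if a crypttab line has exactly four fields, a
# /dev/disk/by-uuid/ source (device names like sdb1 can change between
# boots), an absolute key-file path, and the "luks" option.
# Example of an accepted line (constructed UUID):
#   sdb1_crypt /dev/disk/by-uuid/00000000-0000-0000-0000-000000000000 /etc/keys/sdb1_crypt_key luks
check_crypttab_line() {
    set -- $1                    # split the line into its fields
    [ $# -eq 4 ] || return 1
    case "$2" in /dev/disk/by-uuid/*) ;; *) return 1 ;; esac
    case "$3" in /*) ;; *) return 1 ;; esac
    case ",$4," in *,luks,*) ;; *) return 1 ;; esac
    return 0
}
```

Run `check_keyfile /etc/keys/$MYKEY` and feed the new line from /etc/crypttab to `check_crypttab_line` before the restart on an installed system.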
