in Blog-en, IT-en

Adding an encrypted drive in Debian using LUKS and LVM

This article details how to add an additional drive to an existing encrypted installation (using LVM over LUKS, see https://julien.coubronne.net/wp-admin/post.php?post=478)

Prepare your disk

First you need to identify which disk you want to add:

sudo fdisk -l

or

sudo lsblk

Let’s say I want to encrypt the disk “sdc”. It should have a primary partition to work with (sdc1). You could in theory encrypt the whole disk without a partition, but partitions have the positive effect of declaring that the disk is in use (and what type of partition it is). This limits the risk of confusion and errors when handling disks (for instance some programs may think the disk is unused).

Delete everything on the disk

It is sometimes recommended, if the drive has been used before, to wipe the entire disk before creating the LUKS container in order to remove any trace of old file systems and data. I could not find a clear case where not having done so could be leveraged (except from: “For example, some users have managed to run e2fsck on a partition containing a LUKS container, possibly because of residual ext2 superblocks from an earlier use. This can do arbitrary damage up to complete and permanent loss of all data in the LUKS container“).

Of course, if the LUKS container created does not occupy the whole disk, then clearly you could access the information that was once there (on the un-encrypted part of the disk). Hence it seems justified to do it everytime.

However, a fair warning:

  • Wiping the whole disk may take a lot of time
  • Wiping the whole disk usually involves writing on every sector of the disk, which in some cases where the disk is already “weak”, it could trigger its “death”. I’ve lost a 2 TB disk like so. (we could even say that this was a “good” thing, in the sense that the disk failed before I put my trust on it)

There are different ways to “wipe” disks in linux: wiping with zeros (which seems sufficient against all attacks that don’t use specialized hardware such as an electron microscope). You can also use random data and several passes, but then it takes much longer.

dd if=/dev/zero bs=1024 of=/dev/sdc

Note on “bs” size: depending on your disk, changing the bs size may result in faster speed. You may try to launch the command several times with different sizes (you launch the command and then stop after awhile, it shows you the speed).

Create a partition table

We’ll create a primary partition for the whole disk with:

sudo fdisk /dev/sdc
Command (m for help): n
 Partition type
 p   primary (0 primary, 0 extended, 4 free)
 e   extended (container for logical partitions)
 Select (default p):

Using default response p.
 Partition number (1-4, default 1):
 First sector (2048-976773167, default 2048):
 Last sector, +sectors or +size{K,M,G,T,P} (2048-976773167, default 976773167):

Created a new partition 1 of type 'Linux' and of size 465,8 GiB.

Command (m for help): w
 The partition table has been altered.
 Calling ioctl() to re-read partition table.
 Syncing disks

You can see here that I used “n” to create a new partition (you may have to create first a GPT partition file if your disk size is >2 Tb), then hit “enter” to keep the default value proposed (in this case: primary partition, number 1, whole disk). Don’t forget to write the changes (“w”) before leaving the fdisk prompt.

You now have a working /dev/sdc1 ready to be crypted.

Create the encrypted volume

We will now use cryptsetup to create an encrypted volume on the partition we just created.

sudo cryptsetup luksFormat /dev/sdc1

It will ask for a passphrase. I would advise to use a “real” passphrase, even if afterwards we’ll be using a key file (so that in the event you loose one of them, you may still access your volumes). Of course, uses a strong passphrase.

Create a key file

The use of a key file will allow us to auto-mount the encrypted volume without typing the passphrase. This is usefull if you have several additional encrypted disks in a system (a NAS for example) which is already encrypted (i.e?, on boot: I type the passphrase for the base system, which then uses the different key files to mount each encrypted drives). This could also be used with an USB key (the drives would only mount if the key is present). The key files need to be stored in a safe place! (i.e. an USB key that is physically secured, or another encrypted drive).

sudo dd if=/dev/urandom of=/etc/keys/sdc1.luks bs=4k count=1

Once finished, attribute the key file to the volume:

sudo cryptsetup luksAddKey /dev/sdc1 /etc/keys/sdc1.luks

You can now open the volume with the key file

sudo cryptsetup --key-file /etc/keys/sdc1.luks luksOpen /dev/sdc1 sdc1_crypt

LVM

Using LVM on top of LUKS may not be necessary according to your needs. In this case, it’s a bit redundant as the scheme is: one “disk” volume = one LVM physical volume = one LVM virtual group = one LVM logical volume.

However, you could have a situation where you would want to create several partition on this drive, or where you would like to use two different drives in the same LVM VG.

If you want to use LVM with your volume, you can use the following commands. Otherwise, jump to “create a file system”.

Create the PV

sudo pvcreate /dev/mapper/sdb1_crypt

Create the VG

vgcreate 1Tera01-vg /dev/mapper/sdb1_crypt

Create the LV

sudo lvcreate -l 100%FREE -n data01 /dev/1Tera01-vg

Create a file system

Adapt here the path to your own situation.

sudo mkfs.ext4 /dev/1Tera01-vg/data01

Create a mounting point

sudo mkdir /mnt/data01

Mount the file system

sudo mount /dev/1Tera01-vg/data01 /mnt/data01

Automatise the mounting process

You can identify the right disks by UUID with:

~$ sudo blkid
/dev/mapper/sda5_crypt: UUID="CV4mwk-QYWt-UfLq-zMzN-TVYD-uqvH-6Fnglw" TYPE="LVM2_member"
/dev/mapper/debianas--vg-root: UUID="7872de5d-e2f6-4144-a108-3e1269b816fd" TYPE="ext4"
/dev/sda1: UUID="a37efce5-702b-4df7-8238-6f9f7c28c0a1" TYPE="ext2" PARTUUID="7df34db4-01"
/dev/sda5: UUID="68968090-9ee4-475e-874a-5226f5ef3997" TYPE="crypto_LUKS" PARTUUID="7df34db4-05"
/dev/sdb1: UUID="c01be27a-91ed-4b3b-b13a-bd70102a8989" TYPE="crypto_LUKS" PARTUUID="0005bc20-01"
/dev/sdc1: LABEL="WDGreen1To" UUID="67f42084-c46d-49b0-9635-2e7796726531" TYPE="ext4" PARTUUID="0c006e98-e980-4314-baa5-62f3037bb1bc"
/dev/sde1: LABEL="WDBlue500Go" UUID="96324882-452f-4c1e-a361-fef72c9a91e9" TYPE="ext4" PARTUUID="00056907-01"
/dev/sdd1: LABEL="Samsung500Go" UUID="b0d159a0-b862-4b4a-8d4b-68be9f61e9cd" TYPE="ext4" PARTUUID="000b2662-01"
/dev/mapper/debianas--vg-swap_1: UUID="902f2a00-d25e-4e5a-b40b-f0f64ab0d3a8" TYPE="swap"
/dev/mapper/debianas--vg-home: UUID="a8cfd166-a104-460f-ab46-d8c2ef0fcc54" TYPE="ext4"
/dev/mapper/sdb1_crypt: UUID="kU4q5Q-HTGZ-lo6Z-ia5D-15Qd-NfeZ-yL0Ecc" TYPE="LVM2_member"
/dev/mapper/1Tera01--vg-data01: UUID="9f99efbb-b967-4fc1-83a0-7277f8922360" TYPE="ext4"

In /etc/crypttab

sdc1_crypt UUID="67f42084-c46d-49b0-9635-2e7796726531" /etc/keys/sdc1.luks luks

This tells cryptsetup to create the cryptographic volume sdc1_crypt from the base device /dev/sdc1 (identified by its UUID, see above), using the key file created above (and stored in /etc/keys), and letting it know that it’s dealing with a LUKS volume.

In /etc/fstab

/dev/mapper/1Tera01--vg-data01 /mnt/data01 ext4 defaults

This tells fstab to mount the logical volume “data01”, which belongs to the virtual group “1Tera01-vg” [note: which itself exists on the physical volume “/dev/mapper/sdb1_crypt”] to the mount point “/mnt/data01” [Note: the volume can also be referred to as “/dev/1Tera01-vg/data01”].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.