machizero Installation: LUKS on raw disks
Under construction
Prepare a USB Key with a FAT32 EFI system partition
Identify the USB Key's device path with lsblk (e.g. /dev/sdc).
root #
lsblk --width 999 --output PATH,VENDOR,SERIAL,TRAN,TYPE,SIZE,MOUNTPOINT,PTTYPE,PARTTYPENAME,PARTLABEL,FSTYPE
PATH       VENDOR   SERIAL            TRAN  TYPE  SIZE    MOUNTPOINT  PTTYPE  PARTTYPENAME      PARTLABEL  FSTYPE
/dev/sda   ATA      WD-WMXXXXXXXX66   sata  disk  298.1G              dos
/dev/sda1                                   part  100M                dos     HPFS/NTFS/exFAT              ntfs
/dev/sda2                                   part  298G                dos     HPFS/NTFS/exFAT              ntfs
/dev/sdb   Seagate  S2XXXXXXXXXX22    usb   disk  931.5G              gpt
/dev/sdb1                                   part  256M    /boot       gpt     EFI System                   vfat
/dev/sdb2                                   part  32G     [SWAP]      gpt     Linux swap                   swap
/dev/sdb3                                   part  899.3G  /           gpt     Linux filesystem             ext4
/dev/sdc   SanDisk  00XXXXXXXXXXXX61  usb   disk  1.9G                gpt
/dev/sdc1                                   part  1.9G                gpt     EFI System        primary    vfat
(If necessary) Format the USB Key
If there is no EFI System partition on the USB Key, it must be formatted.
Mount the partition(s) to check whether any data needs to be backed up before proceeding.
root #
mkdir --parents --verbose /tmp/efiboot
mkdir: created directory '/tmp/efiboot'
root #
mount --verbose /dev/sdc1 /tmp/efiboot
mount: /dev/sdc1 mounted on /tmp/efiboot.
root #
ls --almost-all --classify=always -l /tmp/efiboot
total 77,000,704
drwxr-xr-x 3 root root      4,096 Aug 17  2022 efi/
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header.bak20220619*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header.bak20220619*
... ...
After checking and backing up, unmount the USB Key.
root #
cd && umount --verbose /tmp/efiboot
umount: /tmp/efiboot unmounted
The following command will delete everything on the drive. Make sure the device path (e.g. /dev/sdc) is correct. Perform a backup before proceeding if necessary.
Use parted to manage the partition(s) of the USB Key.
root #
parted --align optimal /dev/sdc
GNU Parted 3.5
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
root #
parted --align optimal /dev/sdc print free
Model: SanDisk U3 Cruzer Micro (scsi)
Disk /dev/sdc: 2055MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name     Flags
        17.4kB  1049kB  1031kB  Free Space
 1      1049kB  2054MB  2053MB  fat32        primary  boot, esp
        2054MB  2055MB  844kB   Free Space
TODO
(parted)
mklabel gpt
(parted)
mkpart primary fat32 0% 100%
(parted)
align-check optimal 1
(parted)
set 1 boot on
(parted)
print free
(parted)
quit
Format the partition into type FAT32.
root #
mkfs.fat -F32 /dev/sdc1
Commands mkfs.fat and mkfs.vfat are identical.
root #
diff --report-identical-files $(which mkfs.fat) $(which mkfs.vfat)
Files /usr/sbin/mkfs.fat and /usr/sbin/mkfs.vfat are identical
root #
ls --classify=always -l /usr/sbin/mkfs.{,?}fat
-rwxr-xr-x 1 root root 60,600 May 13  2022 /usr/sbin/mkfs.fat*
lrwxrwxrwx 1 root root      8 May 13  2022 /usr/sbin/mkfs.vfat -> mkfs.fat*
TODO
Mount the USB Key's EFI System Partition on /tmp/efiboot.
root #
mkdir --verbose --parents /tmp/efiboot
mkdir: created directory '/tmp/efiboot'
root #
mount --verbose --type vfat /dev/sdc1 /tmp/efiboot
mount: /dev/sdc1 mounted on /tmp/efiboot.
Resuming after a reboot? Issue these commands again, from the top down to where you last left off.
root #
mount --verbose --type vfat /dev/sdc1 /tmp/efiboot
Leaving for now? Issue these commands before stopping, and resume from the top of the manual when you come back.
root #
cd && umount --verbose /tmp/efiboot
root #
shutdown -h now
Choose the LUKS encryption scheme
| | machizero scheme | Sakaki's scheme |
|---|---|---|
| Keyfile | Argon2id, native in LUKS | AES256 bit key, derived from passphrase (ref) TODO more details |
| Hard drive | Serpent | Serpent (ref) |
Overwrite the hard disk with crypto-grade randomness by cryptsetup
If the drive was in use previously, wipe it so that old data on the media cannot be recovered.
If the drive is brand new, most likely all bits are zero. It is still a good idea to fill it with random bits, so that usage patterns are not revealed[1] and free space is indistinguishable from encrypted data. Free space patterns can be used to derive the type of filesystem in use, which may weaken the encryption.[2] Moreover, it breaks plausible deniability.
Reference: this method is the one used in cryptsetup FAQ item 2.19.[3]
The following commands will WIPE everything on the drive. Wiped data is never recoverable by any means. Make sure the device path (e.g. /dev/sdc) is correct. Perform a backup before proceeding if necessary.
root #
cryptsetup open --verbose --type plain --key-file /dev/random /dev/sdX to_be_wiped
Command successful.
(Optional) Check that cryptsetup created a link in the device mapper.
root #
ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Nov 19  2023 control
lrwxrwxrwx 1 root root       7 Nov 19 05:41 to_be_wiped -> ../dm-0
(Optional) Briefly check the first and last 1024 bytes of the drive. This example shows the drive is blank.
root #
head --bytes 1024 /dev/sdX | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400
root #
tail --bytes 1024 /dev/sdX | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400
The following command is going to take a considerably long time depending on the size of the hard drive.
root #
printf 'Start: ' ; date ; time { time { cat /dev/zero > /dev/mapper/to_be_wiped ; echo $? ; } && time sync ; } ; printf 'Complete: ' ; date
(Optional) Briefly check that the data on the drive has been replaced with random data.
root #
head --bytes 1024 /dev/sdX | hexdump -C
root #
tail --bytes 1024 /dev/sdX | hexdump -C
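An automated version of the check above, added here as an example that is not part of the original page: instead of eyeballing a hexdump, it reads a 64 KiB sample from stdin and tests whether the byte distribution looks uniform. The thresholds (all but a handful of the 256 byte values present, no value more than twice its expected count) are this example's own choice; /dev/sdX is the page's placeholder for the raw device.

```shell
#!/bin/sh
# Added example (not from the original page). Reads a sample of bytes from
# stdin and reports whether it looks like uniformly random data: every byte
# value should occur, and no value should occur far more often than the
# expected count. Zero-filled or filesystem-bearing media fails; a properly
# wiped device passes. A short read (less than SAMPLE_BYTES) also fails.
# Thresholds are this example's choice, not from the page.

SAMPLE_BYTES=65536

# sample_looks_random < DATA
# Prints "bytes=N distinct=D max=M expected=E VERDICT" and returns 0 only
# for random-looking input.
sample_looks_random() {
    head -c "$SAMPLE_BYTES" | od -An -v -tu1 | awk -v n="$SAMPLE_BYTES" '
        { for (i = 1; i <= NF; i++) c[$i]++; total += NF }
        END {
            max = 0; distinct = 0
            expected = total / 256
            for (v in c) { distinct++; if (c[v] > max) max = c[v] }
            ok = (total == n && distinct >= 250 && max <= 2 * expected)
            verdict = ok ? "RANDOM" : "NOT RANDOM"
            printf "bytes=%d distinct=%d max=%d expected=%.0f %s\n",
                   total, distinct, max, expected, verdict
            if (ok) exit 0
            exit 1
        }'
}

# Demo: a constructed zero-filled sample (a blank drive) versus /dev/urandom
# (what the plain-mode wipe leaves on the media).
head -c "$SAMPLE_BYTES" /dev/zero | sample_looks_random || echo '  -> wipe needed'
head -c "$SAMPLE_BYTES" /dev/urandom | sample_looks_random

# On the real device, mirroring the page's head/tail checks (sdX is a placeholder):
#   head -c 65536 /dev/sdX | sample_looks_random
#   tail -c 65536 /dev/sdX | sample_looks_random
```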
root #
cryptsetup close --verbose to_be_wiped
Command successful.
(Optional) Check that cryptsetup closed the device mapper successfully.
root #
ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Nov 19  2023 control
If multiple drives will be used in the encrypted pool, repeat the steps above for each drive.
Format disk with LUKS2 (with detached header)
Gather disk information for creating the header.
root #
ls -l /dev/disk/by-id/
total 0 ... ...
root #
LUKS_DEV='/dev/sdb'
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'NAME TOO LONG'; fi)
ADATA_SU650_2LXXXXXXXXK7_20220619 ; Length=34 ; Max length=47 ; OK
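A shell helper, added here and not part of the original page, that derives the label and applies the 47-byte limit exactly. It assumes the page's labels are /dev/disk/by-id names with the bus prefix dropped and the date appended; the by-id names it uses are constructed samples. Note that the page's `wc -c <<< "$LUKS_LABEL"` check counts the here-string's trailing newline, so it reports one byte more than the label actually has.

```shell
#!/bin/sh
# Added example (not from the original page). Assumption: the page's labels are
# /dev/disk/by-id names (e.g. ata-ADATA_SU650_2LXXXXXXXXK7) with the bus prefix
# removed and _DATE appended; the by-id names below are constructed samples.

LUKS_LABEL_MAX=47   # LUKS2 --label / --subsystem limit, as stated on the page

# luks_label_from_by_id BY_ID_NAME DATE
# Drops everything up to the first '-' (the bus prefix: ata-, usb-, nvme-, ...)
# and appends _DATE. Dashes inside the model/serial part are preserved.
luks_label_from_by_id() {
    printf '%s_%s\n' "${1#*-}" "$2"
}

# luks_label_check LABEL
# Prints a verdict in the page's own format and returns 0 if LABEL is usable:
# at most 47 bytes (counted without a trailing newline) and no whitespace.
luks_label_check() {
    label=$1
    len=$(printf '%s' "$label" | wc -c | tr -d ' ')
    case $label in
        *[[:space:]]*)
            printf '%s ; Length=%s ; contains whitespace\n' "$label" "$len"
            return 1 ;;
    esac
    if [ "$len" -le "$LUKS_LABEL_MAX" ]; then
        printf '%s ; Length=%s ; Max length=%s ; OK\n' "$label" "$len" "$LUKS_LABEL_MAX"
        return 0
    fi
    printf '%s ; Length=%s ; Max length=%s ; LABEL TOO LONG\n' "$label" "$len" "$LUKS_LABEL_MAX"
    return 1
}

# Demo: the page's two drives (serials masked as on the page) and an
# over-long constructed name that must be rejected.
for by_id in ata-ADATA_SU650_2LXXXXXXXXK7 ata-ADATA_SU650_2LXXXXXXXXC1 \
             ata-Vendor_Model_With_A_Very_Long_Serial_Number_0123456789; do
    luks_label_check "$(luks_label_from_by_id "$by_id" 20220619)" || echo '  -> rejected'
done
```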
Create a function, so the same encryption settings can be reused on different drives.
root #
cryptsetup_luksFormat() {
# --label and --subsystem: max 47 chars each
cryptsetup luksFormat --verbose --type luks2 \
--header=/tmp/efiboot/LUKS."$LUKS_LABEL".header \
--label "$LUKS_LABEL" --subsystem machizero \
--use-random \
--pbkdf argon2id --pbkdf-force-iterations 19 --pbkdf-memory 4194304 --pbkdf-parallel 4 \
--hash blake2b-512 \
--cipher serpent-xts-plain64 --key-size 512 \
"$LUKS_DEV"
cryptsetup config --verbose --key-slot 0 --priority prefer /tmp/efiboot/LUKS."$LUKS_LABEL".header
}
root #
cryptsetup_luksFormat
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
Gather the information for the other drive(s).
root #
LUKS_DEV='/dev/sda'
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'NAME TOO LONG'; fi)
ADATA_SU650_2LXXXXXXXXC1_20220619 ; Length=34 ; Max length=47 ; OK
Reuse the function to create the LUKS header(s).
root #
cryptsetup_luksFormat
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
Because a detached header is used with cryptsetup luksFormat, no data on the drive(s) is altered.
(Optional) Check the LUKS header(s) are created.
root #
ls -l /tmp/efiboot
(Optional) Cleanup the variables and function.
root #
unset LUKS_DEV LUKS_DATE LUKS_LABEL
root #
unset -f cryptsetup_luksFormat
(Optional) Add a fallback passphrase
In case the main passphrase is forgotten, the drive can be unlocked with this fallback passphrase. It is not meant for daily use: the iteration count is intentionally increased so that unlocking with it takes considerably longer.
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
root #
cryptsetup_luksAddKey() {
cryptsetup luksAddKey --verbose --type luks2 \
--pbkdf argon2id --pbkdf-force-iterations 101 --pbkdf-memory 4194304 --pbkdf-parallel 4 \
--hash blake2b-512 \
/tmp/efiboot/LUKS."$LUKS_LABEL".header
# From the cryptsetup man page: the ignored priority means that slot is never used, if not explicitly requested by the --key-slot option.
cryptsetup config --verbose --key-slot 1 --priority ignore /tmp/efiboot/LUKS."$LUKS_LABEL".header
}
root #
cryptsetup_luksAddKey
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
Again, repeat the procedure for the other drive(s).
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
root #
cryptsetup_luksAddKey
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
(Optional) Check the LUKS header(s) are created.
root #
ls -l /tmp/efiboot
(Optional) Cleanup the variables and function.
root #
unset LUKS_DEV LUKS_DATE LUKS_LABEL
root #
unset -f cryptsetup_luksAddKey
(Optional) Make TRIM support persistent in the header
If an SSD is used as the encrypted drive, allow discard (TRIM) requests for the device.
The TRIM command enables an operating system to notify the SSD of pages which no longer contain valid data. For a file deletion operation, the operating system will mark the file's sectors as free for new data, then send a TRIM command to the SSD. After trimming, the SSD will not preserve any contents of the block when writing new data to a page of flash memory, resulting in less write amplification (fewer writes), higher write throughput (no need for a read-erase-modify sequence), thus increasing drive life.[4]
This option can have a negative security impact, because it can make filesystem-level operations visible on the physical device.
From the cryptsetup man page:
--persistent: Used with luksOpen or refresh. The specified activation flags (--allow-discards) are persistently written into metadata (--header) and used next time. If you need to remove a persistent flag, use --persistent without the flag you want to remove (e.g. to disable persistently stored discard flag, use --persistent without --allow-discards).
root #
LUKS_DEV='/dev/sdb'
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
root #
cryptsetup_luksOpen() {
cryptsetup luksOpen --verbose --readonly \
--header /tmp/efiboot/LUKS."$LUKS_LABEL".header \
--allow-discards --persistent \
"$LUKS_DEV" LUKS."$LUKS_LABEL"
ls /dev/mapper/
cryptsetup luksClose --verbose --deferred LUKS."$LUKS_LABEL"
}
root #
cryptsetup_luksOpen
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
Repeat the steps on the other drive(s).
root #
LUKS_DEV='/dev/sda'
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
root #
cryptsetup_luksOpen
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less
(Optional) Check the LUKS header(s) are created.
root #
ls -l /tmp/efiboot
(Optional) Cleanup the variables and function.
root #
unset LUKS_DEV LUKS_DATE LUKS_LABEL
root #
unset -f cryptsetup_luksOpen
Backup the LUKS header
If the LUKS header is damaged, the drive cannot be decrypted. It is wise to back up the header and store the backup in a secure place.
cryptsetup luksHeaderBackup essentially copies the original header to the backup file (it will not overwrite an existing file), then removes the owner's write permission (chmod u-w).
root #
LUKS_DATE='20220619'
root #
LUKS_BAK_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #
cryptsetup luksHeaderBackup --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header \
--header-backup-file /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE" | less
root #
diff -s /tmp/efiboot/LUKS."$LUKS_LABEL".header*
root #
stat /tmp/efiboot/LUKS."$LUKS_LABEL".header*
Repeat for the other drive(s).
root #
LUKS_DATE='20220619'
root #
LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #
echo "$LUKS_LABEL"' ; Length='$(wc -c <<< "$LUKS_LABEL") '; Max length=47 ; '$(if [ $(wc -c <<< "$LUKS_LABEL") -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
root #
cryptsetup luksHeaderBackup --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header \
--header-backup-file /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"
root #
cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE" | less
root #
diff -s /tmp/efiboot/LUKS."$LUKS_LABEL".header*
root #
stat /tmp/efiboot/LUKS."$LUKS_LABEL".header*
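A check script, added here as an example that is not part of the original page, which turns the `diff -s` and `stat` steps above into explicit pass/fail results: it compares sizes, SHA-256 digests and the backup's owner-write bit. The 16 MiB expected size is taken from the header files listed on the USB Key earlier on this page; the demo files are constructed zero-filled stand-ins, not real LUKS headers.

```shell
#!/bin/sh
# Added example (not from the original page): verify a detached LUKS2 header
# against its luksHeaderBackup copy with explicit pass/fail results, covering
# what the page's `diff -s` and `stat` steps are meant to show. The 16 MiB
# size comes from the header files listed on the page; override
# LUKS_HEADER_SIZE for headers created with other metadata/keyslot sizes.
# The demo files are zero-filled stand-ins; no real header or cryptsetup call.

LUKS_HEADER_SIZE=${LUKS_HEADER_SIZE:-16777216}

file_size()   { wc -c < "$1" | tr -d ' '; }
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# luks_header_backup_check HEADER BACKUP
# Prints one line per check; returns 0 only if all of them pass:
# existence, identical and expected size, identical SHA-256, and the backup
# not being owner-writable (the page notes luksHeaderBackup leaves it with
# u-w, so a writable backup means something changed it afterwards).
luks_header_backup_check() {
    hdr=$1; bak=$2; rc=0
    for f in "$hdr" "$bak"; do
        [ -f "$f" ] || { printf 'MISSING  %s\n' "$f"; return 1; }
    done
    hs=$(file_size "$hdr"); bs=$(file_size "$bak")
    if [ "$hs" -eq "$bs" ] && [ "$hs" -eq "$LUKS_HEADER_SIZE" ]; then
        printf 'SIZE     ok (%s bytes)\n' "$hs"
    else
        printf 'SIZE     MISMATCH header=%s backup=%s expected=%s\n' \
            "$hs" "$bs" "$LUKS_HEADER_SIZE"; rc=1
    fi
    hh=$(file_sha256 "$hdr"); bh=$(file_sha256 "$bak")
    if [ "$hh" = "$bh" ]; then
        printf 'SHA256   ok (%s)\n' "$hh"
    else
        printf 'SHA256   MISMATCH\n  header=%s\n  backup=%s\n' "$hh" "$bh"; rc=1
    fi
    # Third character of `ls -l` output is the owner's write bit.
    case $(ls -ld "$bak") in
        ??w*) printf 'MODE     backup is owner-writable (expected u-w)\n'; rc=1 ;;
        *)    printf 'MODE     ok (backup not owner-writable)\n' ;;
    esac
    return $rc
}

# Demo with constructed stand-ins: a good backup, then a tampered one.
demo=$(mktemp -d)
dd if=/dev/zero of="$demo/LUKS.demo.header" bs=1048576 count=16 2>/dev/null
cp "$demo/LUKS.demo.header" "$demo/LUKS.demo.header.bak20220619"
chmod u-w "$demo/LUKS.demo.header.bak20220619"
luks_header_backup_check "$demo/LUKS.demo.header" "$demo/LUKS.demo.header.bak20220619" && echo 'backup verified'
chmod u+w "$demo/LUKS.demo.header.bak20220619"
printf 'x' | dd of="$demo/LUKS.demo.header.bak20220619" bs=1 conv=notrunc 2>/dev/null
luks_header_backup_check "$demo/LUKS.demo.header" "$demo/LUKS.demo.header.bak20220619" || echo 'backup NOT usable'
rm -rf "$demo"
```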
(Optional) Check the LUKS header backup(s) are created.
root #
ls -l /tmp/efiboot
(Optional) Cleanup the variables.
root #
unset LUKS_DEV LUKS_DATE LUKS_BAK_DATE LUKS_LABEL
root #
...
root #
...
TODO (LUKS on raw disks content)
References
- ↑ ArchWiki, Data-at-rest encryption, Preparing the disk, Prevent disclosure of usage patterns on the encrypted drive
- ↑ Unix & Linux Stack Exchange, Pre-encryption wipe, why?, Free space patterns can be used to derive the type of filesystem you use.
- ↑ Cryptsetup FAQ item 2.19 How can I wipe a device with crypto-grade randomness?
- ↑ Wikipedia, Trim, Operation.