From Fedora Project Wiki

m (User:Dlehman/Drafts/DiskEncryptionUserGuide moved to Docs/Drafts/DiskEncryptionUserGuide: Moving into Docs namespace for review and editing.)
(Create filesystems: Changed the filesystem from ext2 to a modern filesystem btrfs in the example.)
 
(18 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{autolang|base=yes}}
== What is block device encryption? ==
== What is block device encryption? ==
Block device encryption protects the data on a block device by encrypting it. To access the device's decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing OS security mechanisms in that it protects the device's contents even if it has been physically removed from the system.
Block device encryption encrypts/decrypts the data transparently as it is written/read from block devices, the underlying block device sees only encrypted data.
 
To mount encrypted block devices the sysadmin (or user, depending on context) must provide a passphrase to activate the decryption key.  
 
Encryption provides additional security beyond existing OS security mechanisms in that it protects the device's contents even if it has been physically removed from the system. Some systems require the encryption key to be the same as for decryption, and other systems require a specific key for encryption and specific second key for enabling decryption.


== Encrypting block devices using dm-crypt/LUKS ==
== Encrypting block devices using dm-crypt/LUKS ==
[http://luks.endorphin.org LUKS] (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as passphrase/key management policy.
[https://gitlab.com/cryptsetup/cryptsetup/ LUKS] (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.


LUKS uses the kernel device mapper subsystem, via the <code>dm-crypt</code> module, to provide a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through use of the <code>cryptsetup</code> utility.
LUKS uses the kernel device mapper subsystem via the <code>dm-crypt</code> module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the <code>cryptsetup</code> utility.


=== Overview of LUKS ===
=== Overview of LUKS ===
* LUKS encrypts entire block devices
* What LUKS does:
** This makes it well-suited for protecting the contents of mobile devices:
** LUKS encrypts entire block devices
*** Removable storage media
*** LUKS is thereby well-suited for protecting the contents of mobile devices such as:
*** Laptop disk drives
**** Removable storage media
**** Laptop disk drives
** The underlying contents of the encrypted block device are arbitrary.
** The underlying contents of the encrypted block device are arbitrary.
*** This makes it useful for encrypting <code>swap</code> devices.
*** This makes it useful for encrypting <code>swap</code> devices.
*** This can be useful with certain databases that use specially formatted block devices for data storage.  
*** This can also be useful with certain databases that use specially formatted block devices for data storage.
** LUKS uses the existing device mapper kernel subsystem.
*** This is the same subsystem used by LVM, so it is well tested.
** LUKS provides passphrase strengthening.
*** This protects against dictionary attacks.
** LUKS devices contain multiple key slots.
*** This allows users to add backup keys/passphrases.
* What LUKS does '''not''' do:
** LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
** LUKS is not well-suited for applications requiring file-level encryption.
** LUKS is not well-suited for applications requiring file-level encryption.
* LUKS uses the existing device mapper kernel subsystem.
** This is the same subsystem used by LVM, so it is well tested.
* LUKS provides passphrase strengthening.
** This protects against dictionary attacks.
* LUKS devices contain multiple key slots.
** This allows users to add backup keys/passphrases.
** LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.


=== How will I access the encrypted devices after installation? (System Startup) ===
=== How will I access the encrypted devices after installation? (System Startup) ===
During system boot, you will be presented with a passphrase prompt. After the correct passphrase has been provided, the system will continue to boot normally. If you used different passphrases for some devices you may need to enter more than one passphrase during the boot sequence.
During system startup you will be presented with a passphrase prompt. After the correct passphrase has been provided the system will continue to boot normally. If you used different passphrases for multiple encrypted devices you may need to enter more than one passphrase during the startup.


{{admon/tip|Tip|Consider using the same passphrase for all encrypted block devices in a given system. This will simplify the boot sequence and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!}}
{{admon/tip|Tip|Consider using the same passphrase for all encrypted block devices within a given system. This will simplify system startup and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!}}


=== Choosing a Good Passphrase ===
=== Choosing a Good Passphrase ===
While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.
While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.


LUKS does provide passphrase strengthening, but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional, and means that you should provide a phrase containing multiple words to increase the security of your data.
LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional. Providing a phrase containing multiple words to increase the security of your data is important.


== Creating Encrypted Block Devices in Anaconda ==
== Creating Encrypted Block Devices in Anaconda ==
You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions, including the root partition.
You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions.
 
To enable block device encryption, check the "Encrypt System" checkbox when selecting automatic partitioning or the "Encrypt" checkbox when creating an individual partition, software RAID array, or logical volume. After you finish partitioning, you will be prompted for an encryption passphrase. This passphrase will be required to access the encrypted devices. If you have pre-existing LUKS devices and provided correct passphrases for them earlier in the install process the passphrase entry dialog will also contain a checkbox. Checking this checkbox indicates that you would like the new passphrase to be added to an available slot in each of the pre-existing encrypted block devices.


Just activate the "Encrypt system" checkbox when selecting automatic partitioning or the "Encrypt" checkbox when creating an individual partition, software RAID array, or logical volume. After you finish partitioning, you will be prompted for an encryption passphrase. This passphrase will be required to access the encrypted devices. If you have pre-existing LUKS devices, and provided correct passphrases for them earlier in the install process, the passphrase entry dialog will also contain a checkbox. Activating this checkbox indicates that you would like the new passphrase to also be added to an available slot in each of your pre-existing encrypted block devices.
{{admon/tip|Tip|Checking the "Encrypt System" checkbox on the "Automatic Partitioning" screen and then choosing "Create custom layout" does not cause any block devices to be encrypted automatically.}}


{{admon/tip|Tip|If you activate the "Encrypt system" checkbox on the "Automatic Partitioning" screen and then choose "Create custom layout", block devices you create will not be encrypted automatically.}}
{{admon/tip|Tip|You can use <code>kickstart</code> to set a separate passphrase for each new encrypted block device.}}


=== What Kinds of Block Devices Can Be Encrypted? ===
=== What Kinds of Block Devices Can Be Encrypted? ===
Block devices of most types can be encrypted using LUKS. From anaconda, you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.
Most types of block devices can be encrypted using LUKS. From anaconda you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.


=== Limitations of Anaconda's Block Device Encryption Support ===
=== Limitations of Anaconda's Block Device Encryption Support ===
==== Filling the Device with Random Data Before Encrypting ====
==== Filling the Device with Random Data Before Encrypting ====
Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. For this reason, anaconda does not offer this option. Users who wish to perform this step can do so manually, perhaps using a <code>kickstart %pre</code> script. Instructions can be found [[#randomize_device|here]].
Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. It is because of those time requirements that anaconda does not offer this option. This step can be performed manually, using a <code>kickstart %pre</code> script. Instructions can be found [[#randomize_device|here]].


==== Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices ====
==== Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices ====
In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Users who wish to set up one or more keys to access the encrypted devices on their systems can do so manually on the installed system or through the use of a <code>kickstart %post</code> script. Instructions can be found [[#new_key|here]].
In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Setting up one or more keys to access the encrypted devices can be done on the installed system or through the use of a <code>kickstart %post</code> script. Instructions can be found [[#new_key|here]].


== Creating Encrypted Block Devices on the Installed System After Installation ==
== Creating Encrypted Block Devices on the Installed System After Installation ==
You can also create and configure encrypted block devices on the system after installation.
Encrypted block devices can be created and configured after installation.
=== Create the block devices ===
=== Create the block devices ===
Create the block devices you wish to encrypt using parted, pvcreate, lvcreate, mdadm, &c.
Create the block devices you want to encrypt by using <code>parted</code>, <code>pvcreate</code>, <code>lvcreate</code> and <code>mdadm</code>.


=== <span id="randomize_device">Optional: Fill the device with random data</span> ===
=== <span id="randomize_device">Optional: Fill the device with random data</span> ===
Line 61: Line 70:
{{admon/warning|Warning|The commands below will destroy any existing data on the device.}}
{{admon/warning|Warning|The commands below will destroy any existing data on the device.}}


* Best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems)
* The best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems)
*:<pre>dd if=/dev/urandom of=<device></pre>
*:<pre>dd if=/dev/urandom of=<device></pre>
* Fastest way, which provides lower quality random data
* Fastest way, which provides lower quality random data
Line 67: Line 76:


=== Format the device as a dm-crypt/LUKS encrypted device ===
=== Format the device as a dm-crypt/LUKS encrypted device ===
In this step you format <device> (eg: <code>/dev/sda3</code>) as a LUKS encrypted device.


{{admon/warning|Warning|The command below will destroy any existing data on the device.}}
{{admon/warning|Warning|The command below will destroy any existing data on the device.}}
Line 75: Line 83:
{{admon/tip|Tip|For more information, read the <code>cryptsetup(8)</code> man page.}}
{{admon/tip|Tip|For more information, read the <code>cryptsetup(8)</code> man page.}}


After supplying the passphrase twice, the device should be formatted for use. To verify this, use the following command:
After supplying the passphrase twice the device will be formatted for use. To verify, use the following command:


<pre>cryptsetup isLuks <device> && echo Success</pre>
<pre>cryptsetup isLuks <device> && echo Success</pre>
Line 90: Line 98:
<pre>cryptsetup luksUUID <device></pre>
<pre>cryptsetup luksUUID <device></pre>


An example of a reliable, informative, and unique mapping name would be <code>luks-<uuid></code>, where <uuid> is replaced with the device's LUKS UUID (eg:  
An example of a reliable, informative and unique mapping name would be <code>luks-<uuid></code>, where <uuid> is replaced with the device's LUKS UUID (eg:  
<code>luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8</code>). This naming convention might seem unwieldy, but you should not need to type it often.
<code>luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8</code>). This naming convention might seem unwieldy but is it not necessary to type it often.


<pre>cryptsetup luksOpen <device> <name></pre>
<pre>cryptsetup luksOpen <device> <name></pre>
Line 104: Line 112:


=== Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device ===
=== Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device ===
Just use the mapped device node (<code>/dev/mapper/<name></code>) as you would use any other block device. To create an <code>ext2</code> filesystem on the mapped device, use the following command:
Use the mapped device node (<code>/dev/mapper/<name></code>) as any other block device. To create an <code>btrfs</code> filesystem on the mapped device, use the following command:


<pre>mke2fs /dev/mapper/<name></pre>
<pre>mkfs.btrfs /dev/mapper/<name></pre>


To mount this filesystem on <code>/mnt/test</code>, use the following command:
To mount this filesystem on <code>/mnt/test</code>, use the following command:
Line 115: Line 123:


=== Add the mapping information to <code>/etc/crypttab</code> ===
=== Add the mapping information to <code>/etc/crypttab</code> ===
In order for the system to set up a mapping for the device, an entry must be present in the <code>/etc/crypttab</code> file. If you are creating the file it should be owned by root (<code>root:root</code>) and should have mode <code>0744</code>. Add a line of the following form the the file:
In order for the system to set up a mapping for the device, an entry must be present in the <code>/etc/crypttab</code> file. If the file doesn't exist, create it and change the owner and group to root (<code>root:root</code>) and change the mode to <code>0744</code>. Add a line to the file with the following format:


<pre><name>  <device>  none</pre>
<pre><name>  <device>  none</pre>
Line 124: Line 132:


=== Add an entry to <code>/etc/fstab</code> ===
=== Add an entry to <code>/etc/fstab</code> ===
Add an entry to /etc/fstab, if desired, to establish a persistent association between the device and a mountpoint. Be sure to use the decrypted device, <code>/dev/mapper/<name></code>.
Add an entry to <code>/etc/fstab</code> file. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, <code>/dev/mapper/<name></code> in the <code>/etc/fstab</code> file.


In many cases it is desirable to list devices in <code>/etc/fstab</code> by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the even that the device name (eg: <code>/dev/sda4</code>) changes. Since the LUKS device names are based solely on the LUKS UUID, device names of the form <code>/dev/mapper/luks-<luks_uuid></code> are guaranteed to remain constant, and are therefore suitable for use in <code>/etc/fstab</code>.
In many cases it is desirable to list devices in <code>/etc/fstab</code> by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: <code>/dev/sda4</code>) changes. LUKS device names in the form of <code>/dev/mapper/luks-<luks_uuid></code> are based only on the device's LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in <code>/etc/fstab</code>.


{{admon/tip|Tip|For details on the format of the <code>/etc/fstab</code> file, read the <code>fstab(5)</code> man page.}}
{{admon/tip|Tip|For details on the format of the <code>/etc/fstab</code> file, read the <code>fstab(5)</code> man page.}}


== Common Post-Installation Tasks ==
== Common Post-Installation Tasks ==
=== Backup LUKS headers ===
If the sectors containing the LUKS headers are damaged - by user error or HW failure - all data in the encrypted block device is lost. Backing up the headers can help recovering data in such cases.
To backup the LUKS headers, use the following command:
<pre>cryptsetup luksHeaderBackup --header-backup-file <file> <device></pre>
To restore the LUKS headers, use the following command:
{{admon/warning|Warning|The command below can destroy data, if wrong headers are applied or wrong device is selected! Be sure to backup headers from recovering device first.}}
<pre>cryptsetup luksHeaderRestore --header-backup-file <file> <device></pre>
See also https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery
=== <span id="new_key">Set a randomly generated key as an additional way to access an encrypted block device</span> ===
=== <span id="new_key">Set a randomly generated key as an additional way to access an encrypted block device</span> ===
==== Generate a key ====
==== Generate a key ====
This will generate a 256-bit key in the file <code>$HOME/keyfile</code>.
This will generate a 256-bit key in the file <code>$HOME/keyfile</code>.
Line 148: Line 173:
<pre>cryptsetup luksAddKey <device></pre>
<pre>cryptsetup luksAddKey <device></pre>


After being prompted for any existing passprase for the device for authentication, you will be prompted to enter the new passphrase.
After being prompted for any one of the existing passprases for authentication, you will be prompted to enter the new passphrase.


=== Remove a passphrase or key from a device ===
=== Remove a passphrase or key from a device ===
<pre>cryptsetup luksRemoveKey <device></pre>
<pre>cryptsetup luksRemoveKey <device></pre>


You will be prompted for the passphrase you wish to remove, and then for any remaining passphrase for authentication.
You will be prompted for the passphrase you wish to remove and then for any one of the remaining passphrases for authentication.
 
[[Category:Draft_documentation]]

Latest revision as of 20:26, 19 November 2024

What is block device encryption?

Block device encryption encrypts/decrypts the data transparently as it is written/read from block devices, the underlying block device sees only encrypted data.

To mount encrypted block devices the sysadmin (or user, depending on context) must provide a passphrase to activate the decryption key.

Encryption provides additional security beyond existing OS security mechanisms in that it protects the device's contents even if it has been physically removed from the system. Some systems require the encryption key to be the same as for decryption, and other systems require a specific key for encryption and specific second key for enabling decryption.

Encrypting block devices using dm-crypt/LUKS

LUKS (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

Overview of LUKS

  • What LUKS does:
    • LUKS encrypts entire block devices
      • LUKS is thereby well-suited for protecting the contents of mobile devices such as:
        • Removable storage media
        • Laptop disk drives
    • The underlying contents of the encrypted block device are arbitrary.
      • This makes it useful for encrypting swap devices.
      • This can also be useful with certain databases that use specially formatted block devices for data storage.
    • LUKS uses the existing device mapper kernel subsystem.
      • This is the same subsystem used by LVM, so it is well tested.
    • LUKS provides passphrase strengthening.
      • This protects against dictionary attacks.
    • LUKS devices contain multiple key slots.
      • This allows users to add backup keys/passphrases.
  • What LUKS does not do:
    • LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
    • LUKS is not well-suited for applications requiring file-level encryption.

How will I access the encrypted devices after installation? (System Startup)

During system startup you will be presented with a passphrase prompt. After the correct passphrase has been provided the system will continue to boot normally. If you used different passphrases for multiple encrypted devices you may need to enter more than one passphrase during the startup.

Tip
Consider using the same passphrase for all encrypted block devices within a given system. This will simplify system startup and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!

Choosing a Good Passphrase

While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.

LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional. Providing a phrase containing multiple words to increase the security of your data is important.

Creating Encrypted Block Devices in Anaconda

You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions.

To enable block device encryption, check the "Encrypt System" checkbox when selecting automatic partitioning or the "Encrypt" checkbox when creating an individual partition, software RAID array, or logical volume. After you finish partitioning, you will be prompted for an encryption passphrase. This passphrase will be required to access the encrypted devices. If you have pre-existing LUKS devices and provided correct passphrases for them earlier in the install process the passphrase entry dialog will also contain a checkbox. Checking this checkbox indicates that you would like the new passphrase to be added to an available slot in each of the pre-existing encrypted block devices.

Tip
Checking the "Encrypt System" checkbox on the "Automatic Partitioning" screen and then choosing "Create custom layout" does not cause any block devices to be encrypted automatically.
Tip
You can use kickstart to set a separate passphrase for each new encrypted block device.

What Kinds of Block Devices Can Be Encrypted?

Most types of block devices can be encrypted using LUKS. From anaconda you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.

Limitations of Anaconda's Block Device Encryption Support

Filling the Device with Random Data Before Encrypting

Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. It is because of those time requirements that anaconda does not offer this option. This step can be performed manually, using a kickstart %pre script. Instructions can be found here.

Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices

In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Setting up one or more keys to access the encrypted devices can be done on the installed system or through the use of a kickstart %post script. Instructions can be found here.

Creating Encrypted Block Devices on the Installed System After Installation

Encrypted block devices can be created and configured after installation.

Create the block devices

Create the block devices you want to encrypt by using parted, pvcreate, lvcreate and mdadm.

Optional: Fill the device with random data

Filling <device> (eg: /dev/sda3) with random data before encrypting it greatly increases the strength of the encryption. The downside is that it can take a very long time.

Warning
The commands below will destroy any existing data on the device.
  • The best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems)
    dd if=/dev/urandom of=<device>
  • Fastest way, which provides lower quality random data
    badblocks -c 10240 -s -w -t random -v <device>

Format the device as a dm-crypt/LUKS encrypted device

Warning
The command below will destroy any existing data on the device.
cryptsetup luksFormat <device>
Tip
For more information, read the cryptsetup(8) man page.

After supplying the passphrase twice the device will be formatted for use. To verify, use the following command:

cryptsetup isLuks <device> && echo Success

To see a summary of the encryption information for the device, use the following command:

cryptsetup luksDump <device>

Create a mapping to allow access to the device's decrypted contents

To access the device's decrypted contents, a mapping must be established using the kernel device-mapper.

It is useful to choose a meaningful name for this mapping. LUKS provides a UUID (Universally Unique Identifier) for each device. This, unlike the device name (eg: /dev/sda3), is guaranteed to remain constant as long as the LUKS header remains intact. To find a LUKS device's UUID, run the following command:

cryptsetup luksUUID <device>

An example of a reliable, informative and unique mapping name would be luks-<uuid>, where <uuid> is replaced with the device's LUKS UUID (eg: luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8). This naming convention might seem unwieldy but is it not necessary to type it often.

cryptsetup luksOpen <device> <name>

There should now be a device node, /dev/mapper/<name>, which represents the decrypted device. This block device can be read from and written to like any other unencrypted block device.

To see some information about the mapped device, use the following command:

dmsetup info <name>
Tip
For more information, read the dmsetup(8) man page.

Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device

Use the mapped device node (/dev/mapper/<name>) as any other block device. To create an btrfs filesystem on the mapped device, use the following command:

mkfs.btrfs /dev/mapper/<name>

To mount this filesystem on /mnt/test, use the following command:

Important
The directory /mnt/test must exist before executing this command.
mount /dev/mapper/<name> /mnt/test

Add the mapping information to /etc/crypttab

In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If the file doesn't exist, create it and change the owner and group to root (root:root) and change the mode to 0744. Add a line to the file with the following format:

<name>  <device>  none

The <device> field should be given in the form "UUID=<luks_uuid>", where <luks_uuid> is the LUKS uuid as given by the command cryptsetup luksUUID <device>. This ensures the correct device will be identified and used even if the device node (eg: /dev/sda5) changes.

Tip
For details on the format of the /etc/crypttab file, read the crypttab(5) man page.

Add an entry to /etc/fstab

Add an entry to /etc/fstab file. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, /dev/mapper/<name> in the /etc/fstab file.

In many cases it is desirable to list devices in /etc/fstab by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: /dev/sda4) changes. LUKS device names in the form of /dev/mapper/luks-<luks_uuid> are based only on the device's LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in /etc/fstab.

Tip
For details on the format of the /etc/fstab file, read the fstab(5) man page.

Common Post-Installation Tasks

Backup LUKS headers

If the sectors containing the LUKS headers are damaged - by user error or HW failure - all data in the encrypted block device is lost. Backing up the headers can help recovering data in such cases.

To backup the LUKS headers, use the following command:

cryptsetup luksHeaderBackup --header-backup-file <file> <device>

To restore the LUKS headers, use the following command:

Warning
The command below can destroy data, if wrong headers are applied or wrong device is selected! Be sure to backup headers from recovering device first.
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

See also https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery

Set a randomly generated key as an additional way to access an encrypted block device

Generate a key

This will generate a 256-bit key in the file $HOME/keyfile.

dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile

Add the key to an available keyslot on the encrypted device

cryptsetup luksAddKey <device> ~/keyfile

Add a new passphrase to an existing device

cryptsetup luksAddKey <device>

After being prompted for any one of the existing passprases for authentication, you will be prompted to enter the new passphrase.

Remove a passphrase or key from a device

cryptsetup luksRemoveKey <device>

You will be prompted for the passphrase you wish to remove and then for any one of the remaining passphrases for authentication.