From Fedora Project Wiki
Latest revision as of 16:42, 22 March 2014

Old page
The data in this page has been incorporated into a formal guide and is no longer being maintained.

Chapter 4, Section 1 - Linux Unified Key Setup-on-disk-format (LUKS)

Introduction to LUKS

Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.

LUKS Implementation in Fedora

Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt your hard drive, you will be prompted for a passphrase that you will be asked for every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition.

If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.

Fedora 9's default LUKS configuration is AES-128 with SHA-256 hashing. The available ciphers are:

  • AES - Advanced Encryption Standard - FIPS PUB 197
  • twofish - Twofish: A 128-Bit Block Cipher
  • serpent
  • cast5 - RFC 2144
  • cast6 - RFC 2612

Manually Encrypting Directories

Data erasure!
Following this procedure will remove all data on the partition that you are encrypting. You WILL lose all your information! Make sure you backup your data to an external source before beginning this procedure!

If you are running a version of Fedora prior to Fedora 9 and want to encrypt a partition, or you want to encrypt a partition after the fact in Fedora 9 or later, the following directions are for you. The example below demonstrates encrypting your /home partition, but any partition can be used.

The following procedure will reconfigure and format your /home. The procedure is for single-user computers or computers that are shared between trusted users.

The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. If any step fails, do not continue until that step has succeeded.

Step-by-Step Instructions

  1. enter runlevel 1: telinit 1
  2. unmount your existing /home: umount /home
  3. if it fails use fuser to find and kill processes hogging /home: fuser -mvk /home
  4. verify /home is not mounted any longer: cat /proc/mounts | grep home
  5. fill your partition with random data: shred -v -n1 /dev/VG00/LV_home (Other packages that perform a similar function are "scrub" and "wipe")

     Note: This process can take some time and proceeds at the sequential write speed of your device. It's an important step to ensure no unencrypted data is left on a used device, and to obfuscate which parts of the device contain encrypted as opposed to just random data.

  6. initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
  7. open the newly encrypted device: cryptsetup luksOpen /dev/VG00/LV_home home
  8. check it's there: ls -l /dev/mapper | grep home
  9. create a filesystem: mkfs.ext3 /dev/mapper/home
  10. mount it: mount /dev/mapper/home /home
  11. check it's visible: df -h | grep home
  12. add the following to /etc/crypttab: home /dev/VG00/LV_home none
  13. edit your /etc/fstab, removing the old entry for /home and adding /dev/mapper/home /home ext3 defaults 1 2
  14. verify your fstab entry: mount /home
  15. restore default SELinux security contexts: /sbin/restorecon -v -R /home
  16. reboot: shutdown -r now
  17. The entry in /etc/crypttab makes your computer ask for your LUKS passphrase on boot.
  18. Log in as root and restore your backup.
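Two steps in this procedure are checks rather than changes: step 4 (confirm /home is no longer mounted before wiping the device) and steps 12 and 13 (the crypttab and fstab entries must agree, and the old unencrypted fstab line must be gone, or the next boot either mounts the raw device or fails). The script below is an added example, not from the wiki page or the Fedora project: it implements those checks as shell functions over constructed copies of /proc/mounts, /etc/crypttab and /etc/fstab, so it runs without root or real block devices. The device and mapper names (/dev/VG00/LV_home, home) are the page's own; the file contents are constructed here.

```shell
#!/bin/sh
# Added example (not the Fedora wiki's own code): pre-reboot sanity checks for
# the manual LUKS procedure. All sample files are constructed below.

# is_mounted MOUNTS_FILE MOUNTPOINT
# Step 4 check: succeeds if MOUNTPOINT still appears in a /proc/mounts-style file.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# crypttab_source CRYPTTAB NAME
# Prints the backing device for mapper NAME (crypttab columns: name source key options).
crypttab_source() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$1"
}

# fstab_device FSTAB MOUNTPOINT
# Prints the device column of the first non-comment fstab line for MOUNTPOINT.
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# check_boot_config CRYPTTAB FSTAB MOUNTPOINT EXPECTED_SOURCE
# Steps 12/13 check: fstab must mount MOUNTPOINT from /dev/mapper/<name>,
# crypttab must map <name> onto EXPECTED_SOURCE, and there must be exactly one
# fstab line for MOUNTPOINT (a leftover unencrypted line is a common mistake).
check_boot_config() {
    ct="$1"; fs="$2"; mp="$3"; want="$4"
    dev=$(fstab_device "$fs" "$mp")
    case "$dev" in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "fstab: $mp is not mounted through /dev/mapper (got '$dev')"; return 1 ;;
    esac
    src=$(crypttab_source "$ct" "$name")
    if [ "$src" != "$want" ]; then
        echo "crypttab: mapper '$name' maps to '$src', expected '$want'"; return 1
    fi
    n=$(awk -v m="$mp" '$1 !~ /^#/ && $2 == m { c++ } END { print c + 0 }' "$fs")
    if [ "$n" -ne 1 ]; then
        echo "fstab: $n entries for $mp, expected exactly 1 (old entry not removed?)"; return 1
    fi
    return 0
}

# --- constructed sample files (stand-ins for the real system files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# /proc/mounts snapshots before and after step 2 (umount /home)
printf '%s\n' \
    '/dev/mapper/VG00-LV_root / ext3 rw 0 0' \
    '/dev/VG00/LV_home /home ext3 rw 0 0' > "$SAMPLE_DIR/mounts.before"
printf '%s\n' \
    '/dev/mapper/VG00-LV_root / ext3 rw 0 0' > "$SAMPLE_DIR/mounts.after"

# crypttab and fstab as they should look after steps 12 and 13
printf 'home /dev/VG00/LV_home none\n' > "$SAMPLE_DIR/crypttab.good"
printf '%s\n' \
    '/dev/mapper/VG00-LV_root / ext3 defaults 1 1' \
    '/dev/mapper/home /home ext3 defaults 1 2' > "$SAMPLE_DIR/fstab.good"

# fstab where the old unencrypted /home line was left in place
printf '%s\n' \
    '/dev/mapper/VG00-LV_root / ext3 defaults 1 1' \
    '/dev/mapper/home /home ext3 defaults 1 2' \
    '/dev/VG00/LV_home /home ext3 defaults 1 2' > "$SAMPLE_DIR/fstab.stale"

# --- run the checks against the samples ---
if is_mounted "$SAMPLE_DIR/mounts.before" /home; then
    echo "/home still mounted: run umount /home (step 2) before shred (step 5)"
fi
is_mounted "$SAMPLE_DIR/mounts.after" /home || echo "/home not mounted: safe to continue (step 4)"
check_boot_config "$SAMPLE_DIR/crypttab.good" "$SAMPLE_DIR/fstab.good" /home /dev/VG00/LV_home \
    && echo "crypttab/fstab consistent: safe to reboot (step 16)"
check_boot_config "$SAMPLE_DIR/crypttab.good" "$SAMPLE_DIR/fstab.stale" /home /dev/VG00/LV_home \
    || echo "fix /etc/fstab before rebooting"
```

On a real system you would point the functions at /proc/mounts, /etc/crypttab and /etc/fstab instead of the constructed files; the checks only read those files, so they are safe to run at any point in the procedure.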

What you have just accomplished.

Congratulations, you now have an encrypted partition for all of your data to safely rest while the computer is off.

Links of Interest / For More Information