(Some more layout changes, additional details about LUKS)
Revision as of 23:18, 2 September 2008
What is block device encryption?
Block device encryption is a security mechanism that protects the data on your storage devices. An encrypted device must be decrypted in order to access the underlying data, which prevents unauthorized users from gaining access to the device's decrypted contents. Access can only be achieved by providing a correct key or passphrase.
Encrypting block devices using dm-crypt/LUKS
LUKS (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as passphrase/key management policy.
Overview of dm-crypt/LUKS
- LUKS encrypts entire block devices
  - This makes it well-suited for protecting the contents of swap devices, removable storage media, and laptop disk drives.
  - Also, since it encrypts the entire block device, the contents of the decrypted device are arbitrary. This is useful, for example, with certain databases that use special block devices for data storage.
  - LUKS is not well-suited for applications requiring file-level encryption.
- LUKS uses the existing device mapper kernel subsystem
  - This is the same subsystem used by LVM, so it is well tested.
- LUKS provides passphrase strengthening
  - This protects against dictionary attacks
- Each LUKS device contains multiple key slots
  - This provides for the possibility of backup keys/passphrases.
  - LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
How Will I Access the Encrypted Devices After Installation? (System Boot)
During system boot, you will be presented with a passphrase prompt. After the correct passphrase has been provided, the system will continue to boot normally.
Passphrase Discussion
While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.
LUKS does provide passphrase strengthening, but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional, and means that you should provide a phrase containing multiple words to increase the security of your data.
Creating Encrypted Block Devices in Anaconda
You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions, including the root partition.
What Kinds of Block Devices Can Be Encrypted?
Block devices of most types can be encrypted using LUKS. From anaconda, you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.
Limitations of Anaconda's Block Device Encryption Support
Filling the Device with Random Data Before Encrypting
Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. For this reason, anaconda does not offer this option. Users who wish to perform this step can do so manually, perhaps using a kickstart %pre script. Instructions can be found in the section "Optional: Fill the device with random data" below.
Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices
In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Users who wish to set up one or more keys to access the encrypted devices on their systems can do so manually on the installed system or through the use of a kickstart %post script. Instructions can be found in the section "Set a randomly generated key as an additional way to access an encrypted block device" below.
Creating Encrypted Block Devices on the Installed System After Installation
You can also create and configure encrypted block devices on the system after installation.
Create the block devices
Create the block devices you wish to encrypt using parted, pvcreate, lvcreate, mdadm, &c.
Optional: Fill the device with random data
Filling the device with random data before encrypting it greatly increases the strength of the encryption. The downside is that it can take a very long time.
- Best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems)
dd if=/dev/urandom of=<device>
- Fastest way, which provides lower quality random data
badblocks -c 10240 -s -w -t random -v <device>
Format the device as a dm-crypt/LUKS encrypted device
cryptsetup luksFormat <device>
Run man cryptsetup for further information on the cryptsetup command.
TODO: insert something about using keys instead of passphrases.
After supplying the passphrase twice, the device should be formatted for use. To verify this, use the following command:
cryptsetup isLuks <device> && echo Success
To see a summary of the encryption information for the device, use the following command:
cryptsetup luksDump <device>
Create a mapping to allow access to the device's decrypted contents
cryptsetup luksOpen <device> <name>
There should now be a device node, /dev/mapper/<name>, which represents the decrypted device. To see some information about the mapped device, use the following command:
dmsetup info <name>
Run man dmsetup for further information on the dmsetup command.
Create filesystems on the mapped device, or continue to build complex storage structures using the mapped device
Just use the mapped device node (/dev/mapper/<name>) as you would use any other block device. To create an ext2 filesystem on the mapped device, use the following command:
mke2fs /dev/mapper/<name>
To mount this filesystem on /mnt/test (this directory should exist prior to any attempts to mount a device on it), use the following command:
mount /dev/mapper/<name> /mnt/test
Add the mapping information to /etc/crypttab
In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If you are creating the file it should be owned by root (root:root) and should have mode 0744. Add a line of the following form to the file:
<name> <device> none
For details on the format of the /etc/crypttab file, run man crypttab.
TODO: reference section 2.3 (Accessing the device during system boot)
Add an entry to /etc/fstab
Add an entry to /etc/fstab, if desired, to establish a persistent association between the device and a mountpoint. Be sure to use the decrypted device, e.g. /dev/mapper/test.
For details on the format of the /etc/fstab file, run man fstab.
Common Post-Installation Tasks
Set a randomly generated key as an additional way to access an encrypted block device
Generate a key
This will generate a 256-bit key in the file $HOME/keyfile.
dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile
Add the key to an available keyslot on the encrypted device
cryptsetup luksAddKey <device> ~/keyfile
Add a new passphrase to an existing device
cryptsetup luksAddKey <device>
After being prompted for any existing passphrase for the device for authentication, you will be prompted to enter the new passphrase.
Remove a passphrase or key from a device
cryptsetup luksRemoveKey <device>
You will be prompted for the passphrase you wish to remove, and then for any remaining passphrase for authentication.
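The after-installation procedure (format, verify with isLuks, open, crypttab entry) and the keyfile task above, as an added example that is not part of the original page or of cryptsetup: a POSIX sh helper that puts the guards a practitioner wants around the page's commands. The device path, mapping name and the helper's function names are assumptions; only luks_setup needs root and a real block device.

```shell
#!/bin/sh
# luks-helper.sh: the page's "after installation" procedure and keyfile task
# wrapped with the checks a practitioner wants before a destructive
# luksFormat. Added example, not Fedora's or cryptsetup's own code; the
# device and mapping name are the caller's (<device>/<name> in the text).
set -eu

# Refuse to touch a device that is currently mounted. $2 lets a test pass a
# constructed mounts file instead of the live /proc/mounts.
device_is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# Build the crypttab line from the text ("<name> <device> none"). The name
# becomes /dev/mapper/<name>, so restrict it to safe characters.
crypttab_line() {
    name=$1; dev=$2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid mapping name: $name" >&2; return 1 ;;
    esac
    printf '%s %s none\n' "$name" "$dev"
}

# Generate a 256-bit key as the page does (32 bytes from /dev/urandom, mode
# 0600). The umask closes the window between creating the file and chmod.
make_keyfile() {
    keyfile=$1
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=32 count=1 2>/dev/null )
    chmod 600 "$keyfile"
}

# The destructive part: format, verify with isLuks, open, record the mapping
# in /etc/crypttab (once). Needs root and a real block device.
luks_setup() {
    dev=$1; name=$2
    if device_is_mounted "$dev"; then
        echo "$dev is mounted; refusing to luksFormat it" >&2; return 1
    fi
    cryptsetup luksFormat "$dev"
    cryptsetup isLuks "$dev" || { echo "no LUKS header on $dev" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name"
    grep -q "^$name " /etc/crypttab 2>/dev/null ||
        crypttab_line "$name" "$dev" >> /etc/crypttab
}

# Runs only when invoked with a device and a name: ./luks-helper.sh /dev/sdb1 test
if [ $# -eq 2 ]; then luks_setup "$1" "$2"; fi
```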