In this video Kevin Dankwardt describes Linux approaches to encrypted storage including LUKS and encrypted file systems. We set up, zero out, format, and mount a LUKS-encrypted partition.
- [Instructor] File System Encryption. So the way to go these days with Linux is to use LUKS, Linux Unified Key Setup on-disk format. This encrypts at the partition level. It's not a file system type, it's not an encrypted file system; this is better. Everything in the partition is encrypted. That means it doesn't have to be a file system, and you can have your own kind of file system on top of it, and you can even have your swap space encrypted, which is important. You know, if you do a suspend to disk, all of your RAM gets copied out to disk. You want that encrypted, right? So this is great for removable media or computers that move, like laptops.
Also, LUKS provides multiple keys, so you can have different people with different keys if you want. You'll probably use LUKS when you do an install. You can just, during your install, say you want your system encrypted, and then you come up with a passphrase, like a password of what to type in to allow access. Don't forget that. I've forgotten it. I have a laptop and I can't get to my own directory anymore 'cause I cannot remember my passphrase.
So during your install, there's a little checkbox, "encrypt my data," so you can pick that if you want, and then it'll ask you for a passphrase, and it's got to be good enough, got to be strong enough. So if you don't do it during install and you want to do it later, that means you're going to back up your data and restore after you've turned on encryption. So you back it up, you probably want to wipe it out, zero it all out, make sure you don't have any data there that's left over, then you're going to use the cryptsetup command to initialize and open and give your passphrase.
So now you've got encryption on the partition, and then you can put a file system on it, you can format it, and if you want it mounted automatically you can add that partition to your /etc/fstab. And it's probably a good idea to restore all the SELinux contexts on all those files that you just restored, and then you go. So let's look at setting this stuff up. Let's set up an encrypted partition.
Okay, so let's look at setting up a partition. I'm going to use my b disk here. Make a partition. Here we go, just did the whole disk. It's a small little disk in a VM here. Okay, now we do the cryptsetup, with the LUKS format.
On that partition. Do we really want to do this? Now we actually have to type YES in capital letters. Now we make up a passphrase that we can absolutely remember. There we go. So that's a small partition, so stuff's going to go fast. If you get a big disk, this could take longer. Alright, so now we're going to open it and give it the crypto name. We're going to call this one mycrypt. Alright, now we've got to enter that passphrase again. Yay. And now, there's some indirection, so we go through this device file, so it goes to the kernel, and that's the encryption and decryption stuff.
We can first overwrite the data, in effect, on that, zero it out, so we'll just read from the device file /dev/zero, which always gives us zeros, no matter how much we read. Okay, so you can see this is a real small partition, only 104 MB, right? We just kept writing 'til it failed. That's fine. So we zeroed it all out so there's no residual data there, and now we can format it. There we go. And now we can make a directory and mount it.
There we go, it's mounted, it's got an ext4 file system on it but underneath there, everything as it's written to the disk actually will be encrypted.
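The steps shown in the demo, collected into one script as an added example (these are not the instructor's own commands, which the transcript does not record). The device path `/dev/sdX1`, the mount point and the script name are placeholders; `mycrypt` is the mapping name used in the video.

```shell
#!/bin/sh
# Added example: the LUKS setup steps from the walkthrough as one script.
# Dry-run by default (commands are only printed); APPLY=1 as root executes them.

run() {
    # Print the command, and execute it only when APPLY=1.
    echo "+ $*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

check_target() {
    # luksFormat destroys the partition's contents, so refuse anything that
    # is not a block device or that is currently mounted.
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null
    then
        echo "refusing: $1 is mounted" >&2
        return 1
    fi
}

luks_setup() {
    dev=$1 name=$2 mnt=$3          # all three are caller-supplied assumptions
    map="/dev/mapper/$name"        # device file the kernel decrypts through
    if [ "${APPLY:-0}" = 1 ]; then check_target "$dev" || return 1; fi
    run cryptsetup luksFormat "$dev" || return 1    # asks for YES + passphrase
    run cryptsetup open "$dev" "$name" || return 1  # asks for it again
    # Zero-fill through the mapping so old plaintext on the partition is
    # overwritten. dd stops with "No space left on device" when the mapping
    # is full; that failure is expected, so it is not treated as an error.
    run dd if=/dev/zero of="$map" bs=1M || true
    run mkfs.ext4 "$map" || return 1
    run mkdir -p "$mnt" || return 1
    run mount "$map" "$mnt"
}

# Example call: sh luks-setup.sh /dev/sdX1 mycrypt /mnt/mycrypt
if [ "$#" -eq 3 ]; then luks_setup "$@"; fi
```

Run it without `APPLY=1` first to review the exact commands before anything touches the disk.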
- Partitioning storage
- Creating, mounting, and unmounting file systems
- Formatting file systems
- Making volumes with LVM
- Adding storage security
- Managing swap spaces
- Backing up and recovering Linux storage systems
- Working with networked file systems like NFS and SSHFS