This is a lazy guide (mostly for me to refer to) on how to encrypt a hard drive on Debian GNU/Linux. What this lazy guide does not cover is how to make your machine bootable, so if you want to encrypt your whole system (very good practice), you should probably do it via your OS installer.
Important note: The following contains examples of commands that may totally destroy data that you didn't want to destroy. Please be careful and don't stupidly copy paste and expect Jesus to show up at your door with the original 10 commandments. Also note I am a human being, so it is totally possible for me to make mistakes and/or typos.
Create a partition
Okay, so lets break things now. First, create a partition that we will encrypt, use your favourite disk partitioner, fdisk, cfdisk, gdisk or whatever you find.
Let's assume we will be working with /dev/sdb and we created the new partition /dev/sdb1. No need to format or anything, that should be done later.
Encrypt the Partition
We'll need cryptsetup to do this. If you don't already have it installed:
apt-get install cryptsetup
Now encrypt it ! (careful):
cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sdb1
The options used mean as follows:
- -y: confirm passphrase (ask twice)
- -s 256: key size
- -c aes-cbc-essiv:sha256: LUKS cipher:hash
Decrypt the Partition
Now is when we will want to format it, or eventually use it for LVM, etc. First though, we must decrypt it as follows:
cryptsetup luksOpen /dev/sdb1 encryptedcrap
Note: You can replace encryptedcrap with whatever you want. All this means is that this disk will be available at /dev/mapper/encryptedcrap.
Once decrypted you can format it using /dev/mapper/encryptedcrap, for example:
You could create drives using LVM etc etc, just do it on /dev/mapper/encryptedcrap.
Now you can mount your partition as usual:
mount /dev/mapper/encryptedcrap /mnt/somewhere
You can re-encrypt it and make it unreadable at any time, all you need to do is un-mount it (if it's mounted) and "luksClose" it:
cryptsetup luksClose /dev/mapper/encryptedcrap
Basic Key Management
You should have so far 1 key. There are 8 key slots on this lock (from 0 to 7), so you can have up to eight passphrases (keys). You can check the status by doing:
cryptsetup luksDump /dev/sdb1
This should show you a bunch of stuff, for now you should mostly be interested with:
Key Slot 0: ENABLED
So far all other key slots should be disabled. These numbers will come in handy later.
Add a Key
When adding a new key you will be asked to provide an existing key first, of course, then you will be prompted for the new passphrase:
cryptsetup luksAddKey /dev/sdb1
Note: By default keys are added to the first available slot. If you are using keys 0, 1, 3, then the next key would be added to slot 2. However, it is possible to specify which slot to use when adding a key by using the --key-slot option. Example:
cryptsetup luksAddKey /dev/sdb1 --key-slot 6
Deleting a Key
You can delete a key either by knowing the actual passphrase you want to delete OR by using the key slot. This is why it's important to keep track of who's using which slot.
To delete a key using the passphrase, this will ask you to enter the passphrase to delete and then a remaining valid key:
cryptsetup luksRemoveKey /dev/sdb1
To delete a key by slot, in this case if we want to disable slot 1, this will simply ask for a valid key (not the one being deleted of course):
cryptsetup luksKillSlot /dev/sdb1 1
And.. .. that's it for today.