Linux and USB Full Disk Encryption
Written on 2018-02-24
With the new Notifiable Data Breaches scheme coming into effect as of the 22nd February 2018, I started looking at what options were available to have full disk encryption on the one thing that we all lose most often - USB drives.
The thought was to make them as easy to use in the normal workflow as an ordinary drive, but useless if plugged into an unauthorised system.
So, this is what I came up with.
Firstly, create a place to put the keys, and then create a new key file - we’re going to go with a 4096 byte key - which is massive, but you’re going to store it in a 4 KB block on disk anyway - so eh. We need to do all this as root, so don’t forget that part!
# mkdir /etc/luks-keys/
# chmod 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/new-key-file bs=1 count=4096
Now plug in your USB key and see what it comes up as… In this example, mine is /dev/sdc1. Create the luks container.
# cryptsetup luksFormat /dev/sdc1 /etc/luks-keys/new-key-file
Next up, we want to grab the UUID of the new luks container. I’m going to use the example UUID of fea52a1b-9e8d-4144-af33-1a7f05371ead - so remember to replace this with the one you get from the below command.
# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 33
MK salt: 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF
11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE DD
MK iterations: 373000
UUID: fea52a1b-9e8d-4144-af33-1a7f05371ead
Key Slot 0: ENABLED
Iterations: 3827459
Salt: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Rename the key file we created the container with so that its name matches the UUID, and make sure the world can’t read it:
# mv /etc/luks-keys/new-key-file /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
# chmod 400 /etc/luks-keys/fea52a1b-9e8d-4144-af33-1a7f05371ead
Set up a udev rule to run a script each time we plug in a drive. If we have a drive that matches the UUID of a key file we have, we’ll run a script to auto-open it. Plonk this as /etc/udev/rules.d/auto-mount.rules:
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}=="crypto", RUN+="/usr/local/bin/auto-mount.sh"
Then we set up our script that udev fires to check our device. Throw this as /usr/local/bin/auto-mount.sh:
#!/bin/bash
# udev passes the probed filesystem properties in the environment:
# ID_FS_UUID is the LUKS header UUID and DEVNAME is the partition node.
# udev will only run this file if it is executable.
if [ -f "/etc/luks-keys/${ID_FS_UUID}" ]; then
    logger "Key found for ${ID_FS_UUID}. Unlocking device"
    /usr/sbin/cryptsetup --key-file "/etc/luks-keys/${ID_FS_UUID}" open "${DEVNAME}" "luks-${ID_FS_UUID}"
else
    logger "No key found for ${ID_FS_UUID}. Not decrypting"
fi
Unplug your drive, plug it back in again and you should see your open, encrypted drive listed under /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead.
Create your filesystem - in this case I used btrfs:
# mkfs.btrfs -L "Encrypted Filesystem" /dev/mapper/luks-fea52a1b-9e8d-4144-af33-1a7f05371ead
That should be just about it. You can mount your filesystem and away you go.
Your normal file manager should be able to mount / unmount the filesystem - but it may not be able to close the encrypted volume. To do that, drop to a root shell and close it off:
# cryptsetup close luks-fea52a1b-9e8d-4144-af33-1a7f05371ead
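The udev handler above builds the key-file path straight from ID_FS_UUID; here is an added, hardened version of that lookup (example code, not the post's own script) that checks the UUID's shape and the key file's ownership and mode before it lets cryptsetup anywhere near it. The function names, the auto-mount-check.sh filename and the use of GNU coreutils stat are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own handler: a hardened key lookup for the
# udev script. It unlocks only when ID_FS_UUID is a well-formed UUID and the
# key file is a regular file owned by the running user (root under udev) and
# readable by nobody else. Assumes GNU coreutils stat (Linux).

log() { printf 'auto-mount: %s\n' "$*" >&2; }   # swap in logger(1) under udev

# 8-4-4-4-12 lowercase hex, the form cryptsetup luksDump prints
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the key path for a UUID, or explain why it was refused and return 1.
key_for_uuid() {
    keydir=$1; uuid=$2
    is_uuid "$uuid" || { log "refusing malformed UUID '$uuid'"; return 1; }
    key="$keydir/$uuid"
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        log "no key file for $uuid"; return 1
    fi
    mode_owner=$(stat -c '%a %u' "$key") || return 1
    mode=${mode_owner% *}; owner=${mode_owner#* }
    if [ "$owner" != "$(id -u)" ]; then
        log "key for $uuid is owned by uid $owner, not $(id -u)"; return 1
    fi
    case "$mode" in
        400|600) ;;
        *) log "key for $uuid has mode $mode, expected 400"; return 1 ;;
    esac
    printf '%s\n' "$key"
}

# Same luks-<UUID> mapper name the post uses; only reached when every check
# on the key file passed.
unlock_if_keyed() {
    key=$(key_for_uuid "$1" "$2") || return 1
    /usr/sbin/cryptsetup --key-file "$key" open "$3" "luks-$2"
}

# Under udev: unlock_if_keyed /etc/luks-keys "$ID_FS_UUID" "$DEVNAME"
# Stand-alone check: ./auto-mount-check.sh /etc/luks-keys <uuid>
if [ "$#" -eq 2 ]; then key_for_uuid "$1" "$2"; fi
```

Run the stand-alone form against your key directory after provisioning a drive to confirm the key file is named and permissioned the way the handler expects.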
Happy Encrypting!