LUKS Drive Encryption
Derek Demuro, Software Engineer
Fri, 23 Oct 2015 06:30:46 +0000
https://www.derekdemuro.com/2015/10/23/luks-drive-encryption/

LUKS keys… and LUKS encrypted drives:

Warning: Always back up the LUKS header before performing any maintenance on the hard drive!

How to back up the LUKS header:
Drive: /dev/sdb [Example]

Name: /tmp/mybackup [Example]

cryptsetup luksHeaderBackup $DRIVE --header-backup-file $NAME

Add a LUKS key:

Deckey: Would be your passphrase key for decrypting your drive [first key when setting up the encrypted drive].

Slot: LUKS has 8 possible slots, so you have to tell it where to store the key; the slot number ranges from 0 to 7.

Keylocation: Store the key you want to use somewhere, and pass its path there. Example: /tmp/mykey. This is the safest way.

echo "$DECKEY" | cryptsetup luksAddKey --key-slot "$SLOT" "$DRIVE" "$KEYLOCATION"

Remove a LUKS key:

Using a specific passphrase:

cryptsetup luksRemoveKey $DRIVE

Using luksKillSlot, you can use any passphrase remaining on the header to kill a slot:

cryptsetup luksKillSlot $DRIVE $SLOT

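In both cases, you input the passphrase; there’s no further confirmation. If you want to remove it programmatically, pipe the passphrase into whichever of the two commands you are using:

echo "[passphrase]" | cryptsetup luksRemoveKey "$DRIVE"
echo "[passphrase]" | cryptsetup luksKillSlot "$DRIVE" "$SLOT"

Now you can back up the header, remove the key, add the key…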

Restore backup header:

PathToBackup: path to the header backup file, in the format /tmp/backupfile

cryptsetup luksHeaderRestore $DRIVE --header-backup-file $PATHTOBACKUP

The drive will now be restored. Watch out: if the wrong backup file is used, your data may now be scrambled eggs.
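
One way to guard against restoring the wrong backup file, as an added example that is not part of the original post: compare the UUID stored in the header backup with the UUID on the target drive before running luksHeaderRestore. The function names, the return codes and the sample UUIDs are assumptions made for this example; the sample headers are constructed files, not real LUKS volumes.

```sh
#!/bin/sh
# Added example, not from the original post: pre-restore check for a header backup.
# LUKS1 on-disk header: 6-byte magic "LUKS\xba\xbe" at offset 0, 40-byte NUL-padded
# UUID string at offset 168 (LUKS2 keeps both fields at the same offsets).

luks_magic_ok() {   # $1 = header backup file or block device
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

luks_uuid() {       # $1 = header backup file or block device
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
}

# Returns 0 if the UUIDs match, 1 on mismatch, 2 if the backup is not a LUKS
# header, 3 if the target has no readable LUKS header (damaged: cannot compare).
safe_to_restore() { # $1 = header backup file, $2 = target drive
    luks_magic_ok "$1" || { echo "backup is not a LUKS header" >&2; return 2; }
    luks_magic_ok "$2" || { echo "target has no LUKS header; cannot compare" >&2; return 3; }
    bk_uuid=$(luks_uuid "$1")
    tg_uuid=$(luks_uuid "$2")
    [ -n "$bk_uuid" ] && [ "$bk_uuid" = "$tg_uuid" ] || {
        echo "UUID mismatch: backup belongs to another volume" >&2
        return 1
    }
}

# Constructed sample input: a fake header holding only magic, version 1 and a UUID.
make_sample() {     # $1 = output file, $2 = UUID string
    {
        printf 'LUKS\272\276\000\001'
        dd if=/dev/zero bs=160 count=1 2>/dev/null
        printf '%s\000\000\000\000' "$2"
    } > "$1"
}

# Dry run on constructed files. On a real system the call would be:
#   safe_to_restore "$PATHTOBACKUP" "$DRIVE" && cryptsetup luksHeaderRestore ...
tmp=$(mktemp -d)
make_sample "$tmp/backup" "11111111-2222-3333-4444-555555555555"
make_sample "$tmp/drive"  "11111111-2222-3333-4444-555555555555"
make_sample "$tmp/other"  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
safe_to_restore "$tmp/backup" "$tmp/drive" && echo "ok to restore onto drive"
safe_to_restore "$tmp/backup" "$tmp/other" 2>/dev/null || echo "refused: wrong backup for this drive"
rm -rf "$tmp"
```

Return code 3 means the target header is unreadable, which is the usual reason for restoring; in that case the UUID cannot be compared, so confirm the backup file by other means.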
