May 14, 2015

How to fully encrypt your system with lvm on luks from the cli


Security and privacy are two very important subjects, and every one of us, in one way or another, has sensitive data stored on their computer. While you can consider your data on a home computer pretty safe, on a laptop the situation is a lot different. You carry the notebook with you (that's its purpose after all) and you don't want to lose all your precious data if it gets stolen or lost. This is where system encryption comes in. In this article I will show you how to fully encrypt your system using two native linux tools: lvm (for partitioning) and luks (for the actual encryption). At this point you could ask why use the command line to create this kind of setup when most distro installers could do it for us. Well, that's not completely true, because the graphical installers usually don't allow you to fine-tune your settings (for example the type of cipher or the key size you want to use), plus they don't let you encrypt your raw disk without creating a partition table on it. Even if you don't have these needs, it's still interesting to know how things work under the hood.

Why lvm on luks?

Imagine you have your hard drive divided into at least two partitions: one for the root of your system and the other used as a swap partition. You could encrypt them separately, but this would mean being asked for 2 passwords at boot time, and this is really annoying. You could decide to avoid the use of a swap partition, or to use a randomly generated key on boot for it, but in both cases you will lose the ability to hibernate (actually, to resume from hibernation). The solution is to encrypt the whole disk with luks, then use the disk as a physical volume and make it part of a volume group which will contain as many logical volumes as we need, one for each partition we want. The only partition that must stay unencrypted is the boot partition, so for the most secure setup we will use an external device for it. Using lvm partitioning we won't even need to create a partition table on the disk; we will use the raw disk instead.

First things first: destroy everything on your disk, filling it with random data

Filling a disk with random data can be very time consuming, especially on very large hard drives, but we can use a trick here: we will luks format the device first, and then fill it with 0s (much faster than random). Because of the encryption, the data will be written to the disk as random, so we're actually using the luks device as a random data generator. Then we will overwrite just the header with random data.


Step 1 - Create the luks partition

cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda

You will be asked to enter a password for the encryption. It doesn't matter if it's not very secure this time, because we will only use this device as a random data generator. Now we must open the device:

Step 2 - Open the encrypted device:

cryptsetup luksOpen /dev/sda sda_crypt

Step 3 - Fill the resulting device with 0s, using dd and /dev/zero as source:

dd if=/dev/zero of=/dev/mapper/sda_crypt bs=1M

Step 4 - Close the luks device and destroy the luks header by overwriting it with random data

Usually the header takes a few megabytes, but to avoid calculations we will crudely cover the first 10 MB of the disk. We will use dd with /dev/urandom as the random data source this time:

cryptsetup luksClose sda_crypt
dd if=/dev/urandom of=/dev/sda bs=512 count=20480
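
The 10 MB figure in step 4 is an estimate. As an added example (not part of the original article), the script below reads `cryptsetup luksDump` output on stdin and works out how many 512-byte sectors sit before the encrypted payload, so the dd count can be checked before the device is closed. The function names and the two abbreviated luksDump samples are constructed for illustration, and the example goes beyond the article's case by handling both the sector-based and the byte-based offset line.

```shell
#!/bin/sh
# Added example: measure the luks header area instead of guessing it.

# Print the number of 512-byte sectors in front of the payload,
# parsed from `cryptsetup luksDump` output on stdin.
header_sectors() {
    awk '
        # LUKS1-style line: offset given in 512-byte sectors
        /^Payload offset:/ { print $3; found = 1; exit }
        # LUKS2-style line under "Data segments": offset given in bytes
        $1 == "offset:" && $3 == "[bytes]" { print $2 / 512; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Succeed when `dd bs=512 count=$1` reaches the start of the payload.
# Returns 2 when no offset line could be found in the dump.
wipe_covers_header() {
    need=$(header_sectors) || return 2
    [ "$1" -ge "$need" ]
}

# Constructed, abbreviated samples (not captured from a real device).
luks1_sample() {
    printf 'Version:\t1\nCipher name:\taes\nPayload offset:\t4096\nMK bits:\t512\n'
}
luks2_sample() {
    printf 'Version:\t2\nData segments:\n  0: crypt\n\toffset: 16777216 [bytes]\n\tlength: (whole device)\n'
}

# Check the article's count=20480 against both samples.
for sample in luks1_sample luks2_sample; do
    if "$sample" | wipe_covers_header 20480; then
        echo "$sample: count=20480 covers the whole header area"
    else
        echo "$sample: header area needs $("$sample" | header_sectors) sectors"
    fi
done
```

On a real system the input would be `cryptsetup luksDump /dev/sda`, run while the header from step 1 is still in place.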

We now have the disk full of random data. Now for the serious stuff. Just repeat steps 1 and 2, but this time use a very secure passphrase, because it will be the key to unlock your disk.


Step 5 - Now we're going to use the opened luks device (/dev/mapper/sda_crypt from step 2, not the raw /dev/sda) as physical volume...

lvm pvcreate /dev/mapper/sda_crypt

Step 6 - ... and create a volume group to contain it

vgcreate vg00 /dev/mapper/sda_crypt

Step 7 - Create the logical volumes

I usually use 4: one for root, one for the swap partition, one for /home and the other for a data partition, but this is obviously up to you.

lvcreate -n lv00_swap -L 4G vg00
lvcreate -n lv01_root -L 30G vg00
lvcreate -n lv02_home -L 10G vg00
lvcreate -n lv03_data -l +100%FREE vg00

Notice how on the last line I've used -l instead of -L. This modifies the command to use logical extents instead of size. The +100%FREE option tells the program to use all remaining space for the logical volume.

Now we must create the boot partition on a separate device, and when installing the system we should mark that device as the bootloader device, on which to install grub. I will not cover this here, because it's a common operation.

Now format your logical volumes with the filesystem you like, install and enjoy your fully encrypted system, but remember that encryption protects your computer only when it's turned off, for example if someone steals your disk and tries to look for data inside it. Once your machine boots and the disk is decrypted, you will have no special defenses against any other sort of attack or danger.
