Thursday, May 25, 2006

Encryption with LUKS, Gnome and HAL

I've been playing around with the various disk/file encryption methods for Linux and I'm particulcarly impressed by LUKS on the Gnome desktop as described here. LUKS is a standard for hard disk encryption using the linux kernel (2.6) crypto API and dm-crypt mapper.

What I really wanted from disk encryption was ease of use and cross platform portability. I have tried out truecrypt which fits the bill for being cross platform but I found is still a little tedious for use on the desktop (perhaps I'll do another post about my adventures with truecrypt).

Anyhow, LUKS/HAL only just made it into Fedora Core 5 (without much fanfare) and really does make linux disk encryption easy; encrypt your partition, create a file system, plug in your device! The instructions below were based of the how-to from here .

1. Identify the volume you will be encrypting with dmesg. In my case the partition is /dev/sda1 on an external usb2 hard disk which I had previously created with fdisk.

2. Make sure the device is not mounted:

# umount /dev/sda1

3. Create the LUKS partition on the usb drive:

# cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 -verify-passphrase luksFormat /dev/sda1

Enter and confirm the passphrase for the volume. I suggest using a long passphrase (at least 10 characters, but the more the better obviously!) with a mix of case and numbers.

4. Create a device mapping from the virtual crypto volume to the physical device:

# cryptsetup luksOpen /dev/sda1 usbdisk

This will create a block device /dev/mapper/usbdisk.

5. Make a new file system on our new device:

# mkfs.vfat -v -F 32 -n "20GB USB" /dev/mapper/usbdisk

This will create a FAT32 file system on my external usb disk (I hope to use this with windows too at some point!)

6. Now we just unplug and re-insert the usb disk and:

Up pops the password dialogue box for our disk! Enter the passphrase for the volume and the disk will be mounted in /media with a conveniant shortcut on the desktop.

No comments: