diff --git a/content/notes/ready/encryption.md b/content/notes/ready/encryption.md index 72f2f41..8a1b957 100644 --- a/content/notes/ready/encryption.md +++ b/content/notes/ready/encryption.md @@ -23,6 +23,8 @@ showToc: true ## GPG +GPG uses asymmetric encryption to sign, encrypt and decrypt files. + ### Create a Set of Keys ```Shell 
@@ -115,3 +117,102 @@ gpg --output private.pgp --armor --export-secret-keys email@example.com gpg --list-keys # Same as gpg -k gpg --list-secret-keys ``` + +## Cryptsetup + +Cryptsetup manages encrypted volumes using the LUKS standard. It allows you to create, open, and control encrypted partitions or file-based containers. + +### Encrypted File Container + +```Shell +dd if=/dev/zero of=encrypted.img bs=1M count=100 # Create a 100M container +# Format the file as a LUKS encrypted volume +sudo cryptsetup luksFormat encrypted.img +sudo cryptsetup luksOpen encrypted.img encryptedVolume # Open the container +# Format the volume with an ext4 filesystem +sudo mkfs.ext4 /dev/mapper/encryptedVolume +``` + +#### Mount + +```Shell +sudo mount /dev/mapper/encryptedVolume /mnt/encrypted +``` + +#### Unmount + +```Shell +sudo umount /mnt/encrypted +sudo cryptsetup luksClose encryptedVolume # Close the encrypted container +``` + +### Encrypted Storage Devices + +A Storage Device can be a USB drive, disk, SD card, etc... + +> If you have access to a desktop environment, you can use the GNOME Disks APP, for example, to create an encrypted partition. + +#### Prepare the Device + +1. If your device is mounted, unmount all mount points before continuing: + +```sh +lsblk # List the storage devices available +sudo umount +``` + +2. Populate the partition with random data to avoid pattern-based encryption attacks: (optional) + +> This process will WIPE the device and overwrite all data on it! Make sure to back up your files before proceeding. + +```sh +# Slow, but more random values +sudo dd if=/dev/urandom of=/dev/sdX bs=4K status=progress + +# Faster solution, but not as random +sudo badblocks -c 10240 -s -w -t random -v /dev/sdX +``` + +3. Prepare the partition to encrypt: + +In this example, the whole device will be erased and encrypted, but you can also create a separate partition to encrypt, instead of the entire device. 
+ +```sh +# Clear all partitions +echo ",,;" | sudo sfdisk /dev/sdX +``` + +#### Encrypt the Partition + +First, the partition must be formatted with Linux Unified Key Setup (LUKS). LUKS stores metadata at the beginning of the partition which contain the type of encryption and a randomly generated key, encrypted with the passphrase provided to `luksFormat`. + +It's recommended to use at least 3 random words as the passphrase. + +```sh +# Format the device +sudo cryptsetup luksFormat /dev/sdX1 +# Create a virtual device to manage the encrypted device +sudo cryptsetup luksOpen /dev/sdX1 myusb +# Format the partition using the encrypted device created earlier. +sudo mkfs.ext4 /dev/mapper/myusb -L
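Review bot: the new sentence in the first hunk ("GPG uses asymmetric encryption to sign, encrypt and decrypt files.") overstates the asymmetric part and is worth tightening before it lands in a reference note. Signing is asymmetric, but file encryption in GPG is hybrid: the file is encrypted with a random symmetric session key and only that session key is encrypted to the recipient's public key; GPG can also encrypt purely symmetrically with a passphrase (`gpg -c`). Suggested wording: "GPG uses public-key cryptography to sign files and to encrypt them for a recipient's key (the file data itself is protected by a symmetric session key); it can also encrypt with a passphrase only." That keeps the section accurate when a reader later meets `gpg -c` or wonders why encrypting a large file is fast.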
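Review bot: two commands in the second hunk are incomplete as written and a reader copying them will get an error or an unexpected result. In "Prepare the Device" step 1, `sudo umount` has no argument; it should take the mount point(s) reported by `lsblk`, e.g. `sudo umount /dev/sdX1` (or a placeholder that says so). In "Encrypt the Partition", the final line `sudo mkfs.ext4 /dev/mapper/myusb -L` ends with `-L` but no label value, so either add the label or drop the flag. Two smaller points on the same hunk: the "Mount" snippet for the file container mounts onto `/mnt/encrypted` without creating it, so add `sudo mkdir -p /mnt/encrypted` first; and the LUKS paragraph would benefit from mentioning that the passphrase never encrypts the volume key directly but is run through a slow key-derivation function first, which is why a passphrase of "at least 3 random words" is the floor rather than the target (longer is cheap and directly raises the cost of offline guessing against a stolen header). Finally, since the note already explains that everything depends on the LUKS header at the start of the device, it is worth adding `sudo cryptsetup luksHeaderBackup /dev/sdX1 --header-backup-file <file>` as a recovery step: a damaged header makes the data unrecoverable regardless of the passphrase.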