Add Cryptsetup guide to encryption

2025-03-26 15:36:03 +00:00
parent 8e4530d3d2
commit 99ec092e03
2 changed files with 102 additions and 1 deletion


@@ -23,6 +23,8 @@ showToc: true
## GPG
GPG uses asymmetric encryption to sign, encrypt and decrypt files.
### Create a Set of Keys
```Shell
@@ -115,3 +117,102 @@ gpg --output private.pgp --armor --export-secret-keys email@example.com
gpg --list-keys # Same as gpg -k
gpg --list-secret-keys
```
## Cryptsetup
Cryptsetup manages encrypted volumes using the LUKS standard. It allows you to create, open, and control encrypted partitions or file-based containers.
### Encrypted File Container
```Shell
dd if=/dev/zero of=encrypted.img bs=1M count=100 # Create a 100M container
# Format the file as a LUKS encrypted volume
sudo cryptsetup luksFormat encrypted.img
sudo cryptsetup luksOpen encrypted.img encryptedVolume # Open the container
# Format the volume with an ext4 filesystem
sudo mkfs.ext4 /dev/mapper/encryptedVolume
```
#### Mount
```Shell
sudo mount /dev/mapper/encryptedVolume /mnt/encrypted
```
#### Unmount
```Shell
sudo umount /mnt/encrypted
sudo cryptsetup luksClose encryptedVolume # Close the encrypted container
```
### Encrypted Storage Devices
A Storage Device can be a USB drive, disk, SD card, etc...
> If you have access to a desktop environment, you can use the GNOME Disks APP, for example, to create an encrypted partition.
#### Prepare the Device
1. If your device is mounted, unmount all mount points before continuing:
```sh
lsblk # List the storage devices available
sudo umount <mount_point>
```
2. Populate the partition with random data to avoid pattern-based encryption attacks: (optional)
> This process will WIPE the device and overwrite all data on it! Make sure to back up your files before proceeding.
```sh
# Slow, but more random values
sudo dd if=/dev/urandom of=/dev/sdX bs=4K status=progress
# Faster solution, but not as random
sudo badblocks -c 10240 -s -w -t random -v /dev/sdX
```
3. Prepare the partition to encrypt:
In this example, the whole device will be erased and encrypted, but you can also create a separate partition to encrypt, instead of the entire device.
```sh
# Clear all partitions
echo ",,;" | sudo sfdisk /dev/sdX
```
#### Encrypt the Partition
First, the partition must be formatted with Linux Unified Key Setup (LUKS). LUKS stores metadata at the beginning of the partition which contain the type of encryption and a randomly generated key, encrypted with the passphrase provided to `luksFormat`.
It's recommended to use at least 3 random words as the passphrase.
```sh
# Format the device
sudo cryptsetup luksFormat /dev/sdX1
# Create a virtual device to manage the encrypted device
sudo cryptsetup luksOpen /dev/sdX1 myusb
# Format the partition using the encrypted device created earlier.
sudo mkfs.ext4 /dev/mapper/myusb -L <label>
sudo cryptsetup luksClose myusb # Close the device
```
After performing these steps, you may disconnect the drive.
#### Accessing the Device
When connected the device, your file manager should prompt you for a password. If you are not using a desktop environment, you might have to mount it yourself:
```sh
sudo cryptsetup luksOpen /dev/sdX1 myusb
sudo mkdir -p /media/myusb
sudo mount /dev/mapper/myusb /media/myusb
```
Then, to unmount:
```sh
sudo umount /media/myusb
sudo cryptsetup luksClose myusb
```
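Review bot: the container section's `sudo mount /dev/mapper/encryptedVolume /mnt/encrypted` under "#### Mount" fails unless `/mnt/encrypted` already exists; add `sudo mkdir -p /mnt/encrypted` before it, as the device section already does with `sudo mkdir -p /media/myusb`. Two smaller points in the same hunk: the comment `# Clear all partitions` above `echo ",,;" | sudo sfdisk /dev/sdX` does not describe what the command does (an sfdisk script line with empty start, size and type writes a new partition table containing one Linux partition spanning the whole device, which is why the next section formats `/dev/sdX1`), so a comment such as `# Replace the partition table with a single partition spanning the device` would match the steps that follow; and the step 2 rationale "to avoid pattern-based encryption attacks" is imprecise: the random pre-fill makes unused space indistinguishable from ciphertext, so an observer cannot tell how much of the device actually holds data, and the text would be clearer if it said so.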