Linux LUKS Implementation
Linux Unified Key Setup (LUKS) is the standard on-disk format for block-device encryption on Linux, managed with cryptsetup and backed by the kernel's dm-crypt. A LUKS header holds several key slots (8 in LUKS1, up to 32 in LUKS2), each wrapping the same volume key under a different passphrase or key file, so several authentication methods can unlock one volume without changing the encryption of the data itself. Understanding LUKS configuration lets administrators implement full disk encryption on Linux comparable to BitLocker on Windows.
Implement LUKS encryption on new partitions:
# Install cryptsetup
apt-get install cryptsetup # Debian/Ubuntu
yum install cryptsetup # RHEL/CentOS (dnf on current releases)
# Create encrypted partition (destroys all existing data on /dev/sdb1; prompts for a passphrase)
# aes-xts-plain64 with a 512-bit key is AES-256 in XTS mode, because XTS splits the key in two;
# these are the cryptsetup defaults for LUKS2 and are spelled out here to make the choice explicit
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/sdb1
# Open encrypted partition (creates the plaintext mapping /dev/mapper/encrypted_data)
cryptsetup luksOpen /dev/sdb1 encrypted_data
# Create filesystem on the mapped device, never on /dev/sdb1 itself
mkfs.ext4 /dev/mapper/encrypted_data
# Mount encrypted partition
mkdir /mnt/encrypted
mount /dev/mapper/encrypted_data /mnt/encrypted
# Configure automatic mounting: the crypttab entry unlocks the device at boot
# (third field "none" means a passphrase prompt; a key file path there allows unattended unlock),
# and the fstab entry mounts the mapped device once it exists
echo "encrypted_data UUID=$(blkid -s UUID -o value /dev/sdb1) none luks" >> /etc/crypttab
echo "/dev/mapper/encrypted_data /mnt/encrypted ext4 defaults 0 2" >> /etc/fstab
Configure LUKS for root partition encryption (in-place conversion of an existing unencrypted root on a Debian/Ubuntu system; /boot stays on its own unencrypted partition, so GRUB needs no LUKS support):
# Boot from live media so that the root filesystem is not mounted, and install cryptsetup there
# Back up existing data as a raw partition image
dd if=/dev/sda2 of=/backup/root.img bs=4M status=progress
# The LUKS2 header reserves the start of the partition (16 MiB by default), so the mapped device
# is smaller than the raw partition. Shrink the filesystem inside the image first; otherwise the
# restore below silently cuts off the tail of the filesystem.
e2fsck -f /backup/root.img
resize2fs -M /backup/root.img
# Encrypt root partition (destroys the unencrypted copy on /dev/sda2)
cryptsetup luksFormat --type luks2 /dev/sda2
cryptsetup luksOpen /dev/sda2 cryptroot
# Restore data. dd may end with "No space left on device" because the image is still
# partition-sized; that is harmless once the filesystem has been shrunk. Then grow the
# filesystem to fill the mapped device.
dd if=/backup/root.img of=/dev/mapper/cryptroot bs=4M status=progress
e2fsck -f /dev/mapper/cryptroot
resize2fs /dev/mapper/cryptroot
# Chroot into the restored system and update initramfs
mount /dev/mapper/cryptroot /mnt
mount /dev/sda1 /mnt/boot # Boot partition
for d in dev proc sys; do mount --bind /$d /mnt/$d; done # needed by blkid, update-initramfs and update-grub
chroot /mnt
echo "cryptroot UUID=$(blkid -s UUID -o value /dev/sda2) none luks" >> /etc/crypttab
# Root must now be mounted from the mapped device; UUID= entries in fstab stay valid because dd preserved the filesystem UUID
sed -i 's|^/dev/sda2[[:space:]]|/dev/mapper/cryptroot |' /etc/fstab
# The initramfs unlocks the root device from /etc/crypttab (package cryptsetup-initramfs)
apt-get install cryptsetup-initramfs
update-initramfs -u -k all
# Update bootloader: update-grub derives root= from the mounted root device. The
# cryptdevice=/dev/sda2:cryptroot kernel parameter belongs to Arch's mkinitcpio encrypt hook
# and is not read by the Debian/Ubuntu initramfs.
update-grub
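The step that most often goes wrong in the conversion above is the restore: the LUKS2 header takes space at the start of the partition, so the mapped device is smaller than the raw partition, and a straight dd of the old image truncates the end of the filesystem. The pre-flight check below is an added example, not part of the original page. It parses the data-segment offset from `cryptsetup luksDump` and the filesystem size from `dumpe2fs -h` (both real tools; the output samples embedded in the script are constructed, with whitespace simplified) and refuses to proceed unless the filesystem fits, printing the exact block count to pass to resize2fs when it does not. The `check_restore` wrapper and the device and image paths are hypothetical; run it after luksFormat/luksOpen and before the dd restore.

```shell
#!/bin/sh
# Added example: pre-flight size check before restoring an ext4 image into a
# LUKS2 container. Not from the original page; device and file names are hypothetical.
set -u

# Extract the data-segment offset (bytes) from `cryptsetup luksDump` output on stdin.
# Everything before that offset is LUKS metadata and keyslots, not usable for data.
luks_data_offset() {
    awk '/^Data segments:/ { seg = 1; next }
         /^Keyslots:/      { seg = 0 }
         seg && $1 == "offset:" { print $2; exit }'
}

# Filesystem size in bytes from `dumpe2fs -h` output on stdin (block count * block size).
ext4_size_bytes() {
    awk -F: '/^Block count:/ { c = $2 + 0 } /^Block size:/ { s = $2 + 0 }
             END { printf "%.0f\n", c * s }'
}

# Largest ext4 block count that fits: (partition bytes - header bytes) / block size.
max_blocks() {  # partition_bytes header_bytes block_size
    echo $(( ($1 - $2) / $3 ))
}

# Succeeds (exit 0) when fs_bytes fits in partition_bytes minus header_bytes.
fs_fits() {  # fs_bytes partition_bytes header_bytes
    [ "$1" -le $(( $2 - $3 )) ]
}

# Wrapper for the real devices (hypothetical usage): check_restore /dev/sda2 /backup/root.img
check_restore() {
    part=$1; img=$2
    part_bytes=$(blockdev --getsize64 "$part")
    hdr_bytes=$(cryptsetup luksDump "$part" | luks_data_offset)
    fs_bytes=$(dumpe2fs -h "$img" 2>/dev/null | ext4_size_bytes)
    bs=$(dumpe2fs -h "$img" 2>/dev/null | awk -F: '/^Block size:/ { print $2 + 0 }')
    if fs_fits "$fs_bytes" "$part_bytes" "$hdr_bytes"; then
        echo "ok: filesystem ($fs_bytes bytes) fits in container ($((part_bytes - hdr_bytes)) bytes)"
    else
        echo "refusing to restore: shrink the filesystem first with" >&2
        echo "  e2fsck -f $img && resize2fs $img $(max_blocks "$part_bytes" "$hdr_bytes" "$bs")" >&2
        return 1
    fi
}

# Constructed sample output (trimmed, whitespace simplified) in the format the two tools print:
# a LUKS2 header with the default 16 MiB data offset, and a 10 GiB ext4 filesystem.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Area offset:32768 [bytes]'

SAMPLE_DUMPE2FS='Filesystem volume name:   <none>
Block count:              2621440
Block size:               4096'

if [ "${1-}" = "--run" ]; then
    check_restore "$2" "$3"
fi
```

A filesystem that filled the whole 10 GiB partition cannot fit once 16 MiB of header is reserved, so the check points at `resize2fs` with 4096 fewer blocks; the same functions accept any ext4 block size and any LUKS2 header size, since both are read from the tools rather than assumed.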
Implement key management for LUKS:
# Add additional key slots (each slot wraps the same volume key, so any one of them unlocks the volume)
cryptsetup luksAddKey /dev/sdb1 # Prompts for an existing passphrase, then for the new one
# Use key files: 4 KiB of random bytes, readable only by root
dd if=/dev/urandom of=/root/keyfile bs=512 count=8
chmod 400 /root/keyfile
cryptsetup luksAddKey /dev/sdb1 /root/keyfile # Prompts for an existing passphrase
# A key file on an unencrypted root filesystem protects only against the data disk leaving without the system disk;
# keep it on encrypted storage or a removable token, and reference its path in the third field of /etc/crypttab for unattended unlock
# Remove compromised keys (asks for a passphrase from another slot; check luksDump for the slot number first and never kill the last slot)
cryptsetup luksKillSlot /dev/sdb1 3 # Remove key in slot 3
# Backup LUKS headers: without the header the data is unrecoverable, but the backup also contains every key slot
# that existed when it was taken, including slots killed later, so store it offline and re-take it after revoking a key
cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /backup/sdb1-header.img
# Verify encryption status: luksDump lists cipher, PBKDF and active key slots; dmsetup confirms the mapping is a crypt target
cryptsetup luksDump /dev/sdb1
dmsetup status encrypted_data
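Before killing a slot you want to know which slots are active and how each is protected, and after adding a key you want proof that it unlocks the device before the old one goes. The script below is an added example, not from the original page: `luks2_keyslots` parses the Keyslots section of `cryptsetup luksDump` into "slot pbkdf" lines, and `rotate_key` enrolls a new key file, verifies it with `cryptsetup open --test-passphrase` (which checks the key against the header without activating the device), kills the old slot using the new key as authorization, and then takes a fresh header backup because the previous backup still contains the revoked slot. The device path, key file and backup path are hypothetical, and the luksDump sample is constructed with whitespace simplified.

```shell
#!/bin/sh
# Added example: keyslot audit and key rotation for a LUKS2 device.
# Not from the original page; /dev/sdb1, the key file and the backup path are hypothetical.
set -u

# Print "slot pbkdf" for every active keyslot in `cryptsetup luksDump` output on stdin.
# Passphrase slots should be argon2id; pbkdf2 is acceptable for random key files, which
# do not need a slow KDF, but it is weak protection for a human-chosen passphrase.
luks2_keyslots() {
    awk '/^Keyslots:/          { ks = 1; next }
         /^(Tokens|Digests):/  { ks = 0 }
         ks && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { slot = substr($1, 1, length($1) - 1) }
         ks && $1 == "PBKDF:"  { print slot, $2 }'
}

# Number of active keyslots (refuse to revoke when this would hit zero).
luks2_keyslot_count() {
    luks2_keyslots | wc -l | tr -d ' '
}

# Slots whose PBKDF is pbkdf2, one per line: review these if they hold passphrases.
luks2_pbkdf2_slots() {
    luks2_keyslots | awk '$2 == "pbkdf2" { print $1 }'
}

# rotate_key DEVICE OLD_SLOT NEW_KEYFILE HEADER_BACKUP   (hypothetical usage, needs root)
rotate_key() {
    dev=$1; old=$2; newkey=$3; backup=$4
    if ! cryptsetup luksDump "$dev" | luks2_keyslots | awk -v s="$old" '$1 == s' | grep -q .; then
        echo "slot $old is not active on $dev" >&2; return 1
    fi
    umask 077                                   # key file is root-only from the moment it exists
    dd if=/dev/urandom of="$newkey" bs=512 count=8 2>/dev/null
    cryptsetup luksAddKey "$dev" "$newkey"      # prompts for a passphrase from an existing slot
    # --test-passphrase checks that the key unlocks the header without mapping the device
    if ! cryptsetup open --test-passphrase --key-file "$newkey" "$dev"; then
        echo "new key file does not unlock $dev; slot $old left in place" >&2; return 1
    fi
    # Authorize the kill with the freshly verified key instead of an old passphrase
    cryptsetup luksKillSlot --key-file "$newkey" "$dev" "$old"
    # The previous header backup still contains slot $old: replace it and destroy the stale copy
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    cryptsetup luksDump "$dev" | luks2_keyslots
}

# Constructed sample (trimmed, whitespace simplified): slot 1 was killed earlier, slot 0 holds a
# passphrase under argon2id, slot 2 holds a key file enrolled with pbkdf2.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Area offset:32768 [bytes]
  2: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
        Area offset:290816 [bytes]
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456'

if [ "${1-}" = "--rotate" ]; then
    rotate_key "$2" "$3" "$4" "$5"
fi
```

The Digests section also reports pbkdf2, which is why the parser stops at `Tokens:`/`Digests:`; the volume-key digest is not a key slot and is expected to use pbkdf2.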