How to enable LUKS disk encryption with keyfile on Linux

We can easily add a key file to LUKS disk encryption on Linux when running the cryptsetup command. A key file is used in place of a typed passphrase to unlock an encrypted volume. A passphrase lets Linux users unlock encrypted disks from the keyboard or over an SSH-based session. There are several kinds of key files we can add to enable LUKS disk encryption on Linux, depending on our needs:

1. Passphrase keyfile – A key file holding a simple passphrase.
2. Random text keyfile – A key file containing a block of random characters, which is far more resistant to dictionary attacks than a simple passphrase-based key file.
3. Binary keyfile – We can use an image, video, or any other static binary file as the LUKS key file. This makes it harder to identify as a key file: it looks like an ordinary image or video clip to an attacker rather than a random text key file.
Let us see how to enable LUKS disk encryption with a key file.

This post explains how to add and enable LUKS disk encryption with a key file on Linux, together with a backup passphrase to unlock the encrypted disk volume.

Summing up

This page described how to use a random LUKS key file along with a backup passphrase for unlocking encrypted volumes on Linux. It is also possible to encrypt your key file using 2FA, which we will cover next time. Always keep a verified backup following the 3-2-1 method. See the cryptsetup project home page for more info and read the following man page:
man cryptsetup

This entry is 5 of 5 in the Linux Unified Key Setup (LUKS) disk encryption tutorial series. Keep reading the rest of the series:

  1. Linux Hard Disk Encryption With LUKS
  2. Backup and restore LUKS header on Linux
  3. Change LUKS disk encryption passphrase on Linux
  4. Unlock LUKS using Dropbear SSH keys remotely in Linux
  5. Add/enable LUKS disk encryption with keyfile on Linux


I strongly suggest that you create both a key file and a passphrase, for backup purposes, in case the configured key file is lost or changed. That way you will still be able to regain access to your data stored on encrypted volumes.

Step 1 – Creating a key file with random characters

WARNING! The selection of LUKS key type and storage medium depends upon your threat model. I am going to use a random text key and USB pen drive for storing the key. All commands must run as the root user. Be careful with Linux device names, as wrong device names will result in data loss. The author or nixCraft is not responsible for any such actions.

We can use standard Linux commands such as the dd command or the openssl command to create a strong LUKS key. For instance, set the $DEST shell variable to the path where the key file will be written; in this tutorial that is on a USB pen drive mounted at /mnt/usb/.
Use the dd command (four 512-byte blocks, i.e. a 2048-byte random key):
dd bs=512 count=4 if=/dev/random of=$DEST iflag=fullblock
Alternatively, as mentioned earlier, you can use the openssl command to generate a strong LUKS key file as follows:
openssl genrsa -out $DEST 4096
Make sure only the root user can access our key file, using the chmod command and chown command:
chmod -v 0400 $DEST
chown root:root $DEST

See how to use chmod and chown commands for more info.

Step 2 – Fill the device with random data

Let us set the $DEVICE shell variable to the device name; the rest of this tutorial uses /dev/sdc.
Use the shred command to overwrite the device ($DEVICE) with random data so that its previous contents cannot be recovered:
shred -v --iterations=1 $DEVICE

Step 3 – Format device (hard drive)

The syntax is as follows to format and add a backup passphrase:
cryptsetup luksFormat $DEVICE

This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type uppercase yes): YES


Next, we are going to add the key file to the LUKS header as follows (you will be prompted for the backup passphrase set in the previous step):
cryptsetup luksAddKey $DEVICE $DEST
Verify that both the backup passphrase and the key file are set for /dev/sdc:
cryptsetup luksDump $DEVICE


Two key slots indicate that we have both a backup passphrase and a key file, either of which can unlock /dev/sdc.

Step 3 – Open the device

We use the luksOpen action as follows to open our device using the key file, where $DEV_NAME is the device-mapper name we want (this tutorial uses backup2):
cryptsetup luksOpen $DEVICE $DEV_NAME --key-file $DEST

If, for some reason, your key file is destroyed or corrupted, you can use the backup passphrase instead:
cryptsetup luksOpen $DEVICE $DEV_NAME

Enter passphrase for /dev/sdc:

You will see the device at /dev/mapper/$DEV_NAME; verify it with the ls command and file command:
ls -l /dev/mapper/$DEV_NAME
file -L /dev/mapper/$DEV_NAME


Step 4 – Format the device

Use the mkfs.ext4 command or mkfs.xfs command as follows:
mkfs.ext4 /dev/mapper/$DEV_NAME
# OR #
mkfs.xfs /dev/mapper/$DEV_NAME

Step 5 – Mount the device

Use the mkdir command and mount command as follows to mount the decrypted /dev/sdc:
mkdir /backup2
mount /dev/mapper/$DEV_NAME /backup2

Verify it using the df command and mount command:
df -HT /backup2
mount | grep ^/backup2


Step 6 – Persistent (permanent) LUKS mounting at boot time using a key file

Append the following line to the /etc/crypttab file (the third field is the key file path, which must be readable at the time the volume is unlocked during boot):
backup2 /dev/sdc /mykeyfile luks
Add/Edit the following line to /etc/fstab file:
/dev/mapper/backup2 /backup2 ext4 defaults 1 2

Step 7 – Closing the device

First unmount it using the umount command and then close the LUKS mapping as follows:
umount /backup2/
cryptsetup close backup2

Step 8 – Emergency access when the key file for LUKS disk encryption is damaged

Since we added a backup passphrase in key slot 0, all you have to do is type the following commands and enter the passphrase when prompted:
cryptsetup luksOpen $DEVICE $DEV_NAME
mount /dev/mapper/$DEV_NAME /backup2
df -HT /backup2
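The key-file and LUKS steps above, wrapped in shell functions with the checks a practitioner wants before relying on the key: this is an added example, not the article's own script. Function names and the use of /dev/urandom are assumptions; the device, key path and mapper name are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the nixCraft article). Requires GNU coreutils/cryptsetup.
set -eu

# Create a 2048-byte random key file that is never world-readable, even for an
# instant: umask is set in a subshell before dd writes it. Returns non-zero on
# any failure. /dev/urandom is assumed here (the article uses /dev/random).
make_keyfile() {
    dest=$1
    ( umask 077 && dd bs=512 count=4 if=/dev/urandom of="$dest" \
          iflag=fullblock status=none )
    chmod 0400 "$dest"
    # chown only succeeds as root; the tutorial runs every step as root
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$dest"; fi
    check_keyfile "$dest"
}

# Refuse a key file that is missing, shorter than 2048 bytes, or readable by
# anyone other than its owner (mode must be exactly 0400).
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    [ "$(wc -c < "$f")" -ge 2048 ] || { echo "key file too short: $f" >&2; return 1; }
    [ "$(stat -c %a "$f")" = 400 ] || { echo "key file mode is not 0400: $f" >&2; return 1; }
}

# Format DEVICE with a backup passphrase (prompted), add KEYFILE to a second
# slot, then verify BOTH unlock methods without activating the device.
# Needs root and a real block device; destroys everything on DEVICE.
luks_setup() {
    device=$1
    keyfile=$2
    [ -b "$device" ] || { echo "$device is not a block device" >&2; return 1; }
    check_keyfile "$keyfile"
    cryptsetup luksFormat "$device"             # prompts for the backup passphrase
    cryptsetup luksAddKey "$device" "$keyfile"  # prompts for that passphrase again
    # --test-passphrase checks that a slot unlocks without creating a mapping
    cryptsetup open --test-passphrase --key-file "$keyfile" "$device" \
        || { echo "key file does not unlock $device" >&2; return 1; }
    cryptsetup open --test-passphrase "$device" \
        || { echo "backup passphrase does not unlock $device" >&2; return 1; }
    echo "both unlock methods verified for $device"
    cryptsetup luksDump "$device"               # expect two populated key slots
}
```

Run make_keyfile on the USB key path first, then luks_setup on the target device; a key that is too short or too permissive is rejected before cryptsetup is touched.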
