Thursday, June 11, 2009

Creating and using an encrypted hard drive or partition

Considering the dropping cost of laptops and external drives, the most damaging part of having one stolen is not the cost of replacing the hardware, but the cost of the data.

You may have proprietary company information, tax returns, financial information, or worse on there. The best way to protect your data is to encrypt it and encrypt it well. Thankfully, Linux makes this really easy.

The encryption I'll show you how to set up uses a block-encryption algorithm, meaning that the encryption respects the underlying filesystem and, in case of a hardware failure such as a bad block, you'll only lose the data stored at that one location. I once had a Windows encryption package that encrypted using the entire volume. One day, an error cropped up in the middle of the encrypted volume and instantly all of my data was gone.

All of the following should be done as root.

1. The first step is to fill the drive with random data. This serves two purposes:

- If the drive previously contained any unencrypted data, you want it gone and unrecoverable.
- If the drive is not filled with random data, an attacker may be able to determine how much of your encrypted partition is in use.

I feel that the first reason is the more important one, so if your drive is new, then you can skip this step. If you are performing this step via a USB connection, it can be incredibly slow; you can expect this step to take up to a week to complete. If you need it done quickly, then hook the drive up via SATA or eSATA.

The command to perform is:

dd if=/dev/random of=/dev/DEVICE


/dev/random contains high-quality random data. You can replace it with /dev/urandom, which is faster, but uses lower-quality random data (i.e., it's not quite as random).


2. Create the encrypted partition:

cryptsetup --key-size 256 luksFormat /dev/DEVICE


You will be prompted for your passphrase. LUKS does not use your passphrase to encrypt the data; rather, it uses your passphrase to secure the key that encrypts the data. As a result, you can set up multiple passphrases or even revoke passphrases. This way, if you ever feel that your passphrase may have been compromised, you can quickly swap it with another passphrase to maintain data security without having to re-encrypt the entire drive.

3. Open the encrypted partition:

cryptsetup luksOpen /dev/DEVICE NAME


"NAME" is the name of the unencrypted device and can be any convenient name for this partition. For example, if you're setting up a backup drive, use "backup" to remind yourself what the drive is for.

4. Create the filesystem:

mkfs.ext3 /dev/mapper/NAME


Of course, you can replace mkfs.ext3 with whatever filesystem you want to use.


You're done! Now, here is how to use your drive. To set it up, use:

cryptsetup luksOpen /dev/DEVICE NAME
mount /dev/mapper/NAME MOUNT_POINT


And to shut it down, use:

umount MOUNT_POINT
cryptsetup luksClose NAME


And if you're going to use this for a partition that needs to be mounted at boot, see my note about getting openSUSE to ask for the password at boot.
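
Step 2 says that the passphrase only secures the key that encrypts the data, which is why passphrases can be added or revoked without re-encrypting the drive. The following is an added example, not code from the original post and not the real LUKS on-disk format: a small Python model of that key-slot idea. The `Volume` class, the `ITER` value and the XOR wrapping (a stand-in for the cipher and anti-forensic splitting that real LUKS applies to key material) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITER = 10_000  # constructed value; real LUKS benchmarks an iteration count per machine


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """Toy model of a LUKS header: one master key, several passphrase slots."""

    def __init__(self, passphrase: str):
        master = os.urandom(32)                      # 256-bit key, as in --key-size 256
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kdf(master, self.mk_salt)  # used to recognise a correct unwrap
        self.slots = {}                              # slot number -> (salt, wrapped key)
        self._store(0, passphrase, master)

    def _store(self, slot: int, passphrase: str, master: bytes) -> None:
        salt = os.urandom(16)
        self.slots[slot] = (salt, _xor(master, _kdf(passphrase.encode(), salt)))

    def unlock(self, passphrase: str) -> bytes:
        """Return the master key if any slot accepts the passphrase."""
        for salt, wrapped in self.slots.values():
            candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
            if hmac.compare_digest(_kdf(candidate, self.mk_salt), self.mk_digest):
                return candidate
        raise PermissionError("no key slot matches this passphrase")

    def add_passphrase(self, existing: str, new: str) -> int:
        master = self.unlock(existing)               # an existing passphrase is required
        slot = next((i for i in range(8) if i not in self.slots), None)  # LUKS1: 8 slots
        if slot is None:
            raise ValueError("all key slots are in use")
        self._store(slot, new, master)
        return slot

    def revoke(self, slot: int) -> None:
        if len(self.slots) == 1:                     # guard chosen for this model
            raise ValueError("refusing to remove the last key slot")
        del self.slots[slot]                         # master key and data stay unchanged
```

On a real volume the corresponding operations are `cryptsetup luksAddKey /dev/DEVICE` and `cryptsetup luksRemoveKey /dev/DEVICE`, and `cryptsetup luksDump /dev/DEVICE` lists which slots are in use.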
