From Bits to Bites &
Windshields to Worship

Computers, Cooking, Cars, Christianity, and More …


This post is part of my Upgraded Linux Backup series.

After obtaining (and assembling) my new backup hardware my first order of business was to get the external hard drives formatted and set up with drive encryption. Since I’m swapping out one drive to store off-site I wanted to use drive encryption just in case it somehow ended up in someone else’s possession. In Ubuntu, the easiest way to encrypt a whole drive is using LUKS. I chose LUKS because it is easily readable by most Linux computers and can even be set up on a Windows PC, if absolutely necessary. This post will walk through the (remarkably simple) process of setting up encryption and formatting.

(Note: most of these instructions are condensed adaptations of articles I found here and here.)

FYI: I set up my drives using these instructions on Ubuntu 8.10 – Intrepid Ibex. I was later able to successfully mount and access the drives using Ubuntu 8.04 – Hardy Heron on my server and 9.04 – Jaunty Jackalope on my laptop.

When setting up my drives I was using USB 2.0, therefore these directions reflect that. The process may have been faster using eSATA, but at the time I did not yet have a controller card. The directions should be applicable to eSATA as well (unless otherwise noted), but your mileage may vary. These instructions can also be easily adapted for creating a handy, encrypted USB “thumb” drive.

Necessary Software

In order to proceed you must have the cryptsetup package installed:

sudo apt-get install cryptsetup

Finding the drive

After powering on the drive and hooking it up to the computer you need to identify the device:

dmesg | tail -20

[33884.688746] usb 4-1: new high speed USB device using ehci_hcd ...
[33884.764079] usb 4-1: configuration #1 chosen from 1 choice
[33884.764868] scsi8 : SCSI emulation for USB Mass Storage devices
[33884.765316] usb-storage: device found at 9
[33884.765321] usb-storage: waiting for device to settle before scan...
[33888.042416] usb-storage: device scan complete
[33888.043707] scsi 8:0:0:0: Direct-Access     HDS72505 0KLA360 ...
[33888.047550] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors
[33888.048292] sd 8:0:0:0: [sdb] Write Protect is off
[33888.048300] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.048305] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.049648] sd 8:0:0:0: [sdb] 976773168 512-byte hardware sectors
[33888.050421] sd 8:0:0:0: [sdb] Write Protect is off
[33888.050428] sd 8:0:0:0: [sdb] Mode Sense: 00 38 00 00
[33888.050432] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[33888.050438]  sdb: unknown partition table
[33888.066470] sd 8:0:0:0: [sdb] Attached SCSI disk
[33888.066545] sd 8:0:0:0: Attached scsi generic sg2 type 0

In the example above (from this article) you can see that the drive has been recognized as /dev/sdb. Your drives may show up differently (mine appeared as /dev/sdd and /dev/sde.) I’ll continue to use /dev/sdb to refer to the drive we are working with, but you should replace it with whatever your result is.

Create the partition

Before you can actually set up encryption or format the drive, you must create a partition. This is simply a portion of the drive you intend to store data on. A single physical drive may contain multiple partitions (as is usually the case with a Linux boot drive) or just one. At this point you could easily choose to set up both an encrypted and a non-encrypted partition on your drive. I didn’t have a need for this, so I’ll be continuing with a single partition.

While it can be accomplished via the command line, I chose to use the graphical GParted program, available under the “System -> Administration -> Partition Editor” menu.

Choose your device via the drop-down menu in the upper right-hand corner. Then, select the unallocated space and create a new partition that encompasses the entire available space. We do not want to format the partition, only create it, so select “unformatted” as the filesystem.

New Partition

Click “Apply” and your new partition will be created. You should now have a partition named something like /dev/sdb1 (notice there’s now a number added.) Once you have created the partition successfully, close GParted.

Setting up encryption

The next section is copied verbatim from the aforementioned article:

The dm-crypt, sha256 and aes kernel modules will need to be loaded prior to encrypting the partition:

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes

If the following error messages appear when loading sha256 and aes:

sudo modprobe sha256
WARNING: Error inserting padlock_sha ... No such device

sudo modprobe aes
WARNING: Error inserting padlock_aes ... No such device

it is an indication that the system does not have a hardware cryptographic device (source: Ubuntu Bug #206129)

The workaround is to add the following lines (using your favorite editor) to the bottom of /etc/modprobe.d/aliases and re-run the modprobe commands for the sha256 and aes kernel modules:

alias sha256 sha256_generic
alias aes aes_generic

Note that this is only necessary when we are setting up the drive. Later we will access them through Gnome and won’t need these modules.

Encrypting the partition

Finally, we can run the command to encrypt the /dev/sdb1 partition.

While there are other ways of securing your encrypted drive (such as a key file stored locally or on a USB flash drive) I have chosen to use a strong passphrase. Mine is 23 characters long, but any passphrase 12 characters or longer not consisting of dictionary-findable words should suffice.

The tutorial I used recommended the following command:

sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256

The LUKS-formatting command above has the following options:

  • --verify-passphrase – ensures the passphrase is entered twice to avoid an incorrect passphrase being used
  • -c aes – specifies the use of AES encryption (c for cipher)
  • -s 256 – specifies a 256-bit key size
  • -h sha256 – use 256-bit SHA for password hashing

However, after reading this article I decided to go with 128-bit AES encryption instead, along with a strong passphrase, in hopes of reducing some computational overhead. Therefore, my command instead looked something like:

sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 128 -h sha256

Creating the filesystem

After setting up the encrypted partition, you must open and map it in order to set up the filesystem and begin using it.

Start with:

sudo cryptsetup luksOpen /dev/sdb1 secureUSB

This should prompt you for your passphrase and map the drive to /dev/mapper/secureUSB. Now you can format the encrypted partition with a filesystem using whatever method you prefer. I had good luck using GParted to format in ext3.

Like before, select the device you want to create the filesystem on – in this case /dev/mapper/secureUSB. You should again see a block of unallocated space, which you should select and create a new partition within. You may be presented with a big, scary message about setting a disklabel – tell it to create (since you have no data to lose on the drive at this point anyway!)

The create new partition screen will look just the same as before, only this time you will want to specify the filesystem type you want to use. Apply all the pending operations and wait for the formatting process – it can take quite a while, especially for large drives.

Mounting the encrypted drive

Having successfully set up encryption and created a filesystem, we’re almost ready to mount the drive and begin using it! (Of course, this is still assuming you’re using USB. If you’re using eSATA then this won’t work as easily – that will come in a later post!)

Shut down the computer, disconnect the drive, and reboot. Once you’re back up and logged in, reconnect the drive and Gnome should prompt you for the passphrase and then mount automatically.

unlock

If you want the drive to unlock automatically on this computer, select “remember forever.”

After you’re unlocked and mounted, the final step is to take ownership of the drive’s root folder with a user other than your sudo/root user:

sudo chown youruser:youruser /media/disk

where youruser is the user you want to have ownership and /media/disk is where Gnome auto-mounted the drive.
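The command-line steps above (finding the drive, encrypting the partition, creating the filesystem, mounting and taking ownership) gathered into one script, as an added example that is not from the original post or the articles it adapts. It assumes the partition /dev/sdX1 was already created in GParted, mounts the drive manually at /media/disk instead of waiting for Gnome, and adds two checks: it refuses a disk that has anything mounted, and it spells out the cipher mode, because "-c aes" on its own leaves cryptsetup on aes-cbc-plain rather than the aes-cbc-essiv:sha256 mode LUKS uses by default.

```shell
#!/bin/sh
# Added example, not code from the original post. Device names, the
# mount point and the owner are placeholders supplied by the caller.
set -eu

# Step 1 (Finding the drive): take dmesg output on stdin and print the
# newest device reported as "[sdX] Attached SCSI disk" as /dev/sdX.
new_disk_from_dmesg() {
    sed -n 's|.*\[\(sd[a-z]*\)\] Attached SCSI disk.*|/dev/\1|p' | tail -n 1
}

# Guard against formatting the wrong disk: succeed only if neither the
# device nor any of its partitions appears in the mounts table.
# $1 = device (e.g. /dev/sdb), $2 = mounts table (defaults to /proc/mounts).
device_is_unmounted() {
    ! grep -q "^$1[0-9]* " "${2:-/proc/mounts}"
}

# Step 2 (Encrypting the partition): the post's luksFormat command with the
# cipher mode written out. "-c aes" alone means aes-cbc-plain; the essiv
# mode is what LUKS picks when no cipher is given. $2 = key bits (256 or
# the 128 the post settled on).
luks_format_cmd() {
    printf 'cryptsetup --verify-passphrase luksFormat %s -c aes-cbc-essiv:sha256 -s %s -h sha256' "$1" "${2:-256}"
}

# Steps 2-4 end to end. Destructive, so it only runs when explicitly asked:
#   LUKS_SETUP_RUN=1 sh setup-luks.sh /dev/sdb youruser
luks_setup_drive() {
    disk=$1 owner=$2 part="${1}1" name=secureUSB
    device_is_unmounted "$disk" || { echo "$disk has mounted partitions, refusing" >&2; return 1; }
    sudo modprobe dm-crypt
    # word-splitting the built command is safe: it contains no spaces in arguments
    sudo $(luks_format_cmd "$part" 128)
    sudo cryptsetup luksOpen "$part" "$name"
    sudo mkfs.ext3 "/dev/mapper/$name"
    sudo mkdir -p /media/disk
    sudo mount "/dev/mapper/$name" /media/disk
    sudo chown "$owner:$owner" /media/disk
}

if [ "${LUKS_SETUP_RUN:-}" = 1 ]; then
    luks_setup_drive "$1" "$2"
fi
```

Run `dmesg | sh -c '. ./setup-luks.sh; new_disk_from_dmesg'` first to confirm the device name before passing it to the script.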

Finished!

Whew! I must say it has taken far longer to write this post than it did to actually perform these operations. The longest part of the entire process was creating the ext3 filesystem. If you’re using eSATA to set up the drive it will go much faster, however as I mentioned you will have a few more steps to take before you can easily hot-swap your drive. Stay tuned for the next post in this series for that how-to …


3 responses to “Setting up LUKS encryption on USB drives”

  1. JD

    Very nice read, thank you.

  2. ana

    Hi,
    followed these instructions and I ended up with a device my computer can’t see…:
    Command failed: Can not access device

  3. Charlotte

    this post is very informative, really love reading it. thanks for sharing and hope to hear more from you.
