Create an encrypted file vault on Linux using LUKS

Install cryptsetup (the userspace tool that manages LUKS volumes)

# cryptsetup provides luksFormat/open/close and the key-slot management used below.
sudo apt install cryptsetup

Create a 512 MiB container file filled with random data (it is deliberately not left empty: the random fill makes unused space indistinguishable from ciphertext once the volume is in use)

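# Work from the home directory; abort rather than write the container somewhere
# unexpected if the cd fails.
cd ~ || exit 1
# Allocate the 512 MiB container and pre-fill it with random bytes so that, once
# encrypted, free space cannot be told apart from ciphertext. iflag=fullblock
# makes dd retry short reads so the file is never silently smaller than count*bs.
dd if=/dev/urandom of=vaultfile.img bs=1M count=512 iflag=fullblock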

Create Luks Volume

# Initialise the container as a LUKS volume. This DESTROYS whatever the file
# holds. --verify-passphrase asks for the passphrase twice. Which LUKS version is
# written depends on the installed cryptsetup's default (presumably LUKS2 on a
# current release — check with luksDump below).
sudo cryptsetup -v --verify-passphrase luksFormat vaultfile.img

Check if Luks device

# Reports via its exit status (0 = yes) whether the file carries a LUKS header.
sudo cryptsetup -v isLuks vaultfile.img

A look at LUKS header

# Print the header metadata: LUKS version, cipher, which key slots are populated
# and their PBKDF settings. Without --dump-master-key no key material is shown.
sudo cryptsetup luksDump vaultfile.img

Test passphrase

# Check a passphrase against the key slots without creating a device mapping.
sudo cryptsetup --verbose open --test-passphrase vaultfile.img

Add another passphrase

# Enrol an additional passphrase in a free key slot. cryptsetup first asks for an
# existing passphrase that unlocks the volume, then for the new one.
sudo cryptsetup -v luksAddKey vaultfile.img

Remove a passphrase

# Remove a passphrase by typing it; cryptsetup finds and wipes the matching slot.
# Security note: any header backup taken earlier (see luksHeaderBackup below)
# still contains this slot and can be used to unlock the volume with the
# "removed" passphrase — refresh or destroy old backups after removing keys.
sudo cryptsetup -v luksRemoveKey vaultfile.img

Add a key file for unattended opening. A key file stored in plaintext on the same machine lets anyone who can read it open the vault without a passphrase, so it must be root-only; it protects the vault file only when the file is copied elsewhere.

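# Root-only directory for key material. Whoever can read the key file can open
# the vault without a passphrase, so neither the directory nor the file may be
# world-readable (the default umask would create the file as 0644).
sudo mkdir -p -m0700 /etc/luks-keys/
# 32 random bytes (a 256-bit key), created root-only via the umask. conv=excl
# refuses to overwrite an existing key, fsync flushes it to disk, and
# iflag=fullblock retries short reads so the key is never shorter than 32 bytes.
# (Same pattern as the root.key section further down.)
(umask 0077 && sudo dd if=/dev/random of=/etc/luks-keys/myvault_key bs=32 count=1 iflag=fullblock conv=excl,fsync)
# Enrol the key file in a free key slot (prompts for an existing passphrase first).
sudo cryptsetup -v luksAddKey vaultfile.img /etc/luks-keys/myvault_key
# Open the volume with the key file instead of a passphrase.
sudo cryptsetup -v open --type luks --key-file /etc/luks-keys/myvault_key vaultfile.img myvault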

Open Volume

# Map the container as /dev/mapper/myvault; the passphrase is asked for on the
# terminal. luksOpen is the legacy spelling of "open --type luks".
sudo cryptsetup -v luksOpen vaultfile.img myvault
# The new mapping should be listed here.
ls /dev/mapper

Create Filesystem

# Create an ext4 filesystem labelled "myvault" on the cleartext side of the mapping
# (mkfs -t ext4 dispatches to mkfs.ext4).
sudo mkfs -t ext4 -L myvault /dev/mapper/myvault

Add Permissions

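# Mount once to set ownership and permissions on the filesystem root, then unmount.
mkdir -p ~/myvault
sudo mount /dev/mapper/myvault ~/myvault
# Hand the vault to the invoking user ($USER quoted so an unusual value cannot
# split); use root:root instead if only root should manage the contents.
sudo chown -R "$USER:$USER" ~/myvault   # or: sudo chown -R root:root ~/myvault
# Owner-only access. The encryption only protects data at rest: while the vault is
# mounted, ordinary permissions are all that keeps other local users out, so the
# default is not world-readable/writable. X adds execute only to directories and
# files that are already executable.
sudo chmod -R u=rwX,go= ~/myvault
# If the vault is deliberately shared between local users, the /tmp-style setup
# (world-writable, sticky bit on the top directory) is:
#   sudo chmod a+rwxt ~/myvault
#   sudo find ~/myvault -mindepth 1 \( -type f -o -type d \) -exec chmod 777 {} +
sudo umount ~/myvault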

Close

# Tear down the mapping (fails while the filesystem is still mounted).
sudo cryptsetup -v close myvault

Backup and recovery of the LUKS header. A damaged header makes the data unrecoverable, so keep a backup — but the backup contains every key slot as of the time it was taken, so protect it like a key.

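# Save the LUKS header. The backup holds every key slot that exists right now: a
# passphrase or key file removed later still unlocks the volume through this file,
# so keep it offline/encrypted and re-take it after removing keys. The umask makes
# the backup file root-only regardless of cryptsetup's own file mode.
(umask 077 && sudo cryptsetup luksHeaderBackup --header-backup-file /root/myvault.luks.bin vaultfile.img)
# restore — overwrites the header currently in the container, so the key slots
# revert to those in the backup
sudo cryptsetup luksHeaderRestore --header-backup-file /root/myvault.luks.bin vaultfile.img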

Check header dump

# Inspect the header backup: file type, then size/mode/timestamps, then the LUKS
# metadata (populated key slots, PBKDF parameters) it preserves.
hdr_backup=/root/myvault.luks.bin
sudo file -- "$hdr_backup"
sudo stat -- "$hdr_backup"
sudo cryptsetup luksDump "$hdr_backup"

Use it like this

# Day-to-day use: unlock (passphrase prompt) and mount.
sudo cryptsetup -v luksOpen vaultfile.img myvault
sudo mount /dev/mapper/myvault ~/myvault

Unmount and Close

# Unmount first, then remove the mapping (luksClose is the legacy spelling of close).
sudo umount ~/myvault
sudo cryptsetup -v luksClose myvault

Use it with gpg encrypted keyfile

List your gpg key

# List the user's secret keys with long key IDs, keygrips and subkey fingerprints
# (-K is the short form of --list-secret-keys); pick the fingerprint to use below.
gpg -K --keyid-format=long --with-keygrip --with-subkey-fingerprints -vvv

Import it into root's keyring (the decrypt step below runs gpg under sudo, so root needs its own copy of the secret subkey)

# Copy the secret *subkeys* (not the primary secret key) into root's keyring so the
# sudo'd decrypt below can use them. Root's ~/.gnupg then holds a second copy of
# that secret material — treat it as such. Replace the fingerprint with your own.
gpg --export-secret-subkeys 28B03D68D333871691DC245609867128C44DF037 | sudo gpg --batch --import

Encrypt luks file key with gpg

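# Encrypt the raw key file to the chosen key; the output lands next to it as
# myvault_key.gpg. The umask keeps that new file root-only instead of whatever the
# default umask would give it.
(umask 077 && sudo gpg --encrypt --recipient 28B03D68D333871691DC245609867128C44DF037 /etc/luks-keys/myvault_key)
# Destroy the plaintext copy. shred overwrites in place, which shred(1) itself warns
# is not reliable on journaling or copy-on-write filesystems (e.g. btrfs, used later
# in this gist) or on SSDs — on those, assume remnants may survive.
# The key still lives in its LUKS slot; the .gpg file is now the only way to use
# that slot, so losing the GPG key means falling back to the passphrase slot.
sudo shred -vzu -n5 /etc/luks-keys/myvault_key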

Mount luks device using gpg to decrypt

# Decrypt the key with root's keyring and stream it straight into cryptsetup
# (--key-file=- reads the key from stdin), so the plaintext key never touches disk.
# --pinentry-mode loopback makes gpg ask for the GPG passphrase on the terminal
# rather than through a pinentry dialog. If gpg fails, cryptsetup receives no key
# and the open should fail rather than map the device. Both halves run under sudo,
# so expect up to two sudo prompts if credentials are not cached.
sudo gpg --pinentry-mode loopback --quiet --decrypt /etc/luks-keys/myvault_key.gpg | sudo cryptsetup open --type luks --key-file=- vaultfile.img myvault
sudo mount /dev/mapper/myvault ~/myvault

Install cryptsetup (second part: encrypting a whole root partition)

# Same tool as above; needed on the system whose root partition is being encrypted.
sudo apt install cryptsetup

Create Luks Volume

# Format a whole partition (here /dev/sdb13) as LUKS. Irreversibly destroys its
# current contents — confirm the device name (lsblk) before running this.
sudo cryptsetup -v --verify-passphrase luksFormat /dev/sdb13

Create a 32-byte (256-bit) random key file, readable by root only

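# Root-only directory for key material.
sudo mkdir -p -m0700 /etc/luks-keys/
# 32 random bytes (256 bits), root-only via the umask, never overwriting an existing
# key (conv=excl) and flushed to disk (fsync). iflag=fullblock makes dd retry short
# reads so the key is never silently shorter than 32 bytes.
(umask 0077 && sudo dd if=/dev/random of=/etc/luks-keys/root.key bs=32 count=1 iflag=fullblock conv=excl,fsync )
# Enrol the key file in a free slot (prompts for the existing passphrase).
sudo cryptsetup -v luksAddKey /dev/sdb13 /etc/luks-keys/root.key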

Open volume with password or key-file

# Unlock interactively with the passphrase ...
sudo cryptsetup open --type luks /dev/sdb13 root
# ... or non-interactively with the key file. Either way the partition is mapped
# as /dev/mapper/root.
sudo cryptsetup -v luksOpen --key-file /etc/luks-keys/root.key /dev/sdb13 root

Convert a key slot to the PBKDF2 algorithm (needed when GRUB's cryptodisk must unlock the volume, since the GRUB versions this section targets do not handle Argon2 slots)

# Alternatives, not a sequence: each one rewrites the PBKDF of a single key slot
# (cryptsetup prompts for the passphrase or key of the slot being converted).
# Re-hash a slot with PBKDF2 at cryptsetup's benchmarked iteration count.
sudo cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sdb13
# Force a fixed iteration count. 10000 is far below what cryptsetup benchmarks on
# current hardware, so it speeds up offline guessing of that slot's passphrase by
# the same factor; only accept this on a slot holding a high-entropy key file, or
# because the bootloader is too slow to unlock at the benchmarked count.
sudo cryptsetup luksConvertKey --pbkdf-force-iterations 10000 /dev/sdb13
# Same weakening, but enrolling a new key into slot 0 (slot 0 must be free).
sudo cryptsetup -v luksAddKey --pbkdf pbkdf2 --pbkdf-force-iterations 10000 --new-key-slot 0 /dev/sdb13
# Re-hash the key-file slot with explicit memory-hard parameters: 4 iterations,
# ~256 MiB (--pbkdf-memory is in KiB), 2 threads. No --pbkdf is given, so this
# presumably uses the LUKS2 default Argon2 variant — confirm with luksDump.
sudo cryptsetup luksConvertKey --pbkdf-force-iterations 4 --pbkdf-memory 262100 --pbkdf-parallel 2 --key-file /etc/luks-keys/root.key /dev/sdb13

Convert to LUKS version 1. Older GRUB2 cryptodisk only unlocks LUKS1/PBKDF2 volumes; with a recent GRUB2 that can unlock LUKS2 directly, neither this conversion nor the dedicated PBKDF2 key slot is needed.

# Make the key-file slot PBKDF2 too; every slot must be PBKDF2 before a LUKS1
# conversion can succeed.
sudo cryptsetup luksConvertKey --pbkdf pbkdf2 --key-file /etc/luks-keys/root.key /dev/sdb13
# Downgrade the header to LUKS1 for bootloaders without LUKS2 support. LUKS1 has
# no header checksums/redundancy and no Argon2, so only do this if GRUB needs it.
sudo cryptsetup convert --type luks1 /dev/sdb13
# Filesystem on the mapped device (the volume must already be open as "root").
sudo mkfs.btrfs -L root /dev/mapper/root
sudo mkdir /mnt/luks
sudo mkdir /mnt/root
# Mount the existing root filesystem on /dev/sda2 (presumably unencrypted) at its
# top level and take a read-only snapshot of its rootfs subvolume to copy from.
sudo mount -t btrfs -o subvolid=0 /dev/sda2 /mnt/root
sudo mkdir /mnt/root/snapshots
sudo btrfs subvolume snapshot -r /mnt/root/rootfs /mnt/root/snapshots/@root_25_08_2024

# Stream the snapshot into the encrypted filesystem.
sudo mount -t btrfs -o subvolid=0,compress=zstd:1 /dev/mapper/root /mnt/luks
sudo btrfs send /mnt/root/snapshots/@root_25_08_2024 | sudo btrfs receive /mnt/luks

# Rename the received (read-only) subvolume to rootfs and make it writable.
sudo mv /mnt/luks/@root_25_08_2024 /mnt/luks/rootfs
sudo btrfs property set -ts /mnt/luks/rootfs ro false
# Make rootfs the default subvolume. The id (262 here) is read off the `list`
# output and will differ on another system — do not copy it blindly.
sudo btrfs subvolume get-default /mnt/root/
sudo btrfs subvolume list /mnt/luks/ -a -p -t
sudo btrfs subvolume set-default 262 /mnt/luks
# NOTE(review): the plaintext copy on /dev/sda2 (and the snapshot) still exists
# after this; the migration only protects the data once that partition is wiped.

Enable cryptomount in GRUB2 (so GRUB can unlock the LUKS volume and load the kernel and initramfs from the encrypted root)

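# Prepare a chroot into the new encrypted root so initramfs and GRUB can be
# configured from inside it. The directory created must be the one actually
# mounted (/mnt/disk) — the listing previously created /mnt/root here.
sudo mkdir -p /mnt/disk
sudo mount -t btrfs -o subvol=rootfs,compress=zstd:1 /dev/mapper/root /mnt/disk
cd /mnt/disk || exit 1
sudo mount --bind /dev dev
sudo mount -t proc proc proc
sudo mount -t sysfs sysfs sys
# Everything from here on is typed inside the chroot, as root.
sudo chroot ./
# Let GRUB unlock the LUKS volume to read /boot from it. This only takes effect
# once the GRUB image and configuration are regenerated (grub-install / update-grub),
# which this listing does not show.
echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub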

LUKS setting: nano /etc/crypttab. `none` prompts for the passphrase at boot; the commented variant unlocks with the key file embedded in the initramfs (see KEYFILE_PATTERN below). `discard` passes TRIM through dm-crypt, which reveals which blocks of the encrypted device are unused — drop it if that leak matters more than SSD wear.
root UUID=02619c5b-cc74-46bc-9fc1-733f51193c77 none luks,discard,key-slot=0
#root UUID=02619c5b-cc74-46bc-9fc1-733f51193c77 /etc/luks-keys/root.key luks,discard,key-slot=1

mount points: nano /etc/fstab (this UUID is the btrfs filesystem's, not the LUKS device's used in crypttab; subvolume and compression options match the mount above)
UUID=dd1ac475-1d6e-4137-8240-ec0bfd7b90c4 / btrfs subvol=rootfs,compress=zstd:1,noatime 0 0

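# Embed /etc/luks-keys/*.key in the initramfs so the root volume is unlocked with
# the key file (crypttab key-file variant) after GRUB has already asked for the
# passphrase once. The key then sits in plaintext inside the initramfs, so:
#  - UMASK=0077 makes the generated initramfs readable by root only, and
#  - /boot must itself live on the encrypted volume (GRUB_ENABLE_CRYPTODISK);
#    the fstab above lists only "/", so /boot is presumably inside the encrypted
#    root — confirm, because on an unencrypted /boot this would expose the key.
sudo sh -c 'echo "KEYFILE_PATTERN=\"/etc/luks-keys/*.key\"" >>/etc/cryptsetup-initramfs/conf-hook'
sudo sh -c 'echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf'
# Rebuild the initramfs for every installed kernel, not only the newest, so no
# older kernel boots with an initramfs that lacks the key or the umask.
sudo update-initramfs -u -k all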