@benhubert
Last active January 19, 2021 20:35
cryptsetup cheat sheet

Wipe disk

cryptsetup open --type plain -d /dev/urandom /dev/sdX to-be-wiped
dd if=/dev/zero of=/dev/mapper/to-be-wiped status=progress bs=4M
cryptsetup close to-be-wiped

Encrypt disk

Partition the disk:

gdisk /dev/sdX
 > o > Y
 > n > 1 > default sector [ENTER] > size [ENTER] > 8300 [ENTER]
 > w > Y

Initialize the encryption layer (XTS splits the key in half, so --key-size 256 gives AES-128; --key-size 512 would give AES-256):

cryptsetup -v \
  --type luks2 \
  --cipher aes-xts-plain64 \
  --key-size 256 \
  --hash sha256 \
  --iter-time 2000 \
  --use-urandom \
  --verify-passphrase \
  luksFormat /dev/sdX1

Initialize the file system:

cryptsetup open /dev/sdX1 diskname
mkfs.btrfs /dev/mapper/diskname
cryptsetup close diskname

Open encrypted disk

cryptsetup open /dev/sdX1 diskname
mkdir -p /mnt/diskname
mount /dev/mapper/diskname /mnt/diskname

Add keyfile instead of passphrase

Create the keyfile and add it to the encrypted disk:

dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
chmod 0400 /root/keyfile
cryptsetup luksAddKey /dev/sdX1 /root/keyfile

Open the disk using the keyfile:

cryptsetup open --key-file /root/keyfile /dev/sdX1 diskname

Automated mounting with key file

Configure the mapping for automated unlocking in /etc/crypttab:

# <name>  <device>                                  <key file>    <options>
sdx_crypt UUID=23451234-1234-abcd-cdef-1234abcd2345 /root/keyfile

Configure the mountpoint in /etc/fstab:

# <block device>      <mountpoint> <type> <options>
/dev/mapper/sdx_crypt /mnt/disk    btrfs  defaults  0 0
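
Check the key file setup (added example, not part of the original gist): a small audit of a crypttab-format file that flags key files readable by group/other, missing key files, and mappings that use a non-persistent device name. The function name audit_crypttab is hypothetical and GNU stat is assumed; call it as `audit_crypttab /etc/crypttab`.

```bash
#!/usr/bin/env bash
# Added example: audit a crypttab-format file for weak key file handling.
# audit_crypttab is a hypothetical helper name, not part of cryptsetup.
# Assumes GNU stat (coreutils) for the octal mode lookup.

# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_crypttab() {
  local tab="$1" name device key opts mode findings=0
  while read -r name device key opts || [ -n "$name" ]; do
    # Skip blank lines and comments.
    case "$name" in ''|'#'*) continue ;; esac

    # Kernel names such as /dev/sdX1 can change between boots, so the
    # mapping should use a persistent identifier (UUID= in the cheat sheet).
    case "$device" in
      UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*) ;;
      *) echo "$name: device '$device' is not a persistent identifier"
         findings=$((findings + 1)) ;;
    esac

    # "none" or "-" means an interactive passphrase; /dev/* key sources
    # (e.g. /dev/urandom for swap) are not files to protect.
    case "$key" in ''|none|-|/dev/*) continue ;; esac

    if [ ! -f "$key" ]; then
      echo "$name: key file '$key' is missing or not a regular file"
      findings=$((findings + 1))
      continue
    fi

    # Any group/other permission bit lets non-root users reach the key.
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "$name: key file '$key' has mode $mode, expected 0400 or 0600"
      findings=$((findings + 1))
    fi
  done < "$tab"
  [ "$findings" -eq 0 ]
}
```

A key file stored on an unencrypted root file system protects the disk only as well as that file system is protected, which this check does not cover.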