Create Encrypted Volume

This little guide will go through how to create an encrypted volume on Linux. It assumes that you already have the programs necessary. Many distributions already have them installed. If your system uses apt package management you can install the necessary tools with

apt-get install cryptsetup

In this example we assume that the device we want to encrypt is /dev/sdc. A partition sdc1 will be created on it, and we then create a file system inside the encrypted container on that partition.

Scramble Data

Before we create the encrypted container on the device it is recommended to scramble the data on the device first. If you do not do this it is possible to scan the disk and tell encrypted content apart from the unused areas, and possibly to find exactly where files are written, which makes it easier for the person that tries to break it.

To do the scrambling you write random data over the entire disk.

There are two ways to generate the random data. The first, using urandom, will generate better random values but it has the disadvantage that it is very slow. Running urandom over a large 2TB drive will take days.

dd if=/dev/urandom of=/dev/sdc bs=4M

The second choice is to use the badblocks program with the random test pattern to write random data. It is safe, but the random values are less random and it is possible to find patterns, so you can identify which data on the drive is free and which is not. Running badblocks on a 2TB disk takes around 10-12 hours.

badblocks -s -w -t random /dev/sdc

Create Partition

Now use fdisk or whatever program you normally use to create partitions.

After you have created a partition you have a device you can use. Let's call it sdc1.

Setup for encryption

Now it is time to write the encrypted container in the partition. This will ask for a password. This password should be very long and kept secret.

If you want to use a long randomized password you can go to Steve Gibson's site and generate a password.

cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/sdc1

The -c parameter specifies which encryption algorithm and block mode to use. Check the man pages for more information. -s 256 is the key size to use; 128, 192 or 256 can be used here.

Open Encrypted Volume

Now that we have an encrypted volume, we need to open it so it can be used.

cryptsetup luksOpen /dev/sdc1 crypt1

You will be asked to enter your password and, if you entered it correctly, a new device will be added under /dev/mapper/; in this case it will be named /dev/mapper/crypt1.

Create and Mount file system

Now that you have your encrypted device you just create a file system on it as you normally would.

mkfs.reiserfs -l CRYPT1 /dev/mapper/crypt1

And then mount it:

mount /dev/mapper/crypt1 /mnt/crypt1

Unmount and Close an encrypted volume

Before removing your encrypted volume you need to unmount it and close it. This is especially important if the encrypted volume is a USB device. Do not just remove it from the computer after you have written data to it without unmounting it first; you might lose the data.

First you need to unmount it, and this is done just like any other volume.

umount /mnt/crypt1

Then we need to close the LUKS container.

cryptsetup luksClose crypt1

You can now remove the device safely from the computer.

Use a file as password (Optional)

It is always hard to remember and enter a very long and randomized password, especially if you have many disks you want to unlock and you have different passwords for all of them. In that case using files as passwords is convenient. You can create a simple script that you run to unlock all of your volumes for you. Just remember to keep the script and the key files secret on external storage.

You can use a file, picture, mp3, or a file with randomized data as a password, and then keep that file safe on a USB stick that you hide in a secret place.

In this example we are going to use a .jpg file as a password. Take an existing jpg file you have and open it in an image editor. Then modify the image (resize it, cut out a part) and save the result for use as a password file. We do this so that the image is unique: this image should be the only copy you have, not one of the images you normally keep in your gallery, because that would be a security risk.
Then name the image something that has nothing to do with images. In this example we use "iPodSync.dll", just to confuse anyone who finds the file. But you should keep the file in a safe place so that no one finds it.

cryptsetup luksAddKey /dev/sdc1 /mnt/usb/iPodSync.dll

You will be asked to enter your password again, and if everything goes fine iPodSync.dll is now added as an additional key for the volume.

Opening an encrypted volume using the file as a password is simple.

cryptsetup luksOpen -d /mnt/usb/iPodSync.dll /dev/sdc1 crypt1

You will not have to enter a password this time.
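The unlock script mentioned in the "Use a file as password" section, written out as an added example that is not part of the original guide. It creates a random key file with owner-only permissions (the "file with randomized data" alternative to the modified .jpg), enrols it with luksAddKey, and unlocks and mounts, or unmounts and closes, a whole list of volumes from their key files. It assumes Linux with cryptsetup, GNU coreutils and util-linux; the device paths, key file names and mount points in the VOLUMES table are constructed examples, and the enrol, unlock and lock steps need root.

```shell
#!/bin/sh
# Added example, not part of the original guide: helper script that
# (1) creates a random key file with owner-only permissions, (2) enrols it
# in a LUKS key slot, and (3) unlocks and mounts, or closes, a list of
# key-file protected volumes. Assumes Linux, cryptsetup, GNU coreutils and
# util-linux. Device paths, key file names and mount points are constructed.
set -eu

# Create SIZE random bytes at PATH (default 4096) as an alternative to the
# modified .jpg in the guide. Never overwrites an existing file; the umask
# runs in a subshell so the file is never created readable by other users.
make_keyfile() {
    path=$1
    size=${2:-4096}
    if [ -e "$path" ]; then
        echo "make_keyfile: $path already exists, refusing to overwrite" >&2
        return 1
    fi
    ( umask 077 && head -c "$size" /dev/urandom > "$path" )
    chmod 0400 "$path"
}

# Add KEY as an extra key slot on DEV. cryptsetup prompts for an existing
# passphrase, exactly as in the guide's luksAddKey step.
enrol_keyfile() {
    dev=$1
    key=$2
    [ -r "$key" ] || { echo "enrol_keyfile: cannot read $key" >&2; return 1; }
    cryptsetup luksAddKey "$dev" "$key"
}

# One volume per line: device, key file, mapper name, mount point (constructed).
VOLUMES='
/dev/sdc1 /mnt/usb/iPodSync.dll crypt1 /mnt/crypt1
/dev/sdd1 /mnt/usb/backup.key   crypt2 /mnt/crypt2
'

# Open every volume with its key file and mount it. A device that is absent
# or carries no LUKS header is skipped instead of aborting the whole run.
unlock_all() {
    printf '%s\n' "$VOLUMES" | while read -r dev key name mnt; do
        [ -n "$dev" ] || continue
        if ! cryptsetup isLuks "$dev" 2>/dev/null; then
            echo "skip: $dev is not an available LUKS device" >&2
            continue
        fi
        cryptsetup luksOpen -d "$key" "$dev" "$name"
        mkdir -p "$mnt"
        mount "/dev/mapper/$name" "$mnt"
    done
}

# Reverse of unlock_all: unmount first, then close the mapping, so the
# device can be removed safely as the guide describes.
lock_all() {
    printf '%s\n' "$VOLUMES" | while read -r dev key name mnt; do
        [ -n "$dev" ] || continue
        if mountpoint -q "$mnt"; then umount "$mnt"; fi
        if [ -e "/dev/mapper/$name" ]; then cryptsetup luksClose "$name"; fi
    done
}

case "${1:-}" in
    keyfile) make_keyfile "${2:?path required}" ;;
    enrol)   enrol_keyfile "${2:?device required}" "${3:?key file required}" ;;
    unlock)  unlock_all ;;
    lock)    lock_all ;;
    "")      : ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 keyfile PATH | enrol DEV KEY | unlock | lock" >&2 ;;
esac
```

Typical use is `sh unlock.sh keyfile /mnt/usb/backup.key`, then `sh unlock.sh enrol /dev/sdd1 /mnt/usb/backup.key` once per volume, and afterwards `sh unlock.sh unlock` and `sh unlock.sh lock` around each session. The key file is created with mode 0400 so that the same multi-user machine cannot leak it to other accounts, and the script refuses to overwrite an existing key file because a regenerated file would no longer match the enrolled key slot.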