Whole Disk Encryption with One Command - Linux
cryptsetup --type=plain open /dev/sdX myCrypt
It’s that simple! What we’ve done is create a device at /dev/mapper/myCrypt on which we can now create a partition or filesystem. In plain mode there is no key stored on the device, so to open the device again we use the same command with the same passphrase. Let’s have a look at a more advanced plain mode example.
cryptsetup --hash=ripemd160 --cipher=aes-cbc-essiv:sha256 --offset=0 --key-size=256 open --type=plain /dev/sdX myCrypt
These are the defaults (consider using more secure options) for more advanced whole disk encryption. The hash is used to derive a key from your passphrase; in plain mode the passphrase is hashed once, without an iterated key derivation function, so the passphrase itself must be strong. The cipher specification consists of three parts: the cipher, the chain mode, and an IV generator. The key size depends on the cipher and chain mode used. Run a benchmark to determine which hash and cipher values to use.
When using plain mode, no error is displayed if an incorrect passphrase has been used: the device simply opens and reads back as random data. If any data is written to the device while it is opened with an incorrect passphrase, it corrupts whatever was previously written. It is therefore recommended to always create a filesystem inside the newly created device, because mounting will then fail with an error when the encrypted device has been opened with an incorrect passphrase.
Step by Step
# Let's clean our drive (dd stops with "No space left on device" once the disk is full)
dd if=/dev/urandom of=/dev/sdX bs=4M status=progress
# Now create an encrypted device
cryptsetup --type=plain open /dev/sdX myCrypt
# Create a filesystem on the device
mkfs -t ext4 /dev/mapper/myCrypt
# Mount the newly created device
mkdir -p /mnt/nothingToSeeHere
mount /dev/mapper/myCrypt /mnt/nothingToSeeHere
# Write a file to the device
echo "This file is inside a filesystem that is inside an encrypted device." > /mnt/nothingToSeeHere/helloWorld.txt
# Unmount the partition
umount /mnt/nothingToSeeHere
# Close the encrypted device
cryptsetup close myCrypt
# Now, let's verify everything is in working order
cryptsetup --type=plain open /dev/sdX myCrypt
mount /dev/mapper/myCrypt /mnt/nothingToSeeHere
cat /mnt/nothingToSeeHere/helloWorld.txt
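The failure mode described above (a wrong passphrase in plain mode opens a mapping full of garbage, and the first write destroys the real data) is worth guarding against in a script rather than relying on noticing a mount error. The following is an added example, not code from the original post: it wraps the open step so that the mapping is probed for a filesystem signature and closed again before anything else runs if none is found, then mounts read-only first. It assumes cryptsetup and blkid (from util-linux) are installed and that it runs as root; the device, mapping name and mount point are the placeholders used above.

```sh
#!/bin/sh
# Added example, not from the original post: open a plain-mode device and make
# sure the passphrase was right BEFORE anything is written through the mapping.
# In plain mode there is no header to check against, so a wrong passphrase
# silently yields random bytes; the filesystem signature is the only test.
set -eu

# Refuse anything that is not a block device. Catches placeholders such as the
# literal /dev/sdX and mistyped paths before cryptsetup ever sees them.
require_block_device() {
    if [ ! -b "$1" ]; then
        echo "error: $1 is not a block device" >&2
        return 1
    fi
}

# Open DEV as the plain-mode mapping NAME and verify it. blkid -p probes the
# mapping for a filesystem signature; on a wrong passphrase the decrypted
# bytes are noise and it prints nothing. In that case the mapping is closed
# again immediately so no later step can write to it.
open_plain_verified() {
    dev="$1"; name="$2"
    require_block_device "$dev"
    cryptsetup --type=plain open "$dev" "$name"
    fstype=$(blkid -p -o value -s TYPE "/dev/mapper/$name" 2>/dev/null || true)
    if [ -z "$fstype" ]; then
        cryptsetup close "$name"
        echo "error: no filesystem on /dev/mapper/$name (wrong passphrase?); mapping closed" >&2
        return 1
    fi
    echo "/dev/mapper/$name holds a $fstype filesystem"
}

# Mount read-only first as a second check; only then remount read-write.
mount_verified() {
    name="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro "/dev/mapper/$name" "$mnt"
    mount -o remount,rw "$mnt"
}

# Usage: ./plain_open.sh /dev/sdX myCrypt /mnt/nothingToSeeHere
# The steps only run when all three arguments are given, so the functions can
# also be sourced from another script.
if [ "$#" -eq 3 ]; then
    open_plain_verified "$1" "$2"
    mount_verified "$2" "$3"
fi
```

Run it once the filesystem from the step-by-step section exists on the device. With the correct passphrase it reports the filesystem type and mounts; with a wrong one it exits non-zero and leaves no open mapping behind, which is the state you want before any automation that writes to the mount point is allowed to continue.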
Advanced - RAID
Now let’s use multiple drives to create a RAID1 array with BTRFS.
# create two encrypted devices from our disks
cryptsetup --type=plain open /dev/sdb first
cryptsetup --type=plain open /dev/sdc second
# create a BTRFS RAID1 setup with the two devices
mkfs.btrfs -m raid1 -d raid1 /dev/mapper/first /dev/mapper/second
# mount our RAID array
mkdir -p /mnt/myRAID
mount /dev/mapper/first /mnt/myRAID
# We're done! Now let's close it down
umount /mnt/myRAID
cryptsetup close first
cryptsetup close second
You can add more devices to the array by creating more encrypted devices with cryptsetup and then adding them to the array with plain btrfs commands.
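As an added example (not code from the original post) of what those plain btrfs commands look like: reopen the two members, add a third plain-mode device, and rebalance so that data already on the array is replicated onto the new member. /dev/sdd and the mapping name third are assumed placeholders; the other device names and the mount point follow the section above, and the script assumes it runs as root with cryptsetup and btrfs-progs installed.

```sh
#!/bin/sh
# Added example, not from the original post: grow the BTRFS RAID1 array built
# above by one more plain-mode encrypted device, then rebalance.
set -eu

MNT=/mnt/myRAID

# Every member must be open before btrfs can assemble the array; a member
# opened with the wrong passphrase looks like an absent device. Returns 1 and
# names the first mapping that is not present under /dev/mapper.
all_mappings_open() {
    for name in "$@"; do
        if [ ! -e "/dev/mapper/$name" ]; then
            echo "error: mapping $name is not open" >&2
            return 1
        fi
    done
}

# Open the existing members (same passphrase for each), let the kernel
# rediscover the multi-device filesystem, and mount it via either member.
open_and_mount_array() {
    cryptsetup --type=plain open /dev/sdb first
    cryptsetup --type=plain open /dev/sdc second
    all_mappings_open first second
    btrfs device scan
    mkdir -p "$MNT"
    mount /dev/mapper/first "$MNT"
}

# Add a new encrypted member and rebalance. 'btrfs device add' alone only
# makes the space available to new writes; the full balance rewrites existing
# chunks so the second copy of each one can land on the new device as well.
add_encrypted_member() {
    dev="$1"; name="$2"
    cryptsetup --type=plain open "$dev" "$name"
    all_mappings_open "$name"
    btrfs device add "/dev/mapper/$name" "$MNT"
    btrfs balance start --full-balance "$MNT"
    # Show the members and how much of each device is in use afterwards.
    btrfs filesystem show "$MNT"
    btrfs device usage "$MNT"
}

# Usage: ./grow_raid.sh /dev/sdd third
if [ "$#" -eq 2 ]; then
    open_and_mount_array
    add_encrypted_member "$1" "$2"
fi
```

When closing down afterwards, unmount first and then close every mapping, the new one included; on the next boot all three must be opened before the mount, which is why the open step checks each mapping exists before calling mount.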