
1st August 2012, 10:27 PM
Controlling LUKS
I moved from Ubuntu for the sake of simplicity in order to have my disk encrypted. Later it just hit me I checked Encrypted for the drive. I had no idea how. I found out in the Fedora docs that it was AES128 and SHA256. And I assume a change would mean back up the whole system, choose another, say Twofish, then restore the system. But how can I tune it for the future? Is there a GUI? Had I missed something in the installer where I could have chosen among the dm-crypt options?
And second, how do I make a portable storage on some USB flash drive? How do I make it both fully encrypted and as easy to use as my system: just push the flash in and be just asked for a passphrase? I'm trying to move from TrueCrypt as I see it's not very well liked over here. But I would like some automation, or at least a GUI.

2nd August 2012, 01:24 AM
Re: Controlling LUKS
Quote:
Originally Posted by sidd2
I moved from Ubuntu for the sake of simplicity in order to have my disk encrypted. Later it just hit me I checked Encrypted for the drive. I had no idea how. I found out in the Fedora docs that it was AES128 and SHA256. And I assume a change would mean back up the whole system, choose another, say Twofish, then restore the system. But how can I tune it for the future? Is there a GUI? Had I missed something in the installer where I could have chosen among the dm-crypt options?
|
As far as I know, you cannot configure what algorithm you need from the installation screen. I do not know about netinstall - but I doubt it.
Again, as far as I know, if you want to change an encryption scheme, it is necessary to make backups and then re-encrypt the device. If there is an alternative, I do not know and would be very interested in knowing.
Quote:
Originally Posted by sidd2
And second, how do I make a portable storage on some USB flash drive? How do I make it both fully encrypted and as easy to use as my system: just push the flash in and be just asked for a passphrase? I'm trying to move from TrueCrypt as I see it's not very well liked over here. But I would like some automation, or at least a GUI.
|
There is a utility called cryptsetup that can be used for dealing with LUKS. The man page gives more details. I personally have two external USB drives encrypted that I use as backup - all of which was done using cryptsetup.
Hope this helps. Cheers.

2nd August 2012, 06:33 PM
Re: Controlling LUKS
Quote:
Originally Posted by nonamedotc
As far as I know, you cannot configure what algorithm you need from the installation screen. I do not know about netinstall - but I doubt it.
|
The only way of explicitly controlling the encryption parameters when installing Fedora is to create the partitions and encrypt them manually prior to installation, using cryptsetup. Then use the manual partitioning option in the installer to assign the existing encrypted partitions – the installer won't re-encrypt them.
Quote:
|
There is a utility called cryptsetup that can be used for dealing with LUKS. The man page gives more details.
|
Replace the parameters in italics as appropriate:
Code:
su -
cryptsetup -c aes-xts-plain64 -s 512 -y --use-random luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb crypt
mkfs -t ext4 -L "Crypt" /dev/mapper/crypt
cryptsetup luksClose /dev/mapper/crypt
When the device is next plugged in, the encryption parameters will be discovered automatically and you'll just be asked for the password.
EDIT: Added "--use-random". I knew I was missing an argument that I'd normally use, and it's just come back to me...
Last edited by Gareth Jones; 3rd August 2012 at 02:25 AM.
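Added example, not part of any post in this thread: the parameters passed to luksFormat above are stored in the LUKS header at the start of the device, which is why they are "discovered automatically" on the next plug-in and how an existing volume's cipher and key size can be checked. The sketch assumes the LUKS1 on-disk layout and parses a constructed sample header rather than a real device; the function names are hypothetical.

```python
import struct

# LUKS1 on-disk header: big-endian, 208 fixed bytes, then 8 key slots of 48 bytes.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
SLOT_ENABLED = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return the encryption parameters recorded in a LUKS1 header."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    mode = _text(mode)
    key_bits = key_bytes * 8
    slots = [SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    return {
        "cipher": _text(cipher) + "-" + mode,
        "hash": _text(hash_spec),
        "key_bits": key_bits,
        # XTS splits the volume key into two halves, so -s 512 means AES-256.
        "cipher_key_bits": key_bits // 2 if mode.startswith("xts") else key_bits,
        "payload_offset_sectors": payload_offset,
        "active_slots": [i for i, s in enumerate(slots) if s == SLOT_ENABLED],
        "uuid": _text(uuid),
    }


def build_sample_header():
    """Constructed header matching '-c aes-xts-plain64 -s 512'; not a real device."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                     bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED, 1000, bytes(32), 8 + 512 * i, 4000)
        for i in range(8))
    return phdr + slots


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

On a real system, `cryptsetup luksDump /dev/sdb` reports the same fields without any custom parsing.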

5th August 2012, 11:37 AM
Re: Controlling LUKS
Thank you Gareth. It's an excellent answer as it works precisely like that. But I should gather there is no GUI for doing anything like that. Hmmm

5th August 2012, 01:12 PM
Re: Controlling LUKS
The other way is to use Kickstart (and edit the script to do what you want), but that is mostly used to configure multiple machines the same.
More info here:
http://www.aeronetworks.ca/howtos/luks-usb-howto.html
...including two Perl utilities that I wrote many moons ago.
Last edited by flyingfsck; 5th August 2012 at 01:16 PM.

5th August 2012, 05:16 PM
Re: Controlling LUKS
Quote:
Originally Posted by flyingfsck
The other way is to use Kickstart (and edit the script to do what you want), but that is mostly used to configure multiple machines the same.
|
Kickstart gives more control over encryption key handling, but it doesn't allow you to specify the algorithm or strength for the encryption. Again, pre-created encrypted volumes can be used without reformatting though.

5th August 2012, 05:20 PM
Re: Controlling LUKS
Quote:
Originally Posted by sidd2
Thank you Gareth. It's an excellent answer as it works precisely like that. But I should gather there is no GUI for doing anything like that. Hmmm
|
I'm not aware of a GUI, but then I've never looked.
flyingfsck's link mentions "gnome-luks-format", which seems to be part of a package called "luks-tools", but the project's ChangeLog hasn't been updated since 2005 and it isn't in the Fedora repositories.

5th August 2012, 11:06 PM
Re: Controlling LUKS
I actually looked for a GUI sometime back. I could not find anything in my searches ... except for the gnome-luks-format which as Gareth said has not been updated forever! So, I guess it is cryptsetup all the way!

6th August 2012, 04:38 AM
Re: Controlling LUKS
As far as I can remember my Perl wizards only need cryptsetup. Just download and look at the little scripts, they are very simple. There is only one 'dd' trick in there to test things before going ahead and formatting the wrong drive...
Cheers,
H.
Last edited by flyingfsck; 6th August 2012 at 04:42 AM.