Protecting Data with Encrypted Linux Partitions Part 2
Adding Your Own Back DoorLast week we learned how to create and use an encrypted, password-protected hard-drive partition using
cryptsetup-luks. Today we're going to learn how to mount it automatically at boot, how to encrypt a USB stick, and some slick password-management hacks.
You may add up to seven passwords to your encrypted partition. While you shouldn't go too crazy, having a second password could save you if you ever lose your first password. Or maybe you need to ensure that you always have access to your users' data. The encrypted partition must be unmounted and closed first. These examples use the partition we created in Part 1:
# umount crypted # cryptsetup luksClose sda2
Then run the
cryptsetup luksAddKey command to create a new password. Note that you must use the
/dev name of your partition and not the
/dev/mapper name. There is no
cryptsetup-luks device because it is closed; this is a common error that is responsible for a lot of hair loss. Run the password-creation command like this:
# cryptsetup luksAddKey /dev/sda2 Enter any LUKS passphrase: key slot 1 unlocked. Enter new passphrase for key slot: Verify passphrase: Command successful.
Then you can try out your new password:
# cryptsetup luksOpen /dev/sda2 sda2 Enter LUKS passphrase: key slot 1 unlocked. Command successful.
You now have two keys slots, 0 and 1.
Removing a password is done with this command:
# cryptsetup luksDelKey /dev/sda2 1 Enter any remaining LUKS passphrase: key slot 2 unlocked. Command successful.
Solid state disks (SSDs) made a splash in consumer technology, and now the technology has its eyes on the enterprise storage market. Download this eBook to see what SSDs can do for your infrastructure and review the pros and cons of this potentially game-changing storage technology.