Protecting Data with Encrypted Linux Partitions Part 2
Adding Your Own Back Door
Last week we learned how to create and use an encrypted, password-protected hard-drive partition using cryptsetup-luks. Today we're going to learn how to mount it automatically at boot, how to encrypt a USB stick, and some slick password-management hacks.
You may add up to seven passwords to your encrypted partition. While you shouldn't go too crazy, having a second password could save you if you ever lose your first password. Or maybe you need to ensure that you always have access to your users' data. The encrypted partition must be unmounted and closed first. These examples use the partition we created in Part 1:
# umount crypted
# cryptsetup luksClose sda2
Use the cryptsetup luksAddKey command to create a new password. Note that you must use the /dev name of your partition and not the /dev/mapper name. There is no cryptsetup-luks device because it is closed; this is a common error that is responsible for a lot of hair loss. Run the password-creation command like this:
# cryptsetup luksAddKey /dev/sda2
Enter any LUKS passphrase:
key slot 1 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.
Then you can try out your new password:
# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 1 unlocked.
Command successful.
You now have two key slots, 0 and 1.
Removing a password is done with this command:
# cryptsetup luksDelKey /dev/sda2 1
Enter any remaining LUKS passphrase:
key slot 2 unlocked.
Command successful.
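After adding or removing a passphrase, it is worth confirming that exactly the key slots you expect are in use. The script below is an added example, not part of the original article; it assumes the LUKS1 text layout printed by cryptsetup luksDump (lines of the form "Key Slot N: ENABLED") and runs against a constructed sample header rather than a real device. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit LUKS1 key slots from "cryptsetup luksDump" output.

# Constructed sample (trimmed) of a LUKS1 header dump after a second
# passphrase was added to /dev/sda2. Not taken from a real device.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Key Slot 0: ENABLED
    Iterations:             120000
Key Slot 1: ENABLED
    Iterations:             118000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# Read a dump on stdin; print the enabled slot numbers, space-separated.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# Compare enabled slots with the expected list (assumed layout: LUKS1).
# Returns 0 on match, 1 on mismatch, 2 if no slot lines were recognised.
audit_slots() {
    expected=$1
    actual=$(enabled_slots)
    if [ -z "$actual" ]; then
        echo "no enabled key slots found (not a LUKS1 dump?)" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "key slots differ: expected [$expected], found [$actual]" >&2
        return 1
    fi
    echo "key slots OK: [$actual]"
}

# Real use, as root: cryptsetup luksDump /dev/sda2 | audit_slots "0 1"
sample_dump | audit_slots "0 1"
```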