Protecting Data with Encrypted Linux Partitions Part 2
Adding Your Own Back DoorLast week we learned how to create and use an encrypted, password-protected hard-drive partition using
cryptsetup-luks. Today we're going to learn how to mount it automatically at boot, how to encrypt a USB stick, and some slick password-management hacks.
You may add up to seven passwords to your encrypted partition. While you shouldn't go too crazy, having a second password could save you if you ever lose your first password. Or maybe you need to ensure that you always have access to your users' data. The encrypted partition must be unmounted and closed first. These examples use the partition we created in Part 1:
# umount crypted # cryptsetup luksClose sda2
cryptsetup luksAddKeycommand to create a new password. Note that you must use the
/devname of your partition and not the
/dev/mappername. There is no
cryptsetup-luksdevice because it is closed; this is a common error that is responsible for a lot of hair loss. Run the password-creation command like this:
# cryptsetup luksAddKey /dev/sda2 Enter any LUKS passphrase: key slot 1 unlocked. Enter new passphrase for key slot: Verify passphrase: Command successful.
Then you can try out your new password:
# cryptsetup luksOpen /dev/sda2 sda2 Enter LUKS passphrase: key slot 1 unlocked. Command successful.
You now have two keys slots, 0 and 1.
Removing a password is done with this command:
# cryptsetup luksDelKey /dev/sda2 1 Enter any remaining LUKS passphrase: key slot 2 unlocked. Command successful.