Full disk encryption chaining with dm-crypt, cryptsetup and luks

In a fit of either curiosity or tinfoil induced paranoia, you decide to set up full disk encryption on your machine. But it’s really annoying because you have multiple physical disks, and you can’t be arsed entering passwords for each one separately at boot up. So what do you do? You stick a keyfile on the first encrypted disk, and decrypt the others with that instead of a password. That way they are “chained” together – the password decrypts the first disk, which unlocks the file to decrypt the secondary disks.

Here’s how you do it (works on debian wheezy):

  1. Encrypt all disks normally using luks/cryptsetup/disk utility
  2. Set them all up to be mounted at boot by fiddling with crypttab and fstab (arch wiki should have you covered)
  3. reboot and go through the tedium of entering multiple passwords
  4. generate yourself a new keyfile for the secondary drives: # dd if=/dev/urandom of=mykeyfile bs=512 count=8
  5. stick that keyfile somewhere safe on the primary encrypted disk (with admin read only access)
  6. add the keyfile to a luks keyslot on the secondary drives: # cryptsetup luksAddKey /dev/[volume] /path/to/mykeyfile
  7. fiddle with crypttab to make it use the keyfile on boot: [volume]_crypt UUID=deadbeef-dead-beef-dead-beefdeafbeef /path/to/mykeyfile luks
  8. reboot and test it

Be sure not to store the keyfile somewhere stupid where it will be unencrypted, like in /boot for instance. Bonus points for being patient and using a better source of randomness than /dev/urandom. The usual disclaimers apply, I don’t really know what I’m talking about, so don’t use this method to secure your nuclear launch codes, blame me if someone steals your data, or blame me if you can’t decrypt the drive and lose all your data.

Advertisements

2 thoughts on “Full disk encryption chaining with dm-crypt, cryptsetup and luks

  1. Just came across this, nice idea however the initial concept is flawed:
    Say I have 4 hard disks and use this method, when disk 2 dies (as they inevitably do) I have lost disk 3 and 4.

    • The concept is not flawed. LUKS uses keyslots, where you can have multiple passphrases for each encrypted volume. If you follow my method every subsequent disk will have two passphrases – a normal one which you can remember and enter with the keyboard, and the randomly generated on one sitting on the first disk. Either can be used to decrypt the volume.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s