Full disk encryption chaining with dm-crypt, cryptsetup and luks

In a fit of either curiosity or tinfoil induced paranoia, you decide to set up full disk encryption on your machine. But it’s really annoying because you have multiple physical disks, and you can’t be arsed entering passwords for each one separately at boot up. So what do you do? You stick a keyfile on the first encrypted disk, and decrypt the others with that instead of a password. That way they are “chained” together – the password decrypts the first disk, which unlocks the file to decrypt the secondary disks.

Here’s how you do it (works on debian wheezy):

  1. Encrypt all disks normally using luks/cryptsetup/disk utility
  2. Set them all up to be mounted at boot by fiddling with crypttab and fstab (arch wiki should have you covered)
  3. reboot and go through the tedium of entering multiple passwords
  4. generate yourself a new keyfile for the secondary drives: # dd if=/dev/urandom of=mykeyfile bs=512 count=8
  5. stick that keyfile somewhere safe on the primary encrypted disk (with admin read only access)
  6. add the keyfile to a luks keyslot on the secondary drives: # cryptsetup luksAddKey /dev/[volume] /path/to/mykeyfile
  7. fiddle with crypttab to make it use the keyfile on boot: [volume]_crypt UUID=deadbeef-dead-beef-dead-beefdeafbeef /path/to/mykeyfile luks
  8. reboot and test it

Be sure not to store the keyfile somewhere stupid where it will be unencrypted, like in /boot for instance. Bonus points for being patient and using a better source of randomness than /dev/urandom. The usual disclaimers apply, I don’t really know what I’m talking about, so don’t use this method to secure your nuclear launch codes, blame me if someone steals your data, or blame me if you can’t decrypt the drive and lose all your data.

Advertisements

Pretty Good Privacy, Pretty Crap Interoperabillity

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Email sucks.

Once there was a time when the personal computer did not exist. A time when there were only mainframes and terminals to access them. Some bright spark eventually decided it would be a neat idea to connect them together. After a bit of this another luminous individual thought hey, wouldn’t it be cool if we could send funny little messages between them. Thus email was born, and therein lies the problems with it. The creators of the simple mail transfer protocol had no idea the extent to which the whole of society would eventualy come to depend on their technology.

Email, like so much of the framework of the internet, is a forty year old hand me down, patched and mended so many times there isn’t a shred of original cloth left. It is a garment that no longer fits – we have outgrown it.

Continue reading