Full disk encryption chaining with dm-crypt, cryptsetup and LUKS

In a fit of either curiosity or tinfoil-induced paranoia, you decide to set up full disk encryption on your machine. But it’s really annoying because you have multiple physical disks, and you can’t be arsed entering passwords for each one separately at boot up. So what do you do? You stick a keyfile on the first encrypted disk, and decrypt the others with that instead of a password. That way they are “chained” together – the password decrypts the first disk, which unlocks the file to decrypt the secondary disks.

Here’s how you do it (works on Debian wheezy):

  1. Encrypt all disks normally using LUKS/cryptsetup/Disk Utility
  2. Set them all up to be mounted at boot by fiddling with crypttab and fstab (the Arch wiki should have you covered)
  3. Reboot and go through the tedium of entering multiple passwords
  4. generate yourself a new keyfile for the secondary drives: # dd if=/dev/urandom of=mykeyfile bs=512 count=8
  5. stick that keyfile somewhere safe on the primary encrypted disk (readable only by root)
  6. add the keyfile to a luks keyslot on the secondary drives: # cryptsetup luksAddKey /dev/[volume] /path/to/mykeyfile
  7. fiddle with crypttab to make it use the keyfile on boot: [volume]_crypt UUID=deadbeef-dead-beef-dead-beefdeafbeef /path/to/mykeyfile luks
  8. reboot and test it

Be sure not to store the keyfile somewhere stupid where it will be unencrypted, like in /boot for instance. Bonus points for being patient and using a better source of randomness than /dev/urandom. The usual disclaimers apply, I don’t really know what I’m talking about, so don’t use this method to secure your nuclear launch codes, blame me if someone steals your data, or blame me if you can’t decrypt the drive and lose all your data.
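
A check for steps 5 and 7 and the /boot warning above, added here as an example and not part of the original post: it reads a crypttab and flags keyfiles that sit under /boot, are missing, are accessible to group/other, or are not owned by the expected uid. The helper names audit_crypttab and make_sample, the volume names, the UUID placeholders and the scratch paths are constructed for the demo; GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Audit the keyfile column of a crypttab (added example, constructed input).
# Usage: audit_crypttab <crypttab> [expected_owner_uid]   (default 0 = root)
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_crypttab() {
    local tab="$1" want_uid="${2:-0}" rc=0 name dev key opts mode uid
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case $key in ''|none|-|/dev/*) continue ;; esac  # passphrase prompt or device key
        case $key in /boot|/boot/*)
            echo "$name: $key is under /boot, which is not encrypted"
            rc=1; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: $key does not exist"; rc=1; continue
        fi
        mode=$(stat -c %a "$key")   # GNU stat: octal permission bits
        uid=$(stat -c %u "$key")    # GNU stat: numeric owner
        case $mode in
            *00|0) ;;               # no group/other bits set
            *) echo "$name: $key has mode $mode, group/other can access it"; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "$name: $key is owned by uid $uid, expected $want_uid"; rc=1
        fi
    done < "$tab"
    return $rc
}

# Constructed sample: a crypttab plus 4096-byte keyfiles in a scratch directory.
# Volume names, UUID placeholders and paths are made up for the demo.
make_sample() {
    local d="$1"
    head -c 4096 /dev/urandom > "$d/good.key"; chmod 400 "$d/good.key"
    head -c 4096 /dev/urandom > "$d/loose.key"; chmod 644 "$d/loose.key"
    cat > "$d/crypttab" <<EOF
# <name>    <device>            <keyfile>        <options>
sda5_crypt  UUID=placeholder-1  none             luks
sdb1_crypt  UUID=placeholder-2  $d/good.key      luks
sdc1_crypt  UUID=placeholder-3  $d/loose.key     luks
sdd1_crypt  UUID=placeholder-4  /boot/mykeyfile  luks
sde1_crypt  UUID=placeholder-5  $d/missing.key   luks
EOF
}

scratch=$(mktemp -d)
make_sample "$scratch"
audit_crypttab "$scratch/crypttab" "$(id -u)" || true   # demo runs as the current user
rm -rf "$scratch"
```

On a real system, run audit_crypttab /etc/crypttab as root and leave the second argument at its default of 0.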

Microsoft is doomed

Things aren’t looking too good for Microsoft in the long term. They just reported their first quarterly loss ever. They were late to the internet game, the MP3 player game, the smartphone game, and now the tablet game. The only innovative thing they’ve done in years is the Kinect.

On the desktop, they still dominate. I grabbed the data off of StatCounter and here’s what it had to say:

That’s a lot of orange, but it’s trending downward. And this is just on the desktop; on mobile, we know Microsoft doesn’t have much share. StatCounter doesn’t even list them. So let’s look at mobile vs desktop traffic:

Nothing will happen overnight, of course; Microsoft will still dominate the risk-averse, slow-changing world of office worker software for at least a decade or two. But unless they change something drastic, it’s all downhill. Personally I don’t think the Microsoft Surface tablet or Windows 8 will do anything to stem the tide.