Encryption
Different techniques exist to encrypt data on Linux. See here for a comparison table. Note: at the time of this writing (November 2017) EncFS is considered insecure, and should not be used.
File as virtual partition
You can use an ordinary file as a virtual partition (a container) for LUKS or other block encryption mechanisms.
cryptsetup accepts a file path directly in place of a partition; other tools may need you to attach the file to a loop device first with losetup -f {file path} (losetup -a shows which /dev/loopN was assigned).
Leave room for the LUKS header: the original note suggests at least 10 MB, but cryptsetup 2.1 and later format LUKS2 by default, whose header reserves 16 MiB, so make the file comfortably larger than that or nothing will fit after the header.
To create the file (filling it from /dev/urandom so unused space is indistinguishable from ciphertext):
head -c {file size in bytes, may have suffix K, M, G, etc} < /dev/urandom > {file path}
Alternatively:
dd if=/dev/urandom of={path to file} bs=1M count={size of file in MiB}
Dm-crypt with LUKS
Encrypt a whole partition or disk and the filesystem on it. An attacker who gets hold of the powered-off device sees only a LUKS header and ciphertext: neither file names, file sizes nor contents, although the presence of an encrypted volume and its total size are visible.
Dm-crypt with LUKS is a standard Linux facility and is almost always available. Beware that if you want to encrypt the root partition (the one needed for booting), there are additional steps to take; see https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration.
Warning! This will erase all data on the partition.
- Install the tools:
apt install cryptsetup-bin
- Encrypt the partition (you will be asked to confirm and to choose a passphrase):
cryptsetup luksFormat {partition}
- Open the encrypted device:
cryptsetup open {partition} {arbitrary name}
This creates /dev/mapper/{name}, a device containing the plaintext view of the partition.
- Create a filesystem on it, for example:
mkfs.ext4 -L {volume label} /dev/mapper/{name}
- Close it when done:
cryptsetup close {name}
Mounting the partition
You will normally have a GUI tool to mount it, but you can manually mount it with:
cryptsetup open {partition} {arbitrary name}
mount /dev/mapper/{name} {mountpoint}
When finished, unmount it with:
umount {mountpoint}
cryptsetup close {name}
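The whole procedure above, from creating the container file to mounting and closing it, as an added shell script (example code, not part of the original page). It assumes Linux with cryptsetup 2.1 or later, so luksFormat produces LUKS2 with its 16 MiB header, plus util-linux; the file path, the mapper name "secret", the label and the mount point are placeholders. The helper functions only compute sizes and create the file; the cryptsetup and mount steps run only in the guarded "run" mode because they need root.

```shell
#!/bin/sh
# Added example, not code from the original page: create a LUKS2 container
# in an ordinary file, put an ext4 filesystem in it, and mount/unmount it.
# Assumes Linux with cryptsetup >= 2.1 (LUKS2 by default) and util-linux.
# The cryptsetup/mount steps need root, so they only run when invoked as
#   sudo sh luks-container.sh run /path/to/container.img 256M /mnt/secret
set -eu

# Convert a size as accepted by head -c / dd (bytes, or K/M/G suffix) to bytes.
to_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# cryptsetup's default LUKS2 data offset is 16 MiB: a container that small
# (or smaller) formats fine but leaves no room for a filesystem.
LUKS2_HEADER_BYTES=$(( 16 * 1024 * 1024 ))

size_ok() {   # size_ok SIZE -> true if a filesystem can fit after the header
    [ "$(to_bytes "$1")" -gt "$LUKS2_HEADER_BYTES" ]
}

# Fill the container from /dev/urandom so free space looks like ciphertext,
# and create it with mode 600 (umask 077) so nobody else can tamper with it.
make_container() {   # make_container FILE SIZE
    file=$1; size=$2
    size_ok "$size" || { echo "size $size leaves no room after the LUKS2 header" >&2; return 1; }
    ( umask 077; head -c "$(to_bytes "$size")" /dev/urandom > "$file" )
    [ "$(wc -c < "$file" | tr -d ' ')" -eq "$(to_bytes "$size")" ]
}

# Format, open, create the filesystem and close again (root only).
setup_container() {   # setup_container FILE NAME LABEL
    cryptsetup luksFormat --type luks2 "$1"   # asks for confirmation and a passphrase
    cryptsetup open "$1" "$2"                 # plaintext view appears as /dev/mapper/$2
    mkfs.ext4 -L "$3" "/dev/mapper/$2"
    cryptsetup close "$2"
}

mount_container() {   # mount_container FILE NAME MOUNTPOINT
    cryptsetup open "$1" "$2"
    mount "/dev/mapper/$2" "$3"
}

umount_container() {  # umount_container NAME MOUNTPOINT
    umount "$2"
    cryptsetup close "$1"
}

if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "the run mode needs root" >&2; exit 1; }
    make_container "$2" "$3"
    setup_container "$2" secret SECRET
    mount_container "$2" secret "$4"
    echo "mounted on $4; later: umount $4 && cryptsetup close secret"
fi
```

The size check matters more than it looks: cryptsetup will happily format a 10 MiB file as LUKS2 and open it, and only mkfs fails, with a confusing "device too small" error.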
Automatic mounting at boot
You will need to create or edit /etc/crypttab to unlock the partition. It is processed before fstab, so you can then add an entry to /etc/fstab that mounts /dev/mapper/{name} automatically.
It is important to read https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#crypttab before setting up such a system.
Encrypt keeping existing data
The simplest and safest way to encrypt existing data is still to copy everything to a different device, set up the LUKS device, and copy the data back. LUKS2 does offer in-place encryption since cryptsetup 2.2 (cryptsetup reencrypt --encrypt --reduce-device-size 32M {partition}), but the filesystem must first be shrunk by at least that amount (e.g. with resize2fs) to make room for the header, and an interruption half-way can leave the device unreadable, so take a backup first either way.
Earlier instructions pointed to luksipc, but that tool also rewrites every block of data (it is not a metadata-only conversion) and cryptsetup reencrypt is now the maintained way to do this.
Automatically mount encrypted disks (crypttab and fstab)
If you have an encrypted device you can set it up so it will be automatically mounted at boot. This is done by editing two files: /etc/crypttab to unlock the device and /etc/fstab to mount the unlocked device.
crypttab
/etc/crypttab contains information about how to unlock encrypted devices. Entries in this file save you from running cryptsetup by hand at every boot to set up the encrypted volumes.
The format of the file is the following (from the man page):
{name of the mount} {device} {key file or none} {options}
# Examples for mounting an encrypted home:
home /dev/sda5 /etc/home_key luks
home UUID=2f9a8428-ac69-478a-88a2-4aa458565431 none luks
- The name of the mount can be whatever you want; the device will be unlocked as /dev/mapper/{name} (this is what you will use later in fstab).
- You can either specify a /dev/sdX device or use the UUID. Beware that if you use the option swap (see below), the partition is reformatted with a fresh random key at every boot, so a UUID taken from its contents cannot be used; name it by something that does not change, such as /dev/disk/by-partuuid/... (the partition-table UUID survives rewriting the contents) or /dev/disk/by-id/.... Be very careful to specify the correct device: if you set a device to be erased at every boot (i.e. encrypted with a random key or with the swap option) and put in the wrong device, you can erase everything on it.
- The key file must be on a partition that is already unencrypted or already unlocked at that point, for example the root filesystem. The file should always be in mode 600 or 400! Anyone who can read it can unlock the volume, so a key file only makes sense when the filesystem holding it is itself encrypted or otherwise protected.
- If the key file is none, the passphrase will be prompted for on boot.
- Options are comma-separated. Common options:
  - luks: the device uses LUKS.
  - swap: the device will be reformatted with a random key at every boot or shutdown. This makes hibernation impossible. If you want a stable identifier for the partition in combination with this option, use the /dev/disk/by-partuuid form mentioned above instead of UUID=.
  - tmp: same as swap, but the device will be set up to be mounted as /tmp.
fstab
To use a device specified in crypttab with fstab for automounting, just use /dev/mapper/{name} as device specifier. crypttab is always read and used first, so every device specified in crypttab will be available when fstab is read.
See fstab man page for more information.
As a guide, a line for a swap partition looks like: {device} none swap sw 0 0. A common setup for a home partition: {device} /home ext4 defaults 0 2 (the last two fields are the dump flag and the fsck order).
Full system encryption
If you just want some partitions to be encrypted, set them up using cryptsetup and see the section about crypttab and fstab. If you want the root partition to be encrypted, additional measures are required.
The best way to encrypt the root partition is to do so upon a new installation, using debian-installer.
Debian-installer sets up the encrypted partitions so that a passphrase is prompted for each of them on boot. Since entering a passphrase for every partition is tedious, you can store a key file on the (encrypted) root partition and reference it from crypttab so that the other partitions are unlocked automatically. So, during the installation, encrypt only the root partition; the others can be encrypted later, using your favourite method.
When you are on the partitioning screen, set up the following partitions (note that UEFI needs a GPT disk with an EFI System Partition, while legacy BIOS booting from a GPT disk needs a small BIOS boot partition for GRUB; debian-installer's guided partitioning handles either):
- /boot: a few hundred MB (the original note said ~100M, which current kernels and initramfs images outgrow). This stays unencrypted because it holds the kernel and initramfs needed to unlock the root filesystem.
- /: set to use as "physical volume for encryption".
- swap: set as "do not use" (we will set it up in crypttab and fstab later); debian-installer will otherwise force you to encrypt it. See the note below if hibernation matters to you.
- /home: set it up as a separate partition so that no user files end up on the root partition; we will overwrite and encrypt it later.
Once the system is installed and booting, use cryptsetup, /etc/crypttab and /etc/fstab to set up the encryption. Do not forget to create a filesystem on the devices (a swap partition must be formatted with mkswap).
Note on hibernation: with a swap partition that uses the swap option (random key), hibernation (suspend to disk) is impossible by construction: the key that encrypted the swap is discarded at shutdown, so the image can never be read back, and the resume hook runs before crypttab devices are set up anyway. Instead use a swap file on the encrypted root filesystem (it is protected by the root key and can be resumed from with the resume= and resume_offset= kernel parameters), set up LVM on top of the encrypted root so that swap shares its key, or keep a LUKS swap with a persistent passphrase and have it unlocked from the initramfs (Debian's cryptsetup-initramfs supports this for the resume device; check its README).
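The key-file approach from this section as an added shell script (example code, not from the original page or from debian-installer): it creates a root-only key file, adds it to a free keyslot of the already LUKS-formatted /home device, and appends the matching crypttab and fstab lines. It assumes Debian with cryptsetup and a formatted LUKS device such as /dev/sda5; the key path /etc/luks-keys/home.key and the mapper name "home" are arbitrary choices, not a Debian convention. Only the luksAddKey step needs root, so it is behind the "run" guard.

```shell
#!/bin/sh
# Added example, not code from the original page: give an already LUKS-formatted
# /home a key file stored on the encrypted root filesystem, so only the root
# passphrase is asked at boot. Assumes Debian, cryptsetup and a formatted LUKS
# device (e.g. /dev/sda5). The key path is an arbitrary choice, not a Debian
# convention. The luksAddKey step needs root, so it only runs when invoked as:
#   sudo sh home-keyfile.sh run /dev/sda5
set -eu

KEYFILE=/etc/luks-keys/home.key   # hypothetical location; anything root-only on / works

# 4096 random bytes, created with mode 400 from the start (umask 277) so the
# key is never readable by anyone but root, not even for an instant.
make_keyfile() {   # make_keyfile PATH
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 277; head -c 4096 /dev/urandom > "$1" )
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# The crypttab entry names the LUKS device by its (stable) LUKS UUID; fstab then
# refers to the unlocked device by the mapper name chosen here.
crypttab_line() {   # crypttab_line NAME LUKS_UUID KEYFILE
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

fstab_line() {      # fstab_line NAME MOUNTPOINT FSTYPE
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

if [ "${1:-}" = "run" ]; then
    dev=$2
    [ "$(id -u)" -eq 0 ] || { echo "the run mode needs root" >&2; exit 1; }
    make_keyfile "$KEYFILE"
    # Add the key file to a free keyslot. The existing passphrase keeps working
    # and is asked for here to authorise the change.
    cryptsetup luksAddKey "$dev" "$KEYFILE"
    crypttab_line home "$(cryptsetup luksUUID "$dev")" "$KEYFILE" >> /etc/crypttab
    fstab_line home /home ext4 >> /etc/fstab
    echo "check with: cryptsetup open --key-file $KEYFILE $dev home && mount /dev/mapper/home /home"
fi
```

Because the key is only as safe as the filesystem it lives on, this scheme is only sound when / is itself encrypted, as set up by debian-installer above; the original passphrase stays in its own keyslot so the volume can still be opened by hand if the root filesystem is ever lost.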