Encrypting an external hard drive on Debian (Squeeze)

[fsmithred]

Click here to read the howto

There is nothing further to... oh wait. There probably is.

I wanted to put "easy" in the title, but I had a hard time with the Preparation and Wiping sections. If you understand the concepts in those sections, then yeah, the rest is easy.

[mharrison]

Ok, I'm going to use my stupid question of the day here.

First, nice howto.

As for my question. Is there any benefit, aside from security, to encrypting a drive for someone like me who is just a home user without any real sensitive data residing on my computer?

I do keep some semi-sensitive data on a thumb drive but I have never considered encrypting it as I only pull it out of the fireproof safe when I need to update what is on it.

[fsmithred]

It doesn't sound like you need encryption. If you had an external drive with personal or sensitive information that you needed to carry from one place to another, or kept the drive where it could be stolen, it makes sense to encrypt it. If you have a laptop, it makes sense to encrypt the whole thing, but that's not what this howto is about.

In either case, the encryption only works when the drive is not mounted. If someone hacks into your system when it's running and the encrypted drive is mounted, they most likely have access to those files. I say "most likely" because you could make it harder by restricting access through file permissions and ownership, but if someone has hacked into your system, there's a good chance they already have root access.

That said, in my 10 years of using linux, stories of people getting their linux boxes hacked have been very rare.

[mharrison]

Cool. Even though their isn't anything I would be concerned about someone stealing, I may try this out on my external backup drive I use to backup /home. Sorry to hi-jack the discussion with a question. I'll post again after I try it out.

[MrJames]

Let's see, reasons to encrypt drives...
- Protect sensitive information
- Hide porn
- Nope, that's just about it.

Thanks for the link, man. I got an external USB backup drive I always wanted to try this on. But now I have a question: are there any Windows utilities one could use to access the drive from Windows - in case I need to use it on someone else's PC?

[fsmithred]

Nadir asked this same question, maybe yesterday. I googled, and this is from wikipedia -
dm-crypt and LUKS encrypted disks can be accessed and used under MS Windows using FreeOTFE, provided that the filesystem used is supported by Windows (e.g. FAT/FAT32/NTFS).

So I guess my statement in the howto about needing a linux partition is wrong. If you try this with fat32 or ntfs, please let me know, and I'll edit the howto to mention it. (Guess I could test cryptsetup in a vm and see how it works with one of those filesystems.)

Edit: Looks like it works with ntfs. I booted a live iso in vbox, created a 1GB ntfs partition with cfdisk (gparted kept choking on making the filesystem, said it was already mounted when it wasn't), created a filesystem with

Code: Select all

mkntfs -Q /dev/mapper/something

and then ran the cryptsetup commands as in the howto. I was able to copy files to it, it shows up as ntfs in 'fdisk -l' and then I closed it and unmounted it, all with no errors.

Note: I've got ntfs-3g and ntfsprogs installed on my live system.

Edit2: edited my edit (fixed a command)

[nadir]

I got a self-compiled kernel, and had problems:

Code: Select all

This will overwrite data on /dev/sdd1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sdd1.
Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).

To make it short, i found this link (after trying it with try&error, which failed):
http://crux.nu/Wiki/Cryptsetup

As far i can tell during "make menuconfig" i picked:

Device Drivers -> Multiple Device Driver Support (RAID and LVM):
[M] Device manage support
[M] Crypt target support

Cryptographic API -> Hardware crypto devices:
Padlock driver for SHA1 and SHA256algorithms
(i have chosen more, but that seems to be it. It would be good if someone would ~know~ it).

[nadir]

Nadir asked this same question, maybe yesterday. I googled, and this is from wikipedia -
dm-crypt and LUKS encrypted disks can be accessed and used under MS Windows using FreeOTFE, provided that the filesystem used is supported by Windows (e.g. FAT/FAT32/NTFS).

So I guess my statement in the howto about needing a linux partition is wrong. If you try this with fat32 or ntfs, please let me know, and I'll edit the howto to mention it. (Guess I could test cryptsetup in a vm and see how it works with one of those filesystems.)

Edit: Looks like it works with ntfs. I booted a live iso in vbox, created a 1GB ntfs partition with cfdisk (gparted kept choking on making the filesystem, said it was already mounted when it wasn't), created a filesystem with

Code: Select all

mkntfs -Q /dev/sda1

and then ran the cryptsetup commands as in the howto. I was able to copy files to it, it shows up as ntfs in 'fdisk -l' and then I closed it and unmounted it, all with no errors.

Note: I've got ntfs-3g and ntfsprogs installed on my live system.

After forking around with it for some while i am quite sure that the command "mkntfs -Q /dev/sda1 " will not work.
I finally used

Code: Select all

mkntfs /dev/mapper/bu-stick

and that did it. Probably a typo (but for copy-and-paste guys like me a fatal one)

[fsmithred]

After forking around with it for some while i am quite sure that the command "mkntfs -Q /dev/sda1 " will not work.
I finally used

Code: Select all

mkntfs /dev/mapper/bu-stick

and that did it.

You're right. You have to make the filesystem after running cryptsetup, so it would be /dev/mapper/something. Sorry about that. I was so frazzled from fighting with gparted and cfdisk that I missed the typo.