From bcac96299fadf86cbe838a2b7acf0c1fd5e267ed Mon Sep 17 00:00:00 2001
From: Keith Irwin
Date: Mon, 5 Jul 2021 19:17:27 -0600
Subject: [PATCH] Initial commit
---
 README.md | 32 +++++++++++++
 luksit | 89 +++++++++++++++++++++++++++++++++++
 original-tutorial.md | 108 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 229 insertions(+)
 create mode 100644 README.md
 create mode 100755 luksit
 create mode 100644 original-tutorial.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8241a3a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,32 @@
+# luksit
+
+luks-encrypt an entire hard drive using a randomly-generated keyfile.
+
+## Origins
+
+I based on a tutorial on [a github gist](https://gist.github.com/naomik/5428370#automountable) that's now down. I found [a cached version](https://cc.bingj.com/cache.aspx?q=gist.github.com%2fnaomik%2f5428370&d=4747553971309591&mkt=en-US&setlang=en-US&w=g3oSGW8fFuVu8BTwP-yHy3zUj9TRWMZz) on bing. That original tutorial can be found in `original-tutorial.md`.
+
+## Installation
+
+### Linux & friends
+
+```sh
+git clone https://gitea.gf4.pw/ki9/luksit.git /usr/local/src/luksit
+ln -s /usr/local/src/luksit/luksit /usr/local/bin/luksit
+```
+
+## Usage
+
+> **WARNING!** This program will wipe any drive you feed it and replace it with an empty luks-encrypted filesystem. Always read command line prompts before typing 'y'. Always double-check the device filename. Always keep backups of your important data. I am not responsible for misuse of this program.
+
+First, find the device name of the target drive. I use the `lsblk` command. Others prefer `fdisk -l`. Check and double check. If you go by the size, ensure you have no other drives of that size.
+
+Assuming the target device file is `/dev/sdf`, you can create a luks-encrypted ext4 filesystem on that drive by running this command. You can change `mydrive` to something more memorable. The decryption key will be saved to `/root/luks/mydrive.key` unless you modify the `$KEYDIR` var in the script.
+
+```sh
+luksit sdf mydrive ext4
+```
+
+### Mounting on boot
+
+The script does not yet support adding lines to `/etc/fstab` or `/etc/crypttab`. Consult the "automountable" section in `original-tutorial.md` for help with automounting the drive.
diff --git a/luksit b/luksit
new file mode 100755
index 0000000..7e8371a
--- /dev/null
+++ b/luksit
@@ -0,0 +1,89 @@
+#!/bin/bash
+# luksit
+#
+# USAGE: luksit [filesystem]
+# EXAMPLE: luksit sdf mydrive ext4
+
+# Check for root
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root"
+ exit 1
+fi
+
+# Get args
+if [[ $# -eq 3 ]]; then
+ device="$1"
+ name="$2"
+ fs="$3"
+elif [[ $# -eq 2 ]]; then
+ device="$1"
+ name="$2"
+ fs="ext3"
+else
+ echo "USAGE: $0 [filesystem]"
+ exit 2
+fi
+
+# Quit if given "no" at prompt
+bail(){ [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1; }
+
+
+## RUNTIME ##
+
+# Where keys are stored
+KEYDIR="/root/luks"
+
+# Check if name is used
+#if [ -h "/dev/mapper/$name" ]; then
+# echo "/dev/mapper/$name already exists."
+# exit 420
+#fi
+
+# Wipe disk
+read -p "Wipe /dev/$device with zeroes first? [y/n]" -n 1 -r
+echo; [[ $REPLY =~ ^[Yy]$ ]] && \
+( echo "Wiping disk with zeros..." ; \
+dd if=/dev/zero bs=1M | pv | dd of="/dev/$device" bs=1M )
+
+# Set up partition
+echo "Setting up partition..."
+umount "/dev/$device" >/dev/null
+parted "/dev/$device" mklabel gpt && \
+parted --script -- "/dev/$device" mkpart primary 1 -1 && \
+# Get first partition name
+part="$(lsblk --list --noheadings --output name "/dev/$device" | sed -n '2 p')"
+
+# Generate key file
+mkdir "$KEYDIR/" >/dev/null
+if [ -f "$KEYDIR/$name.key" ]; then
+ echo ""
+else
+ echo -n "Generating key file... "
+ dd if=/dev/urandom of="$KEYDIR/$name.key" bs=1024 count=4 && \
+ chmod 0400 "$KEYDIR/$name.key" && echo "Done."
+fi
+
+# Encrypt
+echo "Creating luks encrypted partition..."
+cryptsetup luksFormat "/dev/$part" "$KEYDIR/$name.key" && \
+cryptsetup luksAddKey "/dev/$part" "$KEYDIR/$name.key" --key-file="$KEYDIR/$name.key" && \
+
+# Mount new luks partition
+echo "Mounting luks partition..."
+cryptsetup luksOpen "/dev/$part" "$name" --key-file="$KEYDIR/$name.key" && \
+
+# Write filesystem on new luks partition
+echo "Creating $fs filesystem in luks partition..."
+cryptsetup resize "$name" --key-file="$KEYDIR/$name.key"&& \
+"mkfs.$fs" "/dev/mapper/$name" -L "$name" && \
+
+#
+echo "Mounting $fs filesystem to /mnt/$name..."
+mkdir "/mnt/$name" >/dev/null
+chmod 755 "/mnt/$name"
+mount "/dev/mapper/$name" "/mnt/$name" && \
+df -h "/mnt/$name" && \
+
+echo "DONE!"
+
+# TODO: Show lines for fstab and crypttab
diff --git a/original-tutorial.md b/original-tutorial.md
new file mode 100644
index 0000000..a081d48
--- /dev/null
+++ b/original-tutorial.md
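Review bot: The trailing `&& \` continuations after `parted … mkpart`, `cryptsetup luksAddKey`, `cryptsetup luksOpen`, `"mkfs.$fs"` and `df -h` (new-file lines 52, 69, 73, 78 and 85) each run into a comment or blank line, so the right-hand side of the `&&` becomes the next non-comment line — the `part=` assignment or a progress `echo` — and, since the script never sets `-e`, a failed `parted`, `luksFormat`, `luksOpen`, `mkfs` or `mount` only suppresses a message while the script carries on into the next destructive step (with `$part` left empty that is `cryptsetup luksFormat "/dev/"`). The device and filesystem type are likewise only validated implicitly, after the drive has already been relabelled, and `mkdir "$KEYDIR/"` creates the key directory with the default umask rather than root-only. I would replace the unused `bail()` with a `die()` helper, check `-b "/dev/$device"` and `command -v "mkfs.$fs"` before anything is wiped, end each destructive command with `|| die` instead of the five trailing `&& \`, and guard against an empty `$part`; the rewritten lines are below. Separately, the `echo ""` branch at line 59 silently reuses an existing `$KEYDIR/$name.key` for a new drive, so two devices end up sharing one key without the operator being told; printing `Reusing existing key file $KEYDIR/$name.key` there is the minimum.
```shell
# … unchanged: shebang, root check, argument parsing …

# Abort with a message on stderr; replaces the unused bail().
die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail before touching the disk: the target must be a block device and
# the requested filesystem must be creatable on this host.
[[ -b "/dev/$device" ]] || die "/dev/$device is not a block device"
command -v "mkfs.$fs" >/dev/null || die "mkfs.$fs not found"

# … unchanged: KEYDIR, wipe prompt, umount …

# Each destructive step stops the script on failure instead of feeding
# the next one; the trailing '&& \' chains are dropped.
parted "/dev/$device" mklabel gpt || die "mklabel failed on /dev/$device"
parted --script -- "/dev/$device" mkpart primary 1 -1 || die "mkpart failed on /dev/$device"
part="$(lsblk --list --noheadings --output name "/dev/$device" | sed -n '2 p')"
[[ -n "$part" ]] || die "could not determine the new partition name on /dev/$device"

# Key directory may already exist; keep it readable by root only.
mkdir -p -m 0700 -- "$KEYDIR" || die "cannot create $KEYDIR"
if [ -f "$KEYDIR/$name.key" ]; then
  echo "Reusing existing key file $KEYDIR/$name.key"
else
# … unchanged: key generation …
fi

cryptsetup luksFormat "/dev/$part" "$KEYDIR/$name.key" || die "luksFormat failed on /dev/$part"
# … same '|| die' on luksAddKey, luksOpen, resize, mkfs and mount …
```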
@@ -0,0 +1,108 @@
+#### Source
+[Original Gist](https://gist.github.com/naomik/5428370#automountable)
+[Bing cache](https://cc.bingj.com/cache.aspx?q=gist.github.com%2fnaomik%2f5428370&d=4747553971309591&mkt=en-US&setlang=en-US&w=g3oSGW8fFuVu8BTwP-yHy3zUj9TRWMZz)
+
+# LUKS crypt
+
+In this guide, I'm going to setup a keyfile-encrypted LUKS partition. I will be using a single, max-size partition on a single physical device. My physical device is located at /dev/sde
+
+## partition the physical device
+
+```sh
+parted /dev/sde
+(parted) mklabel gpt
+(parted) mkpart primary 1 -1
+(parted) quit
+```
+
+## create the key file
+
+Before we go further, let's create our 2048-bit key file first. I'm going to install it /root/secret.key
+
+```sh
+sudo dd if=/dev/urandom of=/root/secret.key bs=1024 count=2
+sudo chmod 0400 /root/secret.key
+```
+
+## create LUKS partition
+
+In my case, /dev/sde1 was created by parted. Create the LUKS partition with our key file now.
+
+```sh
+cryptsetup luksFormat /dev/sde1 /root/secret.key
+```
+
+Associating our key with the LUKS partition will allow us to automount it later and prevent us from ever seeing a password prompt.
+
+```sh
+cryptsetup luksAddKey /dev/sde1 /root/secret.key --key-file=/root/secret.key
+```
+
+## initialize the LUKS partition
+
+Before we can start using our LUKS partition, we have to size it properly and format it first. In order to do that, we will first use luksOpen which creates an IO backing device that allows us to interact with the partition. I'll call my device secret; you can call yours whatever you want.
+
+```sh
+cryptsetup luksOpen /dev/sde1 secret --key-file=/root/secret.key
+```
+
+the LUKS mapping device will now be available at /dev/mapper/secret
+
+## size the LUKS partition
+
+When using resize without any additional vars, it will use the max size of the underlying partition.
+
+```sh
+cryptsetup resize secret --key-file=/root/secret.key
+```
+## format the LUKS partition
+
+I'm going to use ext4; you can use whatever you want.
+
+```sh
+mkfs.ext4 /dev/mapper/secret
+```
+
+## create a mount point
+
+I'll create a mount point at /secret
+
+```sh
+sudo mkdir -p /secret
+sudo chmod 755 /secret
+```
+
+## mount the LUKS mapping device
+
+```sh
+mount /dev/mapper/secret /secret
+df /secret
+```
+
+## automountable
+
+To avoid the hassle of mounting are encrypted volume manually, we can set it up such that it automounts using the specified key file. First you have to get the UUID for your partition.
+
+```sh
+ls -l /dev/disk/by-uuid
+```
+
+Find the UUID that links to your disk. In my case, it is 651322a-8171-49b4-9707-a96698ec826e.
+
+```sh
+export UUID="651322a-8171-49b4-9707-a96698ec826e"
+sudo echo "secret UUID=${UUID} /root/secret.key luks" >> /etc/crypttab
+```
+
+Finally, specify the automount
+
+```sh
+sudo echo "/dev/mapper/secret /secret auto" >> /etc/fstab
+```
+
+Mount stuff!
+
+```sh
+sudo mount -a
+```
+