How-To: encrypted partitions over LVM with LUKS — page 2 — encrypting the partitions

1 minute read

3. Encrypting the partitions

3.1. Filling the partition with random data

Now that we have our partition layout, we need to encrypt /home and /. The first thing we are going to do is to fill those partitions with random data. There is 2 ways of doing it. A fairly fast one or a really slow but efficient one.

3.1.1. using badblocks

By using badblocks you will verify that your physical disk is fine and at the ame time, fill with some random data.

# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedhome
# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedroot

3.1..2. using dd

We can use dd to read random data from /dev/urandom and write them to the “to be” encrypted partitions:

Note that this is really long and slow, but it will make it harder to find the key that lock your partition.

# dd if=/dev/urandom of=/dev/lvmvolume/encryptedroot
# dd if=/dev/urandom of=/dev/lvmvolume/encryptedhome

For an ETA, Ubuntu community encryption tutorial mentions:

Fill the partitions with random data. This may take MANY hours for the large partitions, on average 1.6M/sec of data is written to disk, so a 10GB partition might take around 2 hours, and 100GB partition might take a bit under 20 hours.

In the meantime you can wish that the tutorial is going to work :smile:

3.2. Setting up the LUKS encryption

Ok, now that our partitions are full of random bytes, we can set up our encryption mechanism wtih the help of cryptsetup.

# cryptsetup -y --cipher aes-cbc-essiv:sha256 \
    --key-size 256 luksFormat /dev/lvmvolume/encryptedroot

This will overwrite data on /dev/lvmvolume/encryptedroot irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

And the same for encryptedhome:

# cryptsetup -y --cipher aes-cbc-essiv:sha256 \
    --key-size 256 luksFormat /dev/lvmvolume/encryptedhome

3.3. Mounting the encrypted partitions:

Now, encryptedhome and encryptedroot are LUKS enabled, from there, we can use cryptsetup again to mount those encrypted partitions:

root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedroot rootvolume
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedhome homevolume
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

3.4. Formatting the partitions

Finally, we now have all our partition pseudo devices available. we can now format them so Ubuntu installer sees the partition we want to install our system on, e.g the encrypted ones.