
#1 2011-03-05 22:26:54

banshee28
Member
Registered: 2008-10-18
Posts: 336

Help with data drive encryption...luks for dm-crypt

Having issues setting up a new internal "data" HD as encrypted. ** First I only set up one single large partition of the entire 2T drive. Will this work like that? I don't need any other partitions since it's all data. The wiki mentioned / and /boot, but I don't need that for this data drive, right? Wiki: https://wiki.archlinux.org/index.php/Sy … troduction

I first got the semaphore error message when running any cryptsetup command:

semid 229376: semop failed for cookie 0xd4d6631: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie value 223176241 (0xd4d6631) to initialize waiting for incoming notifications.

But then found hal was not running. Now I get a device in use error:

cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sdb1 

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Cannot format device /dev/sdb1 which is still in use.

This is how cfdisk looks (looks partitioned) but not really "available" or listed as a filesystem yet?

                                                          cfdisk (util-linux 2.19)

                                                            Disk Drive: /dev/sdb
                                                    Size: 2000398934016 bytes, 2000.3 GB
                                           Heads: 255   Sectors per Track: 63   Cylinders: 243201

       Name                 Flags               Part Type         FS Type                      [Label]                   Size (MB)
 ------------------------------------------------------------------------------------------------------------------------------------------
       sdb1                 Boot                 Primary          crypto_LUKS                                           2000398.94         *

But every step of the cryptsetup now gives the device in use error, so not sure if this is set up or not. It won't mount as is:

mount: unknown filesystem type 'crypto_LUKS'

  I also want to ensure it uses the 2k character key I generated and saved in a file.


Arch64, AMD64, LXDE


#2 2011-03-06 01:20:29

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: Help with data drive encryption...luks for dm-crypt

cfdisk is reporting crypto_LUKS, which makes it sound like it's already encrypted ... that shouldn't stop cryptsetup from doing it again, though ... unless it really is in-use, though.

You won't just be mounting sdb1 straight up, you have to unlock it first.  You also need to then format the entry in /dev/mapper with a filesystem (ext3, ext4, etc.):

cryptsetup luksOpen /dev/sdb1 superSecret
mount /dev/mapper/superSecret /mnt/someMountPoint

1. luksFormat /dev/sdb1
2. luksOpen /dev/sdb1 superSecret
3. mkfs.ext4 /dev/mapper/superSecret
4. mount /dev/mapper/superSecret

One other thing you could do before making a real filesystem is to write zeros to the mapped partition (superSecret), which will write "encrypted zeros" to the physical drive, if you're paranoid.

What do you have in /dev/mapper?  It may already be unlocked, which would make it "in-use."  To close it (replace the superSecret name, of course):

cryptsetup luksClose superSecret

To utilize a pre-generated keyfile, add to your luksFormat (and subsequent luksOpen) command:

-d someKeyfile

Also, I'd recommend changing the hashing algorithm (which is SHA1 by default).  In your luksFormat command (for SHA512):

-h sha512

Hope some of this helps ...

Last edited by MkFly (2011-03-06 01:25:17)


#3 2011-03-06 01:47:03

banshee28
Member
Registered: 2008-10-18
Posts: 336

Re: Help with data drive encryption...luks for dm-crypt

MkFly wrote:

What do you have in /dev/mapper?  It may already be unlocked, which would make it "in-use."

This is what's in that directory:

total 0
drwxr-xr-x  2 root root      80 Mar  5 16:25 .
drwxr-xr-x 17 root root    5800 Mar  5 16:25 ..
crw-------  1 root root 10, 236 Mar  5 16:13 control
lrwxrwxrwx  1 root root       7 Mar  5 16:22 data -> ../dm-0

"data" is what I named it ... So it looks like it's there I guess..
Will try some of your steps now!! Thanks...

** We are getting somewhere!! Still got the errors but I continued on and was able to get it mounted ... cfdisk shows crypto_LUKS fs but df shows ext4 as I just formatted it ( I guess this is the /dev/mapper/data and not the physical drive..lol?). Looking better....

root /dev/mapper # cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
semid 786433: semop failed for cookie 0xd4d31ef: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie value 223162863 (0xd4d31ef) to initialize waiting for incoming notifications.

root /dev/mapper # cryptsetup luksOpen /dev/sdb1 data
Enter passphrase for /dev/sdb1: 
Tsemid 851969: semop failed for cookie 0xd4d0491: incorrect semaphore state
Failed to set a proper state for notification semaphore identified by cookie value 223151249 (0xd4d0491) to initialize waiting for incoming notifications.

root /dev/mapper # mkfs.ext4 /dev/mapper/data 
mke2fs 1.41.14 (22-Dec-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
122101760 inodes, 488378126 blocks
24418906 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
14905 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
    102400000, 214990848

Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 27 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

root /dev/mapper # mount /dev/mapper/data 
mount: can't find /dev/mapper/data in /etc/fstab or /etc/mtab

root /dev/mapper # mount /dev/mapper/data /mnt/2T

root /dev/mapper # cd /mnt/2T

root /mnt/2T # ls -la
total 24
drwxr-xr-x 3 root root  4096 Mar  5 21:00 .
drwxr-xr-x 7 root root  4096 Mar  5 17:22 ..
drwx------ 2 root root 16384 Mar  5 21:00 lost+found

root /mnt/2T # df -Th
Filesystem    Type    Size  Used Avail Use% Mounted on
udev      devtmpfs     10M  236K  9.8M   3% /dev
/dev/sda2     ext4     19G  2.8G   15G  16% /
shm          tmpfs    4.0G  688K  4.0G   1% /dev/shm
/dev/sda1     ext2     92M   16M   72M  18% /boot
/dev/sda3 reiserfs    3.8G  521M  3.3G  14% /var
/dev/sda4     ext4     52G   48G  848M  99% /home
/dev/mapper/data
              ext4    1.8T  196M  1.7T   1% /mnt/2T

Weird....Seems like when I run most of the cryptsetup commands I still get the semaphore errors, but I think the commands actually work....Anyways, the config did not survive a reboot, but here is the status now. Not sure if I can set it to the sha512 as I tried....Also how can I confirm it's using the keyfile?:

root /dev/mapper # cryptsetup status data
/dev/mapper/data is active.
  type:  LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    3907025009 sectors
  mode:    read/write

Last edited by banshee28 (2011-03-06 03:27:23)


Arch64, AMD64, LXDE


#4 2011-03-06 10:15:20

siriusb
Member
From: Hungary
Registered: 2010-01-01
Posts: 422

Re: Help with data drive encryption...luks for dm-crypt

I have a WD Caviar Green 2TB. I don't know what make you have, but you should keep in mind if it uses Advanced Format you either have to align your partition or have to use GPT instead of MBR. The second option is preferable. https://wiki.archlinux.org/index.php/Advanced_Format

I have two partitions on this HDD, one of them is LUKS encrypted and I had no problem with encrypting it, but my partitions are smaller than 2 TB.

LUKS wiki page says:

cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sdb1 

it should work for you (with password).
For keyfile:

dd if=/dev/urandom of=mykeyfile bs=512 count=4
cryptsetup -c <desired cipher> -s <key size> -v luksFormat /dev/<volume to encrypt> /path/to/mykeyfile 

as you can see on https://wiki.archlinux.org/index.php/LU … ns_to_LUKS
And you should follow MkFly's steps: luksFormat, luksOpen, mkfs.ext4 on the mounted partition in /dev/mapper, then mount it to /media
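The dd command above creates the keyfile with whatever permissions the current umask allows. An added example (not part of any post in this thread; the function names are hypothetical) that creates the same 2048-byte keyfile readable only by its owner, and audits an existing keyfile before it is handed to cryptsetup:

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# make_keyfile PATH [BYTES]
# Write BYTES random bytes (default 2048, the size bs=512 count=4 produces)
# to a NEW file that only the owner can read.
make_keyfile() {
    kf=$1; bytes=${2:-2048}
    (
        umask 077    # file is created 0600, so nobody else can read it even briefly
        set -C       # noclobber: the redirect fails if $kf already exists
        head -c "$bytes" /dev/urandom > "$kf"
    ) || { echo "could not create $kf (already exists?)" >&2; return 1; }
    chmod 0400 "$kf"  # read-only for the owner; the key never needs editing
}

# audit_keyfile PATH [MIN_BYTES]
# Returns 0 if PATH is a regular file with no group/other permission bits
# and at least MIN_BYTES (default 32) long, 1 if it is unsafe, 2 if missing.
audit_keyfile() {
    kf=$1; min=${2:-32}
    perms=$(ls -ld "$kf" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || { echo "$kf not found" >&2; return 2; }
    case $perms in
        -???------) ;;   # regular file, owner bits only
        l*) echo "$kf is a symlink, check its target instead" >&2; return 1 ;;
        *)  echo "$kf has unsafe mode $perms" >&2; return 1 ;;
    esac
    size=$(( $(wc -c < "$kf") ))
    [ "$size" -ge "$min" ] || { echo "$kf is only $size bytes" >&2; return 1; }
}

# Usage (path is a placeholder):
#   make_keyfile /root/data.key && audit_keyfile /root/data.key
```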


#5 2011-03-06 16:08:31

banshee28
Member
Registered: 2008-10-18
Posts: 336

Re: Help with data drive encryption...luks for dm-crypt

I aligned it using GPT now...Starting with sector 2048.

root ~ # gdisk /dev/sdb1
GPT fdisk (gdisk) version 0.6.14

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): p
Disk /dev/sdb1: 3907027087 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): 5B728706-70E7-4FB5-999F-7CB964E2F492
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907027053
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048      3907027053   1.8 TiB     0700  Linux/Windows data

Command (? for help): v
No problems found. 2014 free sectors (1007.0 KiB) available in 1
segments, the largest of which is 2014 (1007.0 KiB) in size.

root ~ # parted -l 

Model: ATA SAMSUNG HD204UI (scsi)
Disk /dev/sdb: 2000GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name                Flags
 1      1049kB  2000GB  2000GB               Linux/Windows data

Do I also need to change the sector size from 512k to 4096? Can't find a way to do that, as fdisk -b 4096 no longer works, and I don't see any sector size options in parted or gdisk.

Thanks, I definitely needed to change the alignment first.
I am using a SAMSUNG Spinpoint F4 HD204UI  which is nicely listed in your link to the alignment wiki page!

Edit: I got the same semaphore errors all the way through the encryption but in the end it looks like it worked:

root ~ # cryptsetup status data
/dev/mapper/data is active and is in use.
  type:  LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    3907022991 sectors
  mode:    read/write

Last edited by banshee28 (2011-03-06 16:19:42)


Arch64, AMD64, LXDE


#6 2011-03-07 22:59:32

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: Help with data drive encryption...luks for dm-crypt

banshee28 wrote:

** We are getting somewhere!! Still got the errors but I continued on and was able to get it mounted ... cfdisk shows crypto_LUKS fs but df shows ext4 as I just formatted it ( I guess this is the /dev/mapper/data and not the physical drive..lol?).

Yep, you shouldn't see /dev/sdb1 in mount or df, just the mapped entry.  /dev/sdb1 (your physical partition) is just (pseudo-)random data on disk, so you can't mount it directly.

Also, it doesn't look like you used your keyfile when you luksFormat'ed.  Unless something has changed since the last time I looked, you can't use a passphrase and a keyfile in a single keyslot.  By running as you did:

cryptsetup luksFormat /dev/sdb1

You are using all of the default options, which, as of cryptsetup 1.2.0, are:

    LUKS1: aes-cbc-essiv:sha256, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom

So, if you want to use XTS, SHA512 for hashing, or a keyfile, you will need to redo it all with luksFormat:

cryptsetup luksFormat /dev/sdb1 -c aes-xts-plain -s 512 -h sha512 -d /path/to/keyfile

Then, when you luksOpen, you will have to:

cryptsetup luksOpen /dev/sdb1 data -d /path/to/keyfile

As for the semaphore error, I haven't seen that one before. :P


#7 2011-03-09 01:28:46

banshee28
Member
Registered: 2008-10-18
Posts: 336

Re: Help with data drive encryption...luks for dm-crypt

Ok, pretty much started over from scratch. Still getting those errors, but in the end it works. Is this the proper way to tell the disk is aligned starting at 2048 using GPT? Fdisk shows starting at sector 1, but I guess that's since it's not compatible with GPT? Also should I be verifying with sdb or sdb1?

gdisk sdb:

Disk /dev/sdb: 3907029168 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): 659A2B72-53B7-45B6-8A1E-C6C2D6C18E96
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907029134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048      3907029134   1.8 TiB     0700  Linux/Windows data

I did get the new format working:

/dev/mapper/data is active and is in use.
  type:  LUKS1
  cipher:  aes-xts-plain
  keysize: 512 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    3907022991 sectors
  mode:    read/write

Last edited by banshee28 (2011-03-09 01:29:59)


Arch64, AMD64, LXDE


#8 2011-03-09 05:54:49

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: Help with data drive encryption...luks for dm-crypt

https://wiki.archlinux.org/index.php/Advanced_Format wrote:

Check your partitions alignment

# fdisk -lu /dev/sda
...
# Device     Boot      Start   End         Blocks      Id System
# /dev/sda1            2048    46876671    23437312    7  HPFS/NTFS

2048 (default since fdisk 2.17.2) means that your HDD is aligned correctly. Any other value divisible by 8 is good as well.

I couldn't tell you any more than that, I don't have an AF drive. :) Although I was looking into getting a 750GB Scorpio Black to replace my 500GB Scorpio Black, so it's good stuff for me to learn.
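Two checks from this thread combined into one added example (not part of any post; function names are hypothetical): it compares the `cryptsetup status` output posted in #5 and #7 against the cipher and key size that were asked for, which catches the silent fall-back to defaults described in #6, and applies the divisible-by-8 rule quoted above. It goes one step beyond the quoted rule by adding the LUKS payload offset to the partition start, since that sum is where the encrypted data actually begins.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Input is the text printed by `cryptsetup status <name>`.

# Status output as posted in #5 (defaults) and #7 (after redoing luksFormat).
STATUS_DEFAULT='/dev/mapper/data is active and is in use.
  type:  LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    3907022991 sectors
  mode:    read/write'
STATUS_FIXED='/dev/mapper/data is active and is in use.
  type:  LUKS1
  cipher:  aes-xts-plain
  keysize: 512 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    3907022991 sectors
  mode:    read/write'

# status_field TEXT KEY: print the first word after "KEY:" in status output.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# audit_mapping TEXT WANT_CIPHER WANT_BITS PART_START
# PART_START is the partition's first sector (gdisk "Start (sector)").
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on bad input.
audit_mapping() {
    cipher=$(status_field "$1" cipher)
    bits=$(status_field "$1" keysize)
    offset=$(status_field "$1" offset)
    for n in "$bits" "$offset" "$3" "$4"; do
        case $n in ''|*[!0-9]*) echo "unparsable input"; return 2 ;; esac
    done
    [ -n "$cipher" ] || { echo "unparsable input"; return 2; }
    rc=0
    [ "$cipher" = "$2" ] || { echo "cipher is $cipher, wanted $2"; rc=1; }
    [ "$bits" -eq "$3" ] || { echo "keysize is $bits bits, wanted $3"; rc=1; }
    # Encrypted data begins at partition start + LUKS payload offset, counted
    # in 512-byte sectors; a multiple of 8 sectors sits on a 4096-byte boundary.
    first=$(( $4 + offset ))
    [ $(( first % 8 )) -eq 0 ] || { echo "payload starts at sector $first, not 4 KiB aligned"; rc=1; }
    return $rc
}

audit_mapping "$STATUS_DEFAULT" aes-xts-plain 512 2048 || true  # two findings
audit_mapping "$STATUS_FIXED" aes-xts-plain 512 2048 || true    # prints nothing
```

The header hash chosen with -h is not part of the status output; `cryptsetup luksDump /dev/sdb1` prints it on the "Hash spec" line.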


#9 2011-03-09 12:38:51

banshee28
Member
Registered: 2008-10-18
Posts: 336

Re: Help with data drive encryption...luks for dm-crypt

MkFly wrote:
https://wiki.archlinux.org/index.php/Advanced_Format wrote:

Check your partitions alignment

# fdisk -lu /dev/sda
...
# Device     Boot      Start   End         Blocks      Id System
# /dev/sda1            2048    46876671    23437312    7  HPFS/NTFS

2048 (default since fdisk 2.17.2) means that your HDD is aligned correctly. Any other value divisible by 8 is good as well.

I couldn't tell you any more than that, I don't have an AF drive. :) Although I was looking into getting a 750GB Scorpio Black to replace my 500GB Scorpio Black, so it's good stuff for me to learn.

Sounds good, I DO appreciate your help! :)


Arch64, AMD64, LXDE

