WEBVTT

0
00:00.620 --> 00:02.700
Let's get started!

1
00:02.720 --> 00:08.590
I'm gonna encrypt an entire USB stick using dm-crypt and LUKS!

2
00:08.780 --> 00:15.980
You should follow the same steps if you want to encrypt a hard disk partition or an external USB

3
00:15.980 --> 00:17.270
hard drive.

4
00:17.360 --> 00:25.370
The following commands will destroy all data on the disk and I recommend you to make a backup before continuing. 

5
00:25.370 --> 00:31.950
Keep in mind that this is a full disk encryption solution for Linux based operating systems.

6
00:32.090 --> 00:40.860
And if you want to access the encrypted disk on Windows or Mac you must install other software; for

7
00:40.860 --> 00:49.970
example on Windows you should install LibreCrypt to access the encrypted drive. LibreCrypt is the

8
00:49.970 --> 00:53.120
only way to read LUKS volumes on Windows.

9
00:54.810 --> 00:58.280
The first step is to install cryptsetup,

10
00:58.350 --> 00:59.730
if it's not already there.

11
01:02.050 --> 01:10.330
Cryptsetup is a utility for setting up encrypted filesystems using a Device Mapper and dm-crypt.

12
01:11.290 --> 01:15.480
All following commands will be executed as root.

13
01:15.490 --> 01:22.410
So if you don't have cryptsetup you can install it using apt install cryptsetup.

14
01:26.540 --> 01:27.130
Okay.

15
01:27.260 --> 01:36.790
Upgrading cryptsetup. On some Linux distributions, like Fedora or CentOS, the name of the package is

16
01:36.850 --> 01:43.110
cryptsetup-luks.

17
01:43.320 --> 01:51.030
The next step is optional but recommended and consists of filling the partition you want to encrypt

18
01:51.150 --> 01:53.100
with random data.

19
01:53.100 --> 02:01.740
This will ensure that the outside world will see this as random data and protect against disclosure

20
02:02.040 --> 02:03.360
of usage patterns.

21
02:04.380 --> 02:07.800
At this moment I'm inserting the USB drive. 

22
02:11.350 --> 02:19.270
If you are running Linux in a VM you should see the USB drive in the properties of the VM at the USB

23
02:19.270 --> 02:26.410
section. So Settings and USB; here you should see the drive

24
02:29.100 --> 02:30.450
USB flash drive.

25
02:32.710 --> 02:40.950
And if you don't see it there and you run VirtualBox you should install the VirtualBox Extension Pack.

26
02:41.050 --> 02:48.760
This piece of software; okay, I've just inserted the USB drive.

27
02:48.760 --> 02:54.810
I'm waiting a few seconds and then I'll check the name of the newly inserted drive.

28
02:55.360 --> 03:05.960
fdisk -l
and its name is sdc; probably in your case another name could be displayed like

29
03:06.020 --> 03:12.600
sdb or sdd; If you want to encrypt only a partition, not the entire disk,

30
03:12.710 --> 03:16.790
use that partition's name. A partition's name

31
03:16.790 --> 03:21.170
always ends in a digit like 1, 2 or 5 

32
03:21.170 --> 03:22.370
in this example.

33
03:23.730 --> 03:27.220
What is the most important is to use the correct name.

34
03:27.300 --> 03:31.140
Take care that if you use a wrong disk or partition name

35
03:31.250 --> 03:35.560
all data on that disk or partition will be lost forever.

36
03:38.550 --> 03:43.740
The following command will remove all data on the disk or the partition

37
03:43.770 --> 03:52.180
you are encrypting; so make sure you have first backed up your data to an external source. So

38
03:52.530 --> 03:56.220
dd if= from input file

39
03:56.220 --> 04:09.270
/dev/urandom. This is one way of generating random data, and of=/dev/sdb

40
04:09.270 --> 04:13.380
name of the drive, and status=progress

41
04:19.170 --> 04:28.110
The operation will take a few minutes depending on the size of your disk. In this example I'm stopping

42
04:28.110 --> 04:39.370
it. I am pressing Ctrl+C. The next step will initialize the LUKS partition and set the initial

43
04:39.370 --> 04:43.930
passphrase, either via prompting or via key file.

44
04:43.990 --> 04:47.650
In this example we'll use a passphrase.

45
04:47.650 --> 04:51.890
The command will fail if the partition is already mounted,

46
04:52.000 --> 04:54.040
so please unmount it

47
04:54.040 --> 04:56.990
if that's the case. So cryptsetup

48
05:00.030 --> 05:11.140
-y -v luksFormat (use the camel case notation) and the name of the drive /dev/sdb.

49
05:11.420 --> 05:21.870
The -y option is used to interactively ask for a passphrase, or to ask for it twice and complain

50
05:21.960 --> 05:30.890
if both inputs do not match. And -v comes from verbose.

51
05:31.130 --> 05:39.130
This will overwrite the data on sdb irrevocably. I'm typing uppercase Yes.

52
05:42.040 --> 05:44.230
And I'm entering a passphrase

53
05:52.830 --> 05:58.840
After verifying the passphrase it displays command successful.

54
05:59.060 --> 06:05.260
The next step is to open the encrypted device and set up a mapping name.

55
06:05.270 --> 06:12.640
After the successful verification of the supplied passphrase the mapping device file will be in /dev

56
06:12.650 --> 06:25.460
/mapper. So
cryptsetup luksOpen /dev/sdc, the drive, and the name of the mapper

57
06:25.480 --> 06:26.200
file.

58
06:26.200 --> 06:28.550
You can write anything you want.

59
06:28.870 --> 06:33.960
Let's say secret data and I'm entering the passphrase.

60
06:38.890 --> 06:47.050
The command has created a mapping between the disk and the special device file called secretdata in

61
06:47.050 --> 06:50.030
/dev/mapper; here.

62
06:50.710 --> 06:51.450
This is the file!

63
07:04.780 --> 07:12.630
It's in fact a symlink to dm-0; to this file.

64
07:12.640 --> 07:15.380
We notice this is a special block device.

65
07:18.750 --> 07:27.360
You can use the following command to see the status of the mapping: cryptsetup status and the name of

66
07:27.360 --> 07:29.250
the mapping secretdata.

67
07:34.760 --> 07:43.740
You are seeing the symmetric encryption algorithm used, the length of the key and much more. Next, we'll

68
07:43.870 --> 07:54.460
format the filesystem! mkfs.ext4 /dev/mapper/secretdata

69
07:55.680 --> 08:02.370
ext4 is the most used file system for Linux; okay!

70
08:02.540 --> 08:08.450
And it takes a few seconds; 10-20 seconds depending on the disk size;

71
08:13.270 --> 08:14.910
and it's over!

72
08:14.920 --> 08:24.820
Finally we mount the encrypted filesystem to the main file tree like this: mount /dev/mapper/secretdata

73
08:24.820 --> 08:34.270
and an existing directory, let's say /mnt. At this point you can use the mounted disk

74
08:34.270 --> 08:38.730
normally; you copy, move or erase files on the disk

75
08:38.740 --> 08:58.390
as with any other disk; the content of the disk will be in /mnt

76
08:58.400 --> 09:04.160
You can also create a new directory and mount the encrypted disk to that directory.

77
09:04.160 --> 09:13.010
Like this: I am creating a directory in root, secretdata, and I am mounting the encrypted disk

78
09:13.310 --> 09:14.230
to that directory.

79
09:20.700 --> 09:21.880
I can access

80
09:21.930 --> 09:31.460
/dev/mapper/secretdata, so the encrypted disk, both in /mnt and root secretdata; by the way

81
09:31.690 --> 09:39.980
in Linux you can mount a storage device or a disk on more directories; the encryption is transparent

82
09:40.340 --> 09:42.780
and you won't notice anything.

83
09:42.830 --> 09:51.140
And once again, data is protected at rest, or when the disk is not mounted; at this moment, when the disk is

84
09:51.140 --> 10:00.440
mounted, it can be accessed normally by anyone. A hacker could run an exploit and connect using ssh to your

85
10:00.440 --> 10:02.980
machine and steal all your data.

86
10:03.230 --> 10:08.440
But once you unmount the disk the data will be inaccessible.

87
10:08.470 --> 10:16.170
Let's see how to unmount the disk: umount /mnt and umount /secretdata

88
10:16.190 --> 10:21.040
After unmounting the directory

89
10:21.040 --> 10:27.390
we must also close the LUKS volume: cryptsetup luksClose

90
10:27.460 --> 10:33.350
secretdata; this is the name of the mapper file,

91
10:33.430 --> 10:36.070
the file in /dev/mapper.

92
10:36.220 --> 10:36.550
Okay.

93
10:36.550 --> 10:43.750
Now the disk is protected; next time when you want to access the disk you just run cryptsetup luksOpen

94
10:43.810 --> 10:45.810
and mount like this.

95
10:51.980 --> 10:55.300
This is the mapper file and I can write anything I want.

96
10:55.550 --> 11:03.700
Like secret; I am entering the passphrase and the disk is unlocked.

97
11:08.330 --> 11:15.130
This is the mapper file, and mount /dev/mapper in root secretdata,

98
11:15.140 --> 11:17.270
the directory I've just created.

99
11:19.420 --> 11:30.330
Sorry, it's /dev/mapper/secret.

100
11:30.460 --> 11:33.430
I am creating a file on the encrypted disk.

101
11:36.800 --> 11:39.410
If you are using a graphical interface

102
11:39.420 --> 11:46.760
it's also probable that the Linux operating system will recognize the disk when inserted and prompt

103
11:46.790 --> 11:50.580
you automatically for the passphrase.

104
11:50.590 --> 11:58.820
Don't forget that any storage medium fails, and backup is mandatory for encrypted data as well.

105
11:58.930 --> 12:01.510
Of course if the data has any worth.