Module 8 of 16 · 4 min read · 30 min total
FUTO 08 LUKS Encryption
In this module, you will learn the basics of hard disk encryption with LUKS (Linux Unified Key Setup). You will learn how to securely encrypt, manage, and integrate hard disks and partitions into your system. The focus is on practical application and understanding the underlying technologies.
Concepts and Background
- LUKS (Linux Unified Key Setup): A standard for hard disk encryption under Linux that allows managing multiple keys per partition and is based on dm-crypt.
- dm-crypt: The kernel component that performs the actual encryption at the block level. LUKS is a metadata layer that uses dm-crypt.
- Keyfile: A file that contains one or more keys for LUKS encryption. Enables automatic mounting without manual password entry.
- Header-Backup: A backup copy of the LUKS header, which is essential for data recovery in case of header damage.
- Performance: The impact of encryption on system performance, depending on the CPU, the encryption algorithm used, and the hard disk speed.
Practical Steps
- Install cryptsetup if not already done:
  sudo apt install cryptsetup
- Create a partition for encryption, for example with fdisk or gdisk.
- Initialize the partition with LUKS:
  sudo cryptsetup luksFormat /dev/sdXn
- Open the encrypted partition:
  sudo cryptsetup open /dev/sdXn luks_volume
- Create a filesystem on the decrypted partition:
  sudo mkfs.ext4 /dev/mapper/luks_volume
- Mount the filesystem:
  sudo mount /dev/mapper/luks_volume /mnt
- Create a keyfile for automatic mounting. Keep the directory and the file readable by root only, because anyone who can read the keyfile can unlock the volume:
  sudo mkdir -p -m 0700 /etc/luks
  sudo dd if=/dev/urandom of=/etc/luks/keyfile bs=1024 count=4
  sudo chmod 0400 /etc/luks/keyfile
- Add the keyfile to the LUKS volume:
  sudo cryptsetup luksAddKey /dev/sdXn /etc/luks/keyfile
- Back up the LUKS header. cryptsetup's luksHeaderBackup copies the complete header and keyslot area, whose size depends on the LUKS version and which a fixed-size dd copy can truncate:
  sudo cryptsetup luksHeaderBackup /dev/sdXn --header-backup-file /backup/luks_header_backup
- Configure /etc/crypttab and /etc/fstab for automatic mounting.
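For the last step, the following added example (not part of the original module) checks that a keyfile is safe to reference and prints matching /etc/crypttab and /etc/fstab entries. The function names and the sample UUID are constructed for illustration; luks_volume, /etc/luks/keyfile, /mnt and ext4 come from the steps above, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example. Obtain the real UUID with: sudo cryptsetup luksUUID /dev/sdXn

# keyfile_ok PATH [UID]: succeed only if PATH is a regular file (not a symlink),
# owned by UID (default 0 = root), with no group/other permission bits.
keyfile_ok() {
    kf=$1; want_uid=${2:-0}
    if [ -L "$kf" ] || [ ! -f "$kf" ]; then
        echo "keyfile: $kf is not a regular file" >&2; return 1
    fi
    owner=$(stat -c '%u' "$kf") || return 1   # GNU stat: owner uid
    mode=$(stat -c '%a' "$kf") || return 1    # GNU stat: octal mode
    if [ "$owner" != "$want_uid" ]; then
        echo "keyfile: $kf owned by uid $owner, expected $want_uid" >&2; return 1
    fi
    case $mode in
        [0-7]00) return 0 ;;                  # owner-only, e.g. 400 or 600
        *) echo "keyfile: $kf has mode $mode, expected 0400" >&2; return 1 ;;
    esac
}

# crypttab_line NAME UUID KEYFILE: print "<name> <device> <keyfile> <options>".
# Referencing the UUID avoids breakage when /dev/sdX names change between boots.
crypttab_line() {
    name=$1; uuid=$2; kf=$3
    case $uuid in
        *[!0-9a-fA-F-]*) echo "crypttab: bad UUID: $uuid" >&2; return 1 ;;
        ????????-????-????-????-????????????) ;;
        *) echo "crypttab: bad UUID: $uuid" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$kf"
}

# fstab_line NAME MOUNTPOINT: mount the opened mapping, not the raw partition.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Demo with a constructed UUID; review the output before adding it to the files.
SAMPLE_UUID=0a1b2c3d-1111-2222-3333-444455556666
crypttab_line luks_volume "$SAMPLE_UUID" /etc/luks/keyfile
fstab_line luks_volume /mnt
```

On the real system, run `sudo sh -c '. ./script.sh; keyfile_ok /etc/luks/keyfile'` (script name is a placeholder) before rebooting, since a keyfile that fails the check is readable by non-root users.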
Common Pitfalls
Further Resources
- LUKS FAQ and Troubleshooting
- Arch Linux Wiki: dm-crypt/LUKS
- Kernel documentation for dm-crypt
- Official cryptsetup documentation
- Practical guide to hard disk encryption
Knowledge Check
Four questions for self-assessment.
What is the main difference between LUKS and dm-crypt?
- A) LUKS is only for SSDs, dm-crypt for HDDs
- B) LUKS is a metadata layer that uses dm-crypt
- C) dm-crypt only supports simple encryption, LUKS supports multiple keys
- D) LUKS is proprietary, dm-crypt is Open Source
Correct Answer: B. LUKS is a metadata layer that builds on dm-crypt and provides additional functions like key management. A is incorrect because both technologies work with all types of hard disks. C is incomplete because dm-crypt can also support multiple keys, but without the easy management of LUKS. D is incorrect because both are Open Source technologies.
Which command initializes a partition with LUKS encryption?
- A) sudo cryptsetup luksFormat /dev/sdXn
- B) sudo cryptsetup encrypt /dev/sdXn
- C) sudo luksFormat /dev/sdXn
- D) sudo cryptsetup setup /dev/sdXn
Correct Answer: A. The correct command is 'sudo cryptsetup luksFormat /dev/sdXn' to initialize a partition with LUKS. B is incorrect because there is no 'encrypt' command in the cryptsetup tool. C is incorrect because 'luksFormat' is not a standalone command but part of cryptsetup. D is incorrect because the correct command is 'luksFormat', not 'setup'.
Why is a header backup important in LUKS encryption?
- A) It improves the performance of the encrypted partition
- B) It enables data recovery in case of header damage
- C) It contains the passwords for accessing the partition
- D) It is required to add additional keys
Correct Answer: B. A header backup is important to be able to recover data in case of LUKS header damage. A is incorrect because the header has nothing to do with performance. C is incorrect because the header does not contain passwords, but metadata about the encryption. D is incorrect because adding keys is possible without a header backup.
What is the purpose of a keyfile in LUKS encryption?
- A) It increases security through an additional encryption layer
- B) It enables automatic mounting without manual password entry
- C) It stores the metadata for the filesystem
- D) It serves as a backup for the LUKS header
Correct Answer: B. A keyfile enables automatic mounting because it contains the key and can be used without manual entry. A is incorrect because a keyfile does not add an additional encryption layer. C is incorrect because the keyfile does not store filesystem metadata. D is incorrect because the keyfile is not a backup for the LUKS header.