luks_07

Disk encryption is one method you may use to enhance the physical security rating of your computer. From my experience, it is rarely used, which is a shame because it is one of the most effective safeguards against unauthorized physical access to data stored on a computer.

Disk encryption, which can be full disk, or per partition, may be configured during or after installation, but the most effective is full disk during installation. The following Linux distributions listed on this website, have support for configuring full disk encryption during installation:

When disk encryption is enabled on any of these distributions, the installer will prompt you for a passphrase which will be used to lock or encrypt the disk. The image below was taken during an installation of Fedora 13.

Passphrase
Here the installer requires you to type in the passphrase that will be used to encrypt and decrypt the disk

NOTE: The objective of this tutorial is to show you how to manage disk encryption keys or passphrases on a running system, and that involves creating a backup passphrase or encryption key, and deleting an encryption key (enabling and disabling key slots).

After installation, and during system bootup, you will be prompted for the passphrase before the computer completes bootup. Without the correct passphrase, you will not be able to boot into the system. The image below was taken during bootup of a Sabayon 5.3 installation.

Passphrase
The disk encryption passphrase is being requested.

The rest of this article assumes that you have configured disk encryption and have booted up successfully. Now, let us get to the point of this tutorial – managing passphrases and key slots.

Related Post:  How to set up a Debug Server using Nginx

Though just one passphrase was set during installation, the system actually makes allowance for up to eight (8) passphrases. Each passphrase is designed to fit into a Key Slot. The best way to describe this, in layman’s terms, is to imagine a door with eight different keys (and eight key locks). Each key (passphrase) fits into a particular lock (key slot). When the door was first made, only one key (and its corresponding key lock) was activated. If you later activate any of the other keys, that is, more than one key is active at a time, you will still need just one key to open the door. The other active key(s) serve as backup(s), in case you lose or forget the main key.

And that is how the disk encryption system works. You are allowed to set up to eight (8) passphrases, but you need just one to unlock the disk during bootup. When more than one passphrase is set, any one may be used to unlock the disk during bootup, not just the one that was specified during installation.

With more than one passphrase active, you can delete a key when you feel there is a need to – for example, when you think that a key has been compromised, or when you have forgotten it. To view the status of the key slots on your system, launch a shell terminal and type cryptsetup luksDump /dev/sdaX where “X” is the encrypted disk (partition). In the default Sabayon 5.4 installation used for this tutorial, the encrypted device is /dev/sda2. So the correct command used is cryptsetup luksDump /dev/sda2

luks_02
Output of cryptsetup luksDump

NOTE: The first key slot is Key Slot 0, the second key slot is Key Slot 1, …, and the last key slot, key slot eight is Key Slot 7).

Related Post:  How to install Cinnamon in Ubuntu 11.10

In the image above, you can see that there are eight key slots, but only the first key slot, key slot 0, is in ENABLED status. This will always be the case when you first configure disk encryption. As noted earlier, you can delete a key (that is, disable the key slot). However, if you try to do that without creating a backup key, the system will try to discourage you (see shot below).

luks_03
In the act of deleting a key

So if you think there is a need to delete the passphrase set during installation, the first thing to do is to create a backup key. And you accomplish that by typing the following command: cryptsetup luksAddKey /dev/sdaX –key-slot=1. Here, you are adding a key to key slot 1, that is, to the second key slot. (recall that we start from key slot 0, key slot 1, … key slot 7). You can add a key to any slot. It does not have to be next to the one you are going to delete.

luks_04
Creating a backup passphrase

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer runs network ads?  Yep, no more ads from the usual suspects that track you across the Internet.  But since  I still need to pay to keep the site running, feel free to make a small donation by PayPal.

Subscribe for updates. Trust me, no spam!

Mailchimp Signup Form

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event for 2020.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

5 Responses

  1. Jealous or complaining? Mint provides for both methods. If you don’t like the command line, don’t use it but don’t troll it…you just demonstrate your ignorance.

    1. I am very new to linux,Mint 17.1 Mate but I learned to read the whole post, article, page before I randomly just cut/paste.
      It was a very helpful tip i read in Linux forum or one of the manyLinux question forums. Being totally new to all Unix/Linux types of operating systems and desktops , I had typical anxiety over the terminal /command line process but also excited about being able to make so many changes there; I did not even look for the existing GUI in the Menu for a few months or with the package or software Manager gui.
      I am glad I did. Still do not know how to spontaneously generate folder moves or create directories- much of anything really, but I have gotten over my fear or resistance to this terminal method and learning more every time I use one of the few computers i own which i took off windows7 and made total linux, no more dual boot on them now.

  2. I find it funny that you gave directions on how to do everything from the terminal before you gave the super easy super quick directions through the update manager. Still super helpful though. Thanks!

    1. It is funny & I have noticed that the vast majority of long term Linux users tend to think that it is somehow more clever to type stupid unecessary commands just like back in the late 1970’s early 80’s

      1. You do realize that not all Linux distributions use Cinnamon or even a graphical interface at all. So learning to do it through the command line is usable on all Debian based Linux distros.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter
Mailchimp Signup Form

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.

Anastasia Marchenkova

An invitation from Anastasia Marchenkova

Hya, after stints as a quantum researcher at Georgia Tech Quantum Optics & Quantum Telecom Lab, and the University of Maryland Joint Quantum Institute, I’m now working on superconducting qubit quantum processors at Bleximo. I’ll be speaking during Algorithm Conference in Austin, Texas, July 16 – 18, 2020. Meet me there and let’s chat about progress and hype in quantum computing.