Whole Disk Encryption

The best way to do this currently is with the cryptsetup tool, which uses a Device Mapper approach. i.e. the physical drives get mapped to logical drives with the encryption layer nicely hidden in between.  

For an array of multiple drives you get better performance by encrypting each disk individually, then assembling them into the array. In this way you get one thread per disk, rather than than one thread for the whole array.

Note: this is not about encrypting your boot disk. We'll save that for a different note.


# Install cryptsetup and format those disks. You could in theory use a partition rather than a whole disk if needed
apt-get install cryptsetup
cryptsetup luksFormat /dev/sdc
cryptsetup luksFormat /dev/sdd

# Now open them as mapped devices
cryptsetup luksOpen /dev/sdc crypt1
cryptsetup luksOpen /dev/sdd crypt2

# Create an array from the mapped devices and create a file system
mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/mapper/crypt1 /dev/mapper/crypt2
mkfs.xfs /dev/md0
mount /dev/md0 /mnt

If you want this partition to be mounted during boot, you'll need to create a keyfile and you can search for that info (I've not done it). If however, you just want to mount manually, here is a handy script to help with opening multiple disks (assuming you used the same password). We're using blkid here, since that's better for removable disks that tend to get shuffled around in their sdb, sdc, etc order.

# the the UUIDs with the blkid command
sudo blkid

/dev/sdc: UUID="21a70419-911a-4e6e-9e0a-b43d82f58532" TYPE="crypto_LUKS"
/dev/sdd: UUID="67ae3c98-0af2-4d32-bcb8-b545291aaaf9" TYPE="crypto_LUKS"

# put those in the following scripts
vim array_start

!/bin/bash

echo -n LUKS Password:
read -s PASSWORD
echo

echo $PASSWORD | sudo cryptsetup luksOpen /dev/disk/by-uuid/21a70419-911a-4e6e-9e0a-b43d82f58532 crypt1
echo $PASSWORD | sudo cryptsetup luksOpen /dev/disk/by-uuid/67ae3c98-0af2-4d32-bcb8-b545291aaaf9 crypt2


sudo mdadm --assemble --scan
sudo mount /dev/md0 /mnt



vim array_stop

#!/bin/bash

sudo umount /mnt

sudo cryptsetup luksClose crypt1
sudo cryptsetup luksClose crypt2

Tweaks

You'll notice the drives show up in the Unity Bar. You can right click and blacklist them, or adjust as in this article.

http://askubuntu.com/questions/195988/how-to-remove-launcher-drive-icons

Comments