Differences
This shows you the differences between two versions of the page.
| docs:guide-user:storage:disk.encryption [2019/05/13 04:42] – cat EOF fixed vgaetera | docs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Disk Encryption ====== | ====== Disk Encryption ====== | ||
| - | |||
| You may want to encrypt your external disk to improve privacy (in case other people have physical access to your router) or so that you can securely reuse the disk later for another purpose if it's flash (see [[http:// | You may want to encrypt your external disk to improve privacy (in case other people have physical access to your router) or so that you can securely reuse the disk later for another purpose if it's flash (see [[http:// | ||
| Line 6: | Line 5: | ||
| <code bash> | <code bash> | ||
| - | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup | + | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup |
| </ | </ | ||
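
Review bot: the package change on the `opkg install` line (kmod-crypto-iv replaced by kmod-crypto-seqiv) is not explained anywhere in the page; add a short sentence saying from which OpenWrt release the new package name applies, so a reader on an older release knows which of the two to install instead of hitting an "unknown package" error. The list also still carries kmod-crypto-ecb next to kmod-crypto-xts; a one-line note on what each kernel module is needed for would let readers trim the list for their own cipher choice and avoid the impression that ECB mode is being recommended for the disk itself.
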
| Line 15: | Line 14: | ||
| </ | </ | ||
| - | There are different ways of handling the encryption key. In this example we generate a new random key on every mount. | + | There are different ways of handling the encryption key. |
| + | In this example we generate a new random key on every mount. | ||
| | {{: | | {{: | ||
| - | The following command will create a standard encrypted container on the device or partition '' | + | The following command will create a standard encrypted container on the device or partition '' |
| + | WARNING: This will destroy anything on '' | ||
| <code bash> | <code bash> | ||
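
Review bot: the sentence "In this example we generate a new random key on every mount" describes volatile storage (a fresh key each time, so previous contents are unreadable after a remount), but the same hunk goes on to create a "standard encrypted container" that is formatted, mounted and later unlocked with a passphrase and a key-file, i.e. a persistent volume. State which key-handling approach the walkthrough actually uses, or move the random-key remark into a sentence listing it as an alternative, so a reader does not expect the data to vanish on remount. Splitting the WARNING onto its own line is a good change.
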
| Line 25: | Line 26: | ||
| </ | </ | ||
| - | This step may take a long time while ''/ | + | This step may take a long time while ''/ |
| + | The security of the passphrase is based on it's strength and the number of iterations it is hashed... as the CPU on embedded systems is usually slow, it's advisable to force the use of a higher iteration count for simple passphrases: | ||
| + | Note: higher values will increase the time it takes to map the device, not access it once it's mounted). | ||
| - | To use the encrypted container, you must map a decrypted device... this must be done before the device can be formatted or mounted (eg. after each reboot). | + | To use the encrypted container, you must map a decrypted device... this must be done before the device can be formatted or mounted (eg. after each reboot). |
| + | The following command creates a mapping called '' | ||
| <code bash> | <code bash> | ||
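
Review bot: in the new sentence on passphrase strength, "it's strength" should be "its strength", and the following "Note: ... not access it once it's mounted)." closes a parenthesis that was never opened. The ellipses ("... as the CPU", "device... this must be done") read as unfinished thoughts; a full stop or comma makes the two points (pick an iteration count, then map the device before formatting or mounting) easier to follow. The advice itself is right, and since the note already says the cost is paid only when the device is mapped, it is worth adding that the count should be chosen against the router's own slow CPU rather than a desktop, because the unlock happens on the router.
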
| Line 33: | Line 37: | ||
| </ | </ | ||
| - | Format and mount the (now available) decrypted device. | + | Format and mount the (now available) decrypted device. |
| + | '' | ||
| <code bash> | <code bash> | ||
| Line 56: | Line 61: | ||
| Automated: | Automated: | ||
| - | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ | + | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ |
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | |||
| + | '' | ||
| + | <code bash> | ||
| + | dd if=/ | ||
| + | </ | ||
| + | |||
| + | This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: | ||
| + | <code bash> | ||
| + | cryptsetup luksAddKey [encrypted-device] [path/ | ||
| + | </ | ||
| + | |||
| + | You will be prompted for the passphrase from above. | ||
| + | |||
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | '' | ||
| + | '' | ||
| + | |||
| + | [UUID] and [type-of-encryption] may be obtained from the output of: | ||
| + | <code bash> | ||
| + | block info | ||
| + | </ | ||
| + | |||
| + | '' | ||
| <code bash> | <code bash> | ||
| cat << " | cat << " | ||
| - | # note: this needs bash and awk installed | + | # note: this needs ash and awk installed |
| - | bash / | + | ash / |
| EOF | EOF | ||
| cat << " | cat << " | ||
| - | #!/bin/bash | + | #!/bin/ash |
| # Perform tasks when called by BLOCK hotplug (/ | # Perform tasks when called by BLOCK hotplug (/ | ||
| # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | ||
| # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | ||
| + | # Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30 | ||
| # Hotplug Vars: $ACTION (add/ | # Hotplug Vars: $ACTION (add/ | ||
| - | # logger -s "start decrypt luks" $DEVNAME $ACTION; | + | # logger -s "start decrypt luks" $DEVNAME $ACTION |
| - | [[ -z " | + | if [ -z " |
| - | msg() { logger -st " | + | then |
| + | | ||
| + | fi | ||
| - | if [[ ! " | + | msg() { |
| + | logger -st " | ||
| + | } | ||
| + | |||
| + | if [ " | ||
| then | then | ||
| - | | + | |
| - | exit 0; | + | exit 0 |
| fi | fi | ||
| - | if [[ " | + | if [[ " |
| then | then | ||
| - | | + | |
| - | # in / | + | # in / |
| - | block mount; | + | block mount |
| - | exit 0; | + | exit 0 |
| fi | fi | ||
| BID_RAW=" | BID_RAW=" | ||
| - | BID_UUID=" | + | BID_UUID=" |
| - | BID_TYPE=" | + | BID_TYPE=" |
| # Determine whether drive needs to be decrypted | # Determine whether drive needs to be decrypted | ||
| - | [[ ! -r "/ | + | if [[ ! -r "/ |
| + | then | ||
| + | | ||
| + | | ||
| + | fi | ||
| CT_RAW=" | CT_RAW=" | ||
| + | if [[ -z " | ||
| + | then | ||
| + | exit 0 | ||
| + | fi | ||
| - | if [[ -n " | + | CT_LABEL=" |
| - | | + | CT_KEYFILE=" |
| - | CT_KEYFILE=" | + | CT_TYPE=" |
| - | CT_TYPE=" | + | |
| - | # | + | |
| - | | + | if [[ -e "/ |
| + | then | ||
| msg "Drive already decrypted: $CT_LABEL" | msg "Drive already decrypted: $CT_LABEL" | ||
| exit 0 | exit 0 | ||
| - | | + | fi |
| - | | + | # Error Handling |
| - | if [[ ! -e " | + | if [[ ! -e " |
| + | then | ||
| msg " | msg " | ||
| exit 1 | exit 1 | ||
| - | | + | fi |
| - | if [[ ! " | + | if [[ ! " |
| + | then | ||
| msg " | msg " | ||
| exit 1 | exit 1 | ||
| - | fi | ||
| - | |||
| - | msg " | ||
| - | cryptsetup luksOpen "/ | ||
| - | CS_EXIT=" | ||
| - | case " | ||
| - | 0) if test -e "/ | ||
| - | msg "Drive decrypted: $CT_LABEL" | ||
| - | else | ||
| - | msg "Drive not found after decrypting: $CT_LABEL" | ||
| - | exit 1 | ||
| - | fi;; | ||
| - | 5) msg " | ||
| - | *) msg " | ||
| - | esac | ||
| - | |||
| fi | fi | ||
| + | |||
| + | msg " | ||
| + | cryptsetup luksOpen "/ | ||
| + | CS_EXIT=" | ||
| + | case " | ||
| + | 0) if [ -e "/ | ||
| + | then | ||
| + | msg "Drive decrypted: $CT_LABEL" | ||
| + | else | ||
| + | msg "Drive not found after decrypting: $CT_LABEL" | ||
| + | exit 1 | ||
| + | fi;; | ||
| + | 5) msg " | ||
| + | *) msg " | ||
| + | esac | ||
| EOF | EOF | ||
| </ | </ | ||
| The above script does not unmount or remove ''/ | The above script does not unmount or remove ''/ | ||
| + | |||
| ===== Example ===== | ===== Example ===== | ||
| A video demonstration on OpenWrt 14.07 Barrier Breaker using LUKS: [[https:// | A video demonstration on OpenWrt 14.07 Barrier Breaker using LUKS: [[https:// | ||
| + | |||
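
Review bot: the shebang and the hotplug stub now call `ash` (`#!/bin/ash`, `ash /...`), but most conditionals in the script still use the bash/ksh `[[ ... ]]` syntax (`if [[ "`, `if [[ ! -r "/`, `if [[ -z "`, `if [[ -e "/`, `if [[ ! -e "`, `if [[ ! "`) while three others were converted to `[ ... ]` (`if [ -z "`, `if [ "`, `0) if [ -e "/`). `[[` is a bash extension with no guaranteed behaviour in a POSIX/ash shell, so convert the remaining tests to `[ ... ]` with quoted operands for a consistent, portable script. Further points in this hunk: the key-file section creates the file with `dd` and registers it with `luksAddKey`, but no step restricts its permissions; add a `chmod 600` (root-owned) step right after the `dd` line. A key-file that the hotplug script reads unattended has to live on the router itself, so say plainly that anyone with physical access to the router can then unlock the disk; this narrows the "physical access to your router" privacy benefit stated at the top of the page to the disk-reuse case. In the header comment "apapted" should be "adapted". Finally, in the `case "` block after `CS_EXIT=`, the `0)` branch exits 1 when the mapped device is missing, but the `5)` and `*)` branches begin with `msg` only; make sure each ends with a non-zero `exit` so the hotplug log distinguishes a failed unlock from a successful one.
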