Disc encryption


Check for and load the dm_crypt kernel module

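# Is the dm-crypt target already loaded? (lsmod lists it as dm_crypt)
lsmod | grep crypt
modprobe dm_crypt
lsmod | grep crypt
# Persist the autoload across reboots. The grep guard keeps the entry unique
# when this snippet is run more than once; if rc.modules does not exist yet,
# grep fails quietly (stderr discarded on purpose) and the echo creates it.
grep -qxF 'modprobe dm_crypt' /etc/rc.modules 2>/dev/null \
  || echo "modprobe dm_crypt" >> /etc/rc.modules
chmod +x /etc/rc.modules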

Create LVM logical volume

# Label the whole disk as an LVM physical volume. Treat the disk as empty:
# pvcreate writes its metadata over the start of /dev/xvdf.
pvcreate /dev/xvdf
# Volume group "data" backed by that single PV; vgs lists the result
vgcreate data /dev/xvdf
vgs
# One logical volume "d01" taking every free extent of the group; it appears
# as /dev/data/d01, the path the cryptsetup steps below operate on
lvcreate -l 100%FREE -n d01 data
lvs

Create a key file

dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Set up the volume for encrypted storage

cryptsetup luksFormat --key-file '/root/keyfile' /dev/data/d01

You can change the cipher suite

cryptsetup luksFormat --key-file '/root/keyfile' --cipher=aes-xts-plain /dev/data/d01

Or the key length

cryptsetup luksFormat --key-file '/root/keyfile' -s 128 /dev/data/d01

Verify the previous operation

cryptsetup luksDump /dev/data/d01

Open encrypted device

cryptsetup luksOpen --key-file '/root/keyfile' /dev/data/d01 d01_enc

Check status

cryptsetup -v status d01_enc
/dev/mapper/d01_enc is active.
 type:  LUKS1
 cipher:  aes-cbc-essiv:sha256
 keysize: 256 bits
 device:  /dev/mapper/data-d01
 offset:  4096 sectors
 size:    838848512 sectors
 mode:    read/write
Command successful.

Create a file system on it

mkfs.ext4 /dev/mapper/d01_enc

Create crypttab

# Unlock at boot via crypttab. Fields: mapper name, underlying device,
# key file, options. The key is read from /root/keyfile on the root
# filesystem, so the mapping opens unattended and the data is only as
# protected as that root filesystem (and any backup of it); this fits a data
# volume on a trusted root, not an encrypted root.
cat /etc/crypttab 
d01_enc /dev/data/d01 /root/keyfile luks

Add a record to fstab

# Mount the opened mapping. Fields: device, mount point, fs type, options,
# dump, fsck pass (2 = checked after the root filesystem). The device only
# exists once the crypttab entry above has opened it.
# NOTE(review): on most init systems a device missing at boot stalls on this
# entry; for a non-essential data volume the `nofail` option avoids that.
cat /etc/fstab 
/dev/mapper/d01_enc	/d01 ext4 defaults   1 2

Remove the crypto device

# Tear down in the reverse order of setup: unmount first, then close the
# mapping (luksClose refuses while the device is still in use)
umount /d01
cryptsetup luksClose d01_enc


Script to run I/O and latency tests with different encryption algorithms

#!/bin/bash
# 
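#######################################
# Benchmark one LUKS configuration per input line: format TDISK with the given
# cryptsetup options, open it, build ext4 on it, run bonnie++, tear it down.
# Globals:   TDISK (read) - block device that is REFORMATTED on every pass
# Arguments: none; option sets are read line by line from stdin
#            (one line = one configuration, e.g. "-c aes-cbc-plain -s 128")
# Outputs:   appends the option line followed by the bonnie++ result to
#            enc_test_out.txt (bonnie++ -r 3078 is its assumed RAM size in MiB)
# Returns:   0; a configuration whose setup fails is skipped
# The ECB and null-IV entries in the list are throughput baselines for this
# comparison only; they are not configurations to deploy on a real volume.
#######################################
function enc_test() {
  local -a opts
  # read -r -a splits the line into an array, so each flag reaches cryptsetup
  # as its own word without relying on an unquoted expansion
  while read -r -a opts; do
    cryptsetup luksFormat --key-file '/root/keyfile' "${opts[@]}" -q "$TDISK" || continue
    cryptsetup luksOpen --key-file '/root/keyfile' "$TDISK" d02_enc || continue
    # Only benchmark when the filesystem is really mounted: without this
    # check the test would silently run on /d02 of the root filesystem
    if mkfs.ext4 /dev/mapper/d02_enc && mount /dev/mapper/d02_enc /d02; then
      mkdir -p /d02/iotest
      printf '%s\n' "${opts[*]}" >> enc_test_out.txt
      bonnie++ -d /d02/iotest -r 3078 -u root -f -b -q >> enc_test_out.txt
      umount /d02
    fi
    cryptsetup luksClose d02_enc
  done <<EOM
-c aes-ecb-plain -s 128
-c aes-ecb-null -s 128
-c aes-ecb-benbi -s 128
-c aes-cbc-null -s 128
-c aes-cbc-benbi -s 128
-c aes-cbc-plain -s 128
-c aes -s 128
-s 128
EOM
}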
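# Encryptions on top of raw device
#
# disc + encryption + lvm
#
# disk + lvm + encryption
#
# TDISK is the device enc_test reformats on every pass. It can be overridden
# from the environment; refuse to run unless it really is a block device, so
# a typo cannot send luksFormat to the wrong path.
TDISK=${TDISK:-/dev/test/d02}
if [[ ! -b "$TDISK" ]]; then
  printf 'enc_test: %s is not a block device\n' "$TDISK" >&2
  exit 1
fi
# Section label for this run's results
printf '%s\n' "Encryption on top of LVM" >> enc_test_out.txt
enc_test
exit 0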