USB device encrypted LVM on LUKS

Let’s encrypt an external USB hard disk drive. Become root and run lsblk. Then plug in the USB drive and run lsblk again to find its device name. In my case, it was sdb1, but yours might be different. Make sure you get it right, or bad things can happen to your other devices.

[root@slayer dth]# lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
...
sdb                       8:16   0   1.8T  0 disk  
└─sdb1                    8:17   0   1.8T  0 part  
...
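The device-name warning above can be enforced mechanically before any destructive step. The following is an added example, not part of the original post: a POSIX shell function (the name check_target and the sample lsblk lines are constructed for illustration) that accepts a disk only if it is a whole disk on the USB bus with nothing mounted on it or on any partition, LUKS mapping or logical volume beneath it.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check to run before
# shred, fdisk or cryptsetup luksFormat.
# Input format: output of  lsblk -P -o KNAME,PKNAME,TRAN,TYPE,MOUNTPOINT

# Constructed sample: sda = internal disk, sdb = fresh USB disk,
# sdc = USB disk already set up as in this guide and mounted on /mnt.
SAMPLE='KNAME="sda" PKNAME="" TRAN="sata" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TRAN="" TYPE="part" MOUNTPOINT="/"
KNAME="sdb" PKNAME="" TRAN="usb" TYPE="disk" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TRAN="" TYPE="part" MOUNTPOINT=""
KNAME="sdc" PKNAME="" TRAN="usb" TYPE="disk" MOUNTPOINT=""
KNAME="sdc1" PKNAME="sdc" TRAN="" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdc1" TRAN="" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TRAN="" TYPE="lvm" MOUNTPOINT="/mnt"'

# check_target DISK   (lsblk pairs output on stdin)
# Exit status 0 = safe to wipe; otherwise the reason goes to stderr.
check_target() {
  awk -v disk="$1" '
    # Return the value of key="value" on the current line ("" if absent).
    function val(key) {
      if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
      return substr(" " $0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      k = val("KNAME"); p = val("PKNAME"); m = val("MOUNTPOINT")
      if (k == disk) {
        found = 1; member[k] = 1
        if (val("TYPE") != "disk") why = why "not a whole disk; "
        if (val("TRAN") != "usb")  why = why "not on the USB bus; "
      } else if (p in member) {
        member[k] = 1   # partition, crypt mapping or LV below the disk
      }
      if ((k in member) && m != "") why = why k " is mounted on " m "; "
    }
    END {
      if (!found) why = "no such device; "
      if (why != "") { print disk ": " why > "/dev/stderr"; exit 1 }
    }'
}

# Demonstration on the constructed sample. On a live system, pipe
# lsblk -P -o KNAME,PKNAME,TRAN,TYPE,MOUNTPOINT into check_target instead.
printf '%s\n' "$SAMPLE" | check_target sdb && echo "sdb: ok to proceed"
```
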

Optional step: overwrite the existing data on the disk (warning: this can take hours)

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdb

Now delete the partitions on the USB device and create a new one. Then set its type to 83 (Linux), write the changes, and quit.

[root@slayer dth]# fdisk /dev/sdb

Welcome to fdisk (util-linux 2.29.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p
Disk /dev/sdb: 1.8 TiB, 2000398933504 bytes, 3907029167 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xb654607b

Device     Boot Start        End    Sectors  Size Id Type
/dev/sdb1        2048 3907024895 3907022848  1.8T  7 HPFS/NTFS/exFAT

Command (m for help): d
Selected partition 1
Partition 1 has been deleted.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): 

Using default response p.
Partition number (1-4, default 1): 
First sector (2048-3907029166, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-3907029166, default 3907029166): 

Created a new partition 1 of type 'Linux' and of size 1.8 TiB.
Partition #1 contains a ntfs signature.

Do you want to remove the signature? [Y]es/[N]o: Y

The signature will be removed by a write command.

Command (m for help): t
Selected partition 1
Partition type (type L to list all types): 83
Changed type of partition 'Linux' to 'Linux'.

Command (m for help): p
Disk /dev/sdb: 1.8 TiB, 2000398933504 bytes, 3907029167 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xb654607b

Device     Boot Start        End    Sectors  Size Id Type
/dev/sdb1        2048 3907029166 3907027119  1.8T 83 Linux

Command (m for help): wq
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Then format the new partition.

[root@slayer dth]# mkfs.ext4 /dev/sdb1
mke2fs 1.43.4 (31-Jan-2017)
/dev/sdb1 contains `DOS/MBR boot sector, code offset 0x52+2, sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 3907022847, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 09c323abb323a9a6a; contains Microsoft Windows XP/VISTA bootloader BOOTMGR' data
Proceed anyway? (y,N) y
Creating filesystem with 488378389 4k blocks and 122101760 inodes
Filesystem UUID: d261a5b2-df6e-42af-a48a-d49197c53c05
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
	102400000, 214990848

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Set a passphrase and encrypt the partition

[root@slayer dth]# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[root@slayer dth]# 

Open the encrypted partition as disk1

cryptsetup open --type luks /dev/sdb1 disk1

Create physical volume

pvcreate /dev/mapper/disk1

Check the physical volume

pvdisplay

Create volume group

vgcreate disk1vg /dev/mapper/disk1

Check the volume group

vgdisplay

Create logical volume using the entire free space

lvcreate -l 100%FREE -n disk1lv disk1vg

And check the logical volumes

lvdisplay

Format the encrypted logical volume and you're done.

mkfs.ext4 /dev/mapper/disk1vg-disk1lv

Mount disk1 to /mnt

mount /dev/mapper/disk1vg-disk1lv /mnt
