6/11/2023 0 Comments Wipefs to remove btrfs![]() ![]() You can add and entry to /etc/fstab to easily mount the filesystem and you’re done. $ sudo mkfs.btrfs -label archive /dev/mapper/archive_cryptĪt this point we’re actually pretty much done. After digging around and trying to find a clean solution to fixing it, wipefs is your best option - supposedly newer versions can remove all traces. ![]() We could also have used /dev/urandom but the above technique is much faster. $ openssl rand -hex 32 | openssl enc -chacha20 -in /dev/zero -pass stdin -nosalt | sudo dd if=/dev/stdin of=/dev/mapper/sda_crypt bs=4096 status=progress This and other side-channel leaks can be mitigated by simply wiping the contents of the encrypted device. While the device is now encrypted, there is a possible leakage of metadata such as used blocks as an attacker can discern used vs unused blocks by examining the physical drive. You can test everything works so far by opening and loading the LUKS device: $ sudo cryptdisks_start archive_crypt discard should be used if the underlying device is an SSD. The noauto, means not to attempt to load the device automatically upon boot. The none parameter specifies that no keyfile is used and the system should prompt for an encryption passphrase instead. It will appear as /dev/mapper/archive_crypt when the device is mapped. The archive_crypt is the name for the mapped device. Where the UUID is obtained through lsblk /dev/sda -o UUID or a similar command. Add the following line to /etc/crypttab: archive_crypt UUID=114d42e5-6aeb-4af0-8758-b4cc79dd1ba0 none luks,discard,noauto The next step is to add an appropriate entry to crypttab which will simplify starting the dm-crypt mapping later. The command will prompt you to enter a passphrase for the encryption and should take a few seconds to complete. This will overwrite data on /dev/sda irrevocably.Īre you sure? (Type 'yes' in capital letters): YES $ sudo cryptsetup luksFormat -type=luks2 /dev/sda This is done using the cryptsetup utility. The next step is to actually format the drive using LUKS. Remove the -no-act flag to actually modify the disk. Assuming that the drive we operate is /dev/sda you can use the following command to remove the signatures: $ sudo wipefs -all /dev/sda -no-act This short tutorial will guide you in encrypting a drive with cryptsetup and LUKS scheme.īefore starting, if the device had previous data on it, it’s best to delete any filesystem signatures that may be on it. ![]()
0 Comments
Leave a Reply. |