
Linux Unified Key Setup (LUKS)

All the examples below assume you want to set up a btrfs pool on two disks, /dev/sdX and /dev/sdY, that will be used only for additional storage (neither disk holds /boot or /).

Prepare Disks

Before encrypting a drive, it is recommended to perform a secure erase of the disk by overwriting the entire drive with random data. To prevent cryptographic attacks or unwanted file recovery, this data is ideally indistinguishable from data later written by dm-crypt.

Source

There are multiple ways to prepare a disk, and the page linked above lists some other, potentially better, ones. Because I wanted to wipe my disks as quickly as possible and they were both the same size, I used a slightly more involved method. It produces the equivalent of /dev/urandom, only faster, by encrypting /dev/zero with AES in CTR mode under a throwaway key and writing the resulting keystream to the disks. To save even more time, tee and bash process substitution write the same stream to both drives at once, and pv shows the write speed and progress. Two things to expect: each dd exits with "No space left on device" once its disk is full, which is the normal end of the wipe, and because tee stops as soon as either output closes, feeding both drives from one stream only works when they are the same size.

# Throwaway key for the CTR keystream; it is never needed again.
PASS=$(tr -cd '[:alnum:]' < /dev/urandom | head -c128)
# Both disks are the same size, so one stream can feed both via tee.
# Each dd ends with "No space left on device" when its disk is full; that is expected.
# pv -s with the disk size gives a percentage and ETA instead of a bare byte count.
openssl enc -aes-256-ctr -pass pass:"$PASS" -nosalt < /dev/zero | dd ibs=4K | pv -s "$(blockdev --getsize64 /dev/sdX)" | tee >(dd obs=64K oflag=direct of=/dev/sdX) | dd obs=64K oflag=direct of=/dev/sdY

Partition

Although LUKS can be layered on top of redundant storage (btrfs or mdadm, with dm-integrity), for my uses it almost always makes sense to put those layers on top of LUKS instead: each disk is encrypted independently and the redundancy layer only ever sees the decrypted mappers. I also don't use LUKS for my boot drives, so each drive just needs a single partition spanning the whole disk.

sgdisk --clear --new=0:0:0 /dev/sdX
sgdisk --clear --new=0:0:0 /dev/sdY

Encrypt

Each partition has to be formatted as a LUKS container before it can be opened. luksFormat prompts for the passphrase and destroys whatever was on the partition; open then exposes the decrypted device under /dev/mapper, which is what the btrfs pool is built on.

cryptsetup luksFormat --type luks2 /dev/sdX1
cryptsetup luksFormat --type luks2 /dev/sdY1
cryptsetup open /dev/sdX1 cryptbtrpool_1
cryptsetup open /dev/sdY1 cryptbtrpool_2
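The steps above as one script, added here as an example and not code from the original page. It wipes (optionally), partitions, formats with LUKS2, opens, and builds the btrfs pool over the two mappers. Everything beyond the page's own commands is an assumption: the mapper names cryptbtrpool_1 and cryptbtrpool_2, a root-only keyfile at /root/btrpool.key instead of an interactive passphrase, the GPT type code 8309 (Linux LUKS) on the partitions, a btrfs raid1 profile, a `cryptsetup isLuks` check after each format, and a DRY_RUN=1 mode that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original page: wipe, partition, LUKS2
# format, open and btrfs pool for two data disks. Assumed names (not from
# the page): cryptbtrpool_1/_2, /root/btrpool.key, btrfs raid1, DRY_RUN.
set -eu

DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints commands only
WIPE="${WIPE:-0}"                       # WIPE=1 overwrites both disks first
KEYFILE="${KEYFILE:-/root/btrpool.key}" # assumed keyfile location

run() {
    # Echo each command, then execute it unless DRY_RUN=1 (set -e aborts on failure).
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

part_path() {
    # First partition node: /dev/sdX -> /dev/sdX1, /dev/nvme0n1 -> /dev/nvme0n1p1
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

wipe_disk() {
    # The page's method: an AES-256-CTR keystream over /dev/zero, which is as
    # good as /dev/urandom for this purpose and much faster. The key is a
    # throwaway, passed through the environment so it does not show in ps.
    # dd exits with ENOSPC once the disk is full; that is the expected end,
    # hence the "|| true".
    WIPE_PASS=$(tr -cd '[:alnum:]' < /dev/urandom | head -c 128)
    export WIPE_PASS
    run sh -c "openssl enc -aes-256-ctr -pass env:WIPE_PASS -nosalt < /dev/zero | dd bs=64K oflag=direct status=progress of='$1' || true"
    unset WIPE_PASS
}

partition_disk() {
    # One GPT partition spanning the disk, typed 8309 (Linux LUKS).
    run sgdisk --clear --new=0:0:0 --typecode=0:8309 "$1"
}

make_keyfile() {
    # 512 random bytes, created with mode 0600. Back it up: with no
    # passphrase slot, losing this file makes the pool unrecoverable.
    [ -e "$KEYFILE" ] && return 0
    run sh -c "umask 077 && head -c 512 /dev/urandom > '$KEYFILE'"
}

format_luks() {
    # LUKS2 with the argon2id PBKDF, keyed from the keyfile. --batch-mode
    # skips the interactive confirmation so the script can run unattended.
    run cryptsetup luksFormat --type luks2 --pbkdf argon2id --batch-mode --key-file "$KEYFILE" "$1"
    # Verify the header before trusting the device (skipped in dry run).
    [ "$DRY_RUN" = 1 ] || cryptsetup isLuks --type luks2 "$1"
}

open_luks() {
    # $1 = LUKS partition, $2 = mapper name -> /dev/mapper/$2
    run cryptsetup open --key-file "$KEYFILE" "$1" "$2"
}

setup_pool() {
    # $1 and $2 are the two whole-disk nodes, e.g. /dev/sdX /dev/sdY
    disk_a="$1"; disk_b="$2"
    if [ "$WIPE" = 1 ]; then
        wipe_disk "$disk_a"
        wipe_disk "$disk_b"
    fi
    partition_disk "$disk_a"
    partition_disk "$disk_b"
    make_keyfile
    format_luks "$(part_path "$disk_a")"
    format_luks "$(part_path "$disk_b")"
    open_luks "$(part_path "$disk_a")" cryptbtrpool_1
    open_luks "$(part_path "$disk_b")" cryptbtrpool_2
    # Assumed layout: btrfs with raid1 data and metadata across the two
    # mappers, so one failed disk does not lose the pool.
    run mkfs.btrfs -L btrpool -d raid1 -m raid1 /dev/mapper/cryptbtrpool_1 /dev/mapper/cryptbtrpool_2
}

# Usage: DRY_RUN=1 sh luks-btrpool.sh /dev/sdX /dev/sdY        (preview)
#        sudo WIPE=1 sh luks-btrpool.sh /dev/sdX /dev/sdY       (for real)
if [ "$#" -eq 2 ]; then
    setup_pool "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and read the printed command list before pointing it at real disks; the only step that is not idempotent is luksFormat, which destroys the existing header and data on the partition.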