LUKS, the Linux Unified Key Setup, is a utility used to conveniently set up disk encryption based on the dm-crypt kernel module. It's the tool most commonly used because it's popular across all distributions, it's been around for a long time, and it's very solid, very trusted and very fast. It's for Linux full disk encryption, and full disk encryption is incredibly important if you care about the data that is on your system and you care that it doesn't wander off somewhere it shouldn't and end up with someone else having access to it.

Now, this does not protect you against something happening to your computer while it's unlocked. Encryption is one of those tools that is meant to lock up your data at rest, and that's an important concept to remember. It won't really protect you from a lot of other attacks, but it will protect you from physical access to your device while it's off, if you've properly implemented it.

Now, the important part of implementing this: when you install your Linux distro, whether it's Debian based, Red Hat based or any of the many, many derivatives, pretty much all of the popular distributions offer the option to fully encrypt the drive. Not just home directory encryption (it works for that too), but you want to fully encrypt your drive. Why would you do this? As I said, if someone has, for example, wandered off with my laptop, my laptop has a lot of things on it, including my SSH keys, which allow access to some of my servers, and whatever other information I may have put on there. The best way to protect against this is having a LUKS encrypted partition, so if they were to take the drive out and try to examine the data on there, it would be well encrypted and very difficult to figure out.

Now, could you brute force it? Not easily. It can be done, obviously, because all of this is just protected with a password: if your password is password123, it's protected only until someone types in that set of characters and decrypts it. So it's important that you set a good password. What is also important is that you remember the password you set, because I've had people contact me going "hey, I lost access to my server, what's the easiest way to get around LUKS?" and I'm like, restore from backup. There's not an easy way. That being said, always make sure you have a backup, because encrypting their drives does make some people nervous: there is that higher risk that not only could you lose something from a hardware failure, now you have an extra layer of risk because you could have a memory failure, a real memory failure of your own memory, and forget the password. People have done that; they leave a machine off for a long time. So make sure you, you know, put it in a physical safe, put it somewhere, keep it in your head, whatever your methodology is for doing that. That's an important aspect of LUKS encryption: it is really good, and being good doesn't just keep the people you don't want out, it can keep you out as well.
So we're going to start with something simple. This is a 16 GB flash drive I have plugged in. It's formatted with the ext4 Linux filesystem, not encrypted, so that means any data I put on here could easily be read by any Linux machine without any encryption. This is just the Disks utility built into a bunch of distributions; it's particularly popular, and there's nothing you really have to do here to get encryption set up in terms of the command line or anything like that, it's pretty easy. So this is what it looks like unencrypted, and we're just going to go ahead and format the partition. I called it encrypted16, type Internal disk, ext4, password protected (LUKS).

Now, a couple of things: LUKS encryption is not well supported on Windows. There is an old project to try to get it on there, but on top of that it's formatting ext4, which is also not supported on Windows. Those two things are going to make it a challenge if you want this to be interoperable with Windows. This is focused only on Linux; encrypting on Windows is outside the scope of this talk. So we're going to hit next and enter a password.

Now I'm going to show the password. I don't know why it thinks 123$ is a good password, but at least it does know password123 is weak, so it won't even give you the option to click next until you have a decent password. Please use a decent password, because as strong as the encryption is, the encryption is only as good as the password you use to encrypt it, so an easy password easily defeats strong encryption. Let's go ahead, next, format, and it's going to automatically create the filesystem and create the encrypted partition all in one step.
All right, here's the drive now that it has LUKS encryption on it. This is where it may be a little bit confusing to look at: it looks like there are two partitions on the drive, 16 GB each, but in fact there is only one. The unlock area here shows that it is unlocked, so you can see "unlocked", and then we can mount it right here. So we're going to go ahead and stop this and lock it, and this is what the drive looks like locked.

Now, the way LUKS works, because it's working at the kernel level, it essentially wraps the device through the kernel and creates a new device. When it's not unlocked it does not create that extra device. What I mean is, right here is /dev/sdc, the name assigned to the thumb drive we put in, and when we unlock it with our fancy password 123 we get to see what's inside of that LUKS container: the kernel creates a device-mapper device that works like a normal, unlocked device. This is how it gets around having all of your applications understand anything about encryption: it's treated as just another drive, it just isn't mounted from /dev/sdc anymore. The encrypted device is /dev/sdc, and it's mapped to the unlocked device right here. Like I said, this is what makes LUKS very interesting and very easy to manage, because you don't have to have every application be aware; the kernel is aware and takes care of it for you once it's unlocked.

By default this utility creates just a single partition, so it's just one encrypted ext4 filesystem on here. Pretty simple, pretty easy to manage: anything you put on here is going to be encrypted with that same password, and if you plug this into any other Linux distro that has LUKS, which like I said is pretty much all of them since it has been around in the kernel since 2004, it's easily read on other Linux instances with the same password. So it's a great, secure way to put data onto thumb drives.
Let's now show you what it looks like from the operating system level. I set up an encrypted Debian system to give you an idea. I did this with full disk encryption chosen during the install: I installed Debian server with full encryption right from the get-go, and I'll show you how that looks. I created this as a VM in XCP-ng (in case you're not familiar, I have other videos on this). It's already booted, so we're just going to restart it and I'll show you what the boot process looks like on an encrypted drive in a VM.

Now, the good and bad of doing this: great for security. If someone were ever to take one of my backups of this particular VM they would not be able to boot it without the password, because when it boots up it loads the kernel (it needs at least the kernel to load so it can handle the LUKS decryption). This is the same as a full distro install on a laptop: it's going to ask for a password when it boots. Obviously this is easy when it's a laptop, difficult if you're in a virtual server environment, because you have to get console access to do this. Beyond the scope of this talk, there are ways to have it download a key file from a certain location to decrypt itself; those are other methodologies that can be done, and like I said, maybe a later video if there's enough interest. So now it's booted, we typed in the password, it finished the boot, so let's SSH into it.

All right, we are now logged in to that particular machine, and this is how it looks on the other side when you're logged in. The boot device is xvda, and xvda1 is the boot partition which contains the Linux kernel, so that's the part that starts unencrypted. After that it's xvda5, and xvda5 maps to this right here, the LVM root volume under /dev/mapper (the Debian installer names it after the hostname, like <hostname>--vg-root), which is the rest of the filesystem. So we can have all that encrypted: anything saved anywhere except /boot is going to be encrypted on this machine. All the databases, all the things I may store in here are completely and fully encrypted.
All right, so let's talk about how I know what is or isn't encrypted, to give you a better idea here. If we do fdisk -l /dev/xvda, it's a 30 GB disk I set up for this demo, and it tells you right here: this is the Linux boot partition, this is the extended partition, and this one shows as a Linux partition but is technically an encrypted partition. So fdisk sees it, but the only way to mount it is via cryptsetup. Let's also look at cryptsetup and how the command structure works for it. We're going to do cryptsetup luksDump /dev/xvda5.
This lists what they refer to as the key slots that are in there. For each LUKS encrypted device you can have multiple key slots, and each key slot is just a password; that password can be changed per key. These extra keys are not necessary, but it's neat that you can have them, because with them you can have two passwords that unlock the same LUKS encrypted drive. That way, if you ever wanted to revoke a second password but keep the primary password, you could later revoke it if there was some reason to do so. It also means different people can have different keys to restart the machine, which gives you different revocation methods. So just a thought: it is something that is built in, which I think is pretty slick.
Now, what about the volatility of this? Is there some risk added when you add LUKS encryption? Well, specifically the risk that's added is this right here: cryptsetup luksHeaderBackup /dev/xvda5 --header-backup-file luksheader.bin. I named it luksheader.bin. Why did I do that? This is where the challenge can come in with LUKS. LUKS relies on a header; the rest of the drive is noise. So if there's some data corruption on the drive you can't just run fsck against it to fix it, not if the header is corrupted. If some type of corruption messes up that header, you have lost the drive, because without that header stored at the start of the drive the rest of the drive cannot be decrypted. That is a critical piece of how LUKS works, so one of the recommended things, and it's up to you, is to back up the header .bin file.

I say it's up to you because the other way we handle it is we're less worried about backing up the header file; we back up the entirety of the data set itself. So if I ever had a problem with one of the volumes I have encrypted with LUKS, I'd shrug my shoulders and restore from backups as opposed to trying to use the header .bin. The risk with the header .bin is, of course, that now you have some of the information needed to restore that header being stored outside that system, which I guess you could put on a LUKS encrypted thumb drive as well, but then if it doesn't boot there's a process to getting that header restored. How do we get that header restored? It's actually pretty easy: luksHeaderBackup has a counterpart, luksHeaderRestore. Run that command, type yes, and it restores the header.
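A header backup is only useful if the file really contains a LUKS header plus the key-slot area that luksHeaderRestore needs. The following Python checker is an added example, not from the video and not part of cryptsetup. It reads only public fields of the on-disk header format (magic, version, LUKS1 key-slot states and payload offset; LUKS2 header size and the secondary header copy) and flags a truncated backup. The sample header it builds for its own demonstration is constructed, with zeroed salts and digests, and is not taken from a real device.

```python
"""Sanity-check a LUKS header backup file (output of cryptsetup luksHeaderBackup).

Added example for this walkthrough; not part of cryptsetup. It only reads
public header fields, never passphrases, and works offline on the file.
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 keeps a second header copy
LUKS1_PHDR_SIZE = 592                    # bytes in the LUKS1 header structure
LUKS1_SLOT_OFFSET, LUKS1_SLOT_SIZE, LUKS1_SLOTS = 208, 48, 8
LUKS1_KEY_ENABLED, LUKS1_KEY_DISABLED = 0x00AC71F3, 0x0000DEAD


def _cstr(buf):
    """Decode a NUL-padded ASCII header field."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks_header(data):
    """Describe a header backup; raise ValueError if it is not a usable LUKS header."""
    if data[:6] != LUKS_MAGIC:
        raise ValueError("bad magic: not a LUKS header (wrong file, or header corrupted)")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        if len(data) < LUKS1_PHDR_SIZE:
            raise ValueError("truncated LUKS1 header")
        enabled = []
        for slot in range(LUKS1_SLOTS):
            off = LUKS1_SLOT_OFFSET + slot * LUKS1_SLOT_SIZE
            state = struct.unpack(">I", data[off:off + 4])[0]
            if state == LUKS1_KEY_ENABLED:
                enabled.append(slot)
            elif state != LUKS1_KEY_DISABLED:
                raise ValueError(f"key slot {slot} has an invalid state; header corrupted?")
        # Each slot's key material sits between the header and the payload offset,
        # so a complete backup is at least payload_offset sectors (512 B) long.
        payload_sectors = struct.unpack(">I", data[104:108])[0]
        return {
            "version": 1,
            "cipher": f"{_cstr(data[8:40])}-{_cstr(data[40:72])}",
            "hash": _cstr(data[72:104]),
            "uuid": _cstr(data[168:208]),
            "enabled_slots": enabled,
            "complete": len(data) >= payload_sectors * 512,
        }
    if version == 2:
        hdr_size = struct.unpack(">Q", data[8:16])[0]
        # A LUKS2 backup holds both header copies plus the keyslot area; at the
        # very least the secondary header must start right after the primary one.
        complete = (len(data) >= 2 * hdr_size
                    and data[hdr_size:hdr_size + 6] == LUKS2_SECONDARY_MAGIC)
        return {
            "version": 2,
            "label": _cstr(data[24:72]),
            "uuid": _cstr(data[168:208]),
            "hdr_size": hdr_size,
            "complete": complete,
        }
    raise ValueError(f"unsupported LUKS version {version}")


def build_sample_luks1_header(enabled_slots, payload_sectors=8):
    """Construct a synthetic LUKS1 header for demonstration (constructed data,
    zeroed salts and digests; NOT a header from a real device)."""
    hdr = bytearray(payload_sectors * 512)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">I", hdr, 104, payload_sectors)
    struct.pack_into(">I", hdr, 108, 64)  # 512-bit master key
    hdr[168:204] = b"11111111-2222-3333-4444-555555555555"
    for slot in range(LUKS1_SLOTS):
        state = LUKS1_KEY_ENABLED if slot in enabled_slots else LUKS1_KEY_DISABLED
        struct.pack_into(">I", hdr, LUKS1_SLOT_OFFSET + slot * LUKS1_SLOT_SIZE, state)
    return bytes(hdr)


if __name__ == "__main__":
    # usage: check_luks_header.py luksheader.bin  (no argument: inspect the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_luks1_header([0, 1])
    print(inspect_luks_header(data))
```

Run it against the luksheader.bin you wrote with luksHeaderBackup; a result with "complete": False means the copy you are keeping would not be enough to restore the volume.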
Now, another thing about the way cryptsetup works: it is case sensitive. When you see things like create, luksFormat, luksKillSlot, luksResume, remove, resize, status, they're all case sensitive. It's not that it just happens to have an uppercase letter in there for luksOpen or luksHeaderBackup: if I were to type the same luksHeaderRestore command and just didn't capitalize the R, it won't work. So please note the case-sensitive nature of the LUKS commands.
So what about changing a password? I set my system up, it had me type a password, and now I want to change it. Do I have to re-encrypt the drive? No. Re-encrypting the drive is not necessary with LUKS; we can just use cryptsetup luksChangeKey. Now, you may have noticed that there are multiple key slots, and two of them are in use. What it does is it wants to know the password of the key I want changed: if I type a password, it matches that key. I typed one that didn't match on purpose: no key available with this passphrase. Let's try it again with the key that does match the passphrase, enter our new passphrase, verify the passphrase, it takes a second, and now this drive, once this pops back, is rekeyed so that on boot it has a different password. Please make sure you don't forget what you typed; that's obviously a really important factor in doing this, because it's that quick to rekey a drive, but if you forget the password, oops. I think I typed it wrong that time by accident. Let's change it again. Now we've rekeyed this drive; remember, this is the passphrase on boot.

When you do this you can also add new keys. There are options to do the same thing; the command is, I think it is, yeah, luksAddKey. So now we can add another passphrase that unlocks the drive. I think this is a good way to do it as well, as a sanity check: add a new key before you remove the old key. And luksRemoveKey is a way you can delete a key as well.
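The key-slot listing from luksDump above, and the add-before-remove sanity check just described, are easy to automate. The following Python is an added example, not from the video and not part of cryptsetup: it parses luksDump output for both LUKS1 and LUKS2 headers, reports which slots are used and free (so you know a slot is available before luksAddKey), and only calls a luksKillSlot safe when another enabled slot would remain, since removing the last key leaves nothing that can unlock the volume. The two dump texts are constructed to mimic luksDump's layout and are not captured from a real device.

```python
"""Parse `cryptsetup luksDump` output and report key-slot usage.

Added example for this walkthrough (not part of cryptsetup). The sample dump
texts are constructed to mimic luksDump's layout for LUKS1 and LUKS2; they
are not captured from a real device.
"""
import re

SLOT_COUNT = {1: 8, 2: 32}   # LUKS1 headers have 8 key slots, LUKS2 headers 32


def parse_luks_dump(text):
    """Return {'version': int, 'used': [slots...], 'free': [slots...]}."""
    version = None
    used = set()
    in_keyslots = False
    for line in text.splitlines():
        m = re.match(r"^Version:\s+(\d+)", line)
        if m:
            version = int(m.group(1))
            continue
        # LUKS1 style: "Key Slot 0: ENABLED" / "Key Slot 2: DISABLED"
        m = re.match(r"^Key Slot (\d+):\s+(ENABLED|DISABLED)", line)
        if m:
            if m.group(2) == "ENABLED":
                used.add(int(m.group(1)))
            continue
        # LUKS2 style: a "Keyslots:" section whose entries look like "  0: luks2",
        # each followed by tab-indented detail lines, until the next top-level section.
        if line.startswith("Keyslots:"):
            in_keyslots = True
            continue
        if in_keyslots:
            if line and not line[0].isspace():
                in_keyslots = False          # reached "Tokens:" or "Digests:"
                continue
            m = re.match(r"^ {1,4}(\d+):\s+\S+", line)
            if m:
                used.add(int(m.group(1)))
    if version not in SLOT_COUNT:
        raise ValueError("not luksDump output, or unsupported LUKS version")
    free = [s for s in range(SLOT_COUNT[version]) if s not in used]
    return {"version": version, "used": sorted(used), "free": free}


def safe_to_kill(info, slot):
    """luksKillSlot is only safe while another enabled slot remains; killing the
    last slot leaves no passphrase that can unlock the volume."""
    return slot in info["used"] and len(info["used"]) > 1


SAMPLE_LUKS1 = """LUKS header information for /dev/xvda5

Version:       \t1
Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha256
Payload offset:\t4096
MK bits:       \t512
UUID:          \t11111111-2222-3333-4444-555555555555

Key Slot 0: ENABLED
\tIterations:         \t100000
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: ENABLED
\tIterations:         \t100000
\tKey material offset:\t512
\tAF stripes:            \t4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

SAMPLE_LUKS2 = """LUKS header information
Version:       \t2
Epoch:         \t3
UUID:          \t11111111-2222-3333-4444-555555555555

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tcipher: aes-xts-plain64

Keyslots:
  0: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
  2: luks2
\tKey:        512 bits
\tPBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LUKS1, SAMPLE_LUKS2):
        info = parse_luks_dump(sample)
        print(info, "safe to kill slot 0:", safe_to_kill(info, 0))
```

To use it on a live system, feed it the real output (for example, `cryptsetup luksDump /dev/xvda5 | python3 -c 'import sys, luksslots; print(luksslots.parse_luks_dump(sys.stdin.read()))'` with the block saved as luksslots.py).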
So those are a couple of different factors. Now, another way to set up your servers so you don't have to get console access every single time you boot, because obviously that can be a pain, is to set up a second hard drive that you store your data on, and that is what's encrypted. That means you would be able to boot up your virtual machines. This is frequently the way we set them up: we don't necessarily load the whole virtual machine encrypted, but we attach a data drive to it that is encrypted. That way the machine will boot up, and I then have to actively log into the machine, because sometimes they're remote and far away where I can't easily get to them, and type in the password to decrypt the drive with the actual databases, where the files are kept, where the actual critical data is. This is a convenience over security trade-off: it's hard to get inside a data center and take a machine out, so you're less worried about that, and if you have the data on an encrypted partition, cool. But if you have to reboot the machine, which happens when there's a kernel update (I know you can use kernel live patching to avoid those), or there's an outage at the data center that causes the power to go out and come back on, physically logging into machines from a console can be challenging. So that's why you frequently want to load the machine, if it's a server, and then encrypt the data drive attached to it.
So let's cover that part and how that works. If we do fdisk -l we list out all the drives. We have the disk xvdb, which is the second, 15 GB hard drive, and we have the boot drive xvda that we're working on. We're going to start with xvdb, so let's make sure there are no partitions on it: nothing, free blank space. Now, the normal process is you'd create some partitions and do a mkfs on them, but we want this to be a LUKS encrypted drive, so we're going to create one. It starts with cryptsetup like they all do: cryptsetup luksFormat /dev/xvdb. Confirm with YES, and create a password for it. And that's it, we've created the LUKS container.

So now if we go back to cfdisk, it warns me that the device contains a crypto_LUKS signature, and if I write this I'd be overwriting that header and destroying it. We certainly don't want to do that. But there's no partition and we didn't format it. The GUI version, when we did this in the Disks utility, made it easy because it does all this in one step; this is what happens when you're doing it manually. So now we're going to go ahead and say cryptsetup luksOpen, because the only thing we did was create the container with a password; we didn't open it or mount it. So it's /dev/xvdb, because we're dealing with it as a device, and now we've got to give the device a name, which is where it shows up under /dev/mapper. We're going to call this datadrive (I misspelled it the first time; it's d-a-t-a-d-r-i-v-e, and it's case sensitive here). So cryptsetup luksOpen /dev/xvdb datadrive, which means unlock this partition and create datadrive. Type in the password. All right, now if we go over here to /dev/mapper, there is my datadrive.
Now let's look at how that's working behind the scenes. As I said, because this works at the kernel level, it creates a new device for each decrypted drive. That way, when you have these drives they are treated completely like any other hard drive, and the kernel is taking care of the whole abstraction layer of doing the encryption and decryption and getting the data to the device in an encrypted manner, but the programs accessing it access it like any other hard drive. So it added datadrive, and it's pointing at dm-3 behind the scenes, in case you're wondering. I did it that way to show you, but you can give it easy-to-remember names, and you can write scripts, obviously, to do this; this can all be scripted.
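To see the device-mapper view described here (datadrive pointing at dm-3) without going through the GUI, the following added Python example, not from the video, reads the same sysfs entries lsblk uses: /sys/block/dm-N/dm/name, /sys/block/dm-N/dm/uuid and the /sys/block/dm-N/slaves/ directory of devices underneath. cryptsetup tags its mappings with a dm UUID beginning CRYPT-LUKS, which is how the script tells a LUKS mapping apart from, say, an LVM volume. The sample tree it builds for its demo is constructed to mirror the walkthrough's layout (LUKS on xvda5 with LVM on top, and datadrive on xvdb) and is not read from a real machine; the LVM UUID in it is a placeholder.

```python
"""Show what sits behind /dev/mapper names by reading sysfs.

Added example for this walkthrough; not part of cryptsetup or lsblk. The
sample tree built by build_sample_sys_block() is constructed test data.
"""
import os
import tempfile


def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def list_dm_devices(sys_block="/sys/block"):
    """One record per device-mapper node: dm-N, mapper name, dm UUID, whether it
    is a cryptsetup (LUKS) mapping, and the block devices it is built on."""
    records = []
    if not os.path.isdir(sys_block):
        return records
    for node in sorted(os.listdir(sys_block)):
        if not node.startswith("dm-"):
            continue
        base = os.path.join(sys_block, node)
        uuid = _read(os.path.join(base, "dm", "uuid"))
        slaves_dir = os.path.join(base, "slaves")
        backing = sorted(os.listdir(slaves_dir)) if os.path.isdir(slaves_dir) else []
        records.append({
            "node": node,
            "name": _read(os.path.join(base, "dm", "name")),
            "uuid": uuid,
            # cryptsetup names its mappings CRYPT-LUKS1-<uuid>-<name> / CRYPT-LUKS2-...
            "luks": uuid.startswith("CRYPT-LUKS"),
            "backing": backing,
        })
    return records


def build_sample_sys_block(root):
    """Write a fake /sys/block tree under `root` (constructed test data mirroring
    the walkthrough: xvda5 -> dm-0 (LUKS) -> dm-1 (LVM root); xvdb -> dm-3)."""
    def add(node, name=None, uuid="", backing=()):
        os.makedirs(os.path.join(root, node, "slaves"), exist_ok=True)
        if name is not None:
            os.makedirs(os.path.join(root, node, "dm"), exist_ok=True)
            with open(os.path.join(root, node, "dm", "name"), "w") as fh:
                fh.write(name + "\n")
            with open(os.path.join(root, node, "dm", "uuid"), "w") as fh:
                fh.write(uuid + "\n")
        for dev in backing:   # on a real system these are symlinks; dirs suffice here
            os.makedirs(os.path.join(root, node, "slaves", dev), exist_ok=True)

    add("xvda")
    add("xvdb")
    add("dm-0", "xvda5_crypt",
        "CRYPT-LUKS1-11111111222233334444555555555555-xvda5_crypt", ["xvda5"])
    add("dm-1", "debian--vg-root", "LVM-constructedplaceholderuuid", ["dm-0"])
    add("dm-3", "datadrive",
        "CRYPT-LUKS2-66666666777788889999000000000000-datadrive", ["xvdb"])
    return root


def demo():
    """Build the sample tree in a temp dir and list it."""
    return list_dm_devices(build_sample_sys_block(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rec in demo():          # use list_dm_devices() with no argument on a live box
        kind = "LUKS" if rec["luks"] else "other dm"
        print(f"{rec['node']:6} {rec['name']:18} {kind:8} on {','.join(rec['backing'])}")
```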
So now that we've done that, the only thing we haven't done is create a filesystem, so we want to create the filesystem inside the encrypted container: mkfs.ext4 /dev/mapper/datadrive, because /dev/mapper is where it creates all the unlocked devices that can be treated like a normal block device. Once again, mkfs doesn't need any awareness of the encryption; it's taken care of at the kernel level, so it just runs mkfs as if this were any other storage device. Done. Now, what if I wanted to fsck that? I can do that too: if I needed to, fsck /dev/mapper/datadrive; you can use your standard fsck tools and everything else, it works just like a regular drive. And if we go over to /mnt/data, we would do mount /dev/mapper/datadrive /mnt/data, and it shows up like any other mounted drive.

So it's really simple how it works once you get the underlying concept: it's streaming through the kernel, which handles it behind the scenes. Everything you create with luksOpen adds another device under /dev/mapper (like I said, all this can be scripted), and then you choose where you want it to mount. It mounts, and all of your data goes inside of here; anything that goes inside /mnt/data is automatically encrypted underneath by LUKS. We can close this and open it again, and every time it reboots it does require the password to be put back in. Like I said, there are ways you can automate some of that, but of course at the risk of security. This is a good way to make sure all of your data is encrypted: you store all the data that's critical to the machine there, so the machine can be rebooted remotely, you SSH back in remotely and then manually mount the data drive back so whatever services are running on it can start. This is a good way, when you have a remote server setup, to lock down the data so it's encrypted in case anyone physically tries to take the server, because obviously that's really a big concern.
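Since, as said above, the whole luksFormat / luksOpen / mkfs.ext4 / mount sequence can be scripted, here is an added Python example of doing so (not from the video and not part of cryptsetup). It builds the exact command sequence from the walkthrough for a given device, mapper name and mount point, dry-runs by default, and before a real run refuses a device that is currently mounted or that lsblk already reports a filesystem, partition table or crypto_LUKS signature on, which is the overwrite cfdisk warned about. It also provides the reverse sequence (umount, luksClose) used after a reboot. The device, mapper name and mount point are the walkthrough's; the script name and its --run and --close flags are this example's own.

```python
"""Script the manual data-drive procedure from the walkthrough:
luksFormat -> luksOpen -> mkfs.ext4 -> mount, plus umount -> luksClose.

Added example, not from the video. It shells out to the real cryptsetup,
mkfs.ext4, mount and lsblk commands; run as root with --run. The default
is a dry run that only prints the plan.
"""
import re
import subprocess
import sys

# The mapper name becomes /dev/mapper/<name> and is case sensitive; keep it a token.
MAPPER_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def plan_setup(device, name, mountpoint):
    """Return the argv list for each step of creating an encrypted data drive."""
    if not MAPPER_NAME_RE.match(name):
        raise ValueError(f"bad mapper name {name!r}: letters, digits, '_', '.', '-' only")
    mapped = f"/dev/mapper/{name}"
    return [
        ["cryptsetup", "luksFormat", device],       # asks for YES and the passphrase
        ["cryptsetup", "luksOpen", device, name],   # unlock as /dev/mapper/<name>
        ["mkfs.ext4", mapped],                       # filesystem goes inside the container
        ["mkdir", "-p", mountpoint],
        ["mount", mapped, mountpoint],
    ]


def plan_teardown(name, mountpoint):
    """Unmount and lock the container again (the state it is in after every reboot)."""
    return [["umount", mountpoint], ["cryptsetup", "luksClose", name]]


def device_signatures(device):
    """Signatures lsblk reports for the device itself (no children): filesystem type
    and partition-table type. Empty means a blank device; 'crypto_LUKS' means it is
    already a LUKS container and luksFormat would destroy its header."""
    out = subprocess.run(["lsblk", "-dno", "FSTYPE,PTTYPE", device],
                         capture_output=True, text=True)
    return out.stdout.split()


def is_mounted(device, mounts_text=None):
    """True if `device` is a mount source in /proc/mounts (or in the text given)."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    return any(line.split()[0] == device
               for line in mounts_text.splitlines() if line.strip())


def run_plan(plan, dry_run=True):
    """Print each step and, unless dry_run, execute it; returns the step count."""
    for argv in plan:
        print("$", " ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)   # stop at the first failing step
    return len(plan)


def main(argv):
    if len(argv) < 4:
        print("usage: luks_data_drive.py DEVICE NAME MOUNTPOINT [--run] [--close]")
        return 2
    device, name, mountpoint = argv[1:4]
    dry_run = "--run" not in argv
    if "--close" in argv:
        run_plan(plan_teardown(name, mountpoint), dry_run)
        return 0
    if not dry_run:   # pre-flight checks only matter when we would really write
        if is_mounted(device):
            print(f"refusing: {device} is mounted")
            return 1
        sigs = device_signatures(device)
        if sigs:
            print(f"refusing: {device} already carries {' '.join(sigs)}")
            return 1
    run_plan(plan_setup(device, name, mountpoint), dry_run)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`python3 luks_data_drive.py /dev/xvdb datadrive /mnt/data` prints the five commands from the walkthrough; add `--run` (as root) to execute them, and `--close` to unmount and lock the container.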
So hopefully this was helpful and gives you an idea to get started with LUKS. It's amazingly easy to use once you have a few concepts down, and there's a lot of documentation for it. The last piece I'll leave you with is the Arch Linux wiki page on dm-crypt device encryption; it's outstanding in its detail of all the different things you can do, talking about how to do things with keys and all kinds of other functions. So there's a lot more to LUKS; this is just to get you started. If you have something really specific or different use cases there are a lot more expanded options, but this is great disk encryption. At the minimum you should be using it on any of your computers, whether it's a laptop or desktop, in case anyone ever walks off with the drives, or in case you have to send a drive out, you want to make sure that it is encrypted. It's trivial to use, and with modern processors that have AES instructions for encryption and decryption there's really not a speed loss; it's so minimal, it's not like you're having a performance issue when you encrypt it, which is wonderful about the way this works. So like I said, get started on it. If you want to continue the discussion I'll be posting this in my forums; if there's interest in some follow-up videos on how to do more things, let me know, and maybe I'll make a follow-up video or just answer the questions in the forums.
Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks for watching this video and see you next time.