LinuxQuestions.org
Old 06-19-2023, 07:48 PM   #1
someone_
LQ Newbie
 
Registered: Jun 2023
Posts: 2

Rep: Reputation: 0
Encrypting whole device with LUKS


I have a block device called /dev/sdb. I want to know if it is possible to encrypt it completely, including the partition table.
I did
Code:
$ cryptsetup luksFormat -y -v /dev/sdb
$ cryptsetup open /dev/sdb usb
Then I created a new partition table and a partition with fdisk on /dev/mapper/usb:
Code:
Disk /dev/mapper/usb: 184 MiB, 192937984 bytes, 376832 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xca187b28

Device                Boot Start    End Sectors  Size Id Type
/dev/mapper/usb-part1       2048 376831  374784  183M 83 Linux
But the device fdisk is referring to does not exist.
I was able to use the created partition by doing
Code:
$ losetup /dev/loop0 /dev/sdb -o $(( 2048 * 512 ))
and then using /dev/loop0 as the partition device. I want to know if there is a better way of doing this, or a way to make the kernel automatically create the new partition device.
 
Old 06-20-2023, 07:47 AM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,163

Rep: Reputation: 4125
Have you rebooted? What happened/changed?

partprobe is a tool to force the kernel to re-read partition tables if you can't reboot.
 
1 members found this post helpful.
Old 06-20-2023, 09:23 AM   #3
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,786

Rep: Reputation: 2215
Quote:
Originally Posted by someone_
I was able to use the created partition by doing
Code:
$ losetup /dev/loop0 /dev/sdb -o $(( 2048 * 512 ))
and then using /dev/loop0 as the partition device. I want to know if there is a better way of doing this, or a way to make the kernel automatically create the new partition device.

That is bypassing the encryption and directly accessing the underlying device. Anything you write to that device will be unencrypted. You don't need to run cryptsetup at all to access it.

You need to run "partprobe /dev/mapper/usb" or "kpartx -a /dev/mapper/usb" to make the kernel recognize the partitions within that encrypted device.

Once you have done that, you will find that any attempt to luksClose that device will fail with "Device usb is still in use." You must first run "kpartx -d /dev/mapper/usb" to un-map the partitions (after unmounting them, of course).

Getting the partition(s) on that encrypted device recognized automatically will require some scripting, and will depend on whether the device is present at boot time or inserted later.
 
1 members found this post helpful.
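
The open, map and teardown order described in this post, written out as an added example (it is not part of the thread or any poster's code). The function names, the `DRY_RUN` switch and the `/mnt/usb` mount point in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: open a whole-disk LUKS container, map the partitions inside
# it, and tear everything down in the order the thread describes.
# DRY_RUN=1 prints each command instead of running it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Partition mapping must target the decrypted mapping, never the raw disk:
# anything addressed through the raw device bypasses the encryption.
require_mapper_path() {
    case "$1" in
        /dev/mapper/?*) return 0 ;;
        *) echo "refusing $1: not a /dev/mapper device" >&2; return 1 ;;
    esac
}

map_partitions() {   # map_partitions </dev/mapper/NAME>
    require_mapper_path "$1" || return 1
    run kpartx -a "$1"
}

open_container() {   # open_container <raw-device> <mapping-name>
    dev=$1 name=$2
    run cryptsetup open "$dev" "$name" || return 1
    map_partitions "/dev/mapper/$name"
}

close_container() {  # close_container <mapping-name> [mountpoint...]
    name=$1; shift
    for mnt in "$@"; do
        run umount "$mnt" || return 1
    done
    # Partition mappings keep the container busy; remove them before closing.
    run kpartx -d "/dev/mapper/$name" || return 1
    run cryptsetup close "$name"
}

# Usage: script.sh open /dev/sdb usb   |   script.sh close usb /mnt/usb
case "${1:-}" in
    open)  open_container "$2" "$3" ;;
    close) shift; close_container "$@" ;;
esac
```

Run it with `DRY_RUN=1` first to see the exact command sequence before touching a real device.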
Old 06-20-2023, 11:31 AM   #4
someone_
LQ Newbie
 
Registered: Jun 2023
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rknichols
That is bypassing the encryption and directly accessing the underlying device. Anything you write to that device will be unencrypted. You don't need to run cryptsetup at all to access it.

Yes, I'm sorry, I was pretty tired when I wrote this yesterday. What I actually did was "losetup /dev/loop0 /dev/mapper/usb -o $(( 2048 * 512 ))"

Quote:
Originally Posted by rknichols
You need to run "partprobe /dev/mapper/usb" or "kpartx -a /dev/mapper/usb" to make the kernel recognize the partitions within that encrypted device.
Quote:
Originally Posted by syg00
partprobe is a tool to force the kernel to re-read partition tables if you can't reboot.

Partprobe and kpartx were, indeed, the commands I was missing, thank you.

If it is some device inserted later, I have no way other than to create a shell script that would do all of this automatically, right?

And one last question: is there any specific reason why I did not find anything about encrypting the whole device and not just a partition? Is there any reason not to do it?
 
Old 06-20-2023, 06:40 PM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,786

Rep: Reputation: 2215
Quote:
Originally Posted by someone_
And one last question: is there any specific reason why I did not find anything about encrypting the whole device and not just a partition? Is there any reason not to do it?

Just the issues that you've run into. Various parts of the system tacitly assume that block devices other than floppy disks will be partitioned at the top level. If you don't partition at all, or partition in some other way, you can expect that it might not be straightforward to make it all work.
 
  


All times are GMT -5. The time now is 07:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration