Journal karniv0re's Journal: Security Initiative 2008: Updated

I have always used my Slashdot Journal as a log for my various IT activities over the years. It allows me to look back at how I solved a particular problem at one point in time. No surprise that I routinely look back at my Security Initiative 2008 journal entry when trying to remember how to format and encrypt a drive. But it's looking a little tired at this point. Back then we were using Blowfish and ReiserFS. And we had to manually define mounts. Things have gotten easier with Ubuntu, and encryption and file systems have advanced. So this is a post simplifying and updating that process.

First, let's take a look at the dmesg output:

[1513080.659665] usb 2-1: new SuperSpeed USB device number 3 using xhci_hcd
[1513080.680271] usb 2-1: New USB device found, idVendor=1058, idProduct=25a3
[1513080.680274] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[1513080.680275] usb 2-1: Product: Elements 25A3
[1513080.680277] usb 2-1: Manufacturer: Western Digital
[1513080.680278] usb 2-1: SerialNumber: 33574A48574B444A
[1513080.681042] usb-storage 2-1:1.0: USB Mass Storage device detected
[1513080.681161] scsi host8: usb-storage 2-1:1.0
[1513081.687955] scsi 8:0:0:0: Direct-Access WD Elements 25A3 1030 PQ: 0 ANSI: 6
[1513081.688180] sd 8:0:0:0: Attached scsi generic sg8 type 0
[1513081.688934] sd 8:0:0:0: [sdg] Spinning up disk...
[1513082.711627] .
[1513083.735608] .
[1513084.759599] .
[1513085.783591] .
[1513086.807577] .
[1513087.831568] .
[1513088.855549] .
[1513089.879541] .
[1513090.903532] .
[1513091.927481] .
[1513092.951469] .
[1513093.975492] .
[1513094.999526] .
[1513096.023435] .
[1513097.047454] .
[1513098.071413] .
[1513099.095429] .
[1513100.119418] .
[1513100.119557] ready
[1513100.119666] sd 8:0:0:0: [sdg] Very big device. Trying to use READ CAPACITY(16).
[1513100.119777] sd 8:0:0:0: [sdg] 35156590592 512-byte logical blocks: (xx.0 TB/xy.z TiB)
[1513100.119778] sd 8:0:0:0: [sdg] 4096-byte physical blocks
[1513100.119976] sd 8:0:0:0: [sdg] Write Protect is off
[1513100.119976] sd 8:0:0:0: [sdg] Mode Sense: 47 00 10 08
[1513100.120175] sd 8:0:0:0: [sdg] No Caching mode page found
[1513100.120178] sd 8:0:0:0: [sdg] Assuming drive cache: write through
[1513100.177682] sdg: sdg1
[1513100.178566] sd 8:0:0:0: [sdg] Attached SCSI disk
[1513825.458347] usb 2-5: USB disconnect, device number 2

I had tried running my old steps on this one only to encounter an error and put it aside for a few weeks. So we're basically starting from the beginning here.

First, we'll do our cryptsetup step. The default seems to be plenty secure nowadays, with cipher AES, mode xts-plain64, and hash spec sha256.


$ sudo cryptsetup --verbose --verify-passphrase --use-random luksFormat /dev/sdg1

WARNING!
========
This will overwrite data on /dev/sdg1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdg1:
Verify passphrase:
Command successful.

Now create a mountable logical partition that we will call cryptsys:

$ sudo cryptsetup luksOpen /dev/sdg1 cryptsys
Enter passphrase for /dev/sdg1:

This should show as a block device in /dev/mapper:

$ ls -l /dev/mapper

total 0
crw------- 1 root root 10, 236 May 8 21:53 control
lrwxrwxrwx 1 root root 7 May 26 10:59 cryptsys -> ../dm-3

Now we'll put a filesystem on the logical partition. We'll use ext4. Btrfs is expected to be the way forward, but ext4 is what we have today for a stable, reliable FS.

$ sudo mkfs.ext4 /dev/mapper/cryptsys
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 4394572800 4k blocks and 274661376 inodes
Filesystem UUID: 70fd510f-d742-40eb-9177-caf6049efeff
Superblock backups stored on blocks:
                32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
                4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
                102400000, 214990848, 512000000, 550731776, 644972544, 1934917632,
                2560000000, 3855122432

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

We no longer need to create mountpoints, as Ubuntu does this for us in /media/{user}/.

Though we will need to change ownership, as it will be under root.

$ cd /media/{user}/{device}
$ sudo chown -R {user}:{user} .

Now it would be a good idea to unmount the volume and reopen it (always choose "Forget password immediately") to verify your password works and the drive mounts fine.
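
A scripted check of the header created above, as an added example that is not part of the original journal entry: it parses `cryptsetup luksDump` output in the LUKS1 text layout and confirms the cipher, mode and hash named earlier, and that a key slot is enabled. The function names and the sample dump are constructed for illustration; LUKS2 headers print a different layout and are not handled.

```sh
#!/bin/sh
# Added example: validate the fields printed by `cryptsetup luksDump`
# (LUKS1 layout) against the values named in this entry.

# Constructed sample of LUKS1 luksDump output (not captured from the real drive).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdg1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# luks_field NAME: print the value of the "NAME: value" header line on stdin.
luks_field() {
    awk -F':[ \t]*' -v k="$1" '$1 == k { print $2; exit }'
}

# check_luks_header: read luksDump text on stdin; return 0 only if cipher,
# mode and hash match and at least one key slot is enabled.
check_luks_header() {
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | luks_field 'Cipher name')
    mode=$(printf '%s\n' "$dump" | luks_field 'Cipher mode')
    hash=$(printf '%s\n' "$dump" | luks_field 'Hash spec')
    bits=$(printf '%s\n' "$dump" | luks_field 'MK bits')
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    # XTS splits the master key in two, so 256 MK bits means AES-128.
    echo "cipher=$cipher-$mode hash=$hash mk_bits=$bits enabled_slots=$slots"
    [ "$cipher" = aes ] && [ "$mode" = xts-plain64 ] &&
        [ "$hash" = sha256 ] && [ "$slots" -ge 1 ]
}

# Real use (needs root): sudo cryptsetup luksDump /dev/sdg1 | check_luks_header
sample_dump | check_luks_header
```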

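Bonus: when archiving files, use rsync's archive mode (-a) to preserve timestamps and the like. The trailing slash on source/ copies the directory's contents, including top-level dotfiles that a source/* glob would skip:

$ rsync -ah --progress source/ destination/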
