• Encrypt Hard Drive Disk under Linux – LUKS and cryptsetup

    You want to add a new hard disk (or a new partition) to your Linux system, but it will hold private data, so you want it encrypted and accessible only to those who have the key.

    Be careful: there are some points to take into consideration before performing these actions:

    • The passphrases used for encryption are never saved, so be really careful not to lose them. If you do, it will be impossible to retrieve the data on this disk.
    • Encryption will impact your system's performance (due to the CPU usage of the encrypt/decrypt operations). Use this disk for passive data (avoid executable files, for example), and prefer a recent CPU with the AES instruction set (AES-NI) so that performance is improved.

    I am going to present here the encryption of a new disk (pretty small, a 1GB disk for the example) identified as /dev/sdb on the system:

    ~$ sudo fdisk -l /dev/sdb
    Disk /dev/sdb: 1073 MB, 1073741824 bytes
    255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000
    Disk /dev/sdb doesn't contain a valid partition table

    First of all, we need to install the tools, namely cryptsetup, which we will use to encrypt/decrypt our disk (it’s a system tool providing dm-crypt/LUKS encryption of a hard drive, a partition or even a file):

    ~$ sudo apt-get install cryptsetup

    We can now indicate that we want to encrypt our /dev/sdb disk using AES and the SHA-256 hash algorithm:

    ~$ sudo cryptsetup luksFormat -c aes -h sha256 /dev/sdb

    You will get a confirmation message to which you will have to type “YES” to validate. Then, you will be asked for the passphrase you want to use (this password won’t be saved, so don’t forget it!) to encrypt your data:

    This will overwrite data on /dev/sdb irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:

    If you want to add other keys for this encryption, you can do so with the following command:

    ~$ sudo cryptsetup luksAddKey /dev/sdb

    With this command, you can add up to 8 different keys for the disk, allowing up to 8 different users to access the data, each with their own passphrase.

    You can also check the state of the slots (used or not) at any time so you can manage the keys. For that, just use this command:

    ~$ sudo cryptsetup luksDump /dev/sdb
    LUKS header information for /dev/sdb
    Version:        1
    Cipher name:    aes
    Cipher mode:    cbc-plain
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      48 1c 08 25 ff 51 ad 53 ff f1 07 5d f9 b1 c2 10 21 70 d9 9e
    MK salt:        c4 6b b3 d5 b5 18 ac ce 2d e6 84 14 0b c3 74 82
                    46 7f 8a ae 77 29 85 34 70 7a 19 21 4b e5 ac 4c
    MK iterations:  22625
    UUID:           441706d5-9c07-4b33-bff0-ccd9232a0da3
    Key Slot 0: ENABLED
            Iterations:             90691
            Salt:                   38 3a 7c eb 7f 17 b3 72 eb 6d 7b 80 c9 f0 1e 77
                                    a5 56 28 a5 eb 7c 4a 1e b4 e4 a7 b9 e1 7c 88 b4
            Key material offset:    8
            AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
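
    As an added example (not part of the original post), this shell function summarises a LUKS1 luksDump like the one above: which key slots are in use and whether the cipher mode has predictable IVs. The cbc-plain mode in this dump takes each sector's IV from its sector number, whereas current cryptsetup releases default to aes-xts-plain64. The function name and verdict labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: summarise LUKS1 "cryptsetup luksDump" text read from stdin.
# Real use: sudo cryptsetup luksDump /dev/sdb | audit_luks_dump
audit_luks_dump() {
    awk '
        /^[ \t]*Cipher name:/ { name = $3 }
        /^[ \t]*Cipher mode:/ { mode = $3 }
        /^[ \t]*Key Slot [0-7]: ENABLED/ {
            slot = $3; sub(/:/, "", slot)
            used = used (used == "" ? "" : ",") slot
            n_used++
        }
        /^[ \t]*Key Slot [0-7]: DISABLED/ { n_free++ }
        END {
            verdict = "ok"
            # cbc-plain and cbc-plain64 take the IV from the sector number,
            # so the IV of every sector is predictable.
            if (mode ~ /^cbc-plain/) verdict = "predictable-iv"
            if (n_used + n_free == 0) verdict = "not-a-luks1-dump"
            printf "cipher=%s-%s slots_used=%s free=%d verdict=%s\n",
                   name, mode, (used == "" ? "none" : used), n_free, verdict
        }'
}

# Sample input: the dump shown above, with the salt and digest lines left out.
page_dump() {
cat <<'EOF'
LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

page_dump | audit_luks_dump
```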

    Now that the disk is encrypted, we need to create a file system on it so we can use it. First we unlock the disk and create a mapping with the custom name encrypteddata:

    ~$ sudo cryptsetup luksOpen /dev/sdb encrypteddata

    Right now, we can find this new mapping under /dev/mapper:

    ~$ ls /dev/mapper/
    control  encrypteddata

    We can now work with this new mapping. The mapping of an encrypted disk can be checked at any time with the status command of cryptsetup:

    ~$ sudo cryptsetup -v status encrypteddata
    /dev/mapper/encrypteddata is active.
      type:    LUKS1
      cipher:  aes-cbc-plain
      keysize: 256 bits
      device:  /dev/sdb
      offset:  4096 sectors
      size:    2093056 sectors
      mode:    read/write
    Command successful.

    Then we create an ext3 file system on the mapping:

    ~$ sudo mkfs.ext3 /dev/mapper/encrypteddata
    mke2fs 1.42 (29-Nov-2011)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    65408 inodes, 261632 blocks
    13081 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=268435456
    8 block groups
    32768 blocks per group, 32768 fragments per group
    8176 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (4096 blocks): done
    Writing superblocks and filesystem accounting information: done

    We are now able to mount our new decrypted disk on any local mount point to read/write its content:

    ~$ sudo mount -t ext3 /dev/mapper/encrypteddata /mnt/

    Our disk is now available on /mnt:

    ~$ ls /mnt/

    To close an encrypted disk, unmount it and then use the luksClose command:

    ~$ sudo umount /mnt
    ~$ sudo cryptsetup luksClose /dev/mapper/encrypteddata

    The disk is now closed and encrypted again until someone opens it.

    You can also choose to mount this disk automatically on system start-up. For that, use the /etc/crypttab file to define the encrypted volume configuration and then /etc/fstab to define its mount (as you would for a standard disk). With this mechanism, the key to decrypt the disk will be asked for on system start-up:

    ~$ cat /etc/crypttab
    encrypteddata   /dev/sdb        none       luks
    ~$ cat /etc/fstab
    # /etc/fstab: static file system information.
    /dev/mapper/encrypteddata       /mnt            ext3    defaults        0       1

    Warning: if there is already a line in /etc/fstab for this disk, you will need to comment it out so you don’t get any error on start-up.
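
    An added check (not part of the original post) that can be run over the two files before rebooting: it flags crypttab entries that name the disk by kernel device name, since /dev/sdb can be assigned to a different disk on another boot while a UUID= source cannot, and fstab entries under /dev/mapper with no matching crypttab name. The function name and finding labels are assumptions; the UUID is the one printed by luksDump above.

```shell
#!/bin/sh
# Added example: lint a crypttab/fstab pair before rebooting.
# Usage: lint_crypt_boot CRYPTTAB FSTAB  (one finding per line, none = clean)
lint_crypt_boot() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        FILENAME == ARGV[1] {                   # crypttab: name source key opts
            names[$1] = 1
            # Kernel names like /dev/sdb are assigned at boot and can change.
            if ($2 ~ /^\/dev\/(sd|hd|vd|nvme)/)
                print "unstable-source " $1 " " $2
            # A key file on disk unlocks the volume without any passphrase.
            if ($3 != "none" && $3 != "-" && $3 != "")
                print "key-file " $1 " " $3
            next
        }
        $1 ~ /^\/dev\/mapper\// {               # fstab: mapped devices only
            n = $1
            sub(/^\/dev\/mapper\//, "", n)
            if (!(n in names)) print "no-crypttab-entry " n
        }' "$1" "$2"
}

# Constructed sample files: the two entries from this page, then a UUID-based
# variant using the UUID printed by luksDump earlier on the page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'encrypteddata /dev/sdb none luks' > "$demo_dir/crypttab.page"
printf '%s\n' 'encrypteddata UUID=441706d5-9c07-4b33-bff0-ccd9232a0da3 none luks' \
    > "$demo_dir/crypttab.uuid"
printf '%s\n' '# /etc/fstab: static file system information.' \
    '/dev/mapper/encrypteddata /mnt ext3 defaults 0 1' > "$demo_dir/fstab"

echo "page crypttab: $(lint_crypt_boot "$demo_dir/crypttab.page" "$demo_dir/fstab")"
echo "uuid crypttab: $(lint_crypt_boot "$demo_dir/crypttab.uuid" "$demo_dir/fstab")"
```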

    Right now, you know how to encrypt your own disk 😉 !

  • Display local videos from PC to Chromecast

    If you would like to play local videos from your PC running Chrome on your Chromecast, you can use Plex Media Server, which is now fully compatible with Chromecast!
    For that, just follow the next steps:
    1. Download Plex Media Server (free) from: https://plex.tv/downloads (“Computer” version and not “NAS” if it’s for a PC usage).
    2. Install it.
    3. Perform the initial configuration and specify where your media files are located (the files you currently open in Chrome using file://…/…/…/xxx.avi). Plex will automatically create the media catalog for you.
    4. If the “Plex/Web” page is not already open in your browser, right-click the Plex icon in the Windows notification bar and choose “Media Manager”. This will open the “Plex/Web” page in your browser.
    5. On the “Plex/Web” page in your browser, find the media you want to watch and start it.
    6. Click on the Google Cast extension in Chrome (top right) when the video starts and send it to your Chromecast.

    Here you are, you can now perform video streaming of your local videos to your Chromecast!