LUKS and btrfs

How to use LUKS with a btrfs filesystem on top.

Run these commands as root. Make sure your root password works in case you have to boot to emergency mode and fix mount issues.

This assumes you already have a btrfs pool to add encrypted devices to.

Start Screen

This is in case your SSH connection drops, as some commands can take a long time. The command below opens a new screen session, or reattaches to a detached one if there is one.

screen -D -RR

Find all the hardware

lshw

or just the block devices:

lsblk

Wipe the disk

This will wipe and overwrite any contents already on the disk. Note that on an SSD, wear levelling means shred cannot guarantee that every flash cell is overwritten.

Change x to match the device.

Note: This will take a LONG time

/usr/bin/shred --force --verbose --iterations=1 /dev/sdx

Create keyfile

Creates a keyfile for adding to the device later. The keyfile is stored unencrypted on the root filesystem, so it only protects the data device if the root filesystem is itself protected, and it must be readable by root only.

Change x to match the device.

mkdir -p -m 0700 /root/luks-btrfs-keyfiles
dd bs=512 count=4 if=/dev/urandom of=/root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x iflag=fullblock && chmod 0400 /root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x
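The keyfile step above, as an added example that is not part of the original guide: a small POSIX sh script that creates the keyfile directory with mode 0700, writes 2048 random bytes under a restrictive umask so the file is never readable by other users even briefly, refuses to overwrite an existing keyfile (which would silently lock you out of a device that still uses the old one), and a check function you can run before rebooting. The function names, the directory argument and the device letter are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# make_keyfile and check_keyfile are illustrative names; KEYDIR is whatever
# directory you keep LUKS keyfiles in (the guide uses /root/luks-btrfs-keyfiles).
set -eu

# make_keyfile DIR NAME
# Creates DIR with mode 0700 if missing, writes 2048 random bytes to DIR/NAME
# with mode 0400 and prints the path. Refuses to overwrite an existing keyfile.
make_keyfile() {
    dir=$1
    name=$2
    mkdir -p -m 0700 "$dir"
    chmod 0700 "$dir"          # mkdir -m does not change an existing directory
    keyfile="$dir/$name"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing keyfile $keyfile" >&2
        return 1
    fi
    # umask 077 inside a subshell: the file is created without group/other bits
    (umask 077 && dd bs=512 count=4 if=/dev/urandom of="$keyfile" iflag=fullblock 2>/dev/null)
    chmod 0400 "$keyfile"
    echo "$keyfile"
}

# check_keyfile FILE
# Returns 0 only if FILE is a regular file of exactly 2048 bytes with mode 0400.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing keyfile: $f" >&2; return 1; }
    size=$(wc -c < "$f")
    size=$((size))             # strip the padding some wc builds print
    [ "$size" -eq 2048 ] || { echo "unexpected size $size: $f" >&2; return 1; }
    # find -perm with a plain octal mode matches only that exact mode
    [ -n "$(find "$f" -perm 0400 -print)" ] || { echo "mode is not 0400: $f" >&2; return 1; }
    return 0
}

# Usage (as root, for device letter x):
#   kf=$(make_keyfile /root/luks-btrfs-keyfiles luks-btrfs-keyfile-x)
#   check_keyfile "$kf"
```

Run check_keyfile against every keyfile named in /etc/crypttab before rebooting; a keyfile that is missing, truncated or too permissive is found now rather than at the emergency-mode prompt.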

Create new encrypted device

Initializes a LUKS partition and sets the initial passphrase.

Change x to match the device.

cryptsetup --verify-passphrase --verbose luksFormat /dev/sdx

This will use the default cipher; if you want to change it, check the man page.

To benchmark different ciphers, run:

cryptsetup benchmark

Add keyfile to device

Change x to match the device.

cryptsetup luksAddKey /dev/sdx /root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x

Check results

Change x to match the device.

cryptsetup luksDump /dev/sdx

Update crypttab

Get the UUID from the luksDump output (it is also printed on its own by cryptsetup luksUUID /dev/sdx) and add it to the crypttab file:

vi /etc/crypttab

It should look like this:

One line per encrypted device. Change x to match each device, and use that device's own UUID and keyfile.

# <target name>  <source device>                            <key file>                                      <options>
luksx            UUID=12345678-1234-1234-1234-123456789abc  /root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x  luks,timeout=180
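The crypttab step above, as an added example that is not part of the original guide: POSIX sh functions that pull the UUID out of saved luksDump output, validate it, build the crypttab line in the format shown, and check whether /etc/crypttab already references that UUID so a device is not listed twice. The sample luksDump excerpt is constructed with a placeholder UUID; the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
set -eu

# Constructed, abbreviated luksDump output with a placeholder UUID (not a real device).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           12345678-1234-1234-1234-123456789abc
Label:          (no label)'

# uuid_from_dump: reads luksDump text on stdin, prints the UUID in lower case.
uuid_from_dump() {
    awk '$1 == "UUID:" { print tolower($2); exit }'
}

# valid_uuid UUID: succeeds only for the 8-4-4-4-12 hex form crypttab expects.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_line NAME UUID KEYFILE [OPTIONS]
# Prints one crypttab entry. The keyfile must be an absolute path, because
# crypttab is processed early in boot with no working directory to resolve against.
crypttab_line() {
    name=$1
    uuid=$2
    keyfile=$3
    opts=${4:-luks,timeout=180}
    valid_uuid "$uuid" || { echo "invalid UUID: $uuid" >&2; return 1; }
    case "$keyfile" in
        /*) ;;
        *) echo "keyfile must be an absolute path: $keyfile" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$keyfile" "$opts"
}

# crypttab_has_uuid FILE UUID: succeeds if FILE already has an entry for UUID.
crypttab_has_uuid() {
    grep -Eiq "UUID=$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# Usage (as root, for device letter x):
#   uuid=$(cryptsetup luksDump /dev/sdx | uuid_from_dump)
#   crypttab_has_uuid /etc/crypttab "$uuid" ||
#       crypttab_line luksx "$uuid" /root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x >> /etc/crypttab
```

Using the UUID rather than /dev/sdx as the source device matters here: device letters can change between boots when disks are added or removed, and a crypttab entry pointing at the wrong disk fails at boot or, worse, tries the keyfile against a device it was never meant for.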

Open container

Change x to match the device. This prompts for the passphrase; add --key-file /root/luks-btrfs-keyfiles/luks-btrfs-keyfile-x to open with the keyfile instead, which also confirms the keyfile slot works.

cryptsetup open /dev/sdx luksx

or

Reboot to test the crypttab file (make sure you have the root password in case there's an issue booting).

Run lsblk to show block devices; the opened container appears under /dev/sdx with the name luksx and type crypt.

Adding to a btrfs pool

Add the devices to a btrfs pool like any normal device, or use one to replace a failed btrfs device. Use the mapped path /dev/mapper/luksx, not the raw /dev/sdx, so that btrfs writes through the encryption layer.

btrfs dev add ...

or

btrfs replace start ...