LUKS (Linux Unified Key Setup) volume encryption is used for all disks connected to CAcert servers. Generic information about LUKS can be found at

Encryption at system installation time

When installing a new operating system on a disk, encryption must be setup during that installation. Debian GNU/Linux 4.0 (Etch) allows for this. The following choices should be made during the installation process:

The passphrase should not be recorded in any digital system, but only written down on paper and given out to critical system administrators only. One copy should be given to CAcert Board for escrow purposes.

Encryption of additional system disks

When adding an extra disk to a system, encryption must be setup before putting data on the disk. The following procedure can be followed:

  1. partition the disk:
    1. if the disk is never to be used for booting, create a single large data partition
    2. if the disk needs to be bootable, create one small boot partition (which will not be encrypted), and one large data partition (which will be encrypted)
  2. measure speed for randominzing 100 MB of the disk:
      # dd if=/dev/urandom of=/dev/hdc5 bs=1024k count=100
  3. initialize the large data partition (assume its name is /dev/hdc5) with random data:
      # dd if=/dev/urandom of=/dev/hdc5 bs=1024k
  4. this will take a very long time, you can calculate from the size of the disk and the timing above how long; measured on has been 1.689 MB/sec, i.e. ~53 hours for 320 GB)
  5. (you can inspect the progress by a kill -USR1 pid-of-dd-process)
  6. (NOTE: there should be a faster way to do this, since the Debian installer can do it faster; need to investigate how it does it)
  7. initialize LUKS on the large data partition:
       # cryptsetup luksFormat /dev/hdc5
    • (will prompt twice for passphrase, use the passphrase of hda5)
  8. open the large data partition through LUKS:
       # cryptsetup luksOpen /dev/hdc5 hdc5_crypt
    • (will prompt again for passphrase)
  9. add the new encrypted partition to /etc/crypttab:
       # vi /etc/crypttab
    • add a line for hdc5_crypt similar to the line for hda5_crypt, so the result becomes:
         hda5_crypt /dev/hda5 none luks
         hdc5_crypt /dev/hdc5 none luks
  10. now you can use LVM to use the encrypted partition in any way desired, e.g.
       # pvcreate /dev/mapper/hdc5_crypt
       # vgcreate newvg /dev/mapper/hdc5_crypt
       # lvs
       # lvcreate -n newvol -L 200G newvg
       # pvs; vgs; lvs
       # mke2fs -j /dev/mapper/newvg-newvol

Other notes


SystemAdministration/Procedures/DiskEncryption (last edited 2009-03-20 16:20:42 by WytzevanderRaay)