
Re: Encrypting an External HDD



On 04/15/2015 08:01 AM, ken wrote:
> What options or features does one get by putting the LUKS container in a
> partition rather than putting it on a raw drive?

I am not aware of any technical advantages or disadvantages of LUKS on a raw drive vs. LUKS on a partition. For me, it's more a matter of personal habit/psychology in the face of several computers, many drives, and changing conditions over the years.


Prior to running encrypted drives, I used to wipe (zero) drives when I took them out of service. Since migrating to LUKS partitions, sometimes I wipe, sometimes I shred, and sometimes I just put the drive aside. So now when I grab a spare drive off the shelf, I look for a partition table:

1.  If the first megabyte has been zeroed:

	2015-04-15 08:54:44 root@t2250 ~
	# dd if=/dev/zero of=/dev/sdc bs=1M count=1
	1+0 records in
	1+0 records out
	1048576 bytes (1.0 MB) copied, 1.10429 s, 950 kB/s

	2015-04-15 08:56:11 root@t2250 ~
	# parted /dev/sdc u s p free
	Error: /dev/sdc: unrecognised disk label

2.  If the first megabyte has been filled with random numbers:

	2015-04-15 08:56:14 root@t2250 ~
	# dd if=/dev/urandom of=/dev/sdc bs=1M count=1
	1+0 records in
	1+0 records out
	1048576 bytes (1.0 MB) copied, 0.459263 s, 2.3 MB/s

	2015-04-15 08:56:41 root@t2250 ~
	# parted /dev/sdc u s p free
	Error: /dev/sdc: unrecognised disk label

3.  If the raw drive has a LUKS container:

	2015-04-15 08:56:54 root@t2250 ~
	# cryptsetup luksFormat /dev/sdc

	WARNING!
	========
	This will overwrite data on /dev/sdc irrevocably.

	Are you sure? (Type uppercase yes): YES
	Enter LUKS passphrase:
	Verify passphrase:

	2015-04-15 08:57:49 root@t2250 ~
	# parted /dev/sdc u s p free
	Error: /dev/sdc: unrecognised disk label


Note that the output of parted is the same for all three cases -- "Error: /dev/sdc: unrecognised disk label". So, if the drive had a raw LUKS container, I'd mistake it as zeroed or shredded, and proceed to destroy the data.


If the drive has a partition table and one large partition with a LUKS container:

	2015-04-15 08:57:52 root@t2250 ~
	# parted /dev/sdc mklabel gpt
	Information: You may need to update /etc/fstab.

	2015-04-15 09:00:00 root@t2250 ~
	# parted /dev/sdc mkpart primary 0% 100%
	Information: You may need to update /etc/fstab.

	2015-04-15 09:00:32 root@t2250 ~
	# cryptsetup luksFormat /dev/sdc1

	WARNING!
	========
	This will overwrite data on /dev/sdc1 irrevocably.

	Are you sure? (Type uppercase yes): YES
	Enter LUKS passphrase:
	Verify passphrase:

	2015-04-15 09:00:48 root@t2250 ~
	# parted /dev/sdc u s p free
	Model: SanDisk SanDisk Cruzer (scsi)
	Disk /dev/sdc: 7913471s
	Sector size (logical/physical): 512B/512B
	Partition Table: gpt

	Number  Start     End       Size      File system  Name     Flags
	        34s       2047s     2014s     Free Space
	 1      2048s     7911423s  7909376s               primary
	        7911424s  7913437s  2014s     Free Space


Now '/dev/sdc u s p free' shows a partition table with an entry, so I would be prompted to figure out what is in that partition. LUKS? LVM? ZFS? Something else? Better not stomp on it just yet...


David
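
Added example (not part of David's message): the three cases above look identical to parted, but the first bytes on the drive differ. This read-only sketch tells them apart by checking for the LUKS header magic, a GPT or MBR signature, or an all-zero first megabyte; the function names are hypothetical, 512-byte logical sectors are assumed, and the sample images are constructed.

```shell
#!/bin/sh
# Classify the start of a drive or image file before reusing it (reads only).

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# classify_drive FILE: print luks, gpt, mbr, zeroed or unknown
classify_drive() {
    dev=$1
    # LUKS1 and LUKS2 primary headers start with "LUKS" 0xBA 0xBE
    if [ "$(hex_at "$dev" 0 6)" = "4c554b53babe" ]; then
        echo luks; return
    fi
    # GPT header signature "EFI PART" at LBA 1; checked before MBR because
    # a GPT disk also carries a protective MBR
    if [ "$(hex_at "$dev" 512 8)" = "4546492050415254" ]; then
        echo gpt; return
    fi
    # MBR boot signature 0x55 0xAA at offset 510
    if [ "$(hex_at "$dev" 510 2)" = "55aa" ]; then
        echo mbr; return
    fi
    # Is the first MiB all zero bytes?
    nonzero=$(dd if="$dev" bs=1048576 count=1 2>/dev/null | tr -d '\000' | wc -c)
    if [ "$nonzero" -eq 0 ]; then
        echo zeroed; return
    fi
    # Random fill, a headerless container, or a filesystem on the raw device
    echo unknown
}

if [ $# -gt 0 ]; then
    classify_drive "$1"
else
    # No argument: run on constructed sample images, not real drives
    t=$(mktemp -d)
    dd if=/dev/zero of="$t/zero.img" bs=1024 count=1024 2>/dev/null
    cp "$t/zero.img" "$t/luks.img"
    printf 'LUKS\272\276' | dd of="$t/luks.img" conv=notrunc 2>/dev/null
    for f in zero luks; do
        echo "$f.img: $(classify_drive "$t/$f.img")"
    done
    rm -rf "$t"
fi
```

On a system with cryptsetup installed, `cryptsetup isLuks` performs the LUKS header check directly and reports the result through its exit status.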

