User Tools

Site Tools


Disk Encryption

You may want to encrypt your external disk to improve privacy (in case other people have physical access to your router) or so that you can securely reuse the disk later for another purpose if it's flash (see SSDs prove difficult to securely erase).

Install encryption packages:

# opkg install kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup

Install ext4 packages:

# opkg install kmod-fs-ext4 e2fsprogs

There are different ways of handling the encryption key. In this example we generate a new random key on every mount.

Don't follow these instructions blindly! Read the CryptSetup FAQ to learn more about the cryptsetup command.

The following command will create a standard encrypted container on the device or partition [encrypted-device] (eg. /dev/sda), and requires you to enter a passphrase that will be used to access the encrypted data later. WARNING: This will destroy anything on [encrypted-device]!

# cryptsetup luksFormat [encrypted-device]

This step may take a long time while /dev/random gathers enough entropy to generate the key. The security of the passphrase is based on it's strength and the number of iterations it is hashed… as the CPU on embedded systems is usually slow, it's advisable to force the use of a higher iteration count for simple passphrases: use the option –iter-time=[milliseconds] to increase the iteration count (default is usually 2000 milliseconds. Note: higher values will increase the time it takes to map the device, not access it once it's mounted).

To use the encrypted container, you must map a decrypted device… this must be done before the device can be formatted or mounted (eg. after each reboot). The following command creates a mapping called [map-name] (you can choose the name yourself, eg. crypt) – you must supply the same passphrase you used when performing luksFormat above.

# cryptsetup open [encrypted-device] [map-name]

Format and mount the (now available) decrypted device. [mount-point] is where you want the filesystem mounted (eg. /mnt):

# mkfs.ext4 /dev/mapper/[map-name]
# mount /dev/mapper/[map-name] [mount-point]

On a fresh reboot, you just need for perform the mapping and mount (Note: the mapping will require a passphrase)

# cryptsetup open [encrypted-device] [map-name]
# mount /dev/mapper/[map-name] [mount-point]


# umount [mount-point]
# cryptsetup close [map-name]


A video demonstration on OpenWrt 14.07 Barrier Breaker using LUKS: (broken link, 07.Mar.2016)

doc/howto/disk.encryption.txt · Last modified: 2016/06/25 20:54 by Snarflo