LUKS, the Linux Unified Key Setup. cryptsetup is the utility used to conveniently set up disk encryption based on the dm-crypt kernel module. This is the tool most commonly used because it's available across all distributions, it's been around for a long time, it's very solid, very trusted, very fast, and it's the standard for Linux full disk encryption. Full disk encryption is incredibly important if you care about the data on your system and you care that it doesn't wander off somewhere it shouldn't and end up in someone else's hands. Now, this does not protect you against something happening to your computer while it's unlocked. Encryption is a tool meant to lock up your data at rest. That's an important concept to remember: it won't protect you from a lot of other attacks, but it will protect you against someone with physical access to your device while it's off, if you've properly implemented it.

Now, the important parts of implementing this. When you install your Linux distro, whether it's Debian based, Red Hat based or any of the many derivatives, full disk encryption is one of the install options in pretty much all the popular distributions. Pick full disk encryption, not home-directory encryption. LUKS works for that too, but you want to fully encrypt the drive. Why would you do this? As I said, if someone has wandered off with my laptop, my laptop has a lot of things on it, including my SSH keys, which allow access to some of my servers, plus whatever other information I may have put on there. The best way to protect against this is a LUKS-encrypted partition. If they were to take the drive out and try to examine the data on it, it would be well encrypted and very difficult to read. Could you brute force it? Not easily, but it can be done.
Obviously you're protecting all of this with a password, so if your password is password123, it's protected only until someone types in that set of characters and decrypts it. So it's important that you set a good password. What is also important is that you remember the password you set, because I've had people contact me saying, hey, I lost access to my server, what's the easiest way to get around LUKS? I'm like: restore from backup. There is not an easy way. That being said, always make sure you have a backup, because encrypting drives does make some people nervous. There is a higher risk: not only could you lose something to a hardware failure, now you have an extra layer of risk because you could have a memory failure, a real failure of your own memory, and forget the password. People have done that; they leave a machine off for a long time. So put the password in a physical safe, put it somewhere, keep it in your head, whichever your methodology is, but that's an important aspect of LUKS encryption: it is really good, and being good doesn't just keep out the people you don't want, it can keep you out as well.

Okay, so we're going to start with something simple. This is a 16 GB flash drive I have plugged in. It's formatted with the ext4 Linux file system, not encrypted, so any data I put on there could easily be read by any Linux machine. I'm using the Disks utility that's built into a lot of distributions, in this case Pop!_OS, so there's nothing you have to do on the command line to get encryption set up. It's pretty easy. This is what the drive looks like unencrypted, and we're just going to go ahead and format the partition: volume name "encrypted16", type "Internal disk for use with Linux systems only (Ext4)", and tick "Password protect volume (LUKS)".
Now, a couple of things. LUKS is not well supported on Windows; there is an old project that tried to bring it over, and on top of that we're formatting as ext4, which is also not supported on Windows. Those two things are going to be a challenge if you want this to be interoperable with Windows. This is focused only on Linux; encrypting on Windows is outside the scope of this talk. So we go to Next and it wants a password. I'm going to show the password. I don't know why it thinks "$123" is a good password, but at least it does know that "password123" is weak. It won't even let you click Next until you have a decent password. Please use a decent password, because as strong as the encryption is, it is only as good as the password you use to encrypt it. An easy password easily defeats strong encryption. Let's go ahead, Next, Format, and it automatically creates the encrypted partition and the file system inside it in one step.

All right, here's the drive now that it has LUKS encryption on it. This is where it may be a little confusing to look at: it looks like there are two partitions on the drive, 16 GB each, but in fact there is only one. The unlock icon right here shows that it is unlocked, and then we can mount it. We're going to go ahead and stop it and lock it, and this is what the drive looks like locked. The way LUKS works, because it operates at the kernel level, is that the kernel wraps the device and creates a new device for the unlocked contents. When it's not unlocked, that extra device doesn't exist; all you have is /dev/sdc, the name assigned to the thumb drive we plugged in. When we unlock it with our fancy password123, we get to see what's inside the LUKS container: the kernel creates a device-mapper device that works like a normal, unlocked drive.
This is how it gets around having every application understand anything about encryption. It's treated as just another drive. The encrypted data lives on /dev/sdc, and the unlocked view is mapped to the device-mapper node shown here. Like I said, this is what makes LUKS very interesting and very easy to manage: you don't have to make every application aware, because the kernel is aware and takes care of it for you once it's unlocked. By default this utility creates a single partition, so it's just one encrypted ext4 file system. Pretty simple, pretty easy to manage, and anything you put on here is encrypted. With that same password you can plug this into any other Linux system that has LUKS, which like I said is pretty much all of them; it has been in the kernel since around 2004, so it's easily read on other Linux instances with the same password. It's a great, secure way to put data onto thumb drives.

Now let's show you what it looks like at the operating system level. I set up an encrypted Debian system to give you an idea. I did this with full disk encryption chosen at install time: when I installed this Debian server I chose full encryption right from the get-go, and I'm going to show you how that looks. I created this in a virtual machine on XCP-ng; in case you're not familiar with it, I have other videos on that. It's already booted, so I'll log in and we're just going to restart it, and I'll show you what the boot process looks like for an encrypted drive in a VM.
Now, the good and bad of doing this. It's great for security: if someone were ever to take one of my backups of this particular VM, they would not be able to boot it without the password. When it boots up it loads the kernel, because at least the kernel has to load unencrypted so it can unlock the LUKS volume and stream the decrypted data. It's the same if you do a full distro install on a laptop: it's going to ask for a password at boot. That's easy when it's a laptop, difficult in a virtual server environment, because you have to get console access to type it. Beyond the scope of this talk, there are ways to have it fetch a key file from a certain location to unlock itself; those are other methodologies, maybe a later video if there's enough interest. So now it's booted, we typed in the password, it finished the boot. Let's SSH into it.

All right, we are now logged into that machine. This is how it looks from the other side. The boot device is /dev/xvda. /dev/xvda1 is the boot partition, which contains the Linux kernel; that's the part that starts unencrypted. After that comes /dev/xvda5, and /dev/xvda5 maps to /dev/mapper/encrypted-vg-root right here, which is the rest of the file system. So anything saved anywhere except /boot is encrypted on this machine: all the databases, all the things I may store on here, are completely encrypted. All right, so let's talk about how I know what is or isn't encrypted.
To give you a better idea, if we do fdisk -l /dev/xvda: it's a 30 GB disk I set up for this demo, and it shows the Linux boot partition, the extended partition, and a partition that shows as type "Linux" but is technically an encrypted partition. fdisk sees it, but the only way to get at the contents is through cryptsetup. So let's also talk about cryptsetup and how its command structure works. We're going to do cryptsetup luksDump /dev/xvda5, and what this does is list what they refer to as the key slots. For each LUKS-encrypted device you can have multiple key slots, and each key slot is a passphrase that unlocks the volume. The passphrase in each slot can be changed independently. Extra keys aren't necessary, but they're neat, because you can have two passwords that unlock the same LUKS drive. That way, if you ever wanted to revoke the second password but keep the primary, you could do that later; it also means different people can have different keys to restart the machine. It gives you different revocation methods, so just a thought; it's built in and I think it's pretty slick.

Now, what about the fragility of this? Obviously there's some risk added when you add LUKS encryption. Specifically, the risk that's added is right here: cryptsetup luksHeaderBackup /dev/xvda5 --header-backup-file luksheader.bin (I just named the file luksheader.bin). Why did I do that? This is where the challenge can come in with LUKS. LUKS relies on the header stored at the start of the device; the rest of the drive is indistinguishable from noise. So if there's data corruption on the drive you can't just run fsck against it to fix it, not if the header is corrupted.
If corruption hits that header, you have lost the drive, because without that header at the start of the device the rest of the drive cannot be decrypted. That is a critical piece of how LUKS works. So one of the recommended things, and it's up to you, is to back up the header. I say it's up to you because the other way we handle it is we're less worried about backing up the header; we back up the entirety of the data set itself. So if I ever lost one of the volumes I have encrypted with LUKS, I would shrug my shoulders and restore from backup as opposed to trying to restore the header. The risk with the header backup is, of course, that the header contains the key material, so you're now storing a sensitive piece of the puzzle outside that system. I guess you could put it on a LUKS-encrypted thumb drive as well, but then if the system doesn't boot there's a process to getting the header restored. How do we restore it? It's actually pretty easy. That was luksHeaderBackup; there's a luksHeaderRestore command. You type in YES and it restores the header.

Now, another thing about the way cryptsetup works: it is case sensitive. When you see things like create, luksFormat, luksKillSlot, luksResume, remove, resize and status, they're all case sensitive. It's not just that luksOpen or luksHeaderBackup happen to have an uppercase letter in them; if I typed luksHeaderRestore without the capital R, it won't work. So please note the case sensitivity of the LUKS commands.

So what about changing a password? I set my system up, it had me type a password, and I want to change it. Do I have to re-encrypt the drive? No. Re-encrypting the drive is not necessary with LUKS; we can just do cryptsetup luksChangeKey. Now, you may have noticed that there are multiple key slots and two of them are in use.
What luksChangeKey does is ask for the passphrase of the key slot I want to change. If I type a passphrase that doesn't match any key, which I did on purpose, it says: no key available with this passphrase. Let's try again. I type the passphrase that does match, then our new passphrase, verify the passphrase, and it takes a second. Once this comes back, the drive has a different passphrase at boot (the data itself is not re-encrypted; only the key slot is updated). Please make sure you don't forget what you typed. That's obviously a really important factor, because it's that quick to change the passphrase, but if you forget it... oops, I think I typed it wrong that time by accident, and the passphrase has been changed. Let me change it back. Now we've changed it again.

Remember, this is the passphrase asked for at boot. You can also add a new key; the command is luksAddKey. So now we can add another passphrase to unlock this drive. As a sanity check, it's a good idea to add a new key before you remove the old one, and there's a way to delete a key as well. Those are a couple of different factors.

Now, another way to set up your server so you don't have to get console access every single time you boot, which obviously can be a pain, is to set up a second hard drive for your data that is encrypted. That means you can boot your virtual machines unattended. This is frequently the way we set them up: we don't load the whole virtual machine encrypted, but we attach a data drive to it that is encrypted. The machine boots up, then I actively log into it, because these are sometimes remote and far away where I can't easily get to them, and type in the password to unlock the drive holding the databases and files, the actual critical data.
This is convenience over security. It's hard to get inside a data center and take a machine out, so you're a little less worried about that, and the data is still in an encrypted partition, which is cool. But if you have to reboot the machine, which happens when there's a kernel update (I know you can use Ksplice to avoid those), or there's an outage at the data center that causes the power to go out and come back on, logging into machines from console access can be challenging. That's why you frequently want to boot the machine normally if it's a server and encrypt the data drive attached to it. So let's cover how that works.

If we do fdisk -l, we list all the drives. We have /dev/xvdb, the second 15 GB hard drive, and we have the boot drive /dev/xvda we've been working on. Let's make sure there are no partitions on /dev/xvdb: nothing, free blank space. Now, normally you'd create some partitions and run mkfs on them, but we want this to be a LUKS-encrypted drive, so we start, like all the LUKS operations, with the cryptsetup command: cryptsetup luksFormat /dev/xvdb. Yes, we want to destroy what's on it, so type YES in capital letters, then create a password for it. And that's it, we've created the LUKS container. Now if we go back to cfdisk, it warns me that there's a crypto_LUKS signature on there and that writing a partition table would overwrite the header and destroy it. We certainly don't want to do that. There's no partition and we didn't create a file system. The GUI version makes this easy because it does all of this in one step; this is what happens when you do it manually. So now we're going to do cryptsetup luksOpen, because the only thing we've done is create the container with a password; we haven't opened it or mounted it.
It's /dev/xvdb because we're dealing with it as a device. Then we give it the name it should show up under in /dev/mapper; we're going to call this datadrive (case matters here too). So cryptsetup luksOpen /dev/xvdb datadrive means unlock this device and create /dev/mapper/datadrive. Type in the password. All right, now if we look in /dev/mapper, there is my datadrive. Let's look at how that's working behind the scenes. As I said, because this works at the kernel level, it creates a new device for each unlocked drive. That way these drives are treated like any other hard drive: the kernel handles the abstraction layer, encrypting and decrypting and getting the data to the physical device in encrypted form, while your programs access it like any other hard drive. So it added datadrive, and behind the scenes it points at /dev/dm-3, in case you're wondering why I showed it that way. You can give it easier-to-remember names and you can obviously write scripts to do this; this can all be scripted. So now the only thing we haven't done is create a file system. Like I said, we want to create the file system inside the encrypted container, so we run mkfs.ext4 /dev/mapper/datadrive, because /dev/mapper is where the unlocked devices live that can be treated like normal block devices. Once again, mkfs doesn't need any awareness of the encryption; it's taken care of at the kernel level, so mkfs formats it as if it were any other storage device. Done. Now what if I wanted to fsck it? I can do that.
If I needed to fsck /dev/mapper/datadrive, I can use the standard fsck tools and everything else; it works just like a regular drive. And if we go to /mnt and mkdir data, we can mount /dev/mapper/datadrive /mnt/data, and it shows up like any other mounted drive. So it's really simple once you get the concept that it's streaming through the kernel and handled behind the scenes. Everything you open with luksOpen adds another device in /dev/mapper, and like I said this can all be scripted, and then you choose where you want to mount it. All of your data goes inside here, and anything that goes into /mnt/data is automatically encrypted on the LUKS side. We can close it and open it again; every time the machine reboots it requires the password to be put back in. Like I said, there are ways you can automate some of that, at the cost of some security, but this is a good way to make sure all of your critical data is encrypted: store it on the data drive, so the machine can be rebooted remotely, you SSH back in, manually unlock and mount the data drive, and whatever services run on it can start. This is a good way, when you have remote servers, to lock down the data so it's encrypted in case anyone physically tries to take the server, because obviously that's a big concern. So hopefully this was helpful and gives you an idea of how to get started with LUKS. It's amazingly easy to use once you have a few concepts down, and there's a lot of documentation for it. The last piece I'll leave you with is the Arch Linux wiki page on dm-crypt device encryption.
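The manual data-drive procedure above, together with the header backup and the add-a-key-before-removing-one passphrase rotation from earlier, written as one script. This is an added example, not code from the video or from Lawrence Systems. The device /dev/xvdb, the mapper name datadrive and the mount point /mnt/data follow the demo; the backup path /root/luksheader.bin and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the video): scripts the manual LUKS data-drive
# procedure (luksFormat, luksOpen, mkfs.ext4, mount), the header backup and a
# safe passphrase rotation. Assumed values (hypothetical): device /dev/xvdb,
# mapper name "datadrive", mount point /mnt/data, backup /root/luksheader.bin.
# Run as root. With DRY_RUN=1 the exact command lines are printed, not executed.
set -eu

DEV="${DEV:-/dev/xvdb}"
NAME="${NAME:-datadrive}"
MNT="${MNT:-/mnt/data}"
HDR="${HDR:-/root/luksheader.bin}"

# run: execute a command, or print it verbatim under DRY_RUN.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Refuse to luksFormat a device that already carries a LUKS header: that would
# overwrite the header and, as the cfdisk warning says, destroy the data.
check_not_luks() {
  if [ "${DRY_RUN:-0}" != "1" ] && cryptsetup isLuks "$1" 2>/dev/null; then
    echo "refusing to format: $1 already has a LUKS header" >&2
    return 1
  fi
}

# Create the container, unlock it, put ext4 inside it and mount it.
# Note the mixed case: luksFormat and luksOpen are case sensitive.
setup_data_drive() {
  check_not_luks "$DEV"
  run cryptsetup luksFormat "$DEV"              # asks you to type YES, then a passphrase
  run cryptsetup luksOpen "$DEV" "$NAME"        # kernel creates /dev/mapper/$NAME
  run mkfs.ext4 "/dev/mapper/$NAME"             # mkfs is unaware of the encryption
  run mkdir -p "$MNT"
  run mount "/dev/mapper/$NAME" "$MNT"
}

# Back up the LUKS header; without it the rest of the device is noise.
backup_header() {
  run cryptsetup luksHeaderBackup "$DEV" --header-backup-file "$HDR"
  run chmod 600 "$HDR"                          # holds key material: an old backup still accepts passphrases revoked later
}

# Rotate a passphrase without re-encrypting: add the new one first, prove it
# unlocks, and only then kill the old slot so you can never lock yourself out.
rotate_passphrase() {
  run cryptsetup luksAddKey "$DEV"              # prompts: an existing passphrase, then the new one
  run cryptsetup open --test-passphrase "$DEV"  # verifies the new passphrase, activates nothing
  run cryptsetup luksDump "$DEV"                # confirm both key slots are enabled
  run cryptsetup luksKillSlot "$DEV" "$1"       # remove the old slot; prompts for a remaining passphrase
}

# Unmount and lock; /dev/mapper/$NAME disappears until the next luksOpen.
close_data_drive() {
  run umount "$MNT"
  run cryptsetup luksClose "$NAME"
}

case "${1:-}" in
  setup)  setup_data_drive ;;
  backup) backup_header ;;
  rotate) rotate_passphrase "${2:?usage: $0 rotate <old key slot number>}" ;;
  close)  close_data_drive ;;
  "")     ;;                                    # no action: only define the functions (for sourcing)
  *)      echo "usage: $0 setup|backup|rotate <slot>|close" >&2; exit 2 ;;
esac
```

Run it as root: `sh luks-datadrive.sh setup`, then `backup`, and later `rotate 0` to retire key slot 0 once the new passphrase is known to work. The rotation order matters: killing the only remaining slot leaves a volume nobody can decrypt, which is exactly the locked-out scenario described above, and a header backup taken before the rotation still honours the old passphrase, so take a fresh backup afterwards. On Debian the container can also be listed in /etc/crypttab with the noauto option so it never blocks an unattended boot, and unlocked after you SSH in with cryptdisks_start datadrive.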
That Arch wiki page is outstanding in its detail on all the different things you can do, how to work with keys, all kinds of functions, so there's a lot more to LUKS; this is just to get you started. If you have something really specific or a different use case, there are a lot more options. But this is great disk encryption, and at a minimum you should be using it on any of your computers, laptop or desktop, in case anyone ever walks off with the drives, or in case you have to send a drive out and want to be sure that data is encrypted. It's incredibly easy to use, and modern processors have AES instructions (AES-NI) for encryption and decryption, so there's really no speed loss; it's so minimal that you won't have a performance problem when you encrypt, which is wonderful about the way this works. So like I said, get started on it. If you want to continue the discussion I'll be posting this in my forums; if there's interest in follow-up videos on how to do more with it, let me know and maybe I'll make one, or just answer the questions in the forums. Thanks for watching. If you liked this video give it a thumbs up; if you want to see more content, hit the subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you want to hire us for a project you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us.
Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going, and if you want to help the channel out in other ways, we offer affiliate links below which give discounts for you and a small cut for us that helps fund this channel. Once again, thanks for watching this video and see you next time.