Hard Disk Encryption With LUKS

HowTo: Linux Hard Disk Encryption With LUKS.

first step:

/share/hide-folder – mount folder

groupadd samba-group – create new group

chown root:samba-group /share/hide-folder – set correct owner and group

chmod 770 /share/hide-folder – set correct permissions (rwxrwx---)

useradd user -M -G samba-group -s /sbin/nologin – create new Linux user and add him to the group

passwd user – set password for new user

pdbedit -a -u user – add user to Samba (use the same password as for the Linux user)

usermod -a -G samba-group user-2 – add another user to the group if you want

set up a new crypt folder on a new disk:

1) cryptsetup luksFormat /dev/vdc1 – type YES to confirm; for a crypt folder use /dev/loop; save the passphrase!
2) cryptsetup luksOpen /dev/vdc1 name_share – open crypt device, name_share – crypt device name
3) mkfs.ext4 /dev/mapper/name_share – format new crypt device
4) cryptsetup -v status name_share – check status of the new crypt device

umount:

# umount /share/hide-folder
# cryptsetup luksClose name_share

mount:

# cryptsetup luksOpen /dev/sda1 name_share
# mount /dev/mapper/name_share /share/hide-folder
# df -H

simple bash script for mounting the crypt device:

#!/usr/bin/env bash

SHARENAME='name_share'
CRYPTDEVICE='/dev/sda1'
SHAREMAPPER="/dev/mapper/${SHARENAME}"
MOUNTPTH='/share/hide-folder'

# Show usage when no argument is given; otherwise require root.
if [[ -z ${1} ]]; then
    echo "Use ${0} 'start', 'stop', 'restart'"
    exit 0
elif [[ $(id -u) -ne 0 ]]; then
    echo 'You must be root!'
    exit 1
fi

# Unmount the filesystem, then close the LUKS mapping.
function stop_luks() {
    umount "${1}"
    cryptsetup luksClose "${2}"
}

# Open the LUKS device (asks for the passphrase), then mount the mapped device.
function start_luks() {
    cryptsetup luksOpen "${1}" "${2}" &&
        mount -t ext4 "${3}" "${4}"
}

case "${1}" in

    "start" )
        start_luks "${CRYPTDEVICE}" "${SHARENAME}" "${SHAREMAPPER}" "${MOUNTPTH}"
        ;;

    "stop" )
        stop_luks "${MOUNTPTH}" "${SHARENAME}"
        ;;

    "restart" )
        stop_luks "${MOUNTPTH}" "${SHARENAME}"
        start_luks "${CRYPTDEVICE}" "${SHARENAME}" "${SHAREMAPPER}" "${MOUNTPTH}"
        ;;

    # Unquoted * is the catch-all pattern; a quoted "*" matches only a literal asterisk.
    * )
        echo "Use ${0} 'start', 'stop', 'restart'"
        exit 1
        ;;

esac

add new secret passphrase:

### max 8, i.e. at most 8 passwords can be set up for each device ###
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc

Remove or delete the old password:

cryptsetup luksRemoveKey /dev/xvdc
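
A pre-check for the removal step above, as an added example (not part of the original howto): it counts the active key slots in luksDump output and refuses to remove a passphrase when fewer than two exist, so the device is never left without a working one. The function names are hypothetical and the two dumps are constructed samples; remove_old_key needs root and is not called here.

```shell
# Count active key slots in `cryptsetup luksDump` output read from stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
count_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }                          # LUKS1 slot
        /^[A-Za-z].*:[ \t]*$/       { in_ks = ($0 ~ /^Keyslots:/) }  # LUKS2 section header
        in_ks && /^[ \t]+[0-9]+: /  { n++ }                          # LUKS2 slot entry
        END                         { print n + 0 }
    '
}

# Succeeds only if at least two passphrases exist, so one survives the removal.
safe_to_remove_key() { [ "$(count_keyslots)" -ge 2 ]; }

# Hypothetical wrapper for a real device (needs root; not called in this demo).
remove_old_key() {
    cryptsetup luksDump "$1" | safe_to_remove_key ||
        { echo "refusing: fewer than two active key slots on $1" >&2; return 1; }
    cryptsetup luksRemoveKey "$1"
}

# Constructed, abbreviated luksDump samples (not taken from a real device).
sample_luks1() {
    cat <<'EOF'
LUKS header information for /dev/xvdc
Version:        1
Key Slot 0: ENABLED
    Iterations:             1000000
Key Slot 1: ENABLED
Key Slot 2: DISABLED
EOF
}
sample_luks2() {
    cat <<'EOF'
LUKS header information
Data segments:
  0: crypt
Keyslots:
  0: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

echo "LUKS1 sample: $(sample_luks1 | count_keyslots) active slot(s)"
echo "LUKS2 sample: $(sample_luks2 | count_keyslots) active slot(s)"
```

On a real device, run luksAddKey first, confirm the new passphrase opens the device, and only then call remove_old_key /dev/xvdc.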

smb.conf:

[samba-group]
hide files = /lost+found/
hide unreadable = yes
path=/share/hide-folder
valid users = @samba-group,admin
guest ok = no
read only = no
force create mode = 0770
force directory mode = 0770
force group = samba-group

service smbd restart – restart samba daemon

smb://your-server-host/samba-group/ – access link in file manager