NI Linux Real-Time Documents

LUKS Disk Encryption on NI Linux Real-Time

Beginning in LabVIEW Real-Time 2017, the NI Linux Real-Time kernel includes LUKS encryption capabilities. It is possible to create encrypted containers and to encrypt USB drives. It is not currently possible to encrypt a real-time target’s native onboard flash partitions (which store the OS).

 

Using LUKS encryption can maintain confidentiality of sensitive data, and may satisfy certain regulatory requirements. Users can configure the specific cipher that is used, but LUKS uses AES in XTS mode with a 256-bit key size by default.

 

Accessing this encryption capability will require some familiarity with the Linux shell. From the shell, users can encrypt USB drives or create encrypted file containers. Encrypted file containers can reside either on the onboard flash drive or external media. Partitions can be encrypted using either passwords or key files.[1] LUKS also supports registering multiple passwords or key files for the same encrypted disk (up to a limit of 10). A specific use case for this might be to register a backup recovery password.

 

The commands below can be used as a reference for basic usage of LUKS encryption on NI Linux Real-Time. All commands should be run as admin. For more advanced usage, please refer to the additional resources section at the bottom of this page.

 

Key Creation:

 

dd if=/dev/urandom of=disk.key bs=1024 count=4

 

Encrypting USB Drive:

 

  1. Unmount USB drive (note that sdb1 is being used to illustrate usage – your drive may be loaded as something else):
    1. umount /dev/sdb1
  2. Format USB drive as an encrypted disk after ensuring USB drive is unmounted:
    1. cryptsetup luksFormat /dev/sdb1 disk.key [2]
    2. cryptsetup --key-file disk.key luksOpen /dev/sdb1 cryptdisk
    3. mkfs.ext4 /dev/mapper/cryptdisk
  3. Mount the encrypted disk (if your desired mount point doesn’t exist, create it before attempting to mount the encrypted disk):
    1. mount /dev/mapper/cryptdisk /mnt/cryptdisk
  4. Unmount the encrypted disk
    1. umount /mnt/cryptdisk
  5. Close the encrypted disk
    1. cryptsetup luksClose /dev/mapper/cryptdisk

 

Creating an Encrypted Container:

 

  1. Create container file and format as encrypted disk (size: 100MB)
    1. dd if=/dev/zero bs=1M count=100 of=cryptdisk.img
    2. cryptsetup luksFormat cryptdisk.img disk.key
    3. cryptsetup --key-file disk.key luksOpen cryptdisk.img cryptdisk
    4. mkfs.ext4 /dev/mapper/cryptdisk
  2. Mount the encrypted disk
    1. mount /dev/mapper/cryptdisk /mnt/cryptdisk
  3. Unmount the encrypted disk
    1. umount /mnt/cryptdisk
  4. Close the encrypted disk
    1. cryptsetup luksClose /dev/mapper/cryptdisk
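
The key-file handling that footnote [1] asks for, together with the backup recovery key use case mentioned above, as an added example (not NI's code). The helper names are hypothetical, and the sketch assumes a stat that supports -c and a cryptsetup build that supports --test-passphrase.

```shell
#!/bin/sh
# Added example; make_keyfile, check_keyfile, colocated and
# add_recovery_key are hypothetical helper names.

# Create a 4 KiB random key file readable only by its owner. The plain dd
# command inherits the shell umask and often yields a world-readable file.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=1024 count=4 2>/dev/null )
}

# Reject a key file that is missing, empty, or accessible to group/others.
check_keyfile() {
    key=$1
    if [ ! -f "$key" ] || [ ! -s "$key" ]; then
        echo "missing or empty key file: $key" >&2; return 1
    fi
    mode=$(stat -c %a "$key") || return 1
    case $mode in
        0|*00) return 0 ;;            # 600, 400: owner-only access
        *) echo "mode $mode exposes $key to other users" >&2; return 1 ;;
    esac
}

# True when key file and container image sit on the same filesystem, so
# copying that medium yields both (the situation footnote [1] warns about).
colocated() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Register a second key file, authorising with the first, then confirm the
# new key unlocks the volume without creating a mapping. Run as admin.
add_recovery_key() {
    dev=$1; primary=$2; recovery=$3
    check_keyfile "$primary" && check_keyfile "$recovery" || return 1
    cryptsetup luksAddKey --key-file "$primary" "$dev" "$recovery" || return 1
    cryptsetup luksOpen --test-passphrase --key-file "$recovery" "$dev"
}
```

For the container from the steps above, `add_recovery_key cryptdisk.img disk.key recovery.key` enrolls recovery.key; keep that file on different media from both the container and disk.key.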

 

Additional Resources:

 

 

[1] The user is responsible for protecting the secrecy of the key file used. National Instruments strongly recommends storing the key file in a separate location from the encrypted disk.

[2] To create an encrypted volume that uses a password for authentication, omit disk.key from the luksFormat command. It is then no longer necessary to reference a key file when calling luksOpen.
