On Mon, Aug 13, 2018 at 00:33:37 CEST, rajpal reddy wrote:
> Hello,
>
> I'm new to LUKS encryption, please bear with me. I'm trying to test on
> an AWS EC2 i3.large machine. I'm trying to encrypt the entire
> /dev/nvme0n1 volume.

[...]

> I have the following questions:

You have some misunderstandings here, let's see whether I can clear them up.
Also refer to the FAQ at
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions

> 1) From the above steps, am I doing it correctly?

Looks like it. What are you doing on reboot?

> 2) Since the /data_e volume is encrypted, does that mean all my directories and
> files under /data_e are encrypted as well?

Yes. LUKS is full-disk encryption (FDE).

> 3) If I try to scp those files to my laptop, wouldn't it look for the key? (I
> tried it, it didn't ask for it.)

No. The OS transparently decrypts everything when the LUKS container is
mapped. Only the raw data on disk is encrypted and it is only protected
when the container is not mapped.

> 4) I also tried to copy those files to a different server where I don't
> have encryption and tried a restore. It worked fine. My expectation was
> it should ask for the password; it didn't ask for it.

The passphrase is only asked on container mapping (cryptsetup luksOpen).

> 5) Not sure what exactly it's encrypting if it lets me copy my files and
> restore them on a different server without asking for the key.

The raw sectors on disk. FDE only protects against your disks/server/laptop
being stolen when the machine is off or the LUKS container not mapped.
It does not and cannot protect against your machine getting hacked while
the LUKS container is mapped (open). For that, you want to encrypt
individual files using GnuPG or the like.

> 6) If for any reason in the future I want to roll back the encryption, what is
> the best practice for it?

Make backup of data. Recreate volume in plain. Restore backup.

> 7) If I lost my KMS key, is the volume unusable, or is there any way to retrieve it?
>
> Thanks

See FAQ Section 6.

Regards,
Arno

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
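The at-rest-only property Arno describes in answers 2 to 5 can be checked end to end on a throwaway loop-file container. This is an added demonstration script, not part of the thread or of cryptsetup; it needs root, cryptsetup and dm-crypt support, and the image path, mapping name, passphrase and marker string are made-up test values.

```shell
#!/bin/sh
# Added demo: a marker written through the mapped device is readable via
# the filesystem (so cp/scp/tar never see a passphrase prompt), is absent
# from the raw backing image, and stays unreadable once the container is
# closed. Only "cryptsetup open" ever asks for the passphrase.
set -eu

IMG=/tmp/luks-demo.img          # constructed: stands in for /dev/nvme0n1
NAME=luksdemo                   # mapping name -> /dev/mapper/luksdemo
MNT=/tmp/luks-demo-mnt
PASS='demo-passphrase-only'     # constructed test value, never reuse
MARKER='LUKS_AT_REST_MARKER_0123456789'

cleanup() {
    umount "$MNT" 2>/dev/null || true
    cryptsetup close "$NAME" 2>/dev/null || true
    rm -rf "$MNT" "$IMG"
}

# Returns 0 if the plaintext marker occurs anywhere in file $1, else 1.
marker_present() {
    grep -aq "$MARKER" "$1"
}

# Returns 0 when every expectation holds, 1 on the first violation.
luks_demo() {
    trap cleanup EXIT
    dd if=/dev/zero of="$IMG" bs=1M count=32 status=none
    # The passphrase is consumed only here, at format and at mapping time.
    printf '%s' "$PASS" | cryptsetup luksFormat --batch-mode --key-file=- "$IMG"
    printf '%s' "$PASS" | cryptsetup open --key-file=- "$IMG" "$NAME"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT" && mount "/dev/mapper/$NAME" "$MNT"
    printf '%s\n' "$MARKER" > "$MNT/secret.txt"
    sync
    # Mapped: file-level tools see plaintext with no prompt (questions 3/4).
    marker_present "$MNT/secret.txt" || return 1
    # Raw sectors never hold the plaintext (question 5).
    marker_present "$IMG" && return 1
    umount "$MNT"
    cryptsetup close "$NAME"
    # Closed: the only thing left on disk is ciphertext (question 2).
    marker_present "$IMG" && return 1
    return 0
}

if [ "$(id -u)" -eq 0 ] && command -v cryptsetup >/dev/null 2>&1; then
    luks_demo && echo "ok: plaintext visible only through the mapping"
else
    echo "run as root with cryptsetup installed" >&2
fi
```

A stolen copy of the image file therefore yields nothing, but anyone with access to the running system while the mapping exists reads every file in the clear, which is exactly the limit of FDE.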