Encrypt Linux Partition using LUKS cryptsetup

encrypt linux volume using luks cryptsetup
LUKS (Linux Unified Key Setup) is encryption standard designed for Linux to encrypt Linux volumes or partitions. The implementation of LUKS is based on cryptsetup script as a basic disk encryption backend tool.

In this tutorial we will create Linux partition on KVM based CentOS 7, encrypt partition using LUKS cryptsetup and mount it permanently in particular mount point.

Steps:

1. Install LUKS cryptsetup script

[root@tuxfixer ~]# yum install cryptsetup

2. Prepare Linux partition

Setup / install new volume (for example: /dev/vdb) and create new Linux partition on the volume using fdisk:

[root@tuxfixer ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x9e3ed8b3.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-16777215, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-16777215, default 16777215): 16777215
Partition 1 of type Linux and of size 8 GiB is set

Command (m for help): p

Disk /dev/vdb: 8589 MB, 8589934592 bytes, 16777216 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x9e3ed8b3

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048    16777215     8387584   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

3. Encrypt Linux partition with cryptsetup

Encrypt partition and set decryption password (when prompted):

[root@tuxfixer ~]# cryptsetup luksFormat /dev/vdb1

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: ***********
Verify passphrase: ***********

4. Unlock the encrypted Linux partition

Enter decryption password we set in point 3 (when prompted):

[root@tuxfixer ~]# cryptsetup luksOpen /dev/vdb1 encrypted-volume
Enter passphrase for /dev/vdb1: *********** 

Verify, if unlocked volume was properly mapped by device mapper:

[root@tuxfixer ~]# ls -l /dev/mapper | grep encrypted-volume
lrwxrwxrwx. 1 root root       7 Apr 21 23:02 encrypted-volume -> ../dm-2
[root@tuxfixer ~]# blkid | grep crypt
/dev/vdb1: UUID="dc57e3a0-5d47-4dec-857e-89db2fad2f70" TYPE="crypto_LUKS"

5. Format encrypted partition

Create xfs file system on encrypted partition:

[root@tuxfixer ~]# mkfs -t xfs /dev/mapper/encrypted-volume
meta-data=/dev/mapper/encrypted-volume isize=256    agcount=4, agsize=524096 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=2096384, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

Verify newly created file system on encrypted partition:

[root@tuxfixer ~]# blkid | grep crypt
/dev/vdb1: UUID="dc57e3a0-5d47-4dec-857e-89db2fad2f70" TYPE="crypto_LUKS" 
/dev/mapper/encrypted-volume: UUID="a363d94a-206f-4932-a6e6-7b3b98ad817e" TYPE="xfs"

6. Mount encrypted Linux partition

Create mount point:

[root@tuxfixer ~]# mkdir /mnt/safe_volume

Edit /etc/crypttab file and add the following entry:

encrypted-volume   /dev/vdb1

Edit /etc/fstab file and add the following entry:

/dev/mapper/encrypted-volume   /mnt/safe_volume   xfs   defaults   0   0 

Note: pay attention that in /etc/crypttab we enter standard device name (/dev/vdb1), but in /etc/fstab we enter device mapper name (/dev/mapper/encrypted-volume)

Reboot the server to verify, if the system mounts encrypted partiton properly, enter decryption password when prompted:

Please enter passphrase for disk encrypted-volume on /mnt/safe_volume!: ***********

After system boot, verify if the encrypted volume has been mounted and unlocked properly:

[root@tuxfixer ~]# df -hT | grep safe_volume
/dev/mapper/encrypted-volume xfs       8.0G   33M  8.0G   1% /mnt/safe_volume
[root@tuxfixer ~]# cryptsetup status encrypted-volume
/dev/mapper/encrypted-volume is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/vdb1
  offset:  4096 sectors
  size:    16771072 sectors
  mode:    read/write

7. (Optional) Create key file including decryption password

If you don’t want to be prompted for decryption password upon each reboot, you can create password file:

[root@tuxfixer ~]# touch /root/safe_volume_key
[root@tuxfixer ~]# cryptsetup luksAddKey /dev/vdb1 /root/safe_volume_key
Enter any passphrase: ***********
[root@tuxfixer ~]# chmod 600 /root/safe_volume_key 

Edit and modify /etc/crypttab file to include safe_volume_key:

encrypted-volume   /dev/vdb1   /root/safe_volume_key

Reboot the server, you shouldn’t be prompted for decryption password now.

8. (Optional) Remove key file including decryption password

Type the following command to remove key file and roll back to standard passphrase prompt upon each reboot:

[root@tuxfixer ~]# cryptsetup luksRemoveKey /dev/vdb1 /root/safe_volume_key

Remove safe_volume_key entry from /etc/crypttab file:

encrypted-volume   /dev/vdb1

Reboot the server, you should be now prompted for decryption passphrase again:

Please enter passphrase for disk encrypted-volume on /mnt/safe_volume!: ***********
Liked it? Take a second to support tuxfixer.com on Patreon!

Share on: Share on FacebookShare on Google+Tweet about this on TwitterShare on StumbleUponShare on LinkedInPin on PinterestBuffer this pageShare on TumblrDigg thisFlattr the authorShare on RedditShare on VKShare on Yummly

Leave a Reply

Name *
Email *
Website