LUKS (Linux Unified Key Setup) is an encryption standard designed for Linux to encrypt Linux volumes or partitions. LUKS is implemented on top of the cryptsetup utility, which serves as the basic disk encryption backend tool.
In this tutorial we will create a Linux partition on a KVM-based CentOS 7 guest, encrypt the partition using LUKS (cryptsetup) and mount it permanently at a particular mount point.
Steps:
1. Install the LUKS cryptsetup utility
[root@tuxfixer ~]# yum install cryptsetup
2. Prepare the Linux partition
Attach a new volume (for example: /dev/vdb) and create a new Linux partition on it using fdisk:
[root@tuxfixer ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x9e3ed8b3.
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-16777215, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-16777215, default 16777215): 16777215
Partition 1 of type Linux and of size 8 GiB is set
Command (m for help): p
Disk /dev/vdb: 8589 MB, 8589934592 bytes, 16777216 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x9e3ed8b3
Device Boot Start End Blocks Id System
/dev/vdb1 2048 16777215 8387584 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
3. Encrypt the Linux partition with cryptsetup
Encrypt the partition and set the decryption passphrase (when prompted):
[root@tuxfixer ~]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase: ***********
Verify passphrase: ***********
4. Unlock the encrypted Linux partition
Enter the decryption passphrase set in step 3 (when prompted):
[root@tuxfixer ~]# cryptsetup luksOpen /dev/vdb1 encrypted-volume
Enter passphrase for /dev/vdb1: ***********
Verify that the unlocked volume was properly mapped by the device mapper:
[root@tuxfixer ~]# ls -l /dev/mapper | grep encrypted-volume
lrwxrwxrwx. 1 root root 7 Apr 21 23:02 encrypted-volume -> ../dm-2
[root@tuxfixer ~]# blkid | grep crypt
/dev/vdb1: UUID="dc57e3a0-5d47-4dec-857e-89db2fad2f70" TYPE="crypto_LUKS"
5. Format the encrypted partition
Create an xfs file system on the encrypted partition:
[root@tuxfixer ~]# mkfs -t xfs /dev/mapper/encrypted-volume
meta-data=/dev/mapper/encrypted-volume isize=256    agcount=4, agsize=524096 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=2096384, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
Verify the newly created file system on the encrypted partition:
[root@tuxfixer ~]# blkid | grep crypt
/dev/vdb1: UUID="dc57e3a0-5d47-4dec-857e-89db2fad2f70" TYPE="crypto_LUKS"
/dev/mapper/encrypted-volume: UUID="a363d94a-206f-4932-a6e6-7b3b98ad817e" TYPE="xfs"
6. Mount the encrypted Linux partition
Create the mount point:
[root@tuxfixer ~]# mkdir /mnt/safe_volume
Edit the /etc/crypttab file and add the following entry:
encrypted-volume /dev/vdb1
Edit the /etc/fstab file and add the following entry:
/dev/mapper/encrypted-volume /mnt/safe_volume xfs defaults 0 0
Note: in /etc/crypttab we enter the standard device name (/dev/vdb1), but in /etc/fstab we enter the device mapper name (/dev/mapper/encrypted-volume).
Reboot the server to verify that the system mounts the encrypted partition properly; enter the decryption passphrase when prompted:
Please enter passphrase for disk encrypted-volume on /mnt/safe_volume!: ***********
After the system boots, verify that the encrypted volume has been unlocked and mounted properly:
[root@tuxfixer ~]# df -hT | grep safe_volume
/dev/mapper/encrypted-volume xfs 8.0G 33M 8.0G 1% /mnt/safe_volume
[root@tuxfixer ~]# cryptsetup status encrypted-volume
/dev/mapper/encrypted-volume is active and is in use.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/vdb1
offset: 4096 sectors
size: 16771072 sectors
mode: read/write
7. (Optional) Create a key file containing the decryption passphrase
If you don't want to be prompted for the decryption passphrase upon each reboot, you can create a key file. Restrict its permissions before writing the passphrase into it, so the file is never readable by other users:
[root@tuxfixer ~]# touch /root/safe_volume_key
[root@tuxfixer ~]# chmod 600 /root/safe_volume_key
[root@tuxfixer ~]# echo 'secretpassphrase' > /root/safe_volume_key
[root@tuxfixer ~]# cryptsetup luksAddKey /dev/vdb1 /root/safe_volume_key
Enter any passphrase: ***********
Edit the /etc/crypttab file to reference safe_volume_key:
encrypted-volume /dev/vdb1 /root/safe_volume_key
Reboot the server; you shouldn't be prompted for the decryption passphrase now.
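As an added check for steps 6 and 7 (example code, not from the original post): a small POSIX sh audit that cross-checks /etc/crypttab against /etc/fstab for the layout used above and verifies the permissions of any key file named in crypttab. The function names check_crypt_mounts and demo_check are hypothetical, and the sample files demo_check builds are constructed.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the original post): checks that
# every /dev/mapper/NAME mounted in fstab has a crypttab entry NAME whose backing
# device is the raw partition, and that any key file named there is mode 0600.
# usage: check_crypt_mounts CRYPTTAB FSTAB  -> prints findings, returns their count
check_crypt_mounts() {
    crypttab=$1 fstab=$2 problems=0
    for dev in $(awk '!/^[[:space:]]*#/ && $1 ~ "^/dev/mapper/" {print $1}' "$fstab"); do
        name=${dev#/dev/mapper/}
        # crypttab fields: mapping name, backing device, key file (optional), options
        entry=$(awk -v n="$name" '!/^[[:space:]]*#/ && $1 == n' "$crypttab")
        if [ -z "$entry" ]; then
            echo "MISSING: $dev is in fstab but crypttab has no '$name' entry"
            problems=$((problems + 1)); continue
        fi
        set -- $entry
        case $2 in
            /dev/mapper/*)
                echo "SUSPECT: crypttab '$name' names a mapper device ($2), not the raw partition"
                problems=$((problems + 1)) ;;
        esac
        keyfile=${3:-none}
        # "none" or "-" means a passphrase prompt at boot, so there is no file to audit
        if [ "$keyfile" = none ] || [ "$keyfile" = - ]; then continue; fi
        if [ ! -f "$keyfile" ]; then
            echo "MISSING: key file $keyfile for '$name' does not exist"
            problems=$((problems + 1))
        elif [ "$(stat -c '%a' "$keyfile")" != 600 ]; then
            echo "WEAK: key file $keyfile is mode $(stat -c '%a' "$keyfile"), expected 600"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample data: the tutorial's two entries plus an orphaned mapper mount;
# the key file is created with the mode given as $1 (default 644, i.e. still readable
# by others). Returns the number of findings.
demo_check() {
    dir=$(mktemp -d)
    printf 'encrypted-volume /dev/vdb1 %s/safe_volume_key\n' "$dir" > "$dir/crypttab"
    printf '/dev/mapper/encrypted-volume /mnt/safe_volume xfs defaults 0 0\n' > "$dir/fstab"
    printf '/dev/mapper/orphan-volume /mnt/orphan xfs defaults 0 0\n' >> "$dir/fstab"
    printf 'constructed-passphrase\n' > "$dir/safe_volume_key"
    chmod "${1:-644}" "$dir/safe_volume_key"
    n=0; check_crypt_mounts "$dir/crypttab" "$dir/fstab" || n=$?
    rm -rf "$dir"
    return $n
}
demo_check || echo "findings: $?"   # on a real system: check_crypt_mounts /etc/crypttab /etc/fstab
```

With the default sample the audit reports the orphaned mapper mount and the world-readable key file; after chmod 600 only the orphan remains.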
8. (Optional) Remove the key file containing the decryption passphrase
Type the following command to remove the key file's passphrase from the LUKS header and roll back to the standard passphrase prompt upon each reboot:
[root@tuxfixer ~]# cryptsetup luksRemoveKey /dev/vdb1 /root/safe_volume_key
Remove the safe_volume_key entry from the /etc/crypttab file:
encrypted-volume /dev/vdb1
Reboot the server; you should now be prompted for the decryption passphrase again:
Please enter passphrase for disk encrypted-volume on /mnt/safe_volume!: ***********
Works just fine. Thanks for documenting this as you have.