LUKS is a way to encrypt devices on a system. Keep in mind that LUKS works on a block level and it applies to block devices files such as partitions and Logical Volumes(LVs) associated with storage. So, it encrypts your partitions and your data is secure in case that you lost your computer because the LUKS-protected partition requires either passphrase or a key file.
During installation of Linux, you have an opportunity to encrypt your partitions or volumes which could be the easiest way to encrypt the partitions; however, the following description is related to encryption of a partition or volume after installation of RedHat, CentOS, Fedora, or SELinux and also how to create, configure, mount, and unmount LUKS-encrypted filesystems.
Prepare Encryption
To install cryptsetup-luks RPM package, run the following command:
yum install cryptsetup-luks
In order to work with LUKS and encryption, you need to load dm_crypt module if it's not loaded already. Try the following command first:
lsmod | grep dm_crypt
and it should return something like this:
Figure 1
If you don't see any output, you can load the module with following command:
modprobe dm_crypt
Now, if you run "lsmod | grep dm_crypt" command again, you will see the output.
Before creating an encrypted filesystem, we need a partition. Now, I am going to create a partition on /dev/sdb with fdisk command (that's a regular partition from existing empty space on my second hard drive):
Figure 2
Prepare the New Filesystem
If you want to create a more secure filesystem, fill it with random data. You can use the badblocks command to do this:
badblocks -c 20480 -s -w -t random -v /dev/sdb2
which -c is the number of blocks at a time, in this case 20480, -s shows the progress of the command, -w writes data, -t writes data in a random pattern, and -v is verbose mode.
Figure 3
Also, you can use an alternative way to do this by using Linux random number generator device:
dd if=/dev/urandom of=/dev/sdb2
This command starts by filling random data, block by block, on the /dev/sdb2 device.
Create the New Filesystem
cryptsetup is the command that creates a LUKS-based filesystem.
cryptsetup luksFormat /dev/sdb2
Figure 4
Note:
- Don't forget uppercase F in luksFormat switch
- When it asks you to overwrite data, you must type uppercase YES, otherwise it doesn't ask you for passphrase and the volume will be encrypted
- You can include space in your passphrase
Figure 5
In order to do a map to a different device, we need UUID of encrypted device. The following command creates a UUID for /dev/sdb2:
cryptsetup luksUUID /dev/sdb2
Figure 6
Next, type the following command (I pasted the UUID that I got from pervious command here):
cryptsetup luksOpen /dev/sdb2 e8c60fe0-2a9d-4e4d-a4af-c80a8fe70726
Figure 7
An alternative way is using a name instead of UUID number of an encrypted device. For example, you can use the following command as well which has exactly the same result and even easier and more human readable:
cryptsetup luksOpen /dev/sdb2 test
Figure 8
After running the above command,the mapped device is added to the /dev/mapper directory. Let's take a look:
Figure 9
Or if you are using a name instead of UUID, you should see something like this:
Figure 10
Then, we are ready to format the device with the following command:
mkfs.ext4 /dev/mapper/test
Figure 11
We can mount the new created LUKS device to a directory now and it's ready to use:
Figure 12
Finally, you should setup /etc/fstab file to make sure that encrypted filesystem is mounted by next time that system is booted. But you need some works to do on this part:
1. Setting up encrypted volumes during system boot
To access the data on this encrypted partition, you must recreate that /dev/mapper/test device with cryptsetup each time you boot. You can automated this process by setting up encrypted volumes during the boot process. This can be done easily by editing /etc/crypttab and add the following line to this file:MappingName DeviceName Password_File_Path
The third column is optional and you can store the password of encrypted volume in somewhere like /mnt/mypassword.txt, but it has security issue and you don't want to store a password file in plain text. So, it's better to remove that column and it will ask you for a password when you reboot or boot your system. So, in my system, it looks like this:
Figure 13
and when you boot or reboot your system, it will ask you for password:
Figure 14
2. Setting up /etc/fstab
Here is the tricky part if you want to use UUID in fstab. The UUID that we got from previous commands above corresponds to the original partition and is not associated with the encrypted filesystem. To get UUID of encrypted filesystem, run the following command:dumpe2fs /dev/mapper/test | grep UUID
dumpe2fs prints the super blocks information for the filesystem present on device. That UUID number that we get from dumpe2fs command can then be used to represent the encrypted volume in /etc/fstab. For example, in my case, it would be:
Figure 15
Note:
If you use the UUID of original partition, you will get the following error or something like that after reboot:
Figure 16
If you see such an error, run the following commands:
mount / -o remount,rw
vi /etc/fstab
and then remove that UUID from fstab and save it. And reboot system.
Alternatively, you can use the mapper name in fstab. For example,in my case, adding the following line in /etc/fstab works exactly in the same way as above in Figure 15 (I mean the same result).
/dev/mapper/test /test-luks ext4 defaults 1 2
So, the followings are two ways such a volume could be configured in the /etc/fstab file:
UUID=8cd80c73-8140-4006-9d22-ba4da3e29e83 /test-luks ext4 defaults 1 2
OR
/dev/mapper/test /test-luks ext4 defaults 1 2
Now, if you reboot you system, you encrypted partition will mount automatically.
And that's all. Hope you enjoyed.
Khosro Taraghi