November 27, 2013

Encrypting Disks with LUKS in RHEL 6

Introduction

LUKS (Linux Unified Key Setup) is a standard for hard disk encryption. LUKS can encrypt both partitions and LVM logical volumes. Here I will encrypt a partition.

Prerequisite

Create a new partition with fdisk.

Encrypt a Partition

First we need to encrypt the partition.

The next step is to unlock the partition with cryptsetup luksOpen <blockDeviceFile> <luksname>. cryptsetup will then create a new mapped block device file under /dev/mapper/<luksname>.

Finally we format the mapped (unencrypted) device with a file system and mount it.

Persistently Mount Encrypted Partition

To make the mount persistent we would normally just add the block device file to /etc/fstab, but with encrypted storage we also need to add the encrypted partition to the list of devices to be unlocked during system startup. That is done by adding the luksname and block device file to /etc/crypttab.

After that extra step, edit /etc/fstab as usual, using the mapped device /dev/mapper/<luksname>.

Automatically Mount Encrypted Partition

To automatically unlock an encrypted partition we need to store the password in a key file on disk. This has obvious security problems (anyone who can read the key file can unlock the partition), but if you want it anyway, do the following.

Now edit /etc/crypttab and put the path of the key file in the password field.

Reboot and verify that no password is needed and that the encrypted partition is mounted.
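The whole procedure above (encrypt, unlock, format, mount, register in /etc/crypttab and /etc/fstab, optional key file) as one script. This is an added example, not the commands from the original post; the device /dev/sdb1, the luksname "data", the mount point /data and the key file /root/luks.key are assumed values, and setup_luks must be run as root on a RHEL 6 host with cryptsetup-luks installed.

```shell
#!/bin/bash
# Added example: LUKS-encrypt a partition and register it for unlock at boot.
# Assumed names: DEV=/dev/sdb1 NAME=data MNT=/data KEY=/root/luks.key
set -eu

# /etc/crypttab line: <luksname> <device> <keyfile or "none" to prompt>
crypttab_line() {   # $1=luksname $2=device [$3=keyfile]
    printf '%s %s %s\n' "$1" "$2" "${3:-none}"
}

# /etc/fstab line for the mapped (unencrypted) device
fstab_line() {      # $1=luksname $2=mountpoint $3=fstype
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# A key file that unlocks the disk must not be group/world readable:
# accept only mode 0600 or 0400 (owner check is left to the caller).
keyfile_mode_ok() { # $1=keyfile
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

setup_luks() {      # $1=device $2=luksname $3=mountpoint [$4=keyfile]
    local dev=$1 name=$2 mnt=$3 key=${4:-}
    cryptsetup luksFormat "$dev"             # asks for YES + passphrase
    cryptsetup luksOpen "$dev" "$name"       # creates /dev/mapper/$name
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    if [ -n "$key" ]; then
        # 4096 random bytes, created with umask 077 so it is 0600 from the start
        (umask 077; dd if=/dev/urandom of="$key" bs=512 count=8 2>/dev/null)
        chmod 0600 "$key"
        keyfile_mode_ok "$key" || { echo "bad key file permissions" >&2; return 1; }
        cryptsetup luksAddKey "$dev" "$key"  # asks for the existing passphrase
    fi
    crypttab_line "$name" "$dev" "$key" >> /etc/crypttab
    fstab_line "$name" "$mnt" ext4 >> /etc/fstab
}

# Usage (as root):  setup_luks /dev/sdb1 data /data            # prompt at boot
#                   setup_luks /dev/sdb1 data /data /root/luks.key  # key file
```

Omit the fourth argument to get the prompt-at-boot setup from the "Persistently Mount" section; give it to get the unattended setup from this section.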

Remove Encrypted Partition

  1. Remove the mapped block device file from /etc/fstab.
  2. Remove the luksname from /etc/crypttab.
  3. Unmount the mapped block device: umount /dev/mapper/luksname.
  4. Lock the encrypted partition: cryptsetup luksClose luksname.

Reference

  • cryptsetup(8): cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
  • crypttab(5): /etc/crypttab - encrypted block device table
  • fstab(5): /etc/fstab - static information about the filesystems
