November 27, 2013

Encrypting Disks with LUKS in RHEL 6

Introduction

LUKS (Linux Unified Key Setup) is a standard for hard disk encryption. LUKS can encrypt both partitions and LVM volumes. Here I will encrypt a partition.

Prerequisite

Create a new partition with fdisk.

$ fdisk -cu /dev/sda

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048): 
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +1G

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

$ reboot 

Encrypt a Partition

First we need to encrypt the partition.

$ cryptsetup luksFormat /dev/sda3 

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 

The next step is to unlock the partition with luksOpen <blockDeviceFile> <luksname>. cryptsetup then creates a new mapped block device file under /dev/mapper/<luksname>.

$ cryptsetup luksOpen /dev/sda3 luksname
Enter passphrase for /dev/sda3:  

Finally, we create a file system on the unlocked mapped device (the decrypted view of the partition) and mount it.

$ mkfs -t ext4 /dev/mapper/luksname
$ mkdir /mnt/secret
$ mount /dev/mapper/luksname /mnt/secret

Persistently Mount Encrypted Partition

To make the mount persistent we would normally just add the block device file to /etc/fstab, but with encrypted storage we also need to add the encrypted partition to the list of devices to be unlocked during system startup. That is done by adding the luksname and the block device file to /etc/crypttab.

$ vi /etc/crypttab

luksname    /dev/sda3

After that extra step, edit /etc/fstab as usual.

$ vi /etc/fstab

/dev/mapper/luksname      /mnt/secret             ext4    defaults        1 2

Automatically Mount Encrypted Partition

To automatically unlock an encrypted partition we need to store the passphrase on disk, which has obvious security problems (the key is only as protected as the file system it sits on), but if you want it anyway, do the following.

$ echo -n "redhat" > /root/lukspassword
$ chown root:root /root/lukspassword
$ chmod 600 /root/lukspassword
$ ll /root/
...
-rw-------. 1 root root     6 Nov 27 12:12 lukspassword

$ cryptsetup luksAddKey /dev/sda3 /root/lukspassword

Now edit /etc/crypttab and add the password file as the third field.

$ vi /etc/crypttab

luksname    /dev/sda3   /root/lukspassword

Reboot and verify that no password is needed and that the encrypted partition is mounted.
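The mapping name in /etc/crypttab must match the /dev/mapper/<name> path used in /etc/fstab (a case mismatch such as luksName versus luksname breaks the boot-time mount), and a stored key file should be readable by root only. The following shell script is an added example, not code from the original post: it checks both conditions against sample crypttab, fstab and key files constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a crypttab/fstab pair
# and the permissions of a key file referenced by crypttab. Every mapping name
# in crypttab must appear as /dev/mapper/<name> in fstab, or the mount fails at
# boot; a stored key file should be mode 0600 (rw-------), as in the post.

# Returns 0 if every mapping name in the crypttab file has a matching
# /dev/mapper/<name> line in the fstab file, 1 otherwise.
check_crypttab_fstab() {
    crypttab=$1; fstab=$2
    # Field 1 of each non-comment, non-blank crypttab line is the mapping name.
    for name in $(awk '!/^[[:space:]]*#/ && NF { print $1 }' "$crypttab"); do
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "crypttab name '$name' has no /dev/mapper/$name line in fstab" >&2
            return 1
        fi
    done
    return 0
}

# Returns 0 if the key file exists and its mode is exactly rw------- (0600).
check_keyfile_perms() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "key file $keyfile is missing" >&2; return 1; }
    # First 10 chars of ls -l; an SELinux "." suffix (as in the post) is ignored.
    mode=$(ls -ld "$keyfile" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "key file $keyfile has mode $mode, expected -rw-------" >&2
        return 1
    fi
    return 0
}

# Constructed sample files in a temporary directory (stand-ins for
# /etc/crypttab, /etc/fstab and /root/lukspassword).
tmp=$(mktemp -d)
printf 'luksname    /dev/sda3   %s/lukspassword\n' "$tmp" > "$tmp/crypttab.good"
printf 'luksName    /dev/sda3   %s/lukspassword\n' "$tmp" > "$tmp/crypttab.bad"
printf '/dev/mapper/luksname  /mnt/secret  ext4  defaults  1 2\n' > "$tmp/fstab"
printf 'redhat' > "$tmp/lukspassword"
chmod 600 "$tmp/lukspassword"

check_crypttab_fstab "$tmp/crypttab.good" "$tmp/fstab" && echo "crypttab.good: names match fstab"
check_crypttab_fstab "$tmp/crypttab.bad"  "$tmp/fstab" || echo "crypttab.bad: mismatch detected"
check_keyfile_perms "$tmp/lukspassword" && echo "lukspassword: permissions OK"
```

Run it against the real /etc/crypttab and /etc/fstab after editing them and before rebooting; a mismatch is far cheaper to catch here than at a boot prompt.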

Remove Encrypted Partition

  1. Remove the mapped block device file from /etc/fstab.
  2. Remove luksname from /etc/crypttab.
  3. Unmount the mapped block device: umount /dev/mapper/luksname.
  4. Lock the encrypted partition: cryptsetup luksClose luksname.

Reference

  • cryptsetup(8): cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
  • crypttab(5): /etc/crypttab - encrypted block device table
  • fstab(5): /etc/fstab - static information about the filesystems
