Introduction
LUKS (Linux Unified Key Setup) is the standard for hard disk encryption on Linux. LUKS can encrypt both plain partitions and LVM logical volumes. Here I will encrypt a partition.
Prerequisite
Create a new partition with fdisk.
$ fdisk -cu /dev/sda
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048):
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +1G
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
$ reboot
Encrypt a Partition
First we need to format the partition as a LUKS volume. This overwrites everything on it.
$ cryptsetup luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
The next step is to unlock the partition with luksOpen <blockDeviceFile> <luksname>. cryptsetup then creates a new mapped block device file under /dev/mapper/<luksname>; reads and writes through that device are transparently decrypted and encrypted.
$ cryptsetup luksOpen /dev/sda3 luksname
Enter passphrase for /dev/sda3:
Finally we create a file system on the unlocked (plaintext) mapped device and mount it.
$ mkfs -t ext4 /dev/mapper/luksname
$ mkdir /mnt/secret
$ mount /dev/mapper/luksname /mnt/secret
Persistently Mount Encrypted Partition
To make the mount persistent we would normally just add the block device file to /etc/fstab, but with encrypted storage we also need to add the partition to the list of devices to be unlocked during system startup. That is done by adding the luksname and the block device file to /etc/crypttab.
$ vi /etc/crypttab
luksname /dev/sda3
After that extra step, edit /etc/fstab as usual, referring to the mapped device rather than the raw partition.
$ vi /etc/fstab
/dev/mapper/luksname /mnt/secret ext4 defaults 1 2
Automatically Mount Encrypted Partition
To unlock an encrypted partition automatically at boot we need to store the passphrase on disk. This has obvious security problems, but if you want it anyway, do the following.
$ echo -n "redhat" > /root/lukspassword
$ chown root:root /root/lukspassword
$ chmod 600 /root/lukspassword
$ ll /root/
...
-rw-------. 1 root root 6 Nov 27 12:12 lukspassword
$ cryptsetup luksAddKey /dev/sda3 /root/lukspassword
Now edit /etc/crypttab and add the password file as the third field.
$ vi /etc/crypttab
luksname /dev/sda3 /root/lukspassword
Reboot and verify that no passphrase is asked for and that the encrypted partition is mounted.
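Before rebooting with the entries from the two sections above, it is worth checking that /etc/crypttab and /etc/fstab agree and that the key file really is mode 600. The following POSIX shell script is an added example and not part of the original post: check_tables flags fstab lines that mount a /dev/mapper/<name> device with no crypttab entry of that name (the boot would then wait for a device that is never unlocked) and crypttab key files that are missing or readable by group or others. The script name, the --demo mode and the sample files that make_sample writes into a temporary directory are constructed for this example; on a real system run it as sh luks-persist-check.sh /etc/crypttab /etc/fstab.

```shell
#!/bin/sh
# luks-persist-check.sh (added example, not part of the original post):
# sanity-check the crypttab and fstab entries described above before rebooting.
# It reports
#   - fstab lines that mount /dev/mapper/<name> without a crypttab line of that
#     name (boot would wait for a mapped device that is never created), and
#   - crypttab key files that are missing or readable by group/others.
# The file paths are arguments, so it can also be run against copies.

# Group/other permission bits of a file as shown by ls -l ("------" = mode 600/700).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_keyfile FILE: 0 if FILE is a regular file with no group/other access, else 1.
check_keyfile() {
    kf=$1
    if [ ! -f "$kf" ]; then
        echo "key file $kf: missing"
        return 1
    fi
    if [ "$(group_other_bits "$kf")" != "------" ]; then
        echo "key file $kf: readable by group/others (expected mode 600)"
        return 1
    fi
    # Ownership is only warned about so the demo works for a non-root user.
    owner=$(ls -ld "$kf" | awk '{ print $3 }')
    [ "$owner" = "root" ] || echo "warning: key file $kf is owned by $owner, not root"
    return 0
}

# check_tables CRYPTTAB FSTAB: 0 when every /dev/mapper/<name> in FSTAB has a
# CRYPTTAB entry and every CRYPTTAB key file passes check_keyfile, else 1.
check_tables() {
    crypttab=$1
    fstab=$2
    rc=0

    # crypttab fields: name device [keyfile] [options]; "-"/"none" means ask at boot.
    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in ''|'-'|none) continue ;; esac
        check_keyfile "$keyfile" || rc=1
    done < "$crypttab"

    # fstab fields: device mountpoint fstype options dump pass
    while read -r device mountpoint rest || [ -n "$device" ]; do
        case "$device" in /dev/mapper/*) ;; *) continue ;; esac
        name=${device#/dev/mapper/}
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts $device on $mountpoint but $crypttab has no entry named $name"
            rc=1
        fi
    done < "$fstab"
    return $rc
}

# make_sample DIR: write a constructed crypttab/fstab/key file matching the
# entries in the post (luksname, /dev/sda3, /mnt/secret) into DIR.
make_sample() {
    dir=$1
    printf 'luksname /dev/sda3 %s/lukspassword\n' "$dir" > "$dir/crypttab"
    printf '/dev/mapper/luksname /mnt/secret ext4 defaults 1 2\n' > "$dir/fstab"
    printf 'redhat' > "$dir/lukspassword"    # same throwaway passphrase as the post
    chmod 600 "$dir/lukspassword"
}

case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_sample "$tmp"
        check_tables "$tmp/crypttab" "$tmp/fstab" && echo "sample configuration: OK"
        chmod 644 "$tmp/lukspassword"        # simulate a forgotten chmod 600
        check_tables "$tmp/crypttab" "$tmp/fstab" || echo "sample with 644 key file: rejected"
        rm -rf "$tmp"
        ;;
    '') echo "usage: $0 CRYPTTAB FSTAB | --demo" ;;
    *)  check_tables "$1" "${2:-/etc/fstab}" ;;
esac
```

Ownership is only warned about because the demo files belong to whoever runs the script; on the real /etc/crypttab the key file must be owned by root as in the chown step above. The permission test reads the group/other columns of ls -l rather than stat -c, so it also works on systems that append an SELinux context marker to the mode string.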
Remove Encrypted Partition
- Remove the mapped block device entry from /etc/fstab.
- Remove the luksname entry from /etc/crypttab.
- Unmount the mapped block device: umount /dev/mapper/luksname.
- Lock the encrypted partition: cryptsetup luksClose luksname.
Reference
- cryptsetup(8): cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
- crypttab(5): /etc/crypttab - encrypted block device table
- fstab(5): /etc/fstab - static information about the filesystems