Home » Categories » Linux

How to encrypt a partition using LUKS?

Article Number: 293 | Rating: Unrated | Last Updated: Fri, Jul 13, 2018 10:30 AM

How to encrypt a partition using LUKS?

 

Red Hat Enterprise linux provides you an interface to encrypt the partitions during the installation time, which is quite easy. In this tutorial we will be seeing how can we create a new partition and encrypt it using LUKS. 

 

I will be using CentOS 5.8 for this example tutorial. You can easily do the same in Red Hat enterprise Linux and also in Centos(and many other distributions.)

 

For this tutorial i will be creating a Logical Volume of 5gb and will encrypt that volume, with the help of LUKS.

 

 

 

[root@myvm ~]# lvcreate -L 5G -n myvolume VolGroup00
  Logical volume "myvolume" created

 

So my device which i just created is /dev/mapper/VolGroup00-myvolume. We will be encrypting this volume.

 

I have created a logical volume just for this example, you can use any of the newly created partition, you want. Like /dev/sda1, /dev/sda3 etc.

 

 

 

The next step that we need to do is to format the device with cryptsetup utility and make the device LUKS encrypted.

 

 

 

[root@myvm /]# cryptsetup luksFormat /dev/mapper/VolGroup00-myvolume
 
WARNING!
========
This will overwrite data on /dev/mapper/VolGroup00-myvolume irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

 

You can replace "/dev/mapper/VolGroup00-myvolume" with whatever the partition you are going to encrypt with LUKS.

 

The above cryptsetup command will ask for a confirmation, because this will destroy any data you have on the partition. Then you are prompted for a passphrase.

 

Now lets see some detailed information about the encryption on our device /dev/mapper/VolGroup00-myvolume .

 

 

 

[root@myvm ~]# cryptsetup luksDump /dev/mapper/VolGroup00-myvolume
LUKS header information for /dev/mapper/VolGroup00-myvolume
 
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      4f 4a 2e 9e 7e 04 44 e5 29 3e 6d d7 9e 56 17 2f 9f 5c bf 42
MK salt:        a1 e5 ba 61 ce e9 48 7b 60 7e f2 e3 c5 61 53 22
                f6 0b b2 8f ff 02 5f 56 62 0b 3d 3a 0f 7c c3 04
MK iterations:  10
UUID:           a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
 
Key Slot 0: ENABLED
        Iterations:             311917
        Salt:                   d4 3e f3 37 5d 89 62 be d5 ab ee 27 de 17 b7 f8
                                cf 88 47 bf ab eb 2e 62 69 86 77 72 bc 26 a8 ed
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

 

 

 

 

You can clearly see from the above output that we are using aes encryption with sha256.

 

Now lets see how are we going to access this newly encrypted device. Or in otherwords how will the kernel's device mapper recognize this encrypted partition of ours.

 

You can get the UUID of the newly encrypted device as shown below.

 

[root@myvm ~]# cryptsetup luksUUID /dev/mapper/VolGroup00-myvolume
a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

 

Now We will assign a device mapping name to this device as shown below.

 

 

 

[root@myvm ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-myvolume luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
Enter LUKS passphrase for /dev/mapper/VolGroup00-myvolume:
key slot 0 unlocked.
Command successful.

 

Now You will have a device named "luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3" in /dev/mapper. Also the above command luksOpen will depcrypt the filesystem so that it can be accessed

 

 

 

[root@myvm mapper]# cd /dev/mapper/ ; ls
control                                    VolGroup00-LogVol01
luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3  VolGroup00-myvolume
VolGroup00-LogVol00

 

 

 

Please do remember that the device is open and accessible as of now because we ran "cryptsetup luksopen" command at the time of giving it a device mapping name.

 

Now lets format our device in the same way we format our normal partitions.

 

 

 

[root@myvm mapper]# mke2fs -j /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
655360 inodes, 1310591 blocks
65529 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736
 
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
 
This filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

 

Now Lets mount this device, as normal.

 

 

 

[root@myvm ~]# mount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3 /mypartition/

 

 

 

Now lets check and confirm whether our LUKS formatted and encrypted device is mounted properly with df -h command.

 

 

 

[root@myvm ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       31G  2.7G   27G  10% /
/dev/sda1              99M   13M   82M  13% /boot
tmpfs                 252M     0  252M   0% /dev/shm
/dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
                      5.0G  139M  4.6G   3% /mypartition

 


We can clearly see from the last line of the above output that our newly mapped encrypted device is mounted under /mypartition

 

 

 

How to umount and Lock back the LUKS encrypted partition

 

First lest umount the partition as normal..and then lock back the filesystem through cryptsetup.

 

 

 

[root@myvm ~]# umount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
[root@myvm ~]# cryptsetup luksClose /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

 

The first command above unmounts and the second command locks back the filesystem.

 

How to Unlock and mount LUKS encrypted Partition

 

Now you can again unlock and mount as shown below,whenever required. But will ask for the passphrase.

 

[root@myvm ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-myvolume luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
Enter LUKS passphrase for /dev/mapper/VolGroup00-myvolume:
key slot 0 unlocked.
Command successful.
[root@myvm ~]# mount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

 

 

 
Posted - Fri, Jul 13, 2018 10:30 AM. This article has been viewed 1571 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
How to sort IP addresses in Linux
Viewed 3254 times since Sun, May 20, 2018
socat: Linux / UNIX TCP Port Forwarder
Viewed 8878 times since Tue, Aug 6, 2019
RHEL: Bonding network interfaces
Viewed 3362 times since Sat, Jun 2, 2018
Modifying the inode count for an ext2/ext3/ext4 file system
Viewed 14197 times since Fri, Sep 18, 2020
RHCS6: ’fencing’ basics
Viewed 1996 times since Sun, Jun 3, 2018
RHCS6: Luci - the cluster management console
Viewed 2911 times since Sun, Jun 3, 2018
Using IOzone for Linux disk performance analysis
Viewed 7189 times since Wed, Jul 25, 2018
RHEL: Create a local RPM repository
Viewed 10842 times since Sun, May 27, 2018
ZPOOL: Grow a zpool by adding new device(s)
Viewed 5798 times since Sun, Jun 3, 2018
Install OpenVPN On CentOS / RHEL 7
Viewed 2730 times since Fri, May 15, 2020