Home » Categories » Linux

RHEL7: Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.

Article Number: 351 | Rating: Unrated | Last Updated: Mon, Aug 6, 2018 9:59 AM

Install the LUKS package (if it’s not already installed):

# yum install -y cryptsetup

Activate LUKS module:

# modprobe dm_crypt

Check the module is running:

# lsmod | grep dm_crypt
dm_crypt 12894 0
dm_mod 82839 9 dm_crypt,dm_mirror,dm_log

Create a logical volume (here called lv_vol with a size of 100MB in the vg volume group):

# lvcreate --size 100M --name lv_vol vg

Convert the new logical volume to the LUKS format:

# cryptsetup luksFormat /dev/vg/lv_vol
WARNING!
========
This will overwrite data on /dev/vg/lv_vol irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: MyPassphrase
Verify passphrase: MyPassphrase

Open and give a name to the LUKS logical volume (here vol):

# cryptsetup luksOpen /dev/vg/lv_vol vol
Enter passphrase for /dev/vg/lv_vol: MyPassphrase

Create an EXT4 file system on the LUKS logical volume:

# mkfs.ext4 /dev/mapper/vol
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=33685504
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

Create the /etc/crypttab file and add the following line:

vol /dev/vg/lv_vol /root/luks.key

Note: if you put ‘none‘ instead of ‘/root/luks.key‘, you will be asked for the passphrase at each boot at the console. Since RHEL 7.5, there is now another solution called Network-Bound Disk Encryption (see here and here for details).

Create the /root/luks.key file for example to store the passphrase:

MyPassphrase

Add the passphrase to the LUKS logical volume:

# cryptsetup luksAddKey /dev/vg/lv_vol /root/luks.key
Enter any passphrase: MyPassphrase

Edit the /etc/fstab file and add the following line (be careful when editing the /etc/fstab file or configure a virtual console):

/dev/mapper/vol /vol ext4 defaults 1 2

Note: A best practice is to execute the mount -a command, each time you change something in the /etc/fstab file to detect any boot problem before it occurs.

Create the mount point:

# mkdir /vol

Mount the LUKS logical volume:

# mount /vol

Note: To remove a LUKS file system, go to the page dealing with LUKS usage.
Posted - Mon, Aug 6, 2018 9:59 AM. This article has been viewed 12977 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Linux - How to monitor memory usage
Viewed 3208 times since Fri, Jun 8, 2018
An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE
Viewed 7760 times since Mon, Aug 6, 2018
Nagrywanie sesji SSH do pliku
Viewed 3071 times since Thu, May 24, 2018
How to Migrate from RHEL 8 to CentOS 8
Viewed 3224 times since Fri, May 15, 2020
Monitoring bezpieczeństwa Linux: integracja auditd + OSSEC cz. I
Viewed 2592 times since Fri, Apr 5, 2019
How to remove CTRL-M (^M) characters from a file in Linux
Viewed 2760 times since Thu, Feb 7, 2019
ZFS: Grow/Shrink an existing zfs filesystem
Viewed 6487 times since Sun, Jun 3, 2018
LVM: Rename root VG/LV
Viewed 7796 times since Sat, Jun 2, 2018
Improve security with polyinstantiation
Viewed 13478 times since Fri, May 15, 2020
rabbitmq Troubleshooting TLS-enabled Connections
Viewed 2633 times since Sun, Dec 6, 2020