RHEL7: Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.
Install the LUKS package (if it’s not already installed):
# yum install -y cryptsetup
Load the LUKS (dm_crypt) kernel module:
# modprobe dm_crypt
Check that the module is loaded:
# lsmod | grep dm_crypt
dm_crypt               12894  0
dm_mod                 82839  9 dm_crypt,dm_mirror,dm_log
Create a logical volume (here called lv_vol with a size of 100MB in the vg volume group):
# lvcreate --size 100M --name lv_vol vg
Convert the new logical volume to the LUKS format:
# cryptsetup luksFormat /dev/vg/lv_vol

WARNING!
========
This will overwrite data on /dev/vg/lv_vol irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: MyPassphrase
Verify passphrase: MyPassphrase
Open and give a name to the LUKS logical volume (here vol):
# cryptsetup luksOpen /dev/vg/lv_vol vol
Enter passphrase for /dev/vg/lv_vol:
Create an EXT4 file system on the LUKS logical volume:
# mkfs.ext4 /dev/mapper/vol
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=33685504
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Create the /etc/crypttab file and add the following line:
vol /dev/vg/lv_vol /root/luks.key
Note: if you put 'none' instead of '/root/luks.key', you will be asked for the passphrase on the console at each boot. Since RHEL 7.5, there is another solution called Network-Bound Disk Encryption (see here and here for details).
Create the /root/luks.key file and store the passphrase in it.
Add the passphrase to the LUKS logical volume:
# cryptsetup luksAddKey /dev/vg/lv_vol /root/luks.key
Enter any passphrase:
Edit the /etc/fstab file and add the following line (be careful when editing the /etc/fstab file: a mistake can prevent the system from booting, so make sure a virtual console is available):
/dev/mapper/vol /vol ext4 defaults 1 2
Note: a best practice is to execute the mount -a command each time you change something in the /etc/fstab file, to detect any boot problem before it occurs.
Create the mount point:
# mkdir /vol
Mount the LUKS logical volume:
# mount /vol
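The steps above leave three things that have to agree with each other before a reboot: the /etc/crypttab entry, the key file it names, and the /etc/fstab line that mounts the mapped device. The script below is an added example, not part of the original article, that audits those three pieces: the key file must be a regular file, owned by root and unreadable by group and others, and every mapper name in crypttab must have an fstab line mounting /dev/mapper/<name>. It assumes GNU coreutils (stat -c) and takes the file paths and the expected owner as parameters so it can be run against constructed copies; the sample configuration it builds mirrors the article's values (mapper name vol, key file luks.key, constructed passphrase).

```bash
#!/bin/sh
# Added example, not from the original article: audit the crypttab entry,
# its key file and the matching fstab line before rebooting.
# Assumes GNU coreutils (stat -c).

# check_luks_keyfile <keyfile> [expected_owner]
# Returns 0 if the key file is a regular file, owned by expected_owner
# (default root) and readable by nobody but its owner; 1 otherwise.
check_luks_keyfile() {
    kf=$1
    want_owner=${2:-root}
    if [ ! -f "$kf" ]; then
        echo "FAIL: key file $kf is missing" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$kf")
    mode=$(stat -c '%a' "$kf")
    tail=${mode#"${mode%??}"}      # last two octal digits: group and other bits
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $kf is owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$tail" != "00" ]; then
        echo "FAIL: $kf has mode $mode; group/other must have no access" >&2
        return 1
    fi
    return 0
}

# check_crypttab <crypttab> <fstab> [expected_owner]
# Returns 0 when every crypttab entry either prompts at the console ("none")
# or names an acceptable key file, and every mapped device has an fstab line.
check_crypttab() {
    crypttab=$1
    fstab=$2
    want_owner=${3:-root}
    rc=0
    while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ -z "$key" ] || [ "$key" = "none" ]; then
            echo "INFO: $name will prompt for its passphrase at boot" >&2
        else
            check_luks_keyfile "$key" "$want_owner" || rc=1
        fi
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "FAIL: no fstab line mounts /dev/mapper/$name" >&2
            rc=1
        fi
    done < "$crypttab"
    return $rc
}

# make_sample_config <dir> <mode>
# Builds a constructed crypttab/fstab/key file set under <dir> mirroring the
# article's example (mapper name vol, key file luks.key), key file at <mode>.
make_sample_config() {
    dir=$1
    mode=$2
    printf 'MyPassphrase\n' > "$dir/luks.key"     # constructed passphrase
    chmod "$mode" "$dir/luks.key"
    printf 'vol /dev/vg/lv_vol %s\n' "$dir/luks.key" > "$dir/crypttab"
    printf '/dev/mapper/vol /vol ext4 defaults 1 2\n' > "$dir/fstab"
}

# Stand-alone demonstration on constructed files: a 0600 key passes, a 0644
# key is rejected. The owner argument is the current user because the files
# were just created by it; on a real system omit it so root is required, e.g.
#   check_crypttab /etc/crypttab /etc/fstab
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir" 600
check_crypttab "$demo_dir/crypttab" "$demo_dir/fstab" "$(id -un)" && echo "sample config OK"
chmod 644 "$demo_dir/luks.key"
check_crypttab "$demo_dir/crypttab" "$demo_dir/fstab" "$(id -un)" || echo "sample config rejected, as expected"
rm -rf "$demo_dir"
```

Run it as root after editing /etc/crypttab and /etc/fstab and before rebooting, together with the mount -a check from the note above. The permission test matters because a key file stored on an unencrypted root file system is only as protected as that file's permissions: anyone who can read /root/luks.key can unlock the volume, and anyone with offline access to the root disk can read it regardless. When the threat model includes theft of the whole disk, the 'none' setting (console prompt) or Network-Bound Disk Encryption mentioned above is the appropriate choice.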
Note: To remove a LUKS file system, go to the page dealing with LUKS usage.