Scribd
Upload
69 views4 pages

Lecture 55 LUKS Encryption in Linux

The document discusses setting up an encrypted filesystem using LUKS (Linux Unified Key Setup) on Red Hat Enterprise Linux. It provides step-by-step instructions for encrypting a disk with LUKS, opening it to create an encrypted filesystem, mounting the filesystem, and making it persist across reboots. It also describes how to add and remove encryption keys, close and unmount the encrypted filesystem, and fully remove the LUKS encryption from a disk.

Uploaded by

Mohammed Babar Ahmed
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
69 views4 pages

Lecture 55 LUKS Encryption in Linux

The document discusses setting up an encrypted filesystem using LUKS (Linux Unified Key Setup) on Red Hat Enterprise Linux. It provides step-by-step instructions for encrypting a disk with LUKS, opening it to create an encrypted filesystem, mounting the filesystem, and making it persist across reboots. It also describes how to add and remove encryption keys, close and unmount the encrypted filesystem, and fully remove the LUKS encryption from a disk.

Uploaded by

Mohammed Babar Ahmed
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 4

LUKS is used for encryption purpose, we can encrpyt any drive or partition with

LUKS.
---------------------

In this guide, we are about to see how to create an encrypted file system in Red
Hat Enterprise Linux, CentOS or any other RHEL based Linux variants.

We will use the Linux Unified Key Setup (LUKS) to encrypt the filesystem to prepare
our encrypted filesystem.
Once all the setups are done, make sure to backup your key and passphrase. FYI, if
we forgot the key or passphrase for LUKS1 devices
it’s possible to recover the key/Passphrase, however, it’s not possible to recover
if you are using a LUKS2 device. Because the key stored directly in the kernel.

Let’s quickly start with the setup.

Installing Cryptsetup
In a minimal installed RHEL or CentOS by default it won’t get installed, to start
with the encryption setup first we need to install the required packages.

# dnf install cryptsetup -y

# dnf list installed | grep cryptsetup

Encrypting the Disk


Hence I’m testing this before implementing in Production we are about to use a
physical disk /dev/sdb with 20 GB in size. This will differ in your setup, make
sure to choose the right disk to avoid any accidental encryption on any data disks.

# fdisk -l /dev/sdb

[root@rhel7 ~]# fdisk -l /dev/sdb


Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors Units = sectors of 1 *
512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size
(minimum/optimal): 512 bytes / 512 bytes
To start with the encryption we need to run with below luksFormat command.
# cryptsetup luksFormat /dev/sdb

[root@rhel7 ~]# cryptsetup luksFormat /dev/sdb


WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
[root@rhel7 ~]#
Enter the passphrase, make sure to remember this.

Open to create the filesystem


Once the disk encrypted using luksFormat we need to open the filesystem to use it.
In my setup myfiles is just a name, you can choose your own.

# cryptsetup luksOpen /dev/sdb myfiles


Even this not under a logical volume management it will be treated as a mapper
device.

Verify the status of the same with below command:


# cryptsetup status myfiles
# ls -lthr /dev/mapper/myfiles
[root@rhel7 ~]#
[root@rhel7 ~]# cryptsetup luksOpen /dev/sdb myfiles
Enter passphrase for /dev/sdb:
[root@rhel7 ~]#
[root@rhel7 ~]# ls -lthr /dev/mapper/myfiles
lrwxrwxrwx. 1 root root 7 Jan 1 11:56 /dev/mapper/myfiles -> ../dm-9
[root@rhel7 ~]#
Creating filesystem
After opening the encrypted disk, we are good with creating the filesystem on the
encrypted disk.

# mkfs -t ext4 /dev/mapper/myfiles


[root@rhel7 ~]# mkfs -t ext4 /dev/mapper/myfiles
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1310720 inodes, 5242368 blocks
262118 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2153775104
160 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000

Allocating group tables: done


Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

[root@rhel7 ~]#
Mounting the Filesystem
Create a mount point to mount the created file system.

# mkdir /myfiles
# mount /dev/mapper/myfiles /myfiles
# df -h /myfiles
[root@rhel7 ~]# mkdir /myfiles
[root@rhel7 ~]#
[root@rhel7 ~]# mount /dev/mapper/myfiles /myfiles
[root@rhel7 ~]#
[root@rhel7 ~]# df -h /myfiles
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/myfiles 20G 45M 19G 1% /myfiles
[root@rhel7 ~]#
Persistent mount
The above steps are non-persistent during reboot. To make the encrypted filesystem
persistent during reboot we need to follow with below three steps.

Create a file with random data to make it as key for the encrypted mount point.
Make sure to change the ownership and permission for the created key as 600.
Moreover never put this file inside the encrypted filesystem which you have
created.

# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1


# chmod 600 /tmp/crypt_file
# mv /tmp/crypt_file /etc/
[root@rhel7 ~]# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000410369 s, 10.0 MB/s
[root@rhel7 ~]# chmod 600 /tmp/crypt_file
[root@rhel7 ~]# ls -lthr /tmp/crypt_file
-rw-------. 1 root root 4.0K Jan 1 11:59 /tmp/crypt_file
[root@rhel7 ~]# mv /tmp/crypt_file /etc/
[root@rhel7 ~]#
Add the luks Key by pointing to the random data file.

# cryptsetup luksAddKey /dev/sdb /etc/crypt_file


[root@rhel7 ~]# cryptsetup luksAddKey /dev/sdb /etc/crypt_file
Enter any existing passphrase:
[root@rhel7 ~]#
Create an entry in crypttab and fstab.

# vi /etc/crypttab
myfiles /dev/sdb /etc/crypt_file

# vi /etc/fstab
/dev/mapper/myfiles /myfiles ext4 defaults 0 0
Let’s take a reboot to confirm the functionality.

# reboot
Before reboot, cross check the fstab and crypttab for any misconfigurations.

#umount /myfiles

# mount -a

Verifying Encrypted Filesystem


Filesystem successfully mounted after the reboot.

[root@rhel7 ~]# uptime


12:17:08 up 0 min, 2 users, load average: 1.10, 0.28, 0.10
[root@rhel7 ~]#
[root@rhel7 ~]# df -h /myfiles/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/myfiles 20G 45M 19G 1% /myfiles
[root@rhel7 ~]#

Create data in encrypted stroage:


# chmod 777 /myfiles

# cd /myfiles

# cal > cal.txt ; mkdir aa bb cc ; touch {1..10}.txt

Verify data is accessible for all on open filesystem.


# su - vikasnehra
# cd /myfiles

# cat cal.txt

# exit

Now close the filesystem and recheck again.

# umount /myfiles

# cryptsetup luksClose myfiles

# mount /myfiles

To change the encryption key:


# cryptsetup luksChangeKey /dev/sdb
----------------------
Close the LUKS:

1. Unmount the partition.


# umount /myfiles

2. Close the LUKS.


# cryptsetup luksClose myfiles

-----------------------
Delete the Existing LUKS Key on the device.
# cryptsetup luksRemoveKey /dev/sdb

-----------------------
Remove or Delete the LUKS:
# cryptsetup remove /dev/sdb

================
Thanks for watching the video. Please like our videos, share with your friends and
feel free to ask anything, post your queries in comments section. We will be glad
to answer your queries. Don't forget to subscribe the channel & turn on the bell
notifications.
===============

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy