Encrypting a Disk Using LUKS in RHEL7/CentOS7/Fedora22

Linux Unified Key Setup (LUKS)

LUKS is a standard format for device encryption. It protects the data inside a partition, especially against data breaches. It encrypts the partition or volume, which can then be decrypted only by providing the correct passphrase.

In this tutorial we will see how to encrypt and decrypt a disk partition and how to remove the encryption.

Before starting, I will discuss the important commands used in LUKS encryption.

Important Commands used in LUKS Encryption:

cryptsetup luksFormat: formats the partition with LUKS encryption and assigns the passphrase.
cryptsetup luksOpen: decrypts (unlocks) the partition and assigns a name to the mapped device.
cryptsetup luksClose: locks the partition again after use.
cryptsetup luksAddKey: adds a key (for example, a key file) to the LUKS configuration so that the partition can be decrypted automatically.

Encrypt and Decrypt the Partition

There are a few steps to perform.

1.) Ensure the dm_crypt module is loaded.

Use the #lsmod | grep dm_crypt command to check whether the module is loaded.

[root@server1 ~]# lsmod | grep dm_crypt
[root@server1 ~]# modprobe dm_crypt
[root@server1 ~]# lsmod | grep dm_crypt
dm_crypt               27403  0 
dm_mod                113292  14 dm_log,dm_mirror,dm_crypt
[root@server1 ~]#

Note: If nothing is listed, load the module with the command #modprobe dm_crypt.

2.) Install the package.

Use the yum command to install the cryptsetup package.

#yum install cryptsetup

[root@server1 ~]# yum  install cryptsetup
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package cryptsetup.x86_64 0:1.6.7-1.el7 will be installed
--> Finished Dependency Resolution

Transaction Summary
Install  1 Package

Total download size: 119 k
Installed size: 260 k
Is this ok [y/d/N]: y

3.) Create a partition using ‘fdisk’ or ‘parted’.

Create the partition using fdisk. In our case the partition (/dev/sde7) is 1GB in size.

Device Boot      Start         End      Blocks   Id  System
/dev/sde1            2048    16777215     8387584    5  Extended
/dev/sde5            4096     4198399     2097152   8e  Linux LVM
/dev/sde6         4200448     8394751     2097152   8e  Linux LVM
/dev/sde7         8396800    10493951     1048576   83  Linux

Note: Refer to the article on how to create a partition using fdisk (Managing Partitions and File Systems Using fdisk).

4.) Format the partition with LUKS and assign the passphrase.

#cryptsetup luksFormat <Partition Name>

It will prompt for confirmation; type “YES” (uppercase) to continue, and it will then prompt for the passphrase. Enter the passphrase; it will be used later to decrypt the partition.

[root@server1 ~]# cryptsetup luksFormat /dev/sde7

This will overwrite data on /dev/sde7 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[root@server1 ~]#

Note: The passphrase used here is longer than 8 characters.

5.) Decrypt (open) the partition.

Use the following command to decrypt the partition for further use.

#cryptsetup luksOpen <Partition Disk> <Name given to partition>

It is mandatory to give a name to the partition (in our case we use the name “itcare”); you can assign any name. After executing the above command it will ask for the passphrase; enter the passphrase to decrypt it (it should be the same one assigned in step 4).

[root@server1 ~]# cryptsetup luksOpen /dev/sde7 itcare
Enter passphrase for /dev/sde7: 
[root@server1 ~]#

Note: The decrypted disk is represented as “/dev/mapper/itcare”.

6.) Create a filesystem.

#mkfs.xfs <Mapped Device> (the /dev/mapper name assigned in step 5)

[root@server1 ~]# mkfs.xfs /dev/mapper/itcare 
meta-data=/dev/mapper/itcare     isize=256    agcount=4, agsize=65408 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=261632, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@server1 ~]#

7.) Create a mount point and mount the device.

Use the mkdir command to create the mount point.

[root@server1 ~]# mkdir /luksdir
[root@server1 ~]#

Mount the device: #mount <Mapped Device> <Mount Point>

[root@server1 ~]# mount /dev/mapper/itcare /luksdir/
[root@server1 ~]# df -h /luksdir/
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/itcare 1019M   33M  987M   4% /luksdir
[root@server1 ~]#

Add an entry in the ‘/etc/fstab’ file for permanent mounting.

#vim /etc/fstab

/dev/mapper/itcare      /luksdir/       xfs     defaults        0  0


8.) Automatically mount at boot time.

Create a file and store the passphrase in it.

#vim LUKSpasswd


Change the permissions of the LUKSpasswd file so that only root can read it, and add the mapping name, the device and the path of the file to /etc/crypttab.

[root@server1 ~]# chmod 600 LUKSpasswd 
[root@server1 ~]# ll LUKSpasswd 
-rw-------. 1 root root 10 Sep 28 04:52 LUKSpasswd
[root@server1 ~]# echo "itcare /dev/sde7  /root/LUKSpasswd" > /etc/crypttab 
[root@server1 ~]# cat /etc/crypttab 
itcare /dev/sde7  /root/LUKSpasswd
[root@server1 ~]#

Add the key file to the LUKS configuration.

#cryptsetup luksAddKey <Partition Disk> <Location of LUKSpasswd file>, then enter the existing passphrase of the partition.

[root@server1 ~]# cryptsetup luksAddKey /dev/sde7 /root/LUKSpasswd 
Enter any passphrase: 
[root@server1 ~]#

After making the above changes, restart the system and check whether it halts to ask you for the passphrase or boots straight through. It will not ask for any passphrase.
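The boot-time unlock in steps 7 and 8 depends on three things agreeing: the /etc/crypttab entry, the /dev/mapper entry in /etc/fstab, and a key file that root alone can read and that is reachable before the encrypted volume is mounted (a key file stored on the volume it unlocks can never be read at boot). The script below is an added example, not part of the original tutorial: it checks those three conditions on constructed crypttab, fstab and key-file samples in a temporary directory, using the mapping name itcare and device /dev/sde7 from the tutorial; the file paths and the sample passphrase are made up for the demonstration, and it does not need root, cryptsetup or a real LUKS device.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: offline sanity checks for
# the boot-time unlock wiring from steps 7 and 8 (fstab entry, /etc/crypttab
# entry, key file). Everything runs against constructed files in a temporary
# directory, so no root, no cryptsetup and no real LUKS device are needed.
set -u

# check_keyfile PATH: 0 if PATH is a regular file with mode 0600, else 1.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing key file: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "key file $f has mode $mode, expected 600"; return 1; }
    return 0
}

# check_mapping CRYPTTAB FSTAB: for every crypttab line, require a matching
# /dev/mapper/<name> entry in FSTAB, a key file that passes check_keyfile, and
# a key file that does not live on the very volume it is meant to unlock.
check_mapping() {
    crypttab="$1"; fstab="$2"; rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac   # skip blanks and comments
        mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2 }' "$fstab")
        mnt=${mnt%/}                                # tolerate a trailing slash
        if [ -z "$mnt" ]; then
            echo "$name: no fstab entry for /dev/mapper/$name"; rc=1
        fi
        if [ -z "$key" ] || [ "$key" = "none" ]; then
            echo "$name: no key file, boot will stop and prompt for the passphrase"
            continue
        fi
        check_keyfile "$key" || rc=1
        if [ -n "$mnt" ]; then
            case "$key" in
                "$mnt"/*) echo "$name: key file $key is inside $mnt, unreadable at boot"; rc=1 ;;
            esac
        fi
    done < "$crypttab"
    return "$rc"
}

# run_demo MODE PLACEMENT: build a constructed crypttab, fstab and key file and
# run the checks. MODE is the key file mode (600 passes); PLACEMENT is "root"
# (key file beside the config, as in the tutorial) or "volume" (key file under
# the mount point of the volume it unlocks, which must fail).
run_demo() {
    mode="$1"; placement="$2"
    tmp=$(mktemp -d)
    mnt="$tmp/luksdir"
    mkdir -p "$mnt"
    if [ "$placement" = "volume" ]; then key="$mnt/LUKSpasswd"; else key="$tmp/LUKSpasswd"; fi
    printf 'constructed-sample-passphrase\n' > "$key"    # constructed, not a real secret
    chmod "$mode" "$key"
    # same shape as the tutorial's entries, with constructed paths
    printf '# <name> <device> <keyfile> <options>\nitcare /dev/sde7 %s\n' "$key" > "$tmp/crypttab"
    printf '/dev/mapper/itcare %s/ xfs defaults 0 0\n' "$mnt" > "$tmp/fstab"
    check_mapping "$tmp/crypttab" "$tmp/fstab"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

run_demo 600 root && echo "sample configuration passes all checks"
```

To run the same checks on a live system, call check_mapping /etc/crypttab /etc/fstab as root; the key-file mode check is what step 8's chmod 600 is for, since the file holds the passphrase in plain text and anyone who can read it can unlock the volume.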

Removing the Encryption

1.) Unmount the partition and close the LUKS mapping.

#umount <Mount Point> and #cryptsetup luksClose /dev/mapper/itcare

[root@server1 ~]# umount /luksdir/
[root@server1 ~]# cryptsetup luksClose /dev/mapper/itcare

2.) Format the partition normally.

# mkfs.xfs -f /dev/sde7

[root@server1 ~]# mkfs.xfs -f /dev/sde7

The encryption will be removed.

Note: All data in the partition will be lost, so make sure you have a backup of it before formatting.
