LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. (source: http://code.google.com/p/cryptsetup/)
To configure LUKS on CentOS you need the cryptsetup package, which is installed by default in a CentOS 7 minimal install. You can use cryptsetup to encrypt a specific disk or partition and secure all of the data stored on it. Your data is protected by one or more secure passphrases (disk encryption). You can choose either to have the partition unlocked automatically at boot (automount, which needs additional configuration and a keyfile) or to enter your passphrase manually at boot time. In either case, if an unwanted person gets hold of your disk, he will not be able to read the data on it without knowing the passphrase. I will explain how to encrypt your disk/partition and configure it to mount automatically.
If you do not want your encrypted disk/partition to mount automatically, leave out steps 4, 5 and 9 and open and mount it manually.
1. Add disk
Add an additional free disk or a free partition to your system that you want to encrypt.
2. LUKS Format disk
Format your disk/partition with cryptsetup and enter a secure passphrase (this is the passphrase you will have to enter to unlock the disk/partition, making it available to mount!).
```
[root@foo ~]# cryptsetup luksFormat /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
```
3. LUKS Open disk
Open your disk/partition with cryptsetup, supplying the device and the device-mapper mapping name (this is the name your disk/partition will get under /dev/mapper/), and enter the passphrase you set in step 2.
```
[root@foo ~]# cryptsetup luksOpen /dev/sdb CryptedPart1
Enter passphrase for /dev/sdb:
```
4. AUTOMOUNT STEP
Create a keyfile for automount. The keyfile should be located in the /root directory and have 0400 permissions, so that only the root user can read it. Anyone who can read this file can unlock the disk, so it must live on a filesystem that is itself protected; a keyfile on an unencrypted root disk gives up the protection you are setting up. You can put any content you wish in this file, even a passphrase, but I chose to fill it with random data using the dd command.
```
[root@foo ~]# dd if=/dev/urandom of=/root/keyfile1 bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00143526 s, 2.9 MB/s
[root@foo ~]# chmod 0400 /root/keyfile1
[root@foo ~]# ll /root/keyfile1
-r--------. 1 root root 4096 Jun 11 21:24 /root/keyfile1
```
5. AUTOMOUNT STEP
Add the keyfile as a new key with cryptsetup, supplying the device and the keyfile location as arguments, and enter the passphrase you set in step 2 when prompted.
```
[root@foo ~]# cryptsetup luksAddKey /dev/sdb /root/keyfile1
Enter any passphrase:
```
6. Create filesystem
Create the desired filesystem on your new device-mapper mapping.
```
[root@foo ~]# mkfs.ext4 /dev/mapper/CryptedPart1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
```
7. Create mount directory
Create the directory that will be used as the mount point for the encrypted filesystem.
```
[root@foo ~]# mkdir /encryptedfs
```
8. Add /etc/fstab entry
Add a new entry to /etc/fstab to mount your encrypted disk/partition on boot.
```
[root@foo ~]# echo "/dev/mapper/CryptedPart1 /encryptedfs ext4 defaults 1 2" >> /etc/fstab
```
9. AUTOMOUNT STEP
Add a new entry to /etc/crypttab with the information needed to unlock your encrypted disk/partition at boot: the device-mapper mapping name, the device and the keyfile location.
```
[root@foo ~]# echo "CryptedPart1 /dev/sdb /root/keyfile1 luks" >> /etc/crypttab
```
10. Mount disk
Mount your encrypted disk/partition.
```
[root@foo ~]# mount -a
```
Now your encrypted disk/partition will automount at system boot. You can now reboot your system and test it.
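Before rebooting it is worth checking that the keyfile permissions, the /etc/crypttab line and the /etc/fstab line from steps 4, 5, 8 and 9 agree with each other. The script below is an added example, not part of the original post; the function name is mine and it assumes GNU stat (the verifier is run against constructed copies of the files, not the live system).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the automount
# configuration built in steps 4, 5, 8 and 9. For every /etc/crypttab entry it
# checks that the keyfile exists with mode 0400 (only its owner can read it)
# and that /dev/mapper/<name> has a matching /etc/fstab line, so a typo in
# either file is caught before the next reboot. Uses GNU stat (Linux).

check_luks_automount_config() {
    crypttab="$1"
    fstab="$2"
    rc=0
    # crypttab fields: <mapping name> <device> <keyfile> <options>
    while read -r name dev keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$keyfile" ] || [ "$keyfile" = "none" ]; then
            echo "$name: no keyfile listed, passphrase will be asked for at boot"
            continue
        fi
        if [ ! -f "$keyfile" ]; then
            echo "$name: keyfile $keyfile does not exist"
            rc=1
            continue
        fi
        # stat -c %a prints the octal mode without a leading zero, e.g. 400
        mode=$(stat -c '%a' "$keyfile")
        if [ "$mode" != "400" ]; then
            echo "$name: keyfile $keyfile has mode $mode, expected 400"
            rc=1
        fi
        # ownership can only be meaningfully verified when running as root
        if [ "$(id -u)" -eq 0 ] && [ "$(stat -c '%u' "$keyfile")" -ne 0 ]; then
            echo "$name: keyfile $keyfile is not owned by root"
            rc=1
        fi
        # the mapping must be in fstab, otherwise mount -a will not mount it
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "$name: no fstab entry for /dev/mapper/$name"
            rc=1
        fi
    done < "$crypttab"
    return "$rc"
}

# Usage: sh check_luks_automount.sh /etc/crypttab /etc/fstab
if [ $# -ge 1 ]; then
    check_luks_automount_config "$1" "${2:-/etc/fstab}"
fi
```

The function exits non-zero and prints one line per problem, so it can also be dropped into a cron job or a configuration-management check.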
Good luck!