Disk Encryption on CentOS using LUKS Cryptsetup

luks-linux-disk-encryptionLUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. (source: http://code.google.com/p/cryptsetup/)

To configure LUKS on CentOS you need cryptsetup package which is installed by default in CentOS 7 minimal install. You can use cryptsetup to encrypt specific disk or partition and secure all of the data stored on it. Your data is protected by one or more secure passphrases – disk encryption. You can choose to decrypt your partition manually on boot (automount – needs additional configuration and a keyfile) or you can manually enter your passphrase when at your system boot time. In this case, if an unwanted person get a hold of your disk he will not be able to read/get data from it without knowing the secure passphrase. I will explain how to encrypt and configure automatic mount of your encrypted disk/partition.

If you do not want to automount your encrypted disk/partition leave out steps 4, 5, 9 and manually open and mount your disk/partition.

1. Add disk

Add an additional free disk or a free partition to your system that you want to encrypt.

2. LUKS Format disk

Format your disk/partition with cryptsetup and enter secure passphrase (this is the passphrase you will have to enter to unlock the disk/partition therefore making it available to mount!)

3. LUKS Open disk

Open your disk/partition with cryptsetup and enter the device and device-mapper mapping name (this is the /dev/mapper/ name you want your disk/partition to have) and enter the passphrase you used in step 1.

4. AUTOMOUNT STEP

Create keyfile for automount. Keyfile should be located in /root directory and have 0400 permissions – only root user can read this file. You can add any content you wish to this file, even passhprase but i chose to fill it with random data – dd command.

5. AUTOMOUNT STEP

Add a new key file/passphrase with cryptsetup supplying device and keyfile location arguments and enter the passphrase you used in step 1.

6. Create filesystem

Create the desired filesystem on your new device-mapper mapping.

7. Create mount directory

Create the new directory used for encrypted filesystem mount point.

8. Add /etc/fstab entry

Add new entry to /etc/fstab to mount your encrypted disk/partition on boot.

9. AUTOMOUNT STEP

Add new entry to /etc/crypttab – information to successfully decrypt your encrypted disk/partition supplying device-mapper mapping name, device and keyfile location.

10. Mount disk

Mount your encrypted disk/partition.

Now your encrypted disk/partition will automount at system boot. You can now reboot your system and test it.
Good luck!