encrypting a linux partition using luks

Upload: rajeshshukla8220

Post on 03-Jun-2018


8/12/2019 Encrypting a Linux Partition Using LUKS (1/6)

Red Hat started to implement encryption of the entire file system from Red Hat Enterprise Linux 6 onwards. Encrypting the entire file system is a much better way to secure the data on the disk, and it is an added advantage for people who use mobile devices for their day-to-day work. The main advantage is that even if the entire disk is lost, your data cannot be easily accessed, as it is encrypted and requires a passphrase key to access the data inside.

Red Hat implements this through LUKS.

What is LUKS?

LUKS stands for Linux Unified Key Setup. LUKS makes it possible to encrypt a whole partition in Linux for security purposes. LUKS was initially created by Clemens Fruhwirth. The main added advantage of using LUKS for encryption over other encryption technologies is that it is platform independent. In short, you can call LUKS a standard for implementing encryption of file systems in Linux.

What does LUKS do?

Block devices can be encrypted using LUKS. LUKS does not care about the data inside the block device, which is why you can encrypt any kind of partition (even swap) using LUKS. In order to access the contents of a file system encrypted using LUKS, the user is required to provide a passphrase for the key, which in turn is used to unlock the file system.

LUKS uses the dm-crypt module, which accesses the Linux kernel's device mapper.

In order to create an encrypted partition or access the encrypted partition, users run the cryptsetup utility.


What are the limitations of LUKS?

Encryption down to the level of individual files cannot be done using LUKS.
There is a limit on the number of users that can have different passwords in order to access the same block device.

How to encrypt a partition using LUKS?

Red Hat Enterprise Linux provides you with an interface to encrypt the partitions at installation time, which is quite easy. In this tutorial we will see how to create a new partition and encrypt it using LUKS.

I will be using CentOS 5.8 for this example tutorial. You can easily do the same in Red Hat Enterprise Linux and also in CentOS (and many other distributions).

For this tutorial I will be creating a Logical Volume of 5 GB and will encrypt that volume with the help of LUKS.

[root@myvm ~]# lvcreate -L 5G -n myvolume VolGroup00
Logical volume "myvolume" created

So the device which I just created is /dev/mapper/VolGroup00-myvolume. We will be encrypting this volume.

I have created a logical volume just for this example; you can use any newly created partition you want, like /dev/sda1, /dev/sda3 etc.

The next step is to format the device with the cryptsetup utility and make the device LUKS encrypted.

[root@myvm /]# cryptsetup luksFormat /dev/mapper/VolGroup00-myvolume

WARNING!
========
This will overwrite data on /dev/mapper/VolGroup00-myvolume irrevocably.


Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

You can replace "/dev/mapper/VolGroup00-myvolume" with whichever partition you are going to encrypt with LUKS.

The above cryptsetup command asks for a confirmation, because it will destroy any data you have on the partition. Then you are prompted for a passphrase.

Now let's see some detailed information about the encryption on our device /dev/mapper/VolGroup00-myvolume.

[root@myvm ~]# cryptsetup luksDump /dev/mapper/VolGroup00-myvolume
LUKS header information for /dev/mapper/VolGroup00-myvolume

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      4f 4a 2e 9e 7e 04 44 e5 29 3e 6d d7 9e 56 17 2f 9f 5c bf 42
MK salt:        a1 e5 ba 61 ce e9 48 7b 60 7e f2 e3 c5 61 53 22
                f6 0b b2 8f ff 02 5f 56 62 0b 3d 3a 0f 7c c3 04
MK iterations:  10
UUID:           a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

Key Slot 0: ENABLED
        Iterations:             311917
        Salt:                   d4 3e f3 37 5d 89 62 be d5 ab ee 27 de 17 b7 f8
                                cf 88 47 bf ab eb 2e 62 69 86 77 72 bc 26 a8 ed
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED


Key Slot 6: DISABLED
Key Slot 7: DISABLED

You can clearly see from the above output that we are using AES encryption in cbc-essiv:sha256 mode, with a 128-bit master key and only key slot 0 enabled.
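As an added example that is not part of the tutorial, here is a small Python audit that parses luksDump output like the one above and flags the header settings a defender would want to revisit (LUKS1 format, sha1 key slot hash, 128-bit master key, CBC mode, a single key slot); the sample header is constructed from the dump shown above, and the thresholds and finding texts are my own choices, not cryptsetup's.

```python
import re

# Constructed sample: the LUKS1 header dumped above, minus digest/salt/iteration lines.
SAMPLE_DUMP = """\
Version:        1
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        128
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

FIELD_RE = re.compile(r"^(Version|Cipher name|Cipher mode|Hash spec|MK bits|UUID):\s*(\S+)")
SLOT_RE = re.compile(r"^Key Slot (\d+):\s*(ENABLED|DISABLED)")

def parse_luks_dump(text):
    """Parse `cryptsetup luksDump` output (LUKS1 layout) into a dict.
    Numeric fields become ints; "slots" maps slot number -> enabled."""
    header = {"slots": {}}
    for line in text.splitlines():
        f, s = FIELD_RE.match(line), SLOT_RE.match(line)
        if f:
            value = f.group(2)
            header[f.group(1)] = int(value) if value.isdigit() else value
        elif s:
            header["slots"][int(s.group(1))] = s.group(2) == "ENABLED"
    return header

def audit_luks_header(header, min_mk_bits=256):
    """Return the settings a defender would flag (thresholds are my choice,
    not the tutorial's); an empty list means nothing was flagged."""
    findings = []
    if header.get("Version") == 1:
        findings.append("LUKS1 header: PBKDF2 only, no backup header copy")
    if header.get("Hash spec") == "sha1":
        findings.append("key slot hash is sha1")
    if header.get("MK bits", 0) < min_mk_bits:
        findings.append("master key is only %d bits" % header.get("MK bits", 0))
    if str(header.get("Cipher mode", "")).startswith("cbc"):
        findings.append("cbc mode in use; prefer xts-plain64")
    if sum(header["slots"].values()) == 1:
        findings.append("only one key slot enabled: no recovery passphrase")
    return findings
```

Run it against real output by piping `cryptsetup luksDump <device>` into parse_luks_dump; on the tutorial's header every check above fires.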

Now let's see how we are going to access this newly encrypted device, or in other words, how the kernel's device mapper will recognize this encrypted partition of ours.

You can get the UUID of the newly encrypted device as shown below.

[root@myvm ~]# cryptsetup luksUUID /dev/mapper/VolGroup00-myvolume
a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

Now we will assign a device mapping name to this device as shown below.

[root@myvm ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-myvolume luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
Enter LUKS passphrase for /dev/mapper/VolGroup00-myvolume:
key slot 0 unlocked.
Command successful.

Now you will have a device named "luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3" in /dev/mapper. The above luksOpen command also decrypts the filesystem so that it can be accessed.

[root@myvm mapper]# cd /dev/mapper/ ; ls
control                                    VolGroup00-LogVol01
luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3  VolGroup00-myvolume
VolGroup00-LogVol00

Please do remember that the device is open and accessible as of now because we ran the "cryptsetup luksOpen" command when giving it a device mapping name.

Now let's format our device in the same way we format our normal partitions.

[root@myvm mapper]# mke2fs -j /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
655360 inodes, 1310591 blocks
65529 blocks (5.00%) reserved for the super user
First data block=0


Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Now let's mount this device, as normal.

[root@myvm ~]# mount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3 /mypartition/

Now let's check and confirm whether our LUKS formatted and encrypted device is mounted properly with the df -h command.

[root@myvm ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       31G  2.7G   27G  10% /
/dev/sda1              99M   13M   82M  13% /boot
tmpfs                 252M     0  252M   0% /dev/shm
/dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
                      5.0G  139M  4.6G   3% /mypartition

We can clearly see from the last line of the above output that our newly mapped encrypted device is mounted under /mypartition.

How to umount and lock back the LUKS encrypted partition

First let's umount the partition as normal, and then lock back the filesystem through cryptsetup.


[root@myvm ~]# umount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
[root@myvm ~]# cryptsetup luksClose /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

The first command above unmounts the filesystem and the second command locks it back.

How to unlock and mount a LUKS encrypted partition

Now you can unlock and mount it again whenever required, as shown below. It will ask for the passphrase.

[root@myvm ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-myvolume luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3
Enter LUKS passphrase for /dev/mapper/VolGroup00-myvolume:
key slot 0 unlocked.
Command successful.
[root@myvm ~]# mount /dev/mapper/luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3

Note: luks-a8ac8a06-baf8-4dbc-9c2b-52d3080e9fe3 is just a convention that we follow for identifying the device by its UUID. You can use any name instead of that, but you will need to give that name whenever you mount.