LUKS Encryption
Linux Unified Key Setup (LUKS) is the standard for Linux hard disk encryption. In order to create and mount an encrypted disk on RedHat or CentOS 7 the following steps can be taken. This will detail the steps needed to create a Logical Volume, encrypt the disk and how to mount persistently.
Firstly, ensure the cryptsetup package is installed.
yum install cryptsetup
Create a partition on the available disk, this should be recognisable either from the output of lsblk or dmesg.
fdisk /dev/vdb (ensure to set to Linux LVM type – 8e)
Create a physical volume.
pvcreate /dev/vdb1
Create a volume group.
vgcreate vg_luks /dev/vdb1
Create a logical volume.
lvcreate -l 2559 -n lv_luks vg_luks
Format the logical volume with cryptsetup to configure the passphrase on the disk.
cryptsetup --verbose --verify-passphrase luksFormat /dev/vg_luks/lv_luks
Open the encrypted volume – the name (encrypted) specified here will be located within /dev/mapper, when requested enter the passphrase set in the previous command.
cryptsetup luksOpen /dev/vg_luks/lv_luks encrypted
Write a filesystem to the open disk.
mkfs.xfs /dev/mapper/encrypted
Add the filesystem to /etc/crypttab to ensure it is decrypted on boot. This will prompt for the password on startup. If the passphrase is not entered the boot process will halt waiting for user input. This could obviously prove to be an issue if there is no access to the console. However, this can be remediated by configuring a tang server on your local network. Another alternative, although less secure, way to resolve this is to use a key file which can be used to automatically decrypt the disk.
vi /etc/crypttab
encrypted /dev/vg_luks/lv_luks none
Finally add the open disk to fstab and create the mount directory to ensure it is mounted within Linux.
mkdir /opt/encrypted
vi /etc/fstab
UUID=”e3bd0c8c-1d6d-4f9f-ac24-ebf7cea4838b” /opt/encrypted xfs defaults 0 0