LUKS Encryption

LUKS Encryption

Linux Unified Key Setup (LUKS) is the standard for Linux hard disk encryption. In order to create and mount an encrypted disk on RedHat or CentOS 7 the following steps can be taken. This will detail the steps needed to create a Logical Volume, encrypt the disk and how to mount persistently.

Firstly, ensure the cryptsetup package is installed.

yum install cryptsetup

Create a partition on the available disk, this should be recognisable either from the output of lsblk or dmesg.

fdisk /dev/vdb (ensure to set to Linux LVM type – 8e)

Create a physical volume.

pvcreate /dev/vdb1

Create a volume group.

vgcreate vg_luks /dev/vdb1

Create a logical volume.

lvcreate -l 2559 -n lv_luks vg_luks

Format the logical volume with cryptsetup to configure the passphrase on the disk.

cryptsetup --verbose --verify-passphrase luksFormat /dev/vg_luks/lv_luks

Open the encrypted volume – the name (encrypted) specified here will be located within /dev/mapper, when requested enter the passphrase set in the previous command.

cryptsetup luksOpen /dev/vg_luks/lv_luks encrypted

Write a filesystem to the open disk.

mkfs.xfs /dev/mapper/encrypted

Add the filesystem to /etc/crypttab to ensure it is decrypted on boot. This will prompt for the password on startup. If the passphrase is not entered the boot process will halt waiting for user input. This could obviously prove to be an issue if there is no access to the console. However, this can be remediated by configuring a tang server on your local network. Another alternative, although less secure, way to resolve this is to use a key file which can be used to automatically decrypt the disk. 

vi /etc/crypttab
encrypted     /dev/vg_luks/lv_luks     none

Finally add the open disk to fstab and create the mount directory to ensure it is mounted within Linux.

mkdir /opt/encrypted

vi /etc/fstab
UUID=”e3bd0c8c-1d6d-4f9f-ac24-ebf7cea4838b”     /opt/encrypted     xfs     defaults     0 0