🌐 🇵🇱 Polski · 🇬🇧 EN
LUKS (Linux Unified Key Setup) is a disk encryption standard for the Linux environment. It is particularly important when a drive is removed from the system, for example, in the event of theft. During the RHEL6 installation, a screen appears where you can choose whether a partition should be encrypted. If you decide to use encryption, you will need to set a passphrase, which will be requested every time the system boots to decrypt the partition. If you decide to use encryption, make sure to remember the password! Simply applying LUKS encryption does not guarantee the security of a partition while it is mounted; this protection serves to secure the partition before it is unlocked. What can be done to protect data while the partition is active? Tools such as GnuPG will be discussed later.
CREATING AN ENCRYPTED PARTITION
Even after installing the RedHat system, you can still create encrypted partitions. By default, RHEL6 uses the 128-bit AES algorithm with 256SHA (hashing). There are also other encryption options:
- AES
- Twofish
- Serpent
- Cast5
- Cast6
This section demonstrates how to encrypt partitions if the system is already installed and running. For this exercise, let's create an additional virtual disk with a size of 4GB (on the RHEL02 machine) /dev/hdb1.
NOTE
Creating an encrypted partition deletes all data contained on it. Before you start using this type of partition, you should back up any data that is intended to be stored there.
Step 1 - We must boot the system into runlevel 1 to create the encrypted partition.
# telinit 1
Step 2 - After the system starts, ensure that the partition is not mounted.
# umount /dev/hdb1
Step 3 - Let's verify that the partition is indeed unmounted.
# mount | grep /dev/hdb1
Step 4 - Fill the partition with random data. This may take a while.
# dd if=/dev/urandom of=/dev/hdb1
Step 5 - Once filling with random data is complete, initialize the partition.
# cryptsetup - verbose -verify-passphrase luksFormat /dev/hdb1
WARNING!
========
This will overwrite data on /dev/hdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Step 6 - Open the new encrypted partition and give it a label.
# cryptsetup luksOpen /dev/hdb1 opt_data
Enter passphrase for /dev/hdb1:
Step 7 - Let's check if the encrypted partition exists.
# ls –l /dev/mapper | grep opt_data
lrwxrwxrwx. 1 root root 7 Jan 27 18:36 opt_data -> ../dm-2
Step 8 - Create a new file system.
# mkfs.ext4 /dev/mapper/opt_data
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
524288 inodes, 2095962 blocks
104798 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2147483648
64 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736,
1605632
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 25 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Step 9 - After creating the file system, it can be mounted again.
# mkdir /opt/opt_data
# mount /dev/mapper/opt_data /opt/opt_data
Step 10 - You must also add the encrypted partition to the /etc/crypttab file.
# vi /etc/crypttab
opt_data /dev/hdb1 none
Step 11 - Update /etc/fstab to commit the changes.
# vi /etc/fstab
/dev/mapper/opt_data /opt_data ext4 defaults 1 2
Step 12 - At this point, you should restore the default SELinux security context.
# /sbin/restorecon –v –R /opt_data
Step 13 - Everything is finished, restart the system.
# shutdown –r now
You have to execute quite a few commands to create and configure an encrypted partition. I hope you don't feel overwhelmed by the number of them; after creating 2 or 3 partitions, everything will go much faster. Make sure everything has been done correctly before performing a restart, because from the moment you add the entry to /etc/crypttab, you will be required to provide the password for the encrypted partition during system boot.
You can also check if a given partition is encrypted:
# cryptsetup isLuks /dev/hdb1 && echo Success
# cryptsetup luksDump /dev/hdb1
If you want to use the UUID to mount the file system in /etc/fstab, you can find the UUID for the encrypted partition this way:
# cryptsetup luksUUID /dev/hdb1
As we already know, /etc/fstab is responsible for which partitions are mounted during system startup. While working with an encrypted partition, you won't see any difference. Only after adding an entry to the /etc/crypttab file in the form:
<mount point> <partition> none
During system startup, you will be prompted for the password to decrypt the partition for system boot.
Comments