
Disk Encryption on CentOS Linux – LUKS Cryptsetup

LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption. By providing a standard on-disk format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. (source: http://code.google.com/p/cryptsetup/)

To configure LUKS on CentOS you need the cryptsetup package, which is installed by default in a CentOS 6.X minimal install. You can use cryptsetup to encrypt a specific disk or partition and secure all of the data stored on it. Your data is protected by one or more secure passphrases – that is disk encryption. You can choose to have your partition decrypted automatically on boot (automount – needs additional configuration and a keyfile) or you can enter your passphrase manually at system boot time. Either way, if an unwanted person gets hold of your disk he will not be able to read the data from it without knowing the secure passphrase. We will explain how to encrypt your disk/partition and configure automatic mounting of it.

Disk Encryption

Let’s start our Disk Encryption on CentOS setup guide!

If you do not want to automount your encrypted disk/partition leave out steps 4, 5, 9 and manually open and mount your disk/partition.

1. Add disk

Add an additional free disk or a free partition to your system that you want to encrypt.

2. LUKS Format disk

Format your disk/partition with cryptsetup and enter a secure passphrase (this is the passphrase you will have to enter to unlock the disk/partition, making it available to mount!)

[root@foo ~]# cryptsetup luksFormat /dev/sdb
WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

3. LUKS Open disk

Open your disk/partition with cryptsetup, supplying the device and the device-mapper mapping name (this is the /dev/mapper/ name you want your disk/partition to have), and enter the passphrase you set in step 2.

[root@foo ~]# cryptsetup luksOpen /dev/sdb CryptedPart1
Enter passphrase for /dev/sdb:

4. AUTOMOUNT STEP

Create a keyfile for automount. The keyfile should be located in the /root directory and have 0400 permissions – only the root user can read this file. You can put any content you wish in this file, even a passphrase, but I chose to fill it with random data using the dd command.

[root@foo ~]# dd if=/dev/urandom of=/root/keyfile1 bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00143526 s, 2.9 MB/s
[root@foo ~]# chmod 0400 /root/keyfile1
[root@foo ~]# ll /root/keyfile1
-r--------. 1 root root 4096 Jun 11 21:24 /root/keyfile1

5. AUTOMOUNT STEP

Add a new key (the keyfile) to the LUKS header with cryptsetup, supplying the device and the keyfile location as arguments, and enter the passphrase you set in step 2.

[root@foo ~]# cryptsetup luksAddKey /dev/sdb /root/keyfile1
Enter any passphrase:

6. Make filesystem

Create the desired filesystem on your new device-mapper mapping.

[root@foo ~]# mkfs.ext4 /dev/mapper/CryptedPart1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

7. Create mount directory

Create the new directory used for encrypted filesystem mount point.

[root@foo ~]# mkdir /encryptedfs

8. Add /etc/fstab entry

Add a new entry to /etc/fstab to mount your encrypted disk/partition on boot.

[root@foo ~]# echo "/dev/mapper/CryptedPart1 /encryptedfs ext4 defaults 1 2" >> /etc/fstab

9. AUTOMOUNT STEP

Add a new entry to /etc/crypttab with the information needed to decrypt your encrypted disk/partition at boot: the device-mapper mapping name, the device and the keyfile location.

[root@foo ~]# echo "CryptedPart1 /dev/sdb /root/keyfile1 luks" >> /etc/crypttab

10. Mount disk

Mount your encrypted disk/partition.

[root@foo ~]# mount -a
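The following is an added example, not code from the original post and not the author's script mentioned at the end. It is a set of POSIX sh helpers that generate the /etc/fstab and /etc/crypttab lines used in steps 8 and 9 and then audit the finished setup: that every /dev/mapper/ entry in fstab has a matching crypttab mapping (a mismatch leaves the mapping missing and "mount -a" failing at boot), that the keyfile from step 4 really is mode 0400, and that "cryptsetup luksDump" shows the expected two enabled key slots after step 5. It assumes a Linux host with GNU coreutils (stat -c) and the "Key Slot N: ENABLED" output format of cryptsetup 1.x on CentOS 6; the luksDump text embedded below is constructed sample data, and the demo works on throwaway files rather than the real /etc files.

```shell
#!/bin/sh
# Added example (not code from the original post or its author's script):
# helpers that produce the fstab/crypttab lines from steps 8 and 9 and audit
# the result. Assumes GNU stat (-c) and cryptsetup 1.x luksDump output that
# lists "Key Slot N: ENABLED/DISABLED" lines, as on CentOS 6.

# fstab line for a device-mapper name, mount point and filesystem type (step 8).
luks_fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# crypttab line: mapping name, backing device, keyfile path, "luks" option (step 9).
luks_crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# The keyfile must be readable by root only (mode 0400, as set in step 4).
# Returns 0 when the mode is exactly 400, 1 otherwise.
luks_keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ]
}

# Every /dev/mapper/NAME that fstab wants to mount needs a crypttab entry whose
# first field is NAME, otherwise the mapping never appears at boot.
# Prints each missing name; returns 1 if any is missing, 0 if all are present.
luks_audit_tabs() {
    fstab=$1
    crypttab=$2
    rc=0
    for name in $(awk '$1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$fstab"); do
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts /dev/mapper/$name but crypttab has no entry for it"
            rc=1
        fi
    done
    return $rc
}

# Count enabled key slots in "cryptsetup luksDump DEVICE" output read on stdin.
# After step 5 you expect 2: the passphrase from step 2 plus the keyfile.
luks_enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Constructed luksDump excerpt (sample data, not captured from a real device).
SAMPLE_LUKSDUMP='LUKS header information for /dev/sdb
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Stand-alone demo on throwaway files; on a real system the inputs are
# /etc/fstab, /etc/crypttab, the keyfile and "cryptsetup luksDump /dev/sdb".
luks_demo() {
    d=$(mktemp -d) || return 1
    luks_fstab_line CryptedPart1 /encryptedfs ext4 > "$d/fstab"
    luks_crypttab_line CryptedPart1 /dev/sdb "$d/keyfile1" > "$d/crypttab"
    : > "$d/keyfile1"
    chmod 0400 "$d/keyfile1"
    luks_audit_tabs "$d/fstab" "$d/crypttab" && echo "fstab/crypttab consistent"
    luks_keyfile_mode_ok "$d/keyfile1" && echo "keyfile mode OK"
    echo "enabled key slots: $(printf '%s\n' "$SAMPLE_LUKSDUMP" | luks_enabled_slots)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    luks_demo
fi
```

Run it as "sh luks-audit.sh demo" to see the checks on throwaway files; to audit a live box, feed the real files and "cryptsetup luksDump /dev/sdb | luks_enabled_slots". One point worth keeping in mind when reading the key-slot count: the keyfile lives in /root on the unencrypted root filesystem, so the automount setup protects the data on /dev/sdb only against someone who obtains that disk alone, not someone who takes the whole machine.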

Voila! Your encrypted disk/partition will automount at system boot. You just need to reboot your system to test it out! Stay on the safe side! 🙂

As always, I have also written a bash script to save you the time and automatically configure Disk Encryption on CentOS 6.X!