
Disk Encryption on CentOS Linux – LUKS Cryptsetup

LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. (source: http://code.google.com/p/cryptsetup/)

To configure LUKS on CentOS you need the cryptsetup package, which is installed by default in a CentOS 6.X minimal install. You can use cryptsetup to encrypt a specific disk or partition and secure all of the data stored on it. Your data is protected by one or more secure passphrases (disk encryption). You can choose to decrypt your partition automatically on boot (automount, which needs additional configuration and a keyfile) or you can enter your passphrase manually at system boot time. In either case, if an unwanted person gets hold of your disk he will not be able to read the data on it without knowing the secure passphrase. We will explain how to encrypt your disk/partition and configure automatic mounting of it.

Disk Encryption

Let’s start our Disk Encryption on CentOS setup guide!

If you do not want to automount your encrypted disk/partition leave out steps 4, 5, 9 and manually open and mount your disk/partition.

1. Add disk

Add an additional free disk or a free partition that you want to encrypt to your system.

2. LUKS Format disk

Format your disk/partition with cryptsetup and enter a secure passphrase (this is the passphrase you will have to enter to unlock the disk/partition, making it available to mount!)

[root@foo ~]# cryptsetup luksFormat /dev/sdb
WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

3. LUKS Open disk

Open your disk/partition with cryptsetup, giving the device and the device-mapper mapping name (this is the /dev/mapper/ name you want your disk/partition to have), and enter the passphrase you chose when formatting the disk in step 2.

[root@foo ~]# cryptsetup luksOpen /dev/sdb CryptedPart1
Enter passphrase for /dev/sdb:

4. AUTOMOUNT STEP

Create a keyfile for automount. The keyfile should be located in the /root directory and have 0400 permissions, so that only the root user can read it. You can put any content you wish in this file, even a passphrase, but I chose to fill it with random data using the dd command.

[root@foo ~]# dd if=/dev/urandom of=/root/keyfile1 bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00143526 s, 2.9 MB/s
[root@foo ~]# chmod 0400 /root/keyfile1
[root@foo ~]# ll /root/keyfile1
-r--------. 1 root root 4096 Jun 11 21:24 /root/keyfile1

5. AUTOMOUNT STEP

Add the keyfile as a new key with cryptsetup, supplying the device and the keyfile location as arguments, and enter the passphrase you chose when formatting the disk in step 2.

[root@foo ~]# cryptsetup luksAddKey /dev/sdb /root/keyfile1
Enter any passphrase:

6. Make filesystem

Create the desired filesystem on your new device-mapper mapping.

[root@foo ~]# mkfs.ext4 /dev/mapper/CryptedPart1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

7. Create mount directory

Create the new directory used for encrypted filesystem mount point.

[root@foo ~]# mkdir /encryptedfs

8. Add /etc/fstab entry

Add a new entry to /etc/fstab to mount your encrypted disk/partition on boot.

[root@foo ~]# echo "/dev/mapper/CryptedPart1 /encryptedfs ext4 defaults 1 2" >> /etc/fstab

9. AUTOMOUNT STEP

Add a new entry to /etc/crypttab with the information needed to unlock your encrypted disk/partition at boot: the device-mapper mapping name, the device and the keyfile location.

[root@foo ~]# echo "CryptedPart1 /dev/sdb /root/keyfile1 luks" >> /etc/crypttab

10. Mount disk

Mount your encrypted disk/partition.

[root@foo ~]# mount -a

Voila! Your encrypted disk/partition will automount at system boot. You just need to reboot your system to test it out! Stay on the safe side! 🙂
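Before rebooting, it is worth verifying the pieces that a boot hang would otherwise reveal the hard way. The script below is an added example, not part of this post or the bash script mentioned next; the function names make_keyfile, check_keyfile and check_crypt_config are chosen here. It covers step 4 (the keyfile is created under umask 077, so it is never world-readable, not even between the dd and the chmod) and steps 8 and 9 (every /dev/mapper name in /etc/fstab must have a matching, resolvable /etc/crypttab entry; a missing one is what leaves the boot waiting for a passphrase, as the comments below describe). Paths are passed as arguments so the checks can be run against copies of the files first. Keep in mind what the keyfile design assumes: the keyfile lives on the root filesystem, so the encrypted disk is only as protected as the system holding that keyfile.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-reboot checks for the
# automount setup. make_keyfile/check_keyfile cover step 4 (the keyfile),
# check_crypt_config covers steps 8 and 9 (/etc/fstab and /etc/crypttab).
# File paths are arguments, so the checks can run against copies.

# Create the keyfile with a tight umask. The post's "dd ... ; chmod 0400"
# sequence creates the file under the default umask (usually 0644) and only
# then restricts it; umask 077 in a subshell makes it 0600 from the start.
make_keyfile() {
    keyfile=$1
    kbytes=${2:-4}          # 4 KiB by default, as in the post's dd command
    if [ -e "$keyfile" ]; then
        # An existing keyfile may already be enrolled in a LUKS header;
        # overwriting it would silently lose that key.
        echo "make_keyfile: $keyfile exists, not overwriting" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=1024 count="$kbytes" 2>/dev/null ) || return 1
    chmod 0400 "$keyfile"
}

# The keyfile must be a regular, non-empty file with mode exactly r--------.
# Only the first ten characters of the ls(1) mode string are compared, so the
# trailing '.' that SELinux shows on CentOS is ignored.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] && [ -s "$keyfile" ] || {
        echo "check_keyfile: $keyfile missing or empty" >&2; return 1; }
    mode=$(ls -ld "$keyfile" | cut -c1-10)
    [ "$mode" = "-r--------" ] || {
        echo "check_keyfile: $keyfile has mode $mode, want -r--------" >&2; return 1; }
}

# Cross-check crypttab against fstab. Returns the number of problems found,
# so 0 means the two files are consistent.
check_crypt_config() {
    crypttab=$1
    fstab=$2
    errors=0
    # Pass 1: each crypttab entry is "NAME DEVICE KEYFILE OPTIONS"; the
    # device and keyfile must exist and the options must include "luks".
    # (On the real system "cryptsetup isLuks DEVICE" is the definitive test
    # that DEVICE carries a LUKS header; it is not run here.)
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$device" ] || [ -z "$keyfile" ]; then
            echo "crypttab: entry '$name' lacks device or keyfile" >&2
            errors=$((errors + 1)); continue
        fi
        [ -e "$device" ] || { echo "crypttab: device $device not found" >&2; errors=$((errors + 1)); }
        [ "$keyfile" = none ] || [ -f "$keyfile" ] || {
            echo "crypttab: keyfile $keyfile not found" >&2; errors=$((errors + 1)); }
        case ",$options," in *,luks,*) ;; *)
            echo "crypttab: entry '$name' lacks the luks option" >&2; errors=$((errors + 1)) ;;
        esac
    done < "$crypttab"
    # Pass 2: every /dev/mapper/NAME mounted from fstab needs a crypttab
    # entry named NAME, otherwise there is nothing for "mount -a" to mount
    # and the boot stops waiting for a passphrase.
    while read -r dev mnt rest; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        mapname=${dev#/dev/mapper/}
        awk -v n="$mapname" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$crypttab" || {
            echo "fstab: $dev ($mnt) has no crypttab entry" >&2; errors=$((errors + 1)); }
    done < "$fstab"
    return "$errors"
}

# On the real system, as root, after steps 4, 8 and 9:
#   make_keyfile /root/keyfile1 && check_keyfile /root/keyfile1
#   check_crypt_config /etc/crypttab /etc/fstab && echo "ok to reboot"
```

The order in which ben suggests testing (crypttab first, reboot, confirm /dev/mapper/CryptedPart1 exists, then add the fstab line) still applies; check_crypt_config only catches the mistakes that are visible in the files themselves, not a device that fails to unlock at boot.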

As always, I have also written a bash script to save you the time and automatically configure Disk Encryption on CentOS 6.X!

  • aprogrammer

    Cool post but I was using Russian encryption instructions http://sysadmin.te.ua/tag/luks

    • Mitch

      Hello aprogrammer! Good to know there are also Russian encryption instructions out there!

      Thanks and Regards,
      Mitch

  • Mitch – thanks for the simple instructions. However I notice on reboot that my system gets stuck on password. If I remove the /etc/fstab entry then everything works fine and the crypted volume is available (just not mounted). Is there any other extra step that needs to be done?

    • Mitch

      Hi Dharshan!
      If your system is stuck on boot and removing the /etc/fstab entry for the encrypted filesystem helps, then you have a problem unlocking the encrypted filesystem. Please check the /etc/crypttab file again for errors. Are you pointing to the right filesystem key file? Is the password correct? And all of the other information in it: CryptedPart1 /dev/sdb /root/keyfile1 luks.

      Regards,
      Mitch

    • Adding rd_NO_LUKS to the /etc/grub.conf did the trick. Now automount is working.

      • Mitch

        Hi again Dharshan and thanks for the info. Could you please tell me which Linux distribution you are using and which version?

        Regards,
        Mitch

  • ben

    Brings up a good idea to test incrementally to make sure all the parts are working before changing anything that might cause a reboot to not be successful (since a lot of us only do remote management). In this case, after doing the /etc/crypttab entry, I would not put an entry in /etc/fstab. Do a reboot. Make sure /dev/mapper/CryptedPart1 exists. If it does, then put the /etc/fstab entry in. Guessing that without your kernel boot change upon reboot you wouldn’t have seen the device opened.
    Great article – good clear instructions 🙂 Just adding a step in there (I learned it the hard way too, fortunately on a VM I was testing before I did it on the real thing!)

  • ben

    btw, a lot of the encryption things coming down the pipe that I see have to do with passing FIPS (Federal Information Processing Standard) encryption standards.
    http://en.wikipedia.org/wiki/FIPS_140-2
    FIPS is not enabled by default on Linux. Here are instructions (Centos/Redhat)
    http://geekswing.com/geek/how-to-encrypt-a-filesystem-on-redhat-6-4centos-6-4-linux-fips-or-no-fips/

  • Jose

    Hi, what is the security risk with automount that if somebody stole my server, the information can be accessed?

    Regards,
    Jose

    • Mitch

      Hi Jose. The information cannot be accessed if you used automount and somebody stole your laptop or server – except if he knows the password to decrypt the partition. Regards, Mitch

  • Sergio Schmid

    Hi Mitch, how can I test this? If I created another user, a basic user, I can view the files on the disk.
    I need to test this encrypted disk.
    Sorry about my bad English.