Setting up an encrypted volume/partition with cryptsetup and LUKS.

Cryptsetup With LUKS Encryption

So you are one of those overly concerned individuals (thesaurus.com suggests you are unbalanced) and would like to add security to your disk. That’s great! We can help you do that.
Cryptsetup with the LUKS format attaches an encryption layer to your partition.
Note: We are assuming you are doing this on a new partition. If it is not, see the warning below.

(!!!!WARNING!!!! This wipes a partition! If you want to encrypt an existing partition, back up its data first and copy it back afterwards!!!!) Copy *ALL* data to a safe location first! Do not do this on your root (/) filesystem. You can encrypt your drive when installing your OS (see your OS documentation for details).

Installing Cryptsetup-luks:

We need to check whether the needed packages are installed and, if not, install them.
Red Hat flavors: yum list installed | grep cryptsetup-luks (or yum info cryptsetup-luks)
Debian/Ubuntu: dpkg -s cryptsetup-luks

Assuming it’s not installed, follow this for your distribution:
Red Hat flavors: yum install cryptsetup-luks
Debian/Ubuntu: apt-get install cryptsetup-luks
Once installed we shouldn’t need to worry about the OS differences from here.

Check to see that both the dm_crypt and dm_mod kernel modules are loaded:
lsmod | grep -e dm_crypt -e dm_mod

Enable Data Privacy With Partition Encryption:

Create a New Encrypted Volume :

We will create a volume and encrypt it. After the encryption we need a way to access it, so we open/unlock the volume, which temporarily maps it under /dev/mapper. Pretty straightforward.

Optional: To refer to the volume by its UUID rather than by device path, print the UUID with the command cryptsetup luksUUID (e.g. cryptsetup luksUUID /dev/xvdb1) and use that to label the volume. This is much more secure.

1. Create a new partition with fdisk.

2. Encrypt the new volume and set the passphrase (for the passphrase use a short sentence, or two or more words separated by spaces):
cryptsetup luksFormat /dev/xvdb1 (substitute whatever device you are using)

3. Unlock the encrypted volume to create a mapped device name (i.e. /dev/mapper/example-name):
cryptsetup luksOpen /dev/xvdb1 example-name

4. Check /dev/mapper for your device name:
ls -l /dev/mapper/example-name

Create, mount and lock the volume, then make the volume mount persistently on boot.

Create Filesystem and Lock Volume:

We first have to format the volume and mount it to a directory. Then we remove the temporary /dev/mapper device name, since we don’t want to leave a backdoor, and, most importantly, lock up the volume. Finally we set up persistent mounting at boot with a passphrase key file.

1. Create/format a filesystem on this encrypted device:
mkfs.ext4 /dev/mapper/example-name

2. Create a directory as the mount point and mount the encrypted filesystem in the location of your choice:
mkdir /example ; mount /dev/mapper/example-name /example

3. Unmount the mapped device:
umount /dev/mapper/example-name

4. Lock the encrypted volume:
cryptsetup luksClose example-name

Create a passphrase file that contains the LUKS passphrase.

1. Create a file that contains the LUKS passphrase (Note: keep the double quotes around the passphrase on the command line; the shell removes them, so the file holds only the passphrase itself):
echo -n "your-passphrase" > /etc/passphrase

2. Change the owner of /etc/passphrase to root, and change its permissions to root read/write only:
chown root /etc/passphrase ; chmod 600 /etc/passphrase

3. Use cryptsetup to add /etc/passphrase as a key to the LUKS volume:
cryptsetup luksAddKey /dev/xvdb1 /etc/passphrase

4. Edit /etc/crypttab to add an entry to the list of devices to be unlocked at boot:
vi /etc/crypttab (add a line with the following three fields)
name          device       password-file
example-name  /dev/xvdb1   /etc/passphrase

5. Create an entry in /etc/fstab so the volume is mounted at boot:
/dev/mapper/example-name      /example  ext4    defaults    1 2

6. (Optional: reboot to apply the changes now.)
reboot

And that is all. I know it is a long process, but it’s secure.
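As an added example, not part of the original post, the script below audits the wiring produced by the key-file steps above: the key file is owner-only (mode 600), /etc/crypttab maps the name to a device with that key file, and /etc/fstab mounts the unlocked /dev/mapper device rather than the raw partition. The paths, the mapper name and the sample configuration it writes are constructed assumptions; it uses GNU stat, as found on the Red Hat and Debian systems the post targets.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key file, crypttab and
# fstab wiring from the steps above. Paths, mapper name and sample data are constructed.

# check_luks_keyfile_setup KEYFILE CRYPTTAB FSTAB MAPPER_NAME [OWNER]
# Prints each failure and returns 0 only when every check passes.
check_luks_keyfile_setup() {
    keyfile=$1; crypttab=$2; fstab=$3; name=$4; owner=${5:-root}; rc=0
    # 1. Key file exists, belongs to OWNER and is readable by nobody else
    #    (the chmod 600 from step 2; 400 is also acceptable).
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: key file $keyfile does not exist"; rc=1
    else
        case "$(stat -c %a "$keyfile")" in
            600|400) ;;
            *) echo "FAIL: $keyfile is not mode 600 (group/world can read the passphrase)"; rc=1 ;;
        esac
        [ "$(stat -c %U "$keyfile")" = "$owner" ] ||
            { echo "FAIL: $keyfile is not owned by $owner"; rc=1; }
    fi
    # 2. crypttab needs a non-comment line "NAME <device> KEYFILE".
    dev=$(awk -v n="$name" -v k="$keyfile" \
        '$1 !~ /^#/ && $1 == n && $3 == k { print $2; exit }' "$crypttab")
    [ -n "$dev" ] || { echo "FAIL: no crypttab line '$name <device> $keyfile'"; rc=1; }
    # 3. fstab must mount /dev/mapper/NAME and never the raw partition, which
    #    would bypass the encryption layer entirely.
    awk -v m="/dev/mapper/$name" '$1 == m { f=1 } END { exit f ? 0 : 1 }' "$fstab" ||
        { echo "FAIL: no fstab entry for /dev/mapper/$name"; rc=1; }
    if [ -n "$dev" ] && awk -v d="$dev" '$1 == d { f=1 } END { exit f ? 0 : 1 }' "$fstab"; then
        echo "FAIL: fstab mounts raw device $dev instead of /dev/mapper/$name"; rc=1
    fi
    return "$rc"
}

# make_sample_config DIR: write a constructed, correct configuration into DIR.
make_sample_config() {
    printf '%s' 'correct horse battery staple' > "$1/passphrase"
    chmod 600 "$1/passphrase"
    printf '# name        device      password-file\n' > "$1/crypttab"
    printf 'example-name  /dev/xvdb1  %s\n' "$1/passphrase" >> "$1/crypttab"
    printf '/dev/mapper/example-name  /example  ext4  defaults  1 2\n' > "$1/fstab"
}

# Stand-alone demo against the constructed files (owner = the current user).
tmp=$(mktemp -d); make_sample_config "$tmp"
check_luks_keyfile_setup "$tmp/passphrase" "$tmp/crypttab" "$tmp/fstab" example-name "$(id -un)" &&
    echo "OK: key file and boot entries are consistent"
rm -rf "$tmp"
```

Run it against the real files with /etc/passphrase /etc/crypttab /etc/fstab example-name as arguments (owner defaults to root) after finishing the steps above.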

jim has written 83 articles
