Setting up an encrypted volume/partition with cryptsetup and LUKS.

Cryptsetup With LUKS Encryption

So you are one of those overly concerned individuals (some would suggest you are unbalanced) and would like to add security to your disk. That's great! We can help you do that.
Cryptsetup with LUKS format adds an encryption layer to your partition.
Note: We are assuming you are doing this on a new partition. If it is not, read the warning below first.

(!!!!WARNING!!!! This wipes the partition! If you want to encrypt an existing partition, back up its data first and copy it back afterwards!!!!) Copy *ALL* information to a safe location first! Do not do this on your root (/) filesystem. You can encrypt your drive during installation of your OS (see your OS documentation for details).

Installing Cryptsetup-luks:

We need to check whether the needed packages are installed, and install them if not.
Redhat flavors: yum info cryptsetup-luks  (or: yum list installed | grep cryptsetup-luks)
Debian/Ubuntu: dpkg -s cryptsetup-luks

Assuming it's not installed, follow this for your distribution:
Redhat flavors: yum install cryptsetup-luks
Debian/Ubuntu: apt-get install cryptsetup-luks
Once installed we shouldn't need to worry about OS differences from here on.

Check that both the dm_crypt and dm_mod kernel modules are loaded (if dm_crypt is missing, load it with modprobe dm_crypt):
lsmod | grep -e dm_crypt -e dm_mod

Enable Data Privacy With Partition Encryption:

Create a New Encrypted Volume :

We will create a volume and encrypt it. After encryption we need a way to access it, so we open (unlock) the volume, which temporarily maps it to a device under /dev/mapper. Pretty straightforward.

Optional: cryptsetup luksUUID prints the UUID stored in the LUKS header of your volume. You can use that UUID (UUID=...) instead of the device path to refer to the volume, for example in /etc/crypttab. This is safer, because a device path such as /dev/xvdb1 can change between boots while the UUID stays with the encrypted header.

1. Create a new partition with fdisk.

2. Encrypt the new volume and set the passphrase (for the passphrase use a short sentence, or two or more words with spaces in between):
cryptsetup luksFormat /dev/xvdb1 (replace /dev/xvdb1 with the device you are using)

3. Unlock the encrypted volume to create a mapped device name (i.e. /dev/mapper/example-name):
cryptsetup luksOpen /dev/xvdb1 example-name

4. Check /dev/mapper for your device name.
ls -l /dev/mapper/example-name

Create, Mount, Lock the Volume, Then Make Volume Mount Persistent on boot.

Create Filesystem and Lock Volume:

We first have to create a filesystem on the volume and mount it to a directory. Then we remove the temporary /dev/mapper device name, since we don't want to leave a backdoor, and, most importantly, we lock up the volume. Finally we set up persistent unlocking at boot with a passphrase key file.

1.  Create/Format a filesystem on this encrypted device:
mkfs.ext4 /dev/mapper/example-name

2. Create a directory as the mount point and mount the encrypted file system at a location of your choice:
mkdir /example ; mount /dev/mapper/example-name /example

3. Unmount the mapped device:
umount /dev/mapper/example-name

4. Lock the encrypted volume:
cryptsetup luksClose example-name

Create a passphrase file that contains the LUKS passphrase.

1. Create a file that contains the LUKS passphrase (Note: type the double quotes in the command; the shell strips them, and -n keeps a trailing newline out of the file, so the file holds exactly the passphrase):
echo -n "your-passphrase" > /etc/passphrase

2. Make root the owner of /etc/passphrase, and change its permissions so that only root can read and write it:
chown root /etc/passphrase ; chmod 600 /etc/passphrase 

3. Use cryptsetup to add the contents of /etc/passphrase as an additional key for the LUKS volume (you will be prompted for the existing passphrase first):
cryptsetup luksAddKey /dev/xvdb1 /etc/passphrase

4. Edit /etc/crypttab to add the device to the list of devices to be unlocked at boot:
vi /etc/crypttab (add a line with the following 3 fields)
name            device        password-file
example-name    /dev/xvdb1    /etc/passphrase

5. Create an entry in /etc/fstab so the filesystem is mounted at boot:
/dev/mapper/example-name      /example  ext4    defaults    1 2

6. (Optional) Reboot now to make the changes take effect.
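The key-file and boot-entry steps above, as an added example script (not code from the original post): it writes the passphrase file with mode 600 from the moment it exists, checks the file before it is wired into /etc/crypttab (ownership, mode, no trailing newline), and prints the crypttab and fstab lines with the device referenced by its LUKS UUID instead of the /dev/xvdb1 path. It assumes GNU stat and the example-name, /example and /etc/passphrase names used in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c).

# Write the passphrase with no trailing newline. printf replaces `echo -n`
# (not portable), and umask 077 in a subshell makes the file mode 600 from
# the moment it is created, so it is never world-readable, not even briefly.
write_keyfile() {
    keyfile=$1; passphrase=$2
    ( umask 077; printf '%s' "$passphrase" > "$keyfile" )
}

# Check the key file before adding it to /etc/crypttab: it must exist, be owned
# by the expected uid (root = 0 by default), have mode 600, be non-empty and
# end without a newline. luksAddKey reads the file byte for byte, so a stray
# newline becomes part of the key and the boot-time unlock must see the same bytes.
check_keyfile() {
    keyfile=$1; want_uid=${2:-0}
    [ -f "$keyfile" ] || { echo "missing: $keyfile" >&2; return 1; }
    set -- $(stat -c '%a %u' "$keyfile")
    [ "$1" = "600" ] || { echo "mode is $1, want 600" >&2; return 1; }
    [ "$2" = "$want_uid" ] || { echo "owner uid is $2, want $want_uid" >&2; return 1; }
    [ -s "$keyfile" ] || { echo "key file is empty" >&2; return 1; }
    # $(...) strips a trailing newline, so the last byte reads as empty if it is one.
    [ -n "$(tail -c 1 "$keyfile")" ] || { echo "trailing newline in key file" >&2; return 1; }
}

# /etc/crypttab line with the three fields used in the post: name, device, key file.
# The device is given as UUID=<luks uuid> so it does not depend on the /dev path.
crypttab_entry() {
    printf '%s UUID=%s %s\n' "$1" "$2" "$3"
}

# /etc/fstab line for the mapped device (ext4, dump 1, fsck pass 2, as in the post).
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$1" "$2"
}

# Usage on the real host (as root), after luksFormat and before luksAddKey:
#   write_keyfile /etc/passphrase 'your passphrase here'
#   chown root /etc/passphrase && check_keyfile /etc/passphrase || exit 1
#   cryptsetup luksAddKey /dev/xvdb1 /etc/passphrase
#   crypttab_entry example-name "$(cryptsetup luksUUID /dev/xvdb1)" /etc/passphrase >> /etc/crypttab
#   fstab_entry example-name /example >> /etc/fstab
```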

And that is all. I know it is a long process, but it’s secure.

jim has written 83 articles
