Normally Linux servers are very much secured and illegal or unauthorised access is almost not possible with security policies in linux. However if linux can be installed on the laptop which makes it unsecured and worst situation occurs when you forget the laptop in public places such as trains, airports or bus where any proficient person can get access to your laptop. To bypass this situation we can encrypt disk partition with LUKS.
If you encrypt disk partition with LUKS, any data written on the disk is encrypted and decrypted quickly. So Let’s begin to encrypt disk partition with LUKS.
Step 1: First of all you need to have disk partition or logical volume for which we are performing “encrypt disk partition with LUKS” activity. You can learn more about creating logical volumes here. In our demo we have taken partition as example “/dev/sdd1” which we are going to encrypt.
Step 2: Format the newly created partition as encrypted partition. Please provide passphrase twice and remember the same.
[root@rhel1 ~]# cryptsetup luksFormat /dev/sdd1 WARNING! ======== This will overwrite data on /dev/sdd1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: [root@rhel1 ~]#
Step 3: Open the encrypted partition using below command. System will ask passphrase given in the step 2.
[read more=”Read more” less=”Read less”]
[root@rhel1 ~]# cryptsetup luksOpen /dev/sdd1 encrypted_vol Enter passphrase for /dev/sdd1: [root@rhel1 ~]#
The above operation can be confirmed by checking the device mapper “encrypted_vol” under “/dev/mapper/” directory.
[root@rhel1 ~]# ls /dev/mapper/ control encrypted_vol myvg-etc_dup myvg-lvol0 vg_rhel1-lv_root vg_rhel1-lv_swap [root@rhel1 ~]#
You can see “encrypted_vol” in the above output.
Step 4: Now create file system over the encrypted volume using below command.
[root@rhel1 ~]# mkfs.ext4 /dev/mapper/encrypted_vol
Step 5: Now mount this above device mapper on /mnt mountpoint and copy some files from other directory for demo purpose.
[root@rhel1 ~]# mount /dev/mapper/encrypted_vol /mnt [root@rhel1 ~]# df -h /mnt Filesystem Size Used Avail Use% Mounted on /dev/mapper/encrypted_vol 52M 4.9M 44M 10% /mnt [root@rhel1 ~]#
Step 6: You can unmount the volume using umount command and then close it using “luksClose” option as below:
[root@rhel1 /]# umount /mnt [root@rhel1 /]# cryptsetup luksClose encrypted_vol [root@rhel1 /]# ls /dev/mapper/ control myvg-etc_dup myvg-lvol0 vg_rhel1-lv_root vg_rhel1-lv_swap [root@rhel1 /]#
You can see that our encrypted volume disappears as we close it.
What if you want to mount this encrypted volume during boot, then perform below steps:
Step 7: Add below lines of code in the file “/etc/crypttab”
[root@rhel1 /]# cat /etc/crypttab encrypted_vol /dev/sdd1 [root@rhel1 /]#
Step 8: Make directory “/confidential_data” using below command.
[root@rhel1 /]# mkdir /confidential_data
Step 9: Add below entry in “/etc/fstab”.
/dev/mapper/encrypted_vol /confidential_data ext4 defaults 1 2
That’s it once you reboot the server system will prompt for the passphrase as below , just enter the passphrase and it will get mounted automatically.
[root@rhel1 ~]# df -h /confidential_data Filesystem Size Used Avail Use% Mounted on /dev/mapper/encrypted_vol 52M 6.0M 43M 13% /confidential_data [root@rhel1 ~]#