
How To encrypt disk partition with LUKS in 9 easy steps

Linux servers are normally well secured, and security policies in Linux make illegal or unauthorised access almost impossible. A laptop running Linux is less protected, though, and the worst case is forgetting the laptop in a public place such as a train, airport or bus, where any proficient person can get access to it. To guard against this situation we can encrypt the disk partition with LUKS.

If you encrypt a disk partition with LUKS, any data written to the disk is encrypted and decrypted quickly. So let’s begin to encrypt a disk partition with LUKS.

Step 1: First of all, you need a disk partition or logical volume to encrypt with LUKS. You can learn more about creating logical volumes here. In our demo we use the partition “/dev/sdd1” as the example to encrypt.

Step 2: Format the newly created partition as an encrypted partition. Enter the passphrase twice and remember it.

[root@rhel1 ~]# cryptsetup luksFormat /dev/sdd1

WARNING!
========
This will overwrite data on /dev/sdd1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@rhel1 ~]#

Step 3: Open the encrypted partition using the command below. The system will ask for the passphrase given in step 2.

[root@rhel1 ~]# cryptsetup luksOpen /dev/sdd1 encrypted_vol
Enter passphrase for /dev/sdd1:
[root@rhel1 ~]#

The above operation can be confirmed by checking for the device mapper “encrypted_vol” under the “/dev/mapper/” directory.

[root@rhel1 ~]# ls /dev/mapper/
control encrypted_vol myvg-etc_dup myvg-lvol0 vg_rhel1-lv_root vg_rhel1-lv_swap
[root@rhel1 ~]#

You can see “encrypted_vol” in the above output.

Step 4: Now create a file system on the encrypted volume using the command below.

[root@rhel1 ~]# mkfs.ext4 /dev/mapper/encrypted_vol

Step 5: Now mount the device mapper above on the /mnt mount point and copy some files from another directory for demo purposes.

[root@rhel1 ~]# mount /dev/mapper/encrypted_vol /mnt
[root@rhel1 ~]# df -h /mnt
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/encrypted_vol
52M 4.9M 44M 10% /mnt
[root@rhel1 ~]#

Step 6: You can unmount the volume using the umount command and then close it using the “luksClose” option as below:

[root@rhel1 /]# umount /mnt
[root@rhel1 /]# cryptsetup luksClose encrypted_vol
[root@rhel1 /]# ls /dev/mapper/
control myvg-etc_dup myvg-lvol0 vg_rhel1-lv_root vg_rhel1-lv_swap
[root@rhel1 /]#

You can see that our encrypted volume disappears as we close it.

If you want this encrypted volume to be mounted during boot, perform the steps below:

Step 7: Add the line below to the file “/etc/crypttab”.

[root@rhel1 /]# cat /etc/crypttab
encrypted_vol /dev/sdd1
[root@rhel1 /]#

Step 8: Make the directory “/confidential_data” using the command below.

[root@rhel1 /]# mkdir /confidential_data

Step 9: Add the entry below to “/etc/fstab”.

/dev/mapper/encrypted_vol /confidential_data ext4 defaults 1 2

That’s it. Once you reboot the server, the system will prompt for the passphrase; just enter it and the volume will be mounted automatically, as below.

[root@rhel1 ~]# df -h /confidential_data
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/encrypted_vol
52M 6.0M 43M 13% /confidential_data
[root@rhel1 ~]#
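
Steps 7 to 9 only work together if every name in “/etc/crypttab” has a matching “/dev/mapper/<name>” line in “/etc/fstab”. The script below is an added example, not part of the original post, that cross-checks the two files before a reboot; the function names, the status words and the second volume (backup_vol on /dev/sde1) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check /etc/crypttab (step 7)
# against /etc/fstab (step 9) before rebooting.
# Prints "<name> <source> <mountpoint> <status>" for each crypttab entry and
# returns non-zero if any entry is incomplete.
check_luks_boot() {
    crypttab=$1; fstab=$2; rc=0
    # Read crypttab on fd 3; also accept a last line without a trailing newline.
    while read -r name src _rest <&3 || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # skip blank lines and comments
        # Mount point of the fstab line whose device is /dev/mapper/<name>.
        mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2; exit }' "$fstab")
        if [ -z "$src" ]; then
            status=NO_SOURCE_DEVICE      # crypttab line lacks the partition
        elif [ -z "$mnt" ]; then
            status=NO_FSTAB_ENTRY        # unlocked at boot but never mounted
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s %s\n' "$name" "${src:--}" "${mnt:--}" "$status"
    done 3<"$crypttab"
    return "$rc"
}

# Constructed sample files: the post's entries plus a hypothetical second
# volume (backup_vol on /dev/sde1) that was added to crypttab only.
luks_demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' \
        'encrypted_vol /dev/sdd1' \
        'backup_vol /dev/sde1 none' > "$tmp/crypttab"
    printf '%s\n' '/dev/mapper/vg_rhel1-lv_root / ext4 defaults 1 1' \
        '/dev/mapper/encrypted_vol /confidential_data ext4 defaults 1 2' \
        > "$tmp/fstab"
    check_luks_boot "$tmp/crypttab" "$tmp/fstab"; st=$?
    rm -rf "$tmp"
    return "$st"
}

luks_demo || echo "fix the entries flagged above before rebooting"
```

On a real system, run it as check_luks_boot /etc/crypttab /etc/fstab; LVM mappers such as vg_rhel1-lv_root are ignored because only names listed in crypttab are checked.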
