Linux Unified Key Setup-on-disk-format (LUKS) allows you to encrypt partitions on your Red Hat Enterprise Linux 6 (server), which is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key that is used for the bulk encryption of the partition.
What LUKS does:
- Encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
- The underlying contents of the encrypted block device are arbitrary, making it useful for encrypting swap devices. The encrypting can also be useful with certain databases that use specially formatted block devices for data storage.
- Uses the existing device mapper kernel subsystem.
- Provides passphrase strengthening (the passphrase is run through an iterated key derivation function before it unlocks a key slot), which slows down dictionary attacks.
- Allows users to add backup keys or passphrases because LUKS devices contain multiple key slots.
What LUKS does not do:
- Allow applications that require many (more than eight) users to have distinct access keys to the same device; a LUKS volume has eight key slots.
- Work with applications requiring file-level encryption; LUKS encrypts the whole block device, not individual files.
The steps to set up a new LUKS encrypted volume with SoftLayer Endurance Block Storage are below. The steps assume the server already has access to a new, unencrypted block storage volume that has not been formatted or mounted. Instructions for attaching SoftLayer Block Storage to a Linux host are in a separate article.
Note that performing data encryption creates a load on the host that could potentially impact performance.
- Type the following at a shell prompt as root to install the required package:
# yum install cryptsetup-luks
- Get the disk ID:
# fdisk -l | grep /dev/mapper
- Locate your volume in the listing.
- Encrypt the block device; this command initializes the volume and allows you to set a passphrase:
# cryptsetup -y -v luksFormat /dev/mapper/3600a0980383034685624466470446564
Respond with YES (all uppercase letters), then enter and confirm the passphrase. Note that luksFormat overwrites the LUKS header area of the device and makes any existing data on it unreadable, so double-check the device path first.
The device will now appear as an encrypted volume:
# blkid | grep LUKS
/dev/mapper/3600a0980383034685624466470446564: UUID="46301dd4-035a-4649-9d56-ec970ceebe01" TYPE="crypto_LUKS"
- Open the volume and create a mapping:
# cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
- Enter the passphrase set in the luksFormat step.
- Verify the mapping and view status of the encrypted volume:
# cryptsetup -v status cryptData
/dev/mapper/cryptData is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/3600a0980383034685624466470446564
  offset:  4096 sectors
  size:    41938944 sectors
  mode:    read/write
Command successful.
- Write random data to the encrypted device /dev/mapper/cryptData. Because the writes pass through the mapping, the underlying volume ends up filled with ciphertext, so an observer of the raw device cannot tell used blocks from unused ones (no disclosure of usage patterns). Be aware that this step overwrites the whole volume and can take a while.
# shred -v -n1 /dev/mapper/cryptData
- Format the volume:
# mkfs.ext4 /dev/mapper/cryptData
- Mount the volume:
# mkdir /cryptData
# mount /dev/mapper/cryptData /cryptData
# df -H /cryptData
How to unmount and close the encrypted volume securely
# umount /cryptData
# cryptsetup luksClose cryptData
How to reopen and mount an existing LUKS encrypted volume
# cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
Enter the passphrase set in the luksFormat step.
# mount /dev/mapper/cryptData /cryptData
# df -H /cryptData
# lsblk
NAME                                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
xvdb                                        202:16   0    2G  0 disk
└─xvdb1                                     202:17   0    2G  0 part  [SWAP]
xvda                                        202:0    0   25G  0 disk
├─xvda1                                     202:1    0  256M  0 part  /boot
└─xvda2                                     202:2    0 24.8G  0 part  /
sda                                           8:0    0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0)  253:0    0   20G  0 mpath
  └─cryptData (dm-1)                        253:1    0   20G  0 crypt /cryptData
sdb                                           8:16   0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0)  253:0    0   20G  0 mpath
  └─cryptData (dm-1)                        253:1    0   20G  0 crypt /cryptData
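The whole procedure above, from luksFormat through mount and the unmount/close sequence, as a single script. This is an added example written for this page, not a script from the original article or from SoftLayer. It adds the checks a practitioner would want around the destructive steps: it reads blkid output and refuses to run luksFormat on a device that already carries a filesystem or LUKS signature, confirms the header with cryptsetup isLuks afterwards, and reports the cipher from cryptsetup status. It also shows two things the article's bullet list mentions but the steps do not: using a second key slot for a backup passphrase (luksAddKey) and keeping a copy of the LUKS header (luksHeaderBackup); those are recommended practice added here, not steps from the article. The function names, the script name, and the backup file path are assumptions; the device path is the one used in the article and must be run as root with the cryptsetup-luks package installed.

```shell
#!/bin/sh
# Added example (not from the original article): the LUKS setup procedure
# wrapped in functions with pre- and post-checks around the destructive steps.
# Assumes root, cryptsetup-luks, and a multipath device path as in the article.
# Function names and the backup file path are hypothetical.
set -eu

# Return 0 if a blkid output line describes a LUKS container, 1 otherwise.
# Input shape (one blkid line): /dev/mapper/...: UUID="..." TYPE="crypto_LUKS"
blkid_is_luks() {
    case "$1" in
        *'TYPE="crypto_LUKS"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a blkid output line reports any signature at all (filesystem,
# LUKS, LVM, swap). An empty line means blkid found nothing on the device.
blkid_has_signature() {
    case "$1" in
        *'TYPE="'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the cipher field from `cryptsetup status` output read on stdin.
status_cipher() {
    awk '$1 == "cipher:" { print $2; exit }'
}

# Full setup. Refuses to luksFormat a device that already carries a signature,
# because luksFormat makes whatever is on the device unreadable.
luks_setup() {
    local dev="$1" name="$2" mnt="$3" line
    line=$(blkid "$dev" || true)        # blkid exits non-zero when it finds nothing
    if blkid_has_signature "$line"; then
        echo "refusing to luksFormat $dev, existing signature: $line" >&2
        return 1
    fi
    cryptsetup -y -v luksFormat "$dev"  # prompts for YES and the passphrase
    cryptsetup isLuks "$dev"            # post-condition: LUKS header is in place
    cryptsetup luksOpen "$dev" "$name"  # prompts for the passphrase
    echo "cipher in use: $(cryptsetup status "$name" | status_cipher)"
    shred -v -n1 "/dev/mapper/$name"    # fill the volume with ciphertext
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Add a backup passphrase in a second key slot and keep a copy of the header
# offline: a damaged LUKS header makes the data unrecoverable even with the
# right passphrase. The backup file holds the wrapped master key, so it must be
# protected like the passphrase itself. (Recommended practice added here.)
luks_protect_header() {
    local dev="$1" backup="$2"
    cryptsetup luksAddKey "$dev"        # prompts for an existing, then a new passphrase
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    chmod 0600 "$backup"
}

# Unmount and close the mapping (the shutdown sequence from the article).
luks_teardown() {
    local name="$1" mnt="$2"
    umount "$mnt"
    cryptsetup luksClose "$name"
}

# Usage, as root (hypothetical script name):
#   ./luks-setup.sh /dev/mapper/3600a0980383034685624466470446564 cryptData /cryptData
#   then, optionally: luks_protect_header <device> /root/cryptData-header.img
if [ "$#" -eq 3 ]; then
    luks_setup "$1" "$2" "$3"
fi
```

The signature check is deliberately broad: it refuses on any TYPE, not just crypto_LUKS, because a volume that already carries ext4 or LVM metadata is just as likely to be the wrong device. After the header backup, store the file somewhere other than the encrypted volume it belongs to.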