Use LUKS in Red Hat Enterprise Linux for Full Disk Encryption

Linux Unified Key Setup-on-disk-format (LUKS) allows you to encrypt partitions on your Red Hat Enterprise Linux 6 (server), which is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key that is used for the bulk encryption of the partition.

What LUKS does:

  • Encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
    • The underlying contents of the encrypted block device are arbitrary, making it useful for encrypting swap devices. Encryption can also be useful with certain databases that use specially formatted block devices for data storage.
  • Uses the existing device mapper kernel subsystem.
  • Provides passphrase strengthening, which protects against dictionary attacks.
  • Allows users to add backup keys or passphrases because LUKS devices contain multiple key slots.

What LUKS does not do:

  • Allow applications requiring many (more than eight) users to have distinct access keys to the same device.
  • Work with applications requiring file-level encryption.

The steps to set up a new LUKS encrypted volume with SoftLayer Endurance Block Storage are below. The steps assume the server already has access to a new, unencrypted block storage volume that has not been formatted or mounted. See the guide on accessing SoftLayer Block Storage with Linux for how to attach the volume.

Note that performing data encryption creates a load on the host that could potentially impact performance.

  1. Type the following at a shell prompt as root to install the required package:
# yum install cryptsetup-luks
  2. Get the disk ID:
# fdisk -l | grep /dev/mapper
  3. Locate your volume in the listing.
  4. Encrypt the block device; this command initializes the volume and allows you to set a passphrase:
# cryptsetup -y -v luksFormat /dev/mapper/3600a0980383034685624466470446564

Respond with YES (all uppercase letters).

The device will now appear as an encrypted volume:

# blkid | grep LUKS
/dev/mapper/3600a0980383034685624466470446564: UUID="46301dd4-035a-4649-9d56-ec970ceebe01" TYPE="crypto_LUKS"
  5. Open the volume and create a mapping:
# cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
  6. Enter the passphrase set in step 4.
  7. Verify the mapping and view the status of the encrypted volume:
# cryptsetup -v status cryptData
  /dev/mapper/cryptData is active.
    type:  LUKS1
    cipher:  aes-cbc-essiv:sha256
    keysize: 256 bits
    device:  /dev/mapper/3600a0980383034685624466470446564
    offset:  4096 sectors
    size:    41938944 sectors
    mode:    read/write
    Command successful
  8. Write random data to the encrypted device /dev/mapper/cryptData. Because the data passes through the encryption layer, the underlying volume is filled with what looks like random data, so the outside world cannot tell which blocks are in use; this protects against disclosure of usage patterns. Be aware that this step can take a while.
# shred -v -n1 /dev/mapper/cryptData
  9. Format the volume:
# mkfs.ext4 /dev/mapper/cryptData
  10. Mount the volume:
# mkdir /cryptData
# mount /dev/mapper/cryptData /cryptData
# df -H /cryptData
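The helpers below are an added example and are not part of the original SoftLayer/Red Hat procedure. They turn the three places where the steps above ask you to read command output into checks a script can act on: whether the target device is really blank before luksFormat (blkid reports TYPE="crypto_LUKS" or a filesystem type when a signature exists), whether the cryptData mapping reported by `cryptsetup status` is active and LUKS-backed, and how many key slots `cryptsetup luksDump` shows as ENABLED, which is how you confirm that a backup passphrase from the "multiple key slots" feature actually exists. The device path and mapping name are the page's own; the function names and the LUKS_DEVICE variable are hypothetical and exist only for this example.

```shell
#!/bin/sh
# Added example, not part of the original SoftLayer/Red Hat procedure.
# Small POSIX sh helpers that check the state of a LUKS volume at the
# points where the steps above ask you to look at command output. The
# device path and mapping name (cryptData) are the ones used on this page;
# the function names and LUKS_DEVICE are hypothetical, written for this example.

# Step 4 guard: given the TYPE value printed by
#   blkid -o value -s TYPE "$dev"
# (empty when blkid finds no signature), decide whether luksFormat would
# overwrite an existing filesystem or LUKS header. Returns 0 only for a
# device with no recognised signature.
safe_to_format() {
  case "$1" in
    "") return 0 ;;   # no signature: a fresh, never-formatted volume
    *)  return 1 ;;   # ext4, xfs, crypto_LUKS, swap, ...: refuse
  esac
}

# Step 7 check: read `cryptsetup status <name>` output on stdin and print
# "active" if the mapping is active and backed by a LUKS header, otherwise
# "inactive".
mapping_state() {
  awk '
    /is active/               { up = 1 }
    /^[[:space:]]*type:/      { hdr = $2 }
    END { if (up && hdr ~ /^LUKS/) print "active"; else print "inactive" }
  '
}

# Key-slot inventory: read `cryptsetup luksDump <dev>` output on stdin and
# print the number of ENABLED slots. LUKS1 has slots 0-7; a volume with a
# single enabled slot has no backup passphrase, so losing it loses the data.
enabled_key_slots() {
  grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Live usage, only when LUKS_DEVICE is set, e.g.
#   LUKS_DEVICE=/dev/mapper/3600a0980383034685624466470446564 sh luks_checks.sh
if [ -n "${LUKS_DEVICE:-}" ]; then
  if safe_to_format "$(blkid -o value -s TYPE "$LUKS_DEVICE")"; then
    echo "$LUKS_DEVICE carries no signature; luksFormat would not destroy data"
  else
    echo "$LUKS_DEVICE already has a signature; refusing to treat it as blank" >&2
  fi
  echo "cryptData mapping: $(cryptsetup status cryptData 2>/dev/null | mapping_state)"
  echo "enabled key slots: $(cryptsetup luksDump "$LUKS_DEVICE" | enabled_key_slots)"
fi
```

Run the live section as root after step 7 to confirm the mapping, and again after `cryptsetup luksAddKey` if you add a backup passphrase; a count of 1 means the volume still depends on a single passphrase. The functions take their input on stdin or as an argument, so they can also be exercised against saved command output without touching a device.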

How to unmount and close the encrypted volume securely

# umount /cryptData
# cryptsetup luksClose cryptData

How to reopen and mount an existing LUKS encrypted partition

# cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
Enter the passphrase previously provided.
# mount /dev/mapper/cryptData /cryptData
# df -H /cryptData
# lsblk
NAME                                       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
xvdb                                       202:16   0    2G  0 disk
└─xvdb1                                    202:17   0    2G  0 part  [SWAP]
xvda                                       202:0    0   25G  0 disk
├─xvda1                                    202:1    0  256M  0 part  /boot
└─xvda2                                    202:2    0 24.8G  0 part  /
sda                                          8:0    0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0) 253:0    0   20G  0 mpath
  └─cryptData (dm-1)                       253:1    0   20G  0 crypt /cryptData
sdb                                          8:16   0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0) 253:0    0   20G  0 mpath
  └─cryptData (dm-1)                       253:1    0   20G  0 crypt /cryptData