Linux volume encryption (LUKS, Linux Unified Key Setup) in RedHat/CentOS 6

In this post we will create an encrypted volume, which is useful on a laptop where you want to protect your data if the machine is stolen. Note that this encrypts a single data partition: the operating system, swap and anything written outside the volume stay in the clear.

There are some interesting options: the key can be requested at boot, or kept on a removable device such as a USB stick. A USB stick holding the key, which has to be present to boot, seems to me a very good choice.

Let's get to it. The steps are:

1- Make sure the dm_crypt kernel module is loaded:

[root@test ~]# lsmod | grep dm_crypt
dm_crypt 10848 2
dm_mod 63859 11 dm_crypt

If the dm_crypt line does not appear, load the module with:

[root@test ~]# modprobe dm_crypt

If that gave no errors, make the module load automatically at startup by creating the file:

/etc/sysconfig/modules/crypt.modules

With content:

#!/bin/bash
modprobe dm_crypt

Make the file executable with chmod +x (rc.sysinit only runs the scripts in /etc/sysconfig/modules/ that have the execute bit set), then restart the machine and verify that the module is loaded automatically.

2- Packages needed to work with encrypted volumes. The required tool is cryptsetup; install it with:

yum install cryptsetup-luks

3- Create a random key. We create a 256-bit (32-byte) random key with:

[root@test ~]# dd if=/dev/urandom of=/root/hd_key bs=32 count=1
1+0 records in
1+0 records out
32 bytes (32 B) copied, 0.000201264 s, 159 kB/s

The key is created in /root/hd_key. Make sure only root can read it (mode 0400): anyone who can read this file can open the volume. And since /root lives on the unencrypted system disk, the key protects nothing while it stays there; it has to end up on removable media (see step 7) or you have to rely on a passphrase instead.
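As an added example (not code from the original post), a small shell helper that creates the key file under a restrictive umask so it is never readable by anyone but root, refuses to overwrite an existing key, and verifies the size and mode afterwards. The function names and the 0400 mode are this example's choices; the path and key length are whatever you pass.

```shell
#!/bin/bash
# Added example, not from the original post: create a LUKS key file that
# only root can read, and verify the result before handing it to
# cryptsetup luksFormat. Paths and sizes are passed in by the caller.

# make_keyfile PATH [BYTES]
# Creates PATH with BYTES (default 32, i.e. 256 bits) random bytes from
# /dev/urandom and mode 0400. Refuses to overwrite an existing file so a
# key that is already in use is never clobbered.
make_keyfile() {
    local path="$1" bytes="${2:-32}"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file: $path" >&2
        return 1
    fi
    # umask 077 makes the file 0600 from its first write, so there is no
    # window in which a later chmod has not yet run and the key is readable.
    ( umask 077 && dd if=/dev/urandom of="$path" bs="$bytes" count=1 2>/dev/null ) || return 1
    chmod 0400 "$path" || return 1
    keyfile_ok "$path" "$bytes"
}

# keyfile_ok PATH BYTES
# Returns 0 when PATH is a regular file of exactly BYTES bytes whose mode
# grants nothing to group or others (last two octal digits are 00).
keyfile_ok() {
    local path="$1" bytes="$2" size mode
    [ -f "$path" ] || return 1
    size=$(wc -c < "$path")
    [ "$size" -eq "$bytes" ] || return 1
    mode=$(stat -c %a "$path")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage (run as root): make_keyfile /root/hd_key 32
# then: cryptsetup luksFormat /dev/sdb2 --key-file /root/hd_key
```

keyfile_ok is the check worth repeating whenever the key is copied somewhere else (a USB stick, a backup): a copy made with cp by a user with a permissive umask silently becomes world-readable.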

4- Format the partition (here /dev/sdb2) for LUKS using the key generated in the previous step. Everything currently on the partition is destroyed:

[root@test ~]# cryptsetup luksFormat /dev/sdb2 --key-file /root/hd_key
WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.
Are you sure? (Type uppercase yes): YES

Without the --key-file parameter, cryptsetup asks for a passphrase interactively; this is useful if you want the key to be something easy to remember that is requested at startup. A LUKS header has several key slots, so a key file and a passphrase can coexist: cryptsetup luksAddKey adds a passphrase as a second slot, which is what saves the data if the USB stick holding the key file is lost. A backup of the LUKS header (cryptsetup luksHeaderBackup) is equally worth keeping, because a damaged header makes the volume unrecoverable no matter which key you hold.

5- Map the encrypted volume. Opened volumes appear as mappings under /dev/mapper; the mapping is created with:

[root@test ~]# ls /dev/mapper/
control vg_test-lv_root vg_test-lv_swap vol_encriptado
[root@test ~]# cryptsetup luksOpen /dev/sdb2 vol_enc_key --key-file /root/hd_key
[root@test ~]# ls /dev/mapper/
control vg_test-lv_root vg_test-lv_swap vol_enc_key vol_encriptado

Now the volume is mapped to /dev/mapper/vol_enc_key

6- Now /dev/mapper/vol_enc_key can be used like any normal block device: create a filesystem on it and mount it:

[root@test ~]# mkfs.ext4 /dev/mapper/vol_enc_key
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
13552 inodes, 54176 blocks
2708 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=55574528
7 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@test ~]# mkdir /vol_enc
[root@test ~]# mount /dev/mapper/vol_enc_key /vol_enc/

You can verify that /vol_enc is accessible. What remains is to make all of this happen automatically.

7- Mapping and mounting automatically at boot. First, declare the mapping by adding a line to /etc/crypttab:

vol_enc_key /dev/sdb2  /root/hd_key

This file is read during boot by the init scripts (/etc/rc.d/rc.sysinit on CentOS 6), not by the dm_crypt module itself; each line creates the mapping /dev/mapper/vol_enc_key from /dev/sdb2 using the key file /root/hd_key.

If the key is kept on an external USB stick, copy the key there, find the device the stick is assigned, and replace the key path with its path on the stick. The stick obviously has to be plugged in and mounted before the mapping is attempted, and to avoid surprises reference it by UUID when mounting, since /dev/sdX names can change between boots.

If no key file is given (key field left empty or set to none), the passphrase is requested at startup. This is attractive because it does not depend on any other device, and it avoids keeping the key on the same hard disk, which is fairly pointless considering what we are trying to protect against.

Mounting is then like any other disk, in /etc/fstab:

/dev/mapper/vol_enc_key       /vol_enc        ext4    defaults        1       2
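A mistake in either file shows up only at the next reboot, when the machine stops at a filesystem check or an unexpected passphrase prompt. As an added example (not code from the original post), here is a shell checker that reads /etc/crypttab and /etc/fstab and reports the two common mistakes: a /dev/mapper name mounted from fstab that crypttab never declares, and a crypttab key file that is missing or readable by other users. It assumes the CentOS 6 crypttab layout "name device [keyfile] [options]"; the sample files in the test are constructed data, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check crypttab and
# fstab before rebooting. Only reads the two files, so it can be run on
# copies. Assumed crypttab format (CentOS 6 rc.sysinit):
#   name device [keyfile] [options]
# where a keyfile of "none" (or no keyfile) means "ask for a passphrase".

# crypttab_names FILE
# Prints the mapping names declared in FILE, skipping blanks and comments.
crypttab_names() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# check_crypttab_keys FILE
# For each entry whose key field names a file, require that the file
# exists and that its mode grants nothing to group or others (0?00).
# Prints one problem per line; returns 1 if any were found.
check_crypttab_keys() {
    local rc=0 name dev key rest mode
    while read -r name dev key rest; do
        case "$name" in ''|\#*) continue ;; esac
        case "$key" in ''|none|-) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name: key file $key does not exist"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$key")
        case "$mode" in
            *00) ;;
            *) echo "$name: key file $key is mode $mode, expected 400"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# check_fstab_mappings FSTAB CRYPTTAB [NAME...]
# Every /dev/mapper/NAME mounted from FSTAB must be declared in CRYPTTAB.
# LVM volumes also live under /dev/mapper (e.g. vg_test-lv_root); pass
# their names as extra arguments to skip them. Returns 1 if an undeclared
# mapping is found.
check_fstab_mappings() {
    local fstab="$1" crypttab="$2" rc=0 dev rest name known
    shift 2
    known=$(crypttab_names "$crypttab"; printf '%s\n' "$@")
    while read -r dev rest; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        if ! printf '%s\n' "$known" | grep -qxF -- "$name"; then
            echo "$dev is mounted from fstab but $name is not in crypttab"
            rc=1
        fi
    done < "$fstab"
    return "$rc"
}

# Usage on a live system (LVM names listed so they are not flagged):
#   check_crypttab_keys /etc/crypttab
#   check_fstab_mappings /etc/fstab /etc/crypttab vg_test-lv_root vg_test-lv_swap
```

The key-file check is the one to rerun after moving the key to a USB stick: the path in crypttab changes, and a key copied with cp under a permissive umask ends up world-readable on the stick.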

In short, to work with encryption we need to:

-Choose the partition to encrypt (note that everything on it is lost).

-Format the partition with LUKS, with a random key file or a passphrase entered interactively: cryptsetup luksFormat

-Map the encrypted partition, interactively with cryptsetup luksOpen or automatically by editing /etc/crypttab

-Create a filesystem on the mapped volume: mkfs.ext4

-Mount it, interactively with mount or automatically by editing /etc/fstab

I hope you find it useful …
