
LUKS Encryption on RHEL6 and RHEL7


This post answers the following questions:
How to configure LUKS encryption on a partition?
How to set up LUKS on top of a logical volume?
How to encrypt physical volumes with LUKS?
How to encrypt a file system with LUKS?

LUKS (Linux Unified Key Setup) is the standard for encrypting Linux partitions (file systems); I am not talking about the hard disk as a whole. We usually hear about "encrypting the hard disk with LUKS", but data is never written to a raw disk directly: partitions are created first, and only then can data be stored on the disk. LUKS encrypts those partitions (or logical volumes) at the block level, so the data stays protected even if the disk itself is stolen.
Below are the steps to set up LUKS:

First, identify the hard disk you want to protect.
[root@localhost ~]# fdisk -cul
In my case it is the /dev/sdb disk, which has free space available. Let's create the /dev/sdb1 partition on it.
[root@localhost ~]# fdisk -cu /dev/sdb

[root@localhost ~]# partprobe /dev/sdb -> re-read the partition table so the kernel sees the new partition.
Now let's create an LVM logical volume on the newly created partition.
[root@localhost ~]# pvcreate /dev/sdb1
[root@localhost ~]# vgcreate myvg /dev/sdb1
[root@localhost ~]# lvcreate --size 1G --name mylv myvg

Format the logical volume with cryptsetup, which means encrypting it. Check that cryptsetup is installed, and install it if it is not.
[root@localhost ~]# rpm -q cryptsetup
[root@localhost ~]# yum install cryptsetup -y
[root@localhost ~]# cryptsetup luksFormat /dev/myvg/mylv
Note: the passphrase you enter here (for me, redhat@123) is what unlocks this volume later. It is stored in a LUKS key slot and protects the volume's master key, so keep it safe.
Open (decrypt) the volume so that data can be stored in it.
[root@localhost ~]# cryptsetup luksOpen /dev/myvg/mylv newpart
Enter passphrase for /dev/myvg/mylv:
[root@localhost ~]#

[root@localhost ~]# ll /dev/mapper/newpart
lrwxrwxrwx. 1 root root 7 Jan 18 13:50 /dev/mapper/newpart -> ../dm-3
[root@localhost ~]#

Now create a file system on the mapped device using mkfs, with any file system you like (ext4, xfs, etc.):
[root@localhost ~]# mkfs.ext4 /dev/mapper/newpart
[root@localhost ~]# mkdir /mnt/new
[root@localhost ~]# mount /dev/mapper/newpart /mnt/new

Store some data in the secure partition; it is open (decrypted) at the moment, so you can write to it like any other partition.
[root@localhost ~]# cp /etc/services /mnt/new/
[root@localhost ~]# ll /mnt/new/
total 644
drwx------. 2 root root  16384 Jan 18 13:56 lost+found
-rw-r--r--. 1 root root 641020 Jan 18 13:58 services

Once you are done with your read/write operations, close (lock) the volume so that unauthorized access is blocked.
[root@localhost ~]# umount /mnt/new/
[root@localhost ~]# cryptsetup luksClose /dev/mapper/newpart
[root@localhost ~]# cryptsetup luksOpen /dev/myvg/mylv newpart -> open it again whenever you want to add more data.

This is not persistent yet: after a reboot the volume will be locked and unavailable to users for storing data.
Normally we put partition details in /etc/fstab for automatic mounting after reboot, but with LUKS you can't do that directly: at boot the encrypted volume has not been opened, so the mapped device does not exist, the mount fails, the system cannot mount all of its partitions, and it drops into maintenance mode (system DOWN).

To avoid this, tell the system that it is a special (cryptsetup) device by listing it in /etc/crypttab, which is read before the file systems are mounted.
[root@localhost ~]# vim /etc/crypttab
newpart /dev/myvg/mylv

Now your system won't go into maintenance mode, but it will prompt for the passphrase on every boot. You have to enter it by hand, but I'll say this is the best practice.
Still, if you want, you can add a key file that lets the system unlock and mount the encrypted volume automatically.

[root@localhost ~]# touch /etc/secret.key
[root@localhost ~]# dd if=/dev/urandom of=/etc/secret.key bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0247903 s, 165 kB/s
[root@localhost ~]# cryptsetup luksAddKey /dev/myvg/mylv /etc/secret.key
Enter any passphrase:
[root@localhost ~]# vim /etc/crypttab
newpart /dev/myvg/mylv  /etc/secret.key
We generated a key from random data with dd, then added it as an additional key for /dev/myvg/mylv (the original passphrase still works, since LUKS keeps each key in its own slot). Finally the key file was added to /etc/crypttab so that the system can use it at boot. Keep in mind that this key file sits on the unencrypted root file system and unlocks the volume without any passphrase, so it must be owned by root and readable by root only.

That's all; the task is complete.
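As an added example (not part of the original post), here is a small POSIX sh function that audits an /etc/crypttab in the format used above (name device [keyfile [options]]): it reports which volumes will prompt for a passphrase, and fails when a referenced key file is missing or readable by anyone other than its owner. It assumes a Linux system with GNU stat.

```shell
#!/bin/sh
# Audit /etc/crypttab entries (added example, not from the original post).
# Fields: name device [keyfile [options]]. No key file (or "none"/"-") means
# the passphrase is prompted for at boot; a key file unlocks the volume
# unattended, so it must exist and must not have group/other permission bits.
# Returns 0 if all entries are fine, 1 if any key file is missing or too
# permissive, 2 if the crypttab itself cannot be read.
audit_crypttab() {
    tab="${1:-/etc/crypttab}"
    if [ ! -r "$tab" ]; then
        echo "cannot read $tab" >&2
        return 2
    fi
    rc=0
    while read -r name device keyfile options; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$keyfile" ] || [ "$keyfile" = none ] || [ "$keyfile" = - ]; then
            echo "$name ($device): passphrase prompt at boot"
            continue
        fi
        if [ ! -f "$keyfile" ]; then
            echo "$name ($device): key file $keyfile does not exist"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$keyfile")
        owner=$(stat -c '%U' "$keyfile")
        # ownership is reported only; the permission bits decide the result
        [ "$owner" = root ] || echo "$name ($device): warning, $keyfile is owned by $owner, not root"
        case "$mode" in
            *00) echo "$name ($device): key file $keyfile mode $mode ok" ;;
            *)   echo "$name ($device): key file $keyfile mode $mode is readable by group/others; use chmod 0400"
                 rc=1 ;;
        esac
    done < "$tab"
    return "$rc"
}
```

Run it as `audit_crypttab /etc/crypttab` after sourcing the file; a non-zero exit means at least one entry needs attention.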
