I’m currently preparing for the Red Hat Certified Specialist in Security: Linux exam (EX415). One of the exam objectives is about storage encryption using LUKS.
Here are my notes from learning about LUKS. They are not meant to be a guide that you should copy, paste and run on a production system.
Suppose I have a new disk (/dev/vdb) attached to my server and I’d like to use it as an encrypted storage using LUKS. Here is how I’d do it.
Create a new partition
[root@servera ~]# ls -l /dev/vdb
brw-rw----. 1 root disk 252, 16 Aug 29 22:41 /dev/vdb
There are many tools which can be used to create a disk partition: fdisk, parted, cfdisk, etc. My favorite is cfdisk or cgdisk, but I will be using fdisk in this note:
[root@servera ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-4194303, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-4194303, default 4194303):
Using default value 4194303
Partition 1 of type Linux and of size 2 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Format the device as LUKS encrypted device
# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/vdb1:
Verify passphrase:
Make sure to type “YES” (upper case yes), and provide a strong passphrase, at minimum longer than 8 characters: the passphrase is the only thing protecting the volume key stored in the LUKS header, so a weak one undoes the encryption.
Create a mapping to allow access to the encrypted device
A LUKS device has its own UUID stored in its header (distinct from the UUID of the filesystem created inside it later); this is the value /etc/crypttab references to open the device persistently at boot. To find a LUKS device’s UUID, run the following command:
# cryptsetup luksUUID /dev/vdb1
b6eedfee-0926-4044-9e03-c77f627bed3b
Let’s choose encvol as the mapping name:
# cryptsetup luksOpen /dev/vdb1 encvol
Enter passphrase for /dev/vdb1:
To see some information about the mapped device, type the following command (note the CRYPT-LUKS1 prefix in the UUID: this version of cryptsetup created a LUKS1 header):
# dmsetup info encvol
Name: encvol
State: ACTIVE
Read Ahead: 8192
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 2
Number of targets: 1
UUID: CRYPT-LUKS1-b6eedfee092640449e03c77f627bed3b-encvol
Create filesystem on the mapped device
Let’s format this encrypted device with the xfs filesystem:
# mkfs.xfs /dev/mapper/encvol
Once formatted, this device can be mounted to a directory. Here is an example:
# mkdir /mnt/envol
# mount /dev/mapper/encvol /mnt/envol
Close the encrypted device
# umount /dev/mapper/encvol
# cryptsetup luksClose encvol
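The whole procedure above, scripted, as an added example that is not part of the original note. It wraps the same steps (luksFormat, luksOpen, mkfs.xfs, mount, luksClose), refuses to overwrite a partition that already carries a LUKS header, and shows what the UUID from luksUUID is for by printing the /etc/crypttab and /etc/fstab lines that would make the volume open and mount at boot. It also parses `cryptsetup luksDump` output to report the header UUID and how many key slots are enabled. The device, mapping name and mount point are the ones used in the note and are assumptions; the luksDump text is a constructed LUKS1 sample, not captured from a real system. The destructive part only runs as root with `--run`, and only ever against a scratch disk.

```bash
#!/bin/bash
# Added example, not from the original note. Scripts the manual LUKS steps and
# shows how the header UUID feeds /etc/crypttab. DEV, NAME and MNT are assumed.
set -euo pipefail

DEV=${DEV:-/dev/vdb1}      # partition created with fdisk in the note (assumption)
NAME=${NAME:-encvol}       # device-mapper name (assumption)
MNT=${MNT:-/mnt/envol}     # mount point (assumption)

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header
# (abridged; digest/salt lines omitted). Not captured from a real device.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/vdb1

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	256
UUID:          	b6eedfee-0926-4044-9e03-c77f627bed3b

Key Slot 0: ENABLED
	Iterations:         	1234567
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
'

# A mapping name becomes /dev/mapper/<name>: keep it to a safe character set,
# reject the empty string, and reject "control", which is the dm control node.
valid_mapping_name() {
    case "$1" in
        ''|control|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read luksDump output on stdin; print "<header-uuid> <enabled-key-slots>".
# Knowing the enabled slot count tells you how many passphrases can open the device.
summarize_luks_dump() {
    awk '
        /^UUID:/                   { uuid = $2 }
        /^Key Slot [0-7]: ENABLED/ { slots++ }
        END                        { printf "%s %d\n", uuid, slots + 0 }
    '
}

# /etc/crypttab entry: systemd opens the device at boot and prompts for the
# passphrase ("none" means no key file). UUID= is the LUKS header UUID from
# luksUUID, not the XFS UUID that blkid reports for the mapped device.
crypttab_line() {
    printf '%s UUID=%s none\n' "$1" "$2"
}

# /etc/fstab entry for the plaintext mapped device.
fstab_line() {
    printf '/dev/mapper/%s %s xfs defaults 0 0\n' "$1" "$2"
}

# Destructive: formats $DEV, opens it, creates XFS, mounts it, prints the
# persistent config lines, then unmounts and closes the mapping again.
setup_encrypted_volume() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    valid_mapping_name "$NAME" || { echo "bad mapping name: $NAME" >&2; return 1; }
    if cryptsetup isLuks "$DEV"; then
        echo "$DEV already has a LUKS header, refusing to overwrite" >&2
        return 1
    fi

    cryptsetup luksFormat "$DEV"          # prompts for YES and the passphrase
    cryptsetup luksOpen "$DEV" "$NAME"    # prompts for the passphrase
    mkfs.xfs /dev/mapper/"$NAME"
    mkdir -p "$MNT"
    mount /dev/mapper/"$NAME" "$MNT"

    local uuid
    uuid=$(cryptsetup luksUUID "$DEV")
    echo "Header summary:       $(cryptsetup luksDump "$DEV" | summarize_luks_dump)"
    echo "Add to /etc/crypttab: $(crypttab_line "$NAME" "$uuid")"
    echo "Add to /etc/fstab:    $(fstab_line "$NAME" "$MNT")"

    umount "$MNT"
    cryptsetup luksClose "$NAME"
}

if [ "${1:-}" = "--run" ]; then
    setup_encrypted_volume
else
    # Dry run: exercise the parsing and config helpers on the constructed sample.
    echo "Sample header summary: $(printf '%s' "$SAMPLE_LUKS1_DUMP" | summarize_luks_dump)"
    echo "crypttab: $(crypttab_line "$NAME" b6eedfee-0926-4044-9e03-c77f627bed3b)"
    echo "fstab:    $(fstab_line "$NAME" "$MNT")"
fi
```

Without `--run` the script only exercises the helpers against the constructed sample, which is the safe way to check it on a machine that has no spare disk. The `isLuks` guard matters because luksFormat, as the note's warning says, destroys the existing header and with it the only copy of the volume key.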