Last year I wrote a blog post on the same topic, Configure Encrypted Storage With LUKS, in which I used fdisk to create the disk partition. In this post, I’ll use parted to achieve the same thing.
I’m going to perform this operation on a server called servera, on the disk device /dev/vdb.
First, let’s verify that vdb is available and has no partition:
[root@servera ~]# parted -l
...
Error: /dev/vdb: unrecognised disk label
Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
Use parted to create a partition on vdb using the whole disk.
[root@servera ~]# parted /dev/vdb \
> mklabel msdos \
> mkpart primary xfs 1M 1G
Information: You may need to update /etc/fstab.
List the partition on vdb.
[root@servera ~]# parted /dev/vdb print
Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
1 1049kB 1074MB 1073MB primary
Note that, even though we specify xfs (mkpart primary xfs 1M 1G), parted doesn’t create the xfs file system on this partition.
With this newly created partition /dev/vdb1, we’re almost ready to encrypt it with LUKS. On this minimal install of CentOS 7 server, I first need to install the cryptsetup package, as it wasn’t installed by default.
[root@servera ~]# yum install -y cryptsetup
...
[root@servera ~]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/vdb1: superSecretPassword
Verify passphrase: superSecretPassword
[root@servera ~]# blkid | grep -i luks
/dev/vdb1: UUID="a3149833-3c52-4d06-8bdc-9a73fcdd4968" TYPE="crypto_LUKS"
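Note that you must enter “YES” in upper case above. The passphrase is written out in this listing only for illustration; cryptsetup does not echo it as you type.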
At this stage, we can proceed with formatting this encrypted partition.
First, we need to “open” this encrypted partition, and give it a name. I’ll pick “encrypteddisk”.
[root@servera ~]# cryptsetup luksOpen /dev/vdb1 encrypteddisk
Enter passphrase for /dev/vdb1: superSecretPassword
Verify that the mapped device has been created under /dev/mapper:
[root@servera ~]# ls -l /dev/mapper/encrypteddisk
lrwxrwxrwx. 1 root root 7 Jun 28 21:54 /dev/mapper/encrypteddisk -> ../dm-2
Before the above partition can be mounted to a directory, it needs to be formatted first. You’re free to pick any file system. In my case, I’ll pick xfs.
[root@servera ~]# mkfs.xfs /dev/mapper/encrypteddisk
meta-data=/dev/mapper/encrypteddisk isize=512 agcount=4, agsize=65344 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=261376, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=855, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
Let’s create a mount point and mount this xfs file system on it.
[root@servera ~]# mkdir /encrypted
[root@servera ~]# mount -t xfs /dev/mapper/encrypteddisk /encrypted/
We can run a small test by writing a file to the mounted directory:
[root@servera ~]# echo 'Hello LUKS encrypted partition' > /encrypted/hello_world.txt
/dev/mapper/encrypteddisk on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
[root@servera ~]# cat /encrypted/hello_world.txt
Hello LUKS encrypted partition
Finally, let’s clean up by unmounting the file system and locking the encrypted partition:
[root@servera ~]# umount /encrypted
[root@servera ~]# cryptsetup luksClose encrypteddisk
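The blkid check earlier reports TYPE="crypto_LUKS" because luksFormat writes a plain-text header at the start of the partition. The script below is an added example, not part of the original post: it reads that header directly so you can confirm a device or image is LUKS and see its cipher settings without unlocking it. It assumes the LUKS1 field offsets; the helper names and the sample header (cipher, hash, and a 592-byte file carrying the UUID from the blkid output) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read the LUKS header fields that blkid reports on,
# without unlocking the volume. Field offsets are those of the LUKS1 format.

# hex_at FILE OFFSET LEN: bytes as lowercase hex, no separators
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

# str_at FILE OFFSET LEN: NUL-padded ASCII field with the padding removed
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# luks_info FILE: one summary line; returns 1 when the LUKS magic is absent
luks_info() {
    if [ "$(hex_at "$1" 0 6)" != "4c554b53babe" ]; then   # "LUKS" 0xBA 0xBE
        echo "not LUKS"; return 1
    fi
    case "$(hex_at "$1" 6 2)" in                          # big-endian version
        0001) echo "LUKS1 cipher=$(str_at "$1" 8 32)-$(str_at "$1" 40 32)" \
                   "hash=$(str_at "$1" 72 32) uuid=$(str_at "$1" 168 40)" ;;
        0002) echo "LUKS2 (settings live in JSON metadata; use cryptsetup luksDump)" ;;
        *)    echo "LUKS magic with unknown version"; return 1 ;;
    esac
}

# put_at FILE OFFSET STRING: write STRING into FILE at OFFSET (sample builder)
put_at() { printf '%s' "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# make_sample FILE: constructed 592-byte LUKS1-style header, not a real volume
make_sample() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    put_at "$1" 8 aes                  # constructed cipher name
    put_at "$1" 40 xts-plain64         # constructed cipher mode
    put_at "$1" 72 sha256              # constructed hash spec
    put_at "$1" 168 a3149833-3c52-4d06-8bdc-9a73fcdd4968   # UUID from the blkid output
}

# Demo on the constructed header; on a real system pass /dev/vdb1 as root.
sample=$(mktemp)
make_sample "$sample"
luks_info "$sample"
rm -f "$sample"
```

Because these fields sit unencrypted on disk, anyone with read access to the partition can see that it is a LUKS volume and which cipher it uses; only the data behind the header is protected by the passphrase.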