LUKS encrypted file systems

To use a LUKS encrypted file system in RHEL7 we need the  dm_crypt  module which comes as part of the kernel plus the  cryptsetup-luks  rpm package.

# lsmod | grep dm_crypt         → module is not presently loaded
.
# modprobe dm_crypt             → so we'd better load it!
.
# lsmod | grep dm_crypt         → now it looks better
dm_crypt 23138 0
dm_mod 102999 27 dm_raid,dm_log,dm_mirror,dm_crypt
.
# rpm -qa | grep cryptsetup             → do we have the rpm package? 
cryptsetup-python-1.6.3-2.el7.x86_64
cryptsetup-libs-1.6.3-2.el7.x86_64
cryptsetup-1.6.3-2.el7.x86_64           → Yes, we do!

Important:  If we are encrypting a disk (rather than a partition), we need to create a partition table with fdisk or parted and save it. Without a partition table, things won't work!

Optionally and immediately afterwards, we can fill the disk/partition with random sequences of zeros and ones or zero-out the heck out of it:

# dd if=/dev/zero of=/dev/sdf1          → zero-out everything!
# dd if=/dev/urandom of=/dev/sdf1       → random 0s and 1s

Now we can proceed with setting up the encrypted volume!:

# cryptsetup luksFormat /dev/sdb                 → create the encrypted volume
.
WARNING!
========
This will overwrite data on /dev/sdc irrevocably.
.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
.
# cryptsetup luksUUID /dev/sdb > /root/uuid      → assign it a UUID (optional)
.
# cryptsetup luksDump /dev/sdb                   → check settings (optional)
LUKS header information for /dev/sdcb
.
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 20 30 95 e2 32 df a5 c4 a5 bb 2d da 41 a4 05 8d 8e 2d e3 9f
MK salt: 1b 06 e4 82 60 45 03 31 af 48 32 23 30 b5 9d 6b
ad cf 1b e0 ea f7 5e 2d 1f bb 90 da 32 aa e3 d6
MK iterations: 87875
UUID: 6686fcc2-c9f2-4fd5-bf49-498ca536fb43
.
Key Slot 0: ENABLED
Iterations: 348298
Salt: 78 fc 8b 46 9a 53 5a 25 ae 78 7d 26 00 55 be 7b
d9 5a aa 63 4a 07 fd 77 bf a0 c5 df 36 21 6a e2
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
.
# cryptsetup luksOpen /dev/sdb cryptvol          → make volume accessible
Enter passphrase for /dev/sdb:
.
# cd /dev/mapper/                                → check that volume is in /dev/mapper
# ll
total 0
crw-------. 1 root root 10, 236 Apr 8 17:14 control
lrwxrwxrwx. 1 root root 7 Apr 8 17:38 cryptvol -> ../dm-3
lrwxrwxrwx. 1 root root 7 Apr 8 17:24 vg-home -> ../dm-1
lrwxrwxrwx. 1 root root 7 Apr 8 17:24 vg-root -> ../dm-0
lrwxrwxrwx. 1 root root 7 Apr 8 17:24 vg-var -> ../dm-2
.
# mkfs.ext4 /dev/mapper/cryptvol                 → create a file system on device
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
.      32768, 98304, 163840, 229376
.
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
.
# mkdir /cryptvol
# mount /dev/mapper/cryptvol /cryptvol           → Voila! We have /cryptvol available!

When we are done (or automatically at shutdown time) we need to umount the directory and close the luks volume:

# umount /cryptvol
# cryptsetup luksClose cryptvol

If we want the volume to be available automatically after a reboot, then we need to edit /etc/fstab and /etc/crypttab. We can do it in two different ways depending on whether we want to be prompted for the encryption password (not a good idea for servers!) or we want to store the key in a file that will be read at boot time.

Let's first see the steps necessary for the prompted case. We add this entry to /etc/crypttab:

cryptvol                      UUID=0c5be11c-f679-4efa-8449-8742a24462c2

The UUID is the one that belongs to /dev/sdb. Now we determine the UUID of the mapped device:

# dumpe2fs /dev/mapper/cryptvol | grep UUID             → extract this device's UUID
dumpe2fs 1.42.9 (28-Dec-2013)
Filesystem UUID: e01a7b5c-83cf-4476-8767-b158fad92746

And we add the entry to /etc/fstab:

UUID=e01a7b5c-83cf-4476-8767-b158fad92746           /cryptvol            ext4     defaults      0      2

Warning: The UUID is the one that belongs to the mapped device (/dev/mapper/cryptvol) and not the real device (/dev/sdb)! Very important also to set the last digit to 2 so that the file system is not mounted too early.

If we now reboot, we'll see that we get prompted for the encryption password of cryptvol during the boot process. Upon providing it, the boot process will continue and the directory /cryptvol will be there when it's over.

However, if what we want is to encrypt the data but save the password in a file so that we do not get asked for it at every boot, then we can keep /etc/fstab as is, but we need to change /etc/crypttab to point it to the password file. We do that in a series of steps:

First we create a key file with 4 Kbytes of random bits to act as a key:

# dd if=/dev/urandom of=/root/cryptvol.key bs=512 count=8

Then we add that key file as another valid authentication method to unlock the volume. We need to enter the original password/passphrase!

# cryptsetup luksAddKey /dev/sdb /root/cryptvol.key
Enter any passphrase:
.
# chmod 0600 /root/cryptvol.key

And finally we edit crypttab to add the following entry:

# vi /etc/crypttab
cryptvol              UUID=0c5be11c-f679-4efa-8449-8742a24462c2        /root/cryptvol.key       luks

We can reboot the system to test the setup (a tad risky...) or preferably we can umount /cryptvol and run mount -a to see if it works as expected.

<< firewalld