LUKS (Linux Unified Key Setup) is the standard for hard disk encryption on Linux. On Red Hat based systems the native utility for encrypting block devices and protecting the data on them is "cryptsetup". To get started, install the required package if it is not already installed: the package is "cryptsetup-luks", and once it is in place the "cryptsetup" command is available.
- First, check if the required package is installed:
[root@server3 Desktop]# rpm -q --last cryptsetup-luks
cryptsetup-luks-1.2.0-6.el6 Sun 31 Aug 2014 05:22:01 PM PDT
- Next, ensure that the "dm_crypt" module is loaded:
[root@server3 Desktop]# modinfo dm_crypt
filename: /lib/modules/2.6.32-220.el6.x86_64/kernel/drivers/md/dm-crypt.ko
license: GPL
description: device-mapper target for transparent encryption / decryption
author: Christophe Saout <christophe@saout.de>
srcversion: DEE25614AF5497C1F6507BA
depends: dm-mod
vermagic: 2.6.32-220.el6.x86_64 SMP mod_unload modversions
--------------------------------------------------
Creating LUKS partition/volume
--------------------------------------------------
In this demonstration a logical volume (LV) is used as the underlying block device for the LUKS mapped device.
- Create the LV with the required size.
- Next, format the LV as a LUKS device (this initializes the LUKS header on the partition):
# cryptsetup luksFormat /dev/mapper/vg1-lv1
This asks for a passphrase, which must be typed twice.
- Now, open the LUKS block device and map it to a logical name:
# cryptsetup luksOpen /dev/mapper/vg1-lv1 mydata
In the above line <mydata> is the logical mapped name that is used later.
- Format the LUKS logical device now:
# mkfs.ext4 /dev/mapper/mydata
- Check the status of the LUKS device:
# cryptsetup status /dev/mapper/mydata
- Mount this device now:
# mkdir /fdata
# mount /dev/mapper/mydata /fdata
- Create a random key file to be used as an additional passphrase:
# dd if=/dev/urandom of=/root/my-key bs=4096 count=1
- Add the above key file as a passphrase to the underlying block device:
# cryptsetup luksAddKey /dev/mapper/vg1-lv1 /root/my-key
- Add the key to /etc/crypttab so that it is used to open the device while the system is booting; the format is:
<LogicalNameofTheLUKSDevice> <UnderlyingBlockDevice> <PathToTheKeyFile>
# cat /etc/crypttab
mydata /dev/mapper/vg1-lv1 /root/my-key
# chmod 400 /root/my-key
- Add the LUKS device and its mount point to /etc/fstab:
/dev/mapper/mydata /fdata ext4 defaults 1 2
The LUKS volume on top of LVM has now been created successfully!
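The /etc/crypttab and /etc/fstab entries above are easy to get subtly wrong (key file readable by others, fstab pointing at the raw LV instead of the mapped name). The following is an added example, not part of the original post, that audits copies of the two files; it assumes GNU stat as found on RHEL, and the constructed sample at the bottom puts the key file in a temporary directory instead of /root/my-key.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/crypttab against
# /etc/fstab. For each crypttab entry, check that the key file exists and is
# readable by its owner only, and that fstab mounts the mapped device
# /dev/mapper/<name> rather than the raw backing device (which holds only a
# LUKS header and ciphertext, not a filesystem).
check_crypttab() {
  crypttab=$1; fstab=$2; rc=0
  while read -r name dev keyfile opts; do
    case $name in ''|"#"*) continue ;; esac        # skip blanks and comments
    case $keyfile in
      ''|none) echo "INFO $name: no key file, passphrase is prompted at boot" ;;
      *)
        if [ ! -f "$keyfile" ]; then
          echo "FAIL $name: key file $keyfile does not exist"; rc=1
        else
          mode=$(stat -c %a "$keyfile")            # GNU stat, as on RHEL
          case $mode in
            400|600) ;;                             # owner-only access
            *) echo "FAIL $name: key file $keyfile has mode $mode, want 400"; rc=1 ;;
          esac
        fi ;;
    esac
    if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
      echo "FAIL $name: /dev/mapper/$name is not listed in $fstab"; rc=1
    fi
    if grep -q "^$dev[[:space:]]" "$fstab"; then
      echo "FAIL $name: backing device $dev is mounted directly in $fstab"; rc=1
    fi
  done < "$crypttab"
  [ "$rc" -eq 0 ] && echo "OK: $crypttab and $fstab are consistent"
  return $rc
}

# Constructed sample mirroring the post's entries; the key file is created in
# a temporary directory instead of /root/my-key so this runs unprivileged.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/my-key" bs=4096 count=1 2>/dev/null
chmod 400 "$demo_dir/my-key"
printf 'mydata /dev/mapper/vg1-lv1 %s/my-key\n' "$demo_dir" > "$demo_dir/crypttab"
printf '/dev/mapper/mydata /fdata ext4 defaults 1 2\n' > "$demo_dir/fstab"
check_crypttab "$demo_dir/crypttab" "$demo_dir/fstab"
```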
--------------------------------------------------------------------------------------------
How to check if the underlying block device is LUKS initialized?
--------------------------------------------------------------------------------------------
- Verify that the block device in use is LUKS formatted with the "cryptsetup status <LUKSDeviceName>" command, as shown below:
[root@server8 Desktop]# cryptsetup status /dev/mapper/fdata
/dev/mapper/fdata is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg1-lv1
offset: 4096 sectors
size: 192512 sectors
mode: read/write
The above details say that the underlying block device for the LUKS device /dev/mapper/fdata is /dev/mapper/vg1-lv1.
Alternatively, use the "dmsetup info <LUKSDevice>" command:
Example:
------------------
[root@server8 Desktop]# dmsetup info /dev/mapper/fdata
Name: fdata
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 1
Event number: 0
Major, minor: 253, 2
Number of targets: 1
UUID: CRYPT-LUKS1-2f08863b3729433ab1ea8f9f915ce886-fdata
- From the above details (the UUID prefix CRYPT-LUKS1) we can say that the logical device /dev/mapper/fdata is LUKS formatted.
- You can also verify whether the underlying block device is LUKS formatted as shown below:
[root@server8 Desktop]# cryptsetup -v isLuks /dev/mapper/vg1-lv1
Command successful.
Or use the "dmsetup table" command as shown below (the key field of the crypt target is masked with zeros by default):
[root@server8 Desktop]# dmsetup table testing
0 192512 crypt aes-cbc-essiv:sha256
0000000000000000000000000000000000000000000000000000000000000000 0 253:2 4096
- If you wish to view the UUID set on the underlying LUKS device:
# cryptsetup luksUUID <UnderlyingBlockDevice>
Example:
---------------
[root@server3 ~]# cryptsetup luksUUID /dev/sdc1
bfdc34aa-1c10-4a35-b77f-b7d295802050
Alternatively, use the "blkid" command as shown below:
[root@server3 ~]# blkid /dev/sdc1
/dev/sdc1: UUID="bfdc34aa-1c10-4a35-b77f-b7d295802050" TYPE="crypto_LUKS"
Or use the "cryptsetup luksDump" command:
[root@server3 ~]# cryptsetup luksDump /dev/sdc1 | grep UUID
UUID: bfdc34aa-1c10-4a35-b77f-b7d295802050
- To see the cipher in use, which key slots are in use and which are available, and the other header parameters, use the "cryptsetup luksDump" command:
[root@server3 ~]# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: d9 f9 2e f5 d4 d3 da d8 51 d0 8b 3f 8d b3 4e c6 b8 95 db 18
MK salt: 79 2c a3 89 2a ad f2 a7 86 11 6e 2b fa cb c7 ff
00 06 79 cf 48 16 ff ac 49 ac ca e5 cd 49 51 0d
MK iterations: 53250
UUID: bfdc34aa-1c10-4a35-b77f-b7d295802050
Key Slot 0: ENABLED
Iterations: 213408
Salt: af a2 c3 10 76 3b 4d 50 1b 65 01 17 bc 61 9c a6
75 dc 9c 22 fd b1 53 28 72 14 0b 5e 91 f9 53 ff
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 206314
Salt: 4e a6 8c 4b b9 7e e3 7b 4f ec 51 e3 2c 42 7c d1
4a b1 5c 11 99 57 0e 75 1d a4 55 57 4b 20 89 e8
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
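The header fields above are what an administrator reviews periodically: which of the eight key slots are enabled, the cipher and master key size, and the PBKDF2 hash and iteration counts protecting each slot. As an added example (not from the original post), the script below summarizes a saved luksDump report so such a review can be done from an export rather than on the live device; the sample report is constructed from the values shown above, with the binary salt and digest lines omitted.

```shell
#!/bin/sh
# Added example (not from the original post): summarize a saved
# "cryptsetup luksDump" report. In LUKS1 each enabled key slot holds the
# master key wrapped under a PBKDF2-derived key ("Hash spec" is the PBKDF2
# hash, "Iterations" its per-slot count); cipher and "MK bits" apply to
# the whole volume.
summarize_luks_header() {
  awk '
    /^Version:/     { version = $2 }
    /^Cipher name:/ { cipher = $3 }
    /^Cipher mode:/ { mode = $3 }
    /^Hash spec:/   { hash = $3 }
    /^MK bits:/     { mkbits = $3 }
    /^Key Slot [0-7]: ENABLED/  { enabled++; slot = $3; sub(":", "", slot) }
    /^Key Slot [0-7]: DISABLED/ { slot = "" }
    /^Iterations:/ && slot != "" { iter[slot] = $2 }   # per-slot PBKDF2 count
    END {
      printf "LUKS%s %s-%s pbkdf2-%s mk=%sbit slots=%d/8\n",
             version, cipher, mode, hash, mkbits, enabled
      for (s = 0; s < 8; s++)
        if (s in iter) printf "slot %d: %s iterations\n", s, iter[s]
    }' "$1"
}

# Constructed sample built from the values in the post (salt and digest
# lines left out, since the summary does not use them).
LUKS_SAMPLE_DUMP=$(mktemp)
cat > "$LUKS_SAMPLE_DUMP" <<'EOF'
LUKS header information for /dev/sdc1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK iterations: 53250
UUID: bfdc34aa-1c10-4a35-b77f-b7d295802050
Key Slot 0: ENABLED
Iterations: 213408
Key Slot 1: ENABLED
Iterations: 206314
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
summarize_luks_header "$LUKS_SAMPLE_DUMP"
```

Running it on the sample prints one line with the volume parameters (two of eight slots enabled) followed by the iteration count of each enabled slot.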
Thanks for viewing this post!