Creating an Encrypted Disk Partition

  1. Create a new logical partition (/dev/vda5) which is 500MB in size

  2. After a reboot, check that the partition is there and looks okay: fdisk -cul /dev/vda

  3. Prepare the partition for encryption (enter YES and a passphrase when prompted): cryptsetup luksFormat /dev/vda5

  4. Unlock the encrypted partition: cryptsetup luksOpen /dev/vda5 encpartition

  5. Have a look in the /dev/mapper directory; there’s an entry for /dev/mapper/encpartition: lrwxrwxrwx. 1 root root 7 Feb 21 12:24 /dev/mapper/encpartition -> ../dm-3

  6. Make a filesystem on the new partition: mkfs.ext4 /dev/mapper/encpartition

  7. Create a mount point for the new encrypted partition: mkdir /mnt/encpartition

  8. Mount the new partition to the new mountpoint: mount /dev/mapper/encpartition /mnt/encpartition/

  9. Create an entry in the /etc/crypttab file: encpartition /dev/vda5

  10. Create an entry in /etc/fstab: /dev/mapper/encpartition /mnt/encpartition ext4 defaults 1 2

  11. Reboot the system. You should be prompted for your passphrase at boot time. Once the machine has booted, the mount command should show that the encrypted (and unlocked) partition is now mounted:

[root@server1 ~]# mount | grep encpartition
/dev/mapper/encpartition on /mnt/encpartition type ext4 (rw)
  12. You can create a file which stores the passphrase. This allows the encrypted partition to be unlocked at boot time without asking for the passphrase. This has obvious security implications, since anyone who can read the file can unlock the partition. Create the password file like this:
echo -n "secret" > /root/encpartition
chown root /root/encpartition
chmod 600 /root/encpartition
  13. Now, you need to tell the LUKS system about this new password file:

cryptsetup luksAddKey /dev/vda5 /root/encpartition

It asks you to enter ANY passphrase. This is because multiple passphrases can be created to unlock a particular partition. What you are really being asked here is “Enter any of the valid passphrases for this particular partition”.

  14. If you make a mess of the crypttab or fstab files, the system won’t boot and you’ll be dropped into a rescue shell once you’ve entered the root password. Before you can edit the crypttab or fstab files to fix any mistakes you’ve made, you’ll need to remount the / partition as rw (Linux mounts it as ro by default):

mount -o rw,remount /
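Because a typo in either file only shows up as the unbootable system of step 14, it is worth cross-checking the crypttab entry from step 9 and the fstab entry from step 10 before rebooting; the POSIX shell check below is an added example, not part of the original walkthrough, and the sample crypttab/fstab it feeds itself are constructed inline. It also checks the permissions of a key file named in crypttab's third field (where the step 12 file would go if you want it used at boot), and assumes GNU stat(1).

```shell
#!/bin/sh
# check_crypt_fstab CRYPTTAB FSTAB
# Exit 0 when every /dev/mapper/NAME that fstab mounts has a crypttab mapping
# named NAME, every crypttab line has a source device, and any key file that
# exists on disk is root-owned with mode 600. Assumes GNU stat(1).
check_crypt_fstab() {
  crypttab=$1 fstab=$2 rc=0
  # 1. each /dev/mapper/NAME in fstab must be defined as NAME in crypttab
  for name in $(awk '!/^[[:space:]]*#/ && $1 ~ "^/dev/mapper/" {
                       sub("^/dev/mapper/", "", $1); print $1 }' "$fstab"); do
    awk -v n="$name" '!/^[[:space:]]*#/ && $1 == n { ok = 1 } END { exit !ok }' "$crypttab" ||
      { echo "fstab mounts /dev/mapper/$name but crypttab defines no '$name'" >&2; rc=1; }
  done
  # 2. crypttab fields: NAME SOURCE [KEYFILE] [OPTIONS]; a readable key file
  #    unlocks the disk for whoever can read it, so insist on root:600
  while read -r name dev key _; do
    case $name in ''|'#'*) continue ;; esac
    [ -n "$dev" ] || { echo "crypttab: '$name' has no source device" >&2; rc=1; }
    if [ -n "$key" ] && [ "$key" != none ] && [ -e "$key" ]; then
      perm=$(stat -c '%U:%a' "$key")
      [ "$perm" = root:600 ] || { echo "key file $key is $perm, want root:600" >&2; rc=1; }
    fi
  done < "$crypttab"
  return $rc
}

# Constructed sample mirroring steps 9 and 10 above; not real system files.
demo() {
  d=$(mktemp -d)
  printf 'encpartition /dev/vda5\n' > "$d/crypttab"
  printf '/dev/mapper/encpartition /mnt/encpartition ext4 defaults 1 2\n' > "$d/fstab"
  check_crypt_fstab "$d/crypttab" "$d/fstab" && echo "OK: crypttab and fstab agree"
  # A misspelt mapping name: the mount would fail at boot and drop you in the rescue shell.
  printf 'encpartiton /dev/vda5\n' > "$d/crypttab"
  check_crypt_fstab "$d/crypttab" "$d/fstab" || echo "MISMATCH: fix before rebooting"
  rm -rf "$d"
}

demo
```

Run it as root against the real files with check_crypt_fstab /etc/crypttab /etc/fstab right before the reboot in step 11.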