How to Encrypt Filesystem using LUKS in Linux

The Linux Unified Key Setup (LUKS) is a disk encryption specification that can help protect the data on devices it is configured on. Major companies have now started adopting it on workstations/laptops given to employees so that the confidential data can be encrypted. LUKS protects the filesystem using a passphrase that provides an extra layer of security.

The following example will create a Logical Volume, Encrypt the partition, format that with ext4 filesystem and mount it on RHEL 6. You can also use LUKS to protect a partition rather than LVM. When configuring a partition or Logical Volume for LUKS, be prepared with a passphrase and remember it.

Load the Kernel Modules

The first step is to load the dm_crypt and dm_mod modules. One way to do so is with the modprobe dm_crypt command. If successful, you should see the following modules in the output to the 'lsmod | grep dm_ command':

# modprobe dm_crypt
# lsmod | grep dm_
dm_crypt 13022 0
dm_mod 81500 3 dm_crypt,dm_mirror,dm_log

Let's create a Logical Volume and Encrypt it using LUKS

1. Create a Logical Volume

First you'll need to create the device you want to encrypt. This can be an LVM logical volume or a partition.

Note: Please create a new partition because creating a LUKS volume on the existing filesystem will erase everything on that file system.

The following example will create another Logical Volume in existing Volume Group. Make sure the VG is resizable and has enough space to create one.

# vgs --> To see the free space
VG #PV #LV #SN Attr VSize VFree
vg_server 1 1 0 wz--n- 4.39g 990.00m

# lvcreate -L 500M -n lv_luks vg_server
Logical volume "lv_luks" created

2. Encrypt the Logical Volume

After creating the device, you need to format it as an encrypted device. To do that, use the 'cryptsetup luksFormat /dev/yourdevice' command. While doing this, you'll also set the decryption password. Make sure to remember this password, because it is the only way to get access to a device once it has been encrypted!

# cryptsetup luksFormat /dev/mapper/vg_server-lv_luks

This will overwrite data on /dev/mapper/vg_server-lv_luks irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

3. Create a device

You need to open this device before you can do anything with it. When opening it, you assign a name to the encrypted device. This name occurs in the '/dev/mapper' directory, We will create luis-dev1 as device which will appear in '/dev/mapper' and later used to format and mount.

# cryptsetup luksOpen /dev/mapper/vg_server-lv_luks luks-dev1
Enter passphrase:

4. Create Filesystem on Encrypted partition

Now format the encrypted device with a command like 'mkfs.ext4' the device file should be available in the '/dev/mapper' directory.

# mkfs.ext4 /dev/mapper/luks-dev1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
128016 inodes, 512000 blocks
25600 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
63 block groups
8192 blocks per group, 8192 fragments per group
2032 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Creating journal (8192) blocks): done
Writing superblocks and filesystem accounting information

This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

5. The /etc/crypttab file

If you rebooted now, the dm_crypt module wouldn’t even be loaded. To set up the LUKS-encrypted file system properly, you need to configure the '/etc/crypttab' file. Each encrypted volume gets one line in that file, using the following format:

device      unformatted volume        passphrase_file           options

The device is the file created earlier in the '/dev/mapper/luks-dev1' directory. The unformatted volume may be the partition or the LV that has been encrypted. Set passphrase_file to none and RHEL 6 will prompt you with passphrase during the boot time. This provides added security. In case of theft of the device, the encrypted volume can not be booted without providing the passphrase. If you don't want to ask for a passphrase during boot time then the passphrase_file can be configured with 600 permissions

Edit /etc/crypttab and enter as below:

luks-dev1                   /dev/mapper/vg_server-lv_luks             none

6. Mount LUKS file system

Mount this LUKS encrypted file system on your choice of a directory. I've mounted that on /LUKS

# mkdir /LUKS
# mount -t ext4 /dev/mapper/luks-dev1 /LUKS

Add this entry in /etc/fstab file so that it can be mounted during boot time.

/dev/mapper/luks-dev1   /LUKS      ext4      defaults     1 2

Your LUKS volume is now ready. You can protect / file system while installing Linux and encrypt it. This way your entire hard disk can be encrypted and adds an extra layer of protection even if it is stolen because the Linux will ask for passphrase while booting.

Leave a Comment