HowTo: Configure LUKS on CentOS / RHEL

LUKS (Linux Unified Key Setup) is the standard for Linux disk encryption. By providing a standard on-disk format it not only facilitates compatibility among distributions, but also provides secure management of multiple user passphrases (key slots). If you use a laptop you are best advised to ensure that at least your home partition is encrypted. This HowTo shows how to do this for CentOS / RHEL and also applies to Fedora.

Summary

In this howto we assume a laptop whose /home is the logical volume /dev/VolumeGroupHome/lv_home, that we have backed up all of its contents, and that we can wipe it.

Here are the generic cryptsetup commands in summary for the impatient (shown against a plain block device, /dev/xvdc, mapped as backup2):

  • cryptsetup -y -v luksFormat /dev/xvdc
  • cryptsetup luksOpen /dev/xvdc backup2
  • cryptsetup -v status backup2
  • cryptsetup luksDump /dev/xvdc
  • cryptsetup luksAddKey /dev/xvdc
  • cryptsetup luksRemoveKey /dev/xvdc
  • cryptsetup luksChangeKey /dev/xvdc

The examples below instead focus on encrypting an LVM logical volume:

  • log in as root and make sure nothing is writing to /home so you can unmount it. Alternatively, log in as root and run *telinit 1* to drop to single-user mode
  • umount /home
  • cryptsetup -y -v luksFormat /dev/VolumeGroupHome/lv_home
  • cryptsetup luksOpen /dev/VolumeGroupHome/lv_home lv_home_encrypted
  • mount /dev/mapper/lv_home_encrypted /home
  • edit /etc/crypttab and add the line: lv_home_encrypted /dev/VolumeGroupHome/lv_home none (the second column is the raw volume carrying the LUKS header, not the mapping; "none" means you are prompted for the passphrase at boot)
  • update /etc/fstab so that /home is mounted from /dev/mapper/lv_home_encrypted instead of /dev/VolumeGroupHome/lv_home
  • if you use SELinux: /sbin/restorecon -v -R /home

Install the required package.

Installing is as simple as (on RHEL / CentOS 5 and 6 the package is called cryptsetup-luks; on RHEL / CentOS 7 and later and on current Fedora it is simply cryptsetup):

[root@rhel-lab1 ~]# yum install cryptsetup-luks

Configure the partition to use LUKS

In this example I have decided to turn the /dev/VolumeGroupHome/lv_home LVM device into an encrypted device.

The first step is to write a LUKS header to the volume with luksFormat (-y asks for the passphrase twice, -v is verbose):

Warning: this will totally wipe the volume, so make sure that you have a backup and that it is unmounted.

[root@rhel-lab1 ~]# cryptsetup -y -v luksFormat /dev/VolumeGroupHome/lv_home 

WARNING!
========
This will overwrite data on /dev/VolumeGroupHome/lv_home irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

Next we open the device and create the device-mapper mapping.

[root@rhel-lab1 ~]# cryptsetup luksOpen /dev/VolumeGroupHome/lv_home lv_home_encrypted
Enter passphrase for /dev/VolumeGroupHome/lv_home:

The above command exposes the decrypted view of /dev/VolumeGroupHome/lv_home as a device called /dev/mapper/lv_home_encrypted; everything written to the mapping is encrypted before it reaches the logical volume. The passphrase it asks for is the LUKS passphrase you set up above.

We can see the details about the created device as follows:

[root@rhel-lab1 ~]# cryptsetup -v status lv_home_encrypted
/dev/mapper/lv_home_encrypted is active.
  type:  LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/VolumeGroupHome-lv_home
  offset:  4096 sectors
  size:    8384512 sectors
  mode:    read/write
Command successful.

The cipher and key size shown are the defaults of the cryptsetup version on this lab host (a LUKS1 header with aes-cbc-essiv:sha256 and a 256-bit key). Newer cryptsetup releases default to aes-xts-plain64 with a 512-bit key and, from cryptsetup 2.1, to the LUKS2 header format, so check the status or luksDump output on your own system rather than assuming these values.

Final steps:

Before we put a filesystem on it, the new mapping should be filled with zeros. Writing zeros through the mapping overwrites the old plaintext on the logical volume with ciphertext, so someone with the raw disk can neither recover leftover data nor tell which sectors hold real data. To do this we use dd; it ends with a "No space left on device" message once the device is full, which is expected.

[root@rhel-lab1 ~]# dd if=/dev/zero of=/dev/mapper/lv_home_encrypted bs=1M

The above command can take a long time. A large block size helps, and piping through pv shows a progress bar, throughput and ETA while it runs:

pv -tpreb /dev/zero | dd of=/dev/mapper/lv_home_encrypted bs=128M

Finally we create a filesystem on the mapping and mount it:

mkfs.ext4 /dev/mapper/lv_home_encrypted

mount /dev/mapper/lv_home_encrypted /home

And before rebooting, ensure that our mapped device gets recreated at boot. The simplest form is a crypttab entry with "none" as the key, which makes the boot process prompt for the LUKS passphrase. Alternatively, add a key file as a second key slot as shown below. Note that the key file then sits unencrypted on the root filesystem, so this only protects /home if the root filesystem itself is encrypted or otherwise trusted; keep the file readable by root only. luksAddKey will prompt for the existing passphrase before adding the new slot, and the crypttab line is appended rather than overwriting any existing entries.

dd if=/dev/urandom of=/root/luks.key bs=32 count=1
chmod 0400 /root/luks.key
cryptsetup luksAddKey /dev/VolumeGroupHome/lv_home /root/luks.key
echo "lv_home_encrypted /dev/VolumeGroupHome/lv_home /root/luks.key" >> /etc/crypttab

Then edit /etc/fstab so that the /home entry mounts the mapping instead of the raw logical volume, for example:

/dev/mapper/lv_home_encrypted /home ext4 defaults 1 2
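The whole procedure above as one script, added here as an example that is not part of the original page or of cryptsetup itself. It performs the steps in order and is driven by a few variables; the logical volume, mapping name, mount point and key file path are assumptions taken from the text and should be changed for your system. KEYFILE=none produces the crypttab form that prompts for the passphrase at boot; setting it to a path reproduces the key file variant with the file created readable by root only. DRYRUN=1 prints every command instead of running it, which is the mode to try first.

```shell
#!/bin/sh
# Added example, not code from the original page: the whole procedure as one
# script. LV, NAME, MNT and KEYFILE are assumptions matching the text above;
# change them for your system. DRYRUN=1 prints the commands instead of
# running them. Run as root:  sh luks-home.sh run
set -eu

LV=${LV:-/dev/VolumeGroupHome/lv_home}   # logical volume to encrypt (will be wiped)
NAME=${NAME:-lv_home_encrypted}          # dm-crypt mapping name
MNT=${MNT:-/home}                        # mount point
KEYFILE=${KEYFILE:-none}                 # "none": prompt at boot; or a path such as /root/luks.key

# run CMD...: execute CMD, or just print it when DRYRUN=1
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# append_line FILE LINE: append LINE to FILE (printed instead when DRYRUN=1)
append_line() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '+ >> %s: %s\n' "$1" "$2"; else printf '%s\n' "$2" >> "$1"; fi
}

# crypttab_line NAME DEVICE KEY: the /etc/crypttab entry. The device column
# is the raw LV that carries the LUKS header, never the mapping.
crypttab_line() { printf '%s %s %s' "$1" "$2" "$3"; }

# fstab_rewrite OLD NEW: copy an fstab from stdin to stdout, pointing entries
# for OLD at NEW so that the mount point is served by the mapping after reboot.
fstab_rewrite() { awk -v old="$1" -v new="$2" '$1 == old { $1 = new } { print }'; }

encrypt_home() {
    mapped=/dev/mapper/$NAME
    run umount "$MNT"                              # fails if something still has it open
    run cryptsetup -y -v luksFormat "$LV"          # writes the LUKS header; asks the passphrase twice
    run cryptsetup luksOpen "$LV" "$NAME"          # creates the mapping; asks the passphrase again
    run dd if=/dev/zero of="$mapped" bs=1M || true # old plaintext becomes ciphertext; dd stops with ENOSPC
    run mkfs.ext4 "$mapped"
    if [ "$KEYFILE" != none ]; then
        # 32 random bytes, readable by root only, added as a second key slot
        run sh -c "umask 077 && head -c 32 /dev/urandom > '$KEYFILE'"
        run cryptsetup luksAddKey "$LV" "$KEYFILE"  # prompts for the existing passphrase
    fi
    append_line /etc/crypttab "$(crypttab_line "$NAME" "$LV" "$KEYFILE")"
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '+ rewrite /etc/fstab: %s -> %s\n' "$LV" "$mapped"
    else
        cp /etc/fstab /etc/fstab.bak
        fstab_rewrite "$LV" "$mapped" < /etc/fstab.bak > /etc/fstab
    fi
    run mount "$mapped" "$MNT"
    if command -v restorecon >/dev/null 2>&1; then  # SELinux: relabel the new filesystem
        run restorecon -v -R "$MNT"
    fi
}

if [ "${1:-}" = run ]; then encrypt_home; fi
```

Try it first with DRYRUN=1 sh luks-home.sh run and read the printed commands; only then run it as root without DRYRUN. If umount fails because /home is busy, stop whatever is using it (or drop to single-user mode with telinit 1) and rerun; nothing has been written to the volume at that point.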