LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions but also provides secure management of multiple user passwords. If you use a laptop, you are best advised to ensure that at least your home partition is encrypted. This HowTo will show you how to do this for CentOS / RHEL and also applies to Fedora.
In this howto we assume a laptop where /home is mounted from /dev/VolumeGroupHome/lv_home, that all the contents of this directory have been backed up, and that the volume can be wiped.
Here are the steps in summary for the impatient:
The examples will instead focus on changing an LVM partition
Installing is as simple as:
[root@rhel-lab1 ~]# yum install cryptsetup-luks
In this example I have decided to turn the /dev/VolumeGroupHome/lv_home LVM device into an encrypted device.
Warning: This will totally wipe the partition, so make sure that you have a backup.
[root@rhel-lab1 ~]# cryptsetup -y -v luksFormat /dev/VolumeGroupHome/lv_home
WARNING!
========
This will overwrite data on /dev/VolumeGroupHome/lv_home irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
[root@rhel-lab1 ~]# cryptsetup luksOpen /dev/VolumeGroupHome/lv_home lv_home_encrypted
Enter passphrase for /dev/VolumeGroupHome/lv_home:
The above command maps /dev/VolumeGroupHome/lv_home to an encrypted device called /dev/mapper/lv_home_encrypted. Note that the passphrase it asks for is the LUKS passphrase that you set up earlier.
We can see the details about the created device as follows:
[root@rhel-lab1 ~]# cryptsetup -v status lv_home_encrypted
/dev/mapper/lv_home_encrypted is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/VolumeGroupHome-lv_home
  offset:  4096 sectors
  size:    8384512 sectors
  mode:    read/write
Command successful.
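The encrypted device we created must be filled with zeros before we start using it; because the zeros are written through the encrypted mapping, they land on the underlying volume as ciphertext. To do this we use dd.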
[root@rhel-lab1 ~]# dd if=/dev/zero of=/dev/mapper/lv_home_encrypted
The above command might take a bit of time before finishing. A faster way would be as follows:
pv -tpreb /dev/zero | dd of=/dev/mapper/lv_home_encrypted bs=128M
mount /dev/mapper/lv_home_encrypted /home
dd if=/dev/random of=/root/luks.key bs=32 count=1
cryptsetup luksAddKey /dev/VolumeGroupHome/lv_home /root/luks.key
# append, so any existing /etc/crypttab entries are kept
echo "lv_home_encrypted /dev/VolumeGroupHome/lv_home /root/luks.key" >> /etc/crypttab
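The key file and crypttab entry created above are worth checking before the next reboot. The following is an added example, not part of the original howto: audit_crypttab is a hypothetical helper that assumes GNU stat and verifies that the named crypttab entry points at a key file that exists, is not accessible to group or other, and holds the full 32 bytes requested from /dev/random. The demo at the end runs against constructed files in a scratch directory.

```shell
#!/bin/bash
# Added example, not from the original howto. audit_crypttab is a hypothetical helper.
# Usage: audit_crypttab CRYPTTAB_FILE MAPPING_NAME EXPECTED_KEY_BYTES
# Returns 0 when the entry and its key file look sane, 1 otherwise.
audit_crypttab() {
    local crypttab=$1 want_name=$2 want_size=$3
    local name device keyfile opts mode size found=0 rc=0
    while read -r name device keyfile opts; do
        case $name in ''|'#'*) continue ;; esac      # skip blank lines and comments
        [ "$name" = "$want_name" ] || continue
        found=1
        case $keyfile in
            ''|none|-) echo "INFO: $name asks for a passphrase at boot"; continue ;;
        esac
        if [ ! -f "$keyfile" ]; then
            echo "FAIL: key file $keyfile does not exist"; rc=1; continue
        fi
        mode=$(stat -c %a "$keyfile")                # GNU stat: octal permission bits
        size=$(stat -c %s "$keyfile")                # GNU stat: size in bytes
        # Any group/other bit lets non-root users read or replace the key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL: $keyfile has mode $mode, expected 400"; rc=1
        fi
        # A short read from /dev/random leaves fewer key bytes than requested.
        if [ "$size" -ne "$want_size" ]; then
            echo "FAIL: $keyfile is $size bytes, expected $want_size"; rc=1
        fi
    done < "$crypttab"
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no crypttab entry named $want_name"; rc=1
    fi
    return $rc
}

# Constructed demo in a scratch directory; nothing under /etc or /root is touched.
demo=$(mktemp -d)
head -c 32 /dev/urandom > "$demo/luks.key"
chmod 644 "$demo/luks.key"                           # typical result of a default umask
echo "lv_home_encrypted /dev/VolumeGroupHome/lv_home $demo/luks.key" > "$demo/crypttab"
audit_crypttab "$demo/crypttab" lv_home_encrypted 32 || echo "-> needs fixing"
chmod 400 "$demo/luks.key"
audit_crypttab "$demo/crypttab" lv_home_encrypted 32 && echo "-> OK"
```

On the real system the call would be audit_crypttab /etc/crypttab lv_home_encrypted 32, run as root; a mode failure is fixed with chmod 400 /root/luks.key.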