Luks Encryption Setup in Linux


LUKS (Linux Unified Key Setup). It is a disk encryption specification created by Clemens Fruhwirth in 2004. It operates on Linux and is based on an enhanced version of cryptsetup.

1. LUKS is a standard format for device encryption.
2. LUKS ensures the data protection inside the partition, especially against the data breach.
3. It encrypts the partition or volume, which will decrypt only by providing correct password.
4. The partition must be decrypted before the file system in it can be mounted.
5. Once it is open (decrypted), you can work with the partition normally i.e mounting and adding the data to the partition.
6. After the completion of work the partition has go to be closed.

LUKS Encryption

Now we will see the different options in LUKS setup.
1. cryptsetup luksFormat – To format the partition with encryption, and assigning the password.
2. cryptsetup luksOpen – To open or decrypt the partition. You need to assign some name to it, which will be used for further operation as /dev/mapper/name.
3. cryptsetup luksClose – To close or encrypt back the partition after use.
4. cryptsetup luksAddKey – To add the key to the configuration to automatically decrypting the partition.

Steps to Encrypt a partition

  1. Create a normal partition using fdisk.
  2. Format the partition using luks and assign the passphrase
  3. Decrypt the partition
  4. Now again format it with ext4 formatting.
  5. Mount the partition, make a permanent mount.
  6. Access the partition and add the data
  7. Unmount the partition, and close the partition i.e encrypt back.

Create a normal partition using fdisk:

fdisk <disk name>
ex: fdisk /dev/sdd
Create a normal partition using fdisk:

Format the partition using luks and assign the passphrase.

cryptsetup luksFormat <disk name>
ex: cryptsetup luksFormat /dev/sdd5
Format the partition using luks and assign the passphrase.

Decrypt the partition

cryptsetup  luksOpen <disk name> <partition name>
ex: cryptsetup  luksOpen /dev/sdd5 lv_hadoop_sdd5
Decrypt the partition

You can see a mapping name /dev/mapper/lv_hadoop_sdd5 after successful verification of the supplied key material which was created with luksFormat command extension:

ls -l <partition name>
ex: ls -l /dev/mapper/lv_hadoop_sdd5
Decrypt the partition

You can use the following command to see the status for the mapping:

cryptsetup -v status <partition name>
ex: cryptsetup -v status lv_hadoop_sdd5
Decrypt the partition

Format the partition

mkfs.ext4 <partition name>
ex: mkfs.ext4 /dev/mapper/lv_hadoop_sdd5
Format the partition

Mount the partition

mount <partition name> <dir name>
ex: mount /dev/mapper/lv_hadoop_sdd5 /mnt_sdd5
Mount the partition
update the entry in /etc/fstab.

Validate this by using mount -a. If you found any errors then check dmesg command to find the errors.

Mount the partition

Saving the passphrase in file, to auto mount the partition

  1. When you assign the label of the partition in the /etc/crypttab, the system will be halted at the time of boot and will ask you to enter the passphrase of that particular partition so that the partition can be decrypt and mounted.
  2. Either you should type passphrase to continue or can ignore it by using ctrl+c to continue booting without decrypting and mounting the partition.
  3. In order to make the o/s to take the passphrase automatically and unlock the partition, we can save the passphrase in a file, so that it can take the passphrase and mount it and boot it normally without halting.

Create a file and store the passphrase in it.

vim /key

Change the permission of the file (600) and add the path of the file in /etc/crypttab.
vim /etc/crypttab

#partition name    disk name     directory name
lv_hadoop_sdd5     /dev/sdd5     /key

Add the key in LUKS configuration

cryptsetup luksAddKey  /dev/sdd5  /key
Saving the passphrase in file, to auto mount the partition

If you are not saved it in /key and added using luksAddKey then it will ask you after rebooting the server.

Saving the passphrase in file, to auto mount the partition

Note: We can add upto 8 passphrases for the disk.
We can remove the passphrases cryptsetup luksRemoveKey <disk name>

Closing the luks setup

It involves the below steps.

Unmount the partition

umount <dir name>
ex: umount /mnt_sdd5

Close the lukssetup

cryptsetup luksClose <partition name>
ex: cryptsetup luksClose /dev/mapper/lv_hadoop_sdd5 or lv_hadoop_sdd5
Closing the luks setup

Format the disk

mkfs.ext4 <disk name>
ex: mkfs.ext4 /dev/sdd5
Format the disk



Please enter your comment!
Please enter your name here