LUKS (Linux Unified Key Setup) is a disk encryption specification created by Clemens Fruhwirth in 2004. On Linux it is implemented by the cryptsetup tool, which drives the kernel's dm-crypt device-mapper target.
1. LUKS is a standard on-disk format for block device encryption: a header on the device records the cipher parameters and holds the encrypted master key in key slots, so any LUKS-aware tool can open the device.
2. LUKS protects data at rest: a lost, stolen or decommissioned disk is unreadable without a valid passphrase or key file. It does not protect the data while the device is unlocked and mounted.
3. It encrypts a whole partition or volume, which can be unlocked only by supplying a passphrase (or key file) matching one of its key slots.
4. The partition must be unlocked before the file system inside it can be mounted. Unlocking creates a plaintext view of the device under /dev/mapper; the partition itself stays encrypted.
5. Once it is open (unlocked), you work with the mapped device normally, i.e. mounting it and adding data to it.
6. After the work is complete the file system has to be unmounted and the mapping closed.
Now we will look at the cryptsetup operations used in a LUKS setup.
1. cryptsetup luksFormat – To format the partition as a LUKS device and assign the first passphrase. This writes a new LUKS header, so any existing data on the partition is lost; cryptsetup asks for confirmation with an upper-case YES.
2. cryptsetup luksOpen – To open (unlock) the partition. You give the mapping a name, and the unlocked device is then available as /dev/mapper/name for all further operations.
3. cryptsetup luksClose – To close the mapping after use. The partition is encrypted at rest the whole time; closing only removes the plaintext view at /dev/mapper/name.
4. cryptsetup luksAddKey – To add a further passphrase or key file to a free key slot. Together with an entry in /etc/crypttab, a key file lets the system unlock the partition automatically at boot.
Steps to Encrypt a partition
- Create a normal partition using fdisk.
- Format the partition with LUKS and assign the passphrase.
- Open (unlock) the partition.
- Create an ext4 file system on the mapped device.
- Mount the mapped device, and make the mount permanent.
- Access the mount point and add data.
- Unmount the file system and close the mapping, i.e. drop the plaintext view.
Create a normal partition using fdisk:
fdisk <disk name> ex: fdisk /dev/sdd
Format the partition with LUKS and assign the passphrase (answer YES at the confirmation prompt; any existing data on the partition is destroyed):
cryptsetup luksFormat <disk name> ex: cryptsetup luksFormat /dev/sdd5
Open (unlock) the partition
cryptsetup luksOpen <disk name> <mapping name> ex: cryptsetup luksOpen /dev/sdd5 lv_hadoop_sdd5
After the passphrase set with luksFormat is verified, the unlocked device appears as /dev/mapper/lv_hadoop_sdd5:
ls -l /dev/mapper/<mapping name> ex: ls -l /dev/mapper/lv_hadoop_sdd5
You can use the following command to see the status of the mapping (cipher, key size, underlying device):
cryptsetup -v status <mapping name> ex: cryptsetup -v status lv_hadoop_sdd5
Create the file system on the mapped device (never on /dev/sdd5 itself, which would overwrite the LUKS header)
mkfs.ext4 /dev/mapper/<mapping name> ex: mkfs.ext4 /dev/mapper/lv_hadoop_sdd5
Mount the mapped device
mount /dev/mapper/<mapping name> <dir name> ex: mount /dev/mapper/lv_hadoop_sdd5 /mnt_sdd5
To make the mount permanent, add a line for /dev/mapper/lv_hadoop_sdd5 to /etc/fstab and validate it with mount -a. If mount -a reports errors, check dmesg for the cause.
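The whole procedure above, together with the unmount and close steps described at the end of the page, as one script. This is an added example and not code from the original page; the device /dev/sdd5, the mapping name lv_hadoop_sdd5 and the mount point /mnt_sdd5 are only illustrative, the script must run as root, and the helper names (check_unused, fstab_line, encrypt_partition, close_partition) are this example's own. It uses LUKS2 and adds the checks a practitioner wants: the device is refused if already mounted, the file system goes on the mapping and never on the raw partition, and the fstab entry is verified with mount -a before the script returns.

```shell
#!/bin/sh
# Added example: LUKS setup of one partition end to end (not the page's code).
# Assumptions: DEV (e.g. /dev/sdd5) exists and holds nothing you need; runs
# as root; MAPPING and MOUNTPOINT names are illustrative.
set -eu

# Refuse to touch a device that is currently mounted.
check_unused() {
    dev=$1
    if grep -qs "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    return 0
}

# fstab line for the mapped device. 'nofail' keeps boot from hanging if the
# device is absent; pass 2 so fsck checks it after the root file system.
fstab_line() {
    mapping=$1 mountpoint=$2
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$mapping" "$mountpoint"
}

encrypt_partition() {
    dev=$1 mapping=$2 mountpoint=$3
    check_unused "$dev"

    # 1. Format with LUKS2. --batch-mode skips the interactive YES prompt, so
    #    the confirmation is now the caller's responsibility. The passphrase is
    #    still read from the terminal, not from the command line (which would
    #    land in shell history and /proc/*/cmdline).
    cryptsetup luksFormat --type luks2 --batch-mode "$dev"

    # Show the header: cipher, PBKDF parameters and the key slots in use.
    cryptsetup luksDump "$dev"

    # 2. Unlock; this creates /dev/mapper/$mapping. The raw partition stays
    #    ciphertext; only the mapping exposes plaintext.
    cryptsetup luksOpen "$dev" "$mapping"
    test -b "/dev/mapper/$mapping"

    # 3. The file system goes on the mapping, never on the raw partition.
    mkfs.ext4 -q "/dev/mapper/$mapping"

    # 4. Mount, make it permanent in fstab, and prove fstab is consistent by
    #    letting mount -a do the actual mount.
    mkdir -p "$mountpoint"
    fstab_line "$mapping" "$mountpoint" >> /etc/fstab
    mount -a
    grep -qs "^/dev/mapper/$mapping " /proc/mounts
    cryptsetup -v status "$mapping"
}

close_partition() {
    mapping=$1 mountpoint=$2
    umount "$mountpoint"
    cryptsetup luksClose "$mapping"
    # After closing, the mapping must be gone; the partition is still LUKS.
    ! test -e "/dev/mapper/$mapping"
}

if [ "$#" -gt 0 ]; then
    case $1 in
        encrypt) encrypt_partition "$2" "$3" "$4" ;;
        close)   close_partition "$2" "$3" ;;
        *) echo "usage: $0 encrypt DEV MAPPING MOUNTPOINT | close MAPPING MOUNTPOINT" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh luks-setup.sh encrypt /dev/sdd5 lv_hadoop_sdd5 /mnt_sdd5` and later `sh luks-setup.sh close lv_hadoop_sdd5 /mnt_sdd5`. The luksDump call is worth keeping in a real procedure: it is the quickest way to confirm which cipher and key derivation parameters the header actually got.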
Saving the passphrase in a file, to auto-unlock and mount the partition at boot
- When you add an entry for the partition to /etc/crypttab, the boot process stops at that point and asks for the passphrase of that particular partition so that it can be unlocked and mounted.
- Either you type the passphrase to continue, or you skip it with ctrl+c to continue booting without unlocking and mounting the partition.
- To have the OS supply the key itself and unlock the partition without stopping, you can store the key in a file and reference that file from /etc/crypttab. This only adds security if the file system holding the key file is itself protected (an encrypted root file system, or a key file on removable media): a plaintext key file on an unencrypted root disk unlocks the data partition for anyone who obtains that disk.
Create a file holding the key. Random bytes from /dev/urandom are better than a typed passphrase; whatever the file contains, including any trailing newline, is the key.
Restrict the file's permissions to 600 (owned by root) and add its path as the key file field in /etc/crypttab:
#name            device      key file
lv_hadoop_sdd5   /dev/sdd5   /key
Add the key to the LUKS header
cryptsetup luksAddKey /dev/sdd5 /key
If the contents of /key were not added to a key slot with luksAddKey, the key file will not unlock the partition and the boot process will prompt for the passphrase again after the server reboots.
Note: LUKS1 headers have 8 key slots, so up to 8 passphrases or key files per disk; LUKS2, the default in current cryptsetup, allows 32 by default.
A passphrase can be removed with cryptsetup luksRemoveKey <disk name> (it prompts for the passphrase to remove), or a specific slot with cryptsetup luksKillSlot <disk name> <slot>. Never remove the last remaining slot unless you intend to make the data unrecoverable.
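The key file enrolment above as a script, with the checks that matter: the key is created with restrictive permissions before any bytes land on disk, its mode and size are verified, the new key is test-opened before it is trusted at boot, and a warning is printed when the key file appears to live on an unencrypted root. This is an added example, not code from the original page; the device /dev/sdd5, the mapping name lv_hadoop_sdd5 and the key path /etc/keys/sdd5.key are illustrative, the luksAddKey step needs root and an existing passphrase, and the helper names (make_keyfile, keyfile_ok, crypttab_line, root_is_encrypted, enroll_keyfile) are this example's own.

```shell
#!/bin/sh
# Added example: key file for automatic LUKS unlock (not the page's code).
# Assumptions: DEVICE is an existing LUKS device with a known passphrase;
# NAME and KEYFILE are illustrative; runs as root for luksAddKey.
set -eu

# Write a 4096-byte random key. umask is set in a subshell before the file is
# created, so it is never briefly readable by other users.
make_keyfile() {
    keyfile=$1
    (umask 077 && head -c 4096 /dev/urandom > "$keyfile")
    chmod 600 "$keyfile"
}

# Succeed only if the key file has a sane size and no group/world access.
keyfile_ok() {
    keyfile=$1
    size=$(wc -c < "$keyfile")
    mode=$(stat -c %a "$keyfile")
    [ "$size" -ge 32 ] && { [ "$mode" = 600 ] || [ "$mode" = 400 ]; }
}

# crypttab columns: name, device, key file, options. Referencing the device by
# UUID survives /dev/sdX renumbering between boots.
crypttab_line() {
    name=$1 device=$2 keyfile=$3
    printf '%s %s %s luks\n' "$name" "$device" "$keyfile"
}

# Heuristic: walk from the root file system's device down to the disk and look
# for a dm-crypt layer. If none is found, a plaintext key file on / defeats the
# encryption of the data partition for anyone who has the root disk.
root_is_encrypted() {
    src=$(findmnt -n -o SOURCE / 2>/dev/null || true)
    [ -n "$src" ] || return 1
    lsblk -s -n -o TYPE "$src" 2>/dev/null | grep -qx crypt
}

enroll_keyfile() {
    device=$1 name=$2 keyfile=$3
    make_keyfile "$keyfile"
    keyfile_ok "$keyfile"
    root_is_encrypted || echo "warning: $keyfile is on an unencrypted root file system" >&2

    # Adds the file's contents to a free key slot; prompts for an existing passphrase.
    cryptsetup luksAddKey "$device" "$keyfile"

    # Prove the key file really opens the device before relying on it at boot.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$device"

    uuid=$(cryptsetup luksUUID "$device")
    crypttab_line "$name" "UUID=$uuid" "$keyfile" >> /etc/crypttab
}

if [ "$#" -gt 0 ]; then
    enroll_keyfile "$1" "$2" "$3"
fi
```

Run it as `sh luks-keyfile.sh /dev/sdd5 lv_hadoop_sdd5 /etc/keys/sdd5.key`. The --test-passphrase open is the step most often skipped: it catches a key file that was edited after enrolment (a stray newline is enough) before the mismatch turns into a passphrase prompt on the next reboot.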
Closing the LUKS setup
It involves the steps below.
Unmount the file system
umount <dir name> ex: umount /mnt_sdd5
Close the LUKS mapping
cryptsetup luksClose <mapping name> ex: cryptsetup luksClose lv_hadoop_sdd5 (or /dev/mapper/lv_hadoop_sdd5)
Format the disk (only to discard the encrypted volume)
mkfs.ext4 <disk name> ex: mkfs.ext4 /dev/sdd5
Running mkfs.ext4 on the raw partition overwrites the LUKS header, after which the encrypted data cannot be recovered, so do this only when you intend to wipe the volume. For secure disposal, erase the key slots first with cryptsetup luksErase <disk name>; without the master key the remaining ciphertext is unrecoverable, which is the point of the encryption.