version 1.0.0, 2014-07-06 : Initial version
Cheasheet about encrypted filesystemsSome stuffs I keep as a reminder about LUKS encryption.
1. About algorithms
In RHEL6, the default is AES-128 encryption with 256SHA hashing. But the following ciphers are also available: AES, Twofish, Serpent, Cast5, Cast6.
This document supposes that you already install the
cryptsetup-luks package on
2. Creating an encrypted partition
# Then ensure your partition is unmounted (here /dev/sdb1) mount | grep /dev/sdb1 # Then fill your partition with /dev/urandom (optional but a best practice) dd if=/dev/urandom of=/dev/sdb1 # Initialize your partition in LUKS Format and setup initial key # NOTE: Type YES in UPPERCASE! cryptsetup luksFormat /dev/sdb1 # Open LUKS partition and map a name on it (in /dev/mapper/) cryptsetup luksOpen /dev/sdb1 encr_sdb1 # Formation device and mount it as a classic FS mkfs -t ext4 /dev/mapper/encr_sdb1 mkdir -p /media/encrypted_disks/test_sdb1 mount /dev/mapper/encr_sdb1 /media/encrypted_disks/test_sdb1
To configure automount:
# First, create a keystore file (only needed if you want to open the FS without # having to type passphrase during the boot phase on boot dd if=/dev/urandom of=/root/luks_sdb1.keyfile bs=1K count=4 # As it will be some kind of private key, be strict on security chmod 0400 /root/luks_sdb1.keyfile # Add the key to the keystore cryptsetup luksAddKey /dev/sdb1 /root/luks_sdb1.keyfile # Add your filesystem to crypttab and fstab (if you want automatic mount on boot) # If you don't want to mount without asking for the passphrase, replace the last # 2 fields by a simple "none" echo -e "encr_sdb1 \t /dev/sdb1 \t /root/luks_sdb1.keyfile \t luks" >> /etc/crypttab echo -e "/dev/mapper/encr_sdb1 \t /media/encrypted_disks/test_sdb1 \t ext4 \t defaults \t 1 \t 2" >> /etc/fstab # Restore default SELinux security context and reboot /sbin/restorecon -v -R /media/encrypted_disks/test_sdb1 shutdown -r now # Be sure you have access to the console before that!
LUKS only protects against a disk robbery, so never store your keyfile on a partition located on the same disk as the encrypted partition.
Check that a device is a LUKS device:
cryptsetup isLuks /dev/sdb1 && echo "Encrypted device"