LUKS is a concept used to encrypt disks to secure data. Partitions are not accessible until the device is decrypted with a defined passphrase.
1) Install the LUKS utilities
yum -y install 'crypt*'
2) Load the dm_crypt module
modprobe dm_crypt
3) Register dm_crypt with the system so that it is loaded after every reboot
cat > /etc/sysconfig/modules/dm_crypt.modules
#!/bin/bash
modprobe dm_crypt
Save and exit with CTRL+D
chmod 755 /etc/sysconfig/modules/dm_crypt.modules
NOTE: the dm_crypt.modules script is created to load the module at boot
4) Let's say /dev/sdb is the disk to encrypt. First set up and format /dev/sdb with the following command (luksFormat overwrites the disk, so any existing data on /dev/sdb is lost):
cryptsetup luksFormat /dev/sdb
This will ask for a passphrase, which is needed to decrypt/open the disk before it can be used.
At this point /dev/sdb cannot be mounted directly; follow the steps below to open and use it.
5) Open the LUKS disk/device by assigning a mapping name; this creates a mapping file in /dev/mapper
cryptsetup luksOpen /dev/sdb myluksdev_map
This will ask for the passphrase to decrypt the disk. Enter the passphrase set in step 4.
NOTE: the name myluksdev_map can be anything you like
6) The above command has opened/decrypted the disk, so we can now format it with ext4
mkfs.ext4 /dev/mapper/myluksdev_map
7) Create a folder and mount the decrypted /dev/sdb mapping
mkdir /mnt/my_secret_dir
mount /dev/mapper/myluksdev_map /mnt/my_secret_dir
[Above, /dev/mapper/myluksdev_map is the name given when opening/decrypting the /dev/sdb device]
8) To close the encrypted device, follow these steps
umount /mnt/my_secret_dir
cryptsetup luksClose myluksdev_map
9) To make the mount persistent across reboots we add a mount entry in /etc/fstab, but an encrypted file system can only be mounted after the disk/device has been decrypted. So follow the steps below to unlock and mount the disk at boot time
a) Create a file /etc/crypttab
b) Update it with content in this format
MAPname Device/path
In our case MAPname = myluksdev_map, Device path = /dev/sdb
c) The content should be
cat /etc/crypttab
myluksdev_map /dev/sdb
d) Now update the /etc/fstab file with the content below
/dev/mapper/myluksdev_map /mnt/my_secret_dir ext4 defaults 0 0
Now reboot your server. It will ask for the passphrase while mounting the device /dev/mapper/myluksdev_map.
To unlock the device automatically and avoid the passphrase prompt, use the steps below:
a) Create a file, say /root/cpasswd, that stores the passphrase
echo -n "password" > /root/cpasswd
chmod 600 /root/cpasswd
b) Now update /etc/crypttab like this
MAPNAME /DEVICE/PATH /PASSWORD/FILE
So, in our case this should be
myluksdev_map /dev/sdb /root/cpasswd
Now try rebooting your server, this should not ask for password.
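A check for the key-file setup described above, as an added example that is not part of the original post: the hypothetical function audit_crypttab reads a crypttab file and reports key files that are missing, readable by group/others, or not owned by the expected uid, plus devices referenced by unstable kernel names such as /dev/sdb. It assumes GNU stat; the sample data in demo is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): audit crypttab key files.
# audit_crypttab [FILE] [OWNER_UID] prints one finding per line and
# returns 0 when clean, 1 on findings, 2 if FILE is unreadable.
audit_crypttab() {
    local tab="${1:-/etc/crypttab}" uid="${2:-0}" rc=0
    local name dev key opts mode owner
    [ -r "$tab" ] || { echo "ERROR: cannot read $tab"; return 2; }
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/vd*)   # kernel names can change between boots
                echo "WARN $name: $dev is not a stable name, prefer UUID="
                rc=1 ;;
        esac
        # No key file (passphrase prompt) or a random-key device: nothing to check.
        case "$key" in ''|none|-|/dev/*random) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: key file $key is missing"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key"); owner=$(stat -c '%u' "$key")
        # Any group/other permission bit lets non-root users read the key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $name: $key has mode $mode, expected 600"; rc=1
        fi
        if [ "$owner" != "$uid" ]; then
            echo "FAIL $name: $key is owned by uid $owner, expected $uid"; rc=1
        fi
    done < "$tab"
    return "$rc"
}

# Demo on constructed sample data in a temporary directory.
demo() {
    local d; d=$(mktemp -d)
    printf 'password' > "$d/cpasswd"; chmod 644 "$d/cpasswd"
    printf 'myluksdev_map /dev/sdb %s\n' "$d/cpasswd" > "$d/crypttab"
    audit_crypttab "$d/crypttab" "$(id -u)"; local rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

Run audit_crypttab with no arguments as root to check /etc/crypttab itself. Keep in mind that a key file stored on an unencrypted root file system protects the data only from other users on the running system, not from someone who has the disks.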
That's it!!!
Please comment with your feedback :-)
Nice. I wanted to add that it seems with more attention to security I am seeing a lot more about enabling the FIPS standard for encryption. You can read about FIPS here:
http://en.wikipedia.org/wiki/FIPS_140-2
I wrote about enabling FIPS (and then using LUKS similar to you to encrypt a device)
http://geekswing.com/geek/how-to-encrypt-a-filesystem-on-redhat-6-4centos-6-4-linux-fips-or-no-fips/
Hope this is helpful!