LUKS Encryption

Create an encrypted partition that will automatically mount at boot.

Sometimes encryption is nice to have, sometimes it is mandatory; either way, there are a couple of things you should keep in mind. Most solutions you find work at disk level, and these have some pros and cons.

PRO's                                  CON's
Every application can work with it     Data is only secured from physical theft
No extra development required          Can cause some overhead, as everything goes through encryption/decryption

There are also a couple of choices to make when implementing LUKS: you could create an LVM layer on top of a LUKS partition or, as we do in this guide, add a LUKS-encrypted volume on top of an LVM stack. The latter allows you to automatically unlock and mount the encrypted volume at boot time.

Add a new disk (LVM)

This is unrelated to encrypting the disk, but in our setup we started by adding a new disk to the server.

The commands below are just some I often use as a group. The first three can be copied and pasted as-is. The first triggers a SCSI rescan so the newly added disk is detected; the second and third store the new disk name and the volume group name in variables, which are checked and used later. Make sure their output is what you expect; you can echo them as shown in the fourth and fifth commands.

Create a Physical Volume and extend the Volume Group ‘centos’

root@server:/dev/centos # for i in /sys/class/scsi_host/host*; do echo "- - -" > $i/scan; done
root@server:/dev/centos # NEWDISK=$(dmesg|tail|grep 'Attached'|awk '{print $4}'|tail -n1|cut -d "[" -f2|cut -d "]" -f1)
root@server:/dev/centos # VGROUP=$(vgdisplay|grep Name|head -n1|awk '{print $3}')
root@server:/dev/centos # echo ${NEWDISK}
sdd
root@server:/dev/centos # echo ${VGROUP}
centos
root@server:/dev/centos # pvcreate /dev/${NEWDISK}
Physical volume "/dev/sdd" successfully created.
root@server:/dev/centos # vgextend ${VGROUP} /dev/${NEWDISK}
Volume group "centos" successfully extended

Create a logical volume (LVM)

Add a Logical Volume named ‘encrypted’ to the Volume Group ‘centos’.

root@server:/dev/centos # lvcreate -L 15G -n encrypted centos
Logical volume "encrypted" created. 

Encrypt the partition

OK, the fun part starts here (CAUTION: before continuing, make sure there is no important data on /dev/centos/encrypted, as it will be wiped). We encrypt the Logical Volume with the first command. A passphrase is required (see it as a backup); LUKS can contain up to 5 different passwords. In a later section we add a second, more complex, password to use as the key at boot. Hold tight.

After the first command (the actual formatting of the partition) we need to ‘open’ the partition. Opening creates a new block device under /dev/mapper, and you will notice that a password is required to do so. Use the passphrase you just created.

root@server:/dev/centos # cryptsetup -v --verify-passphrase luksFormat /dev/centos/encrypted
root@server:/dev/mapper # cryptsetup luksOpen /dev/centos/encrypted luks-encrypted

Create a mountpoint

Before you can use the encrypted partition you have to mount it. Do it like you always do: create a directory to mount to and mount /dev/mapper/luks-encrypted with mount.

root@server:/dev/mapper # mkdir /encrypted
root@server:/dev/mapper # mount /dev/mapper/luks-encrypted /encrypted

From here on you are actually done, if you want to type the password manually on every boot. I highly doubt you want that, so let's go on. (It is of course safer to type it manually.)

Create a key (to auto-mount the encrypted disk)

Create a key file we can add to /etc/crypttab. Any random string will do, but we create it from /dev/urandom. Make sure to set strict permissions on it.

root@server:/dev/mapper # dd if=/dev/urandom of=/root/lukskey bs=1024 count=4
root@server:/dev/mapper # chmod 0400 /root/lukskey

Unmount and add the key

Add the key you just created so LUKS accepts it, but first unmount the filesystem and close the vault.

root@server:/ # umount /encrypted
root@server:/ # cryptsetup luksClose luks-encrypted
root@server:/ # cryptsetup luksAddKey /dev/mapper/centos-encrypted /root/lukskey

Get UUID

Get the UUID of the LUKS container. Using the UUID to reference the disk is more robust than using device names (/dev/sd*): device names CAN change between boots, the UUID cannot.

root@server:/ # blkid /dev/mapper/centos-encrypted
/dev/mapper/centos-encrypted: UUID="0dab9a5c-1870-478d-8d74-226eeb512f78" TYPE="crypto_LUKS"

Auto-mount LUKS (edit /etc/crypttab)

Add an entry to /etc/crypttab; think of it as the /etc/fstab of encrypted volumes. Just as with fstab, the entries defined in crypttab are set up automatically at boot.

luks-encrypted /dev/disk/by-uuid/0dab9a5c-1870-478d-8d74-226eeb512f78 /root/lukskey luks

Check your work

Congrats, this should be it, reboot and make sure the disk is mounted automatically.
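A pre-reboot check script, added here as an example (it is not part of the original post): it verifies the crypttab entry, the key-file permissions, and that /etc/fstab has a line for /dev/mapper/luks-encrypted, since crypttab only unlocks the volume and the mount itself comes from fstab. It assumes GNU stat (as on CentOS); file paths are parameters so it can be run against copies of the files.

```shell
#!/bin/sh
# Pre-reboot check for the crypttab/key-file setup (added example, not from the
# original post). File paths are parameters so it can be run against copies.
# Assumes GNU stat, as on CentOS.

# Key file must be a regular file with mode 0400 (the chmod step above).
check_keyfile() {                           # usage: check_keyfile KEYFILE
    [ -f "$1" ] || { echo "key file $1: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "400" ] || { echo "key file $1: mode $mode, expected 400" >&2; return 1; }
}

# The crypttab entry for NAME must have 4 fields, reference KEYFILE and carry
# the 'luks' option. Prints the source device (the by-uuid path) on success.
check_crypttab() {                          # usage: check_crypttab CRYPTTAB NAME KEYFILE
    awk -v name="$2" -v key="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == name {
            found = 1
            if (NF != 4)   { print "crypttab: " name " has " NF " fields, expected 4" > "/dev/stderr"; exit 1 }
            if ($3 != key) { print "crypttab: key is " $3 ", expected " key > "/dev/stderr"; exit 1 }
            if (("," $4 ",") !~ /,luks,/) { print "crypttab: luks option missing" > "/dev/stderr"; exit 1 }
            print $2; exit 0
        }
        END { if (!found) { print "crypttab: no entry named " name > "/dev/stderr"; exit 1 } }
    ' "$1"
}

# crypttab only unlocks the volume; mounting needs an fstab line for
# /dev/mapper/NAME. Prints the mount point on success.
check_fstab() {                             # usage: check_fstab FSTAB NAME
    awk -v dev="/dev/mapper/$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == dev && NF >= 4 { found = 1; print $2; exit 0 }
        END { if (!found) { print "fstab: no entry for " dev > "/dev/stderr"; exit 1 } }
    ' "$1"
}

# Run everything against the live files:
#   sh luks-precheck.sh /etc/crypttab /etc/fstab luks-encrypted /root/lukskey
precheck() {                                # usage: precheck CRYPTTAB FSTAB NAME KEYFILE
    dev=$(check_crypttab "$1" "$3" "$4") || return 1
    [ -e "$dev" ] || { echo "$dev not found: wrong UUID?" >&2; return 1; }
    check_keyfile "$4" || return 1
    mnt=$(check_fstab "$2" "$3") || return 1
    echo "ok: $3 <- $dev, key $4, mounted on $mnt"
}
if [ $# -eq 4 ]; then precheck "$@"; fi
```

The fstab line needs a filesystem type, which presumes a filesystem was created on /dev/mapper/luks-encrypted with mkfs before the first mount; the guide does not show that step, so add it if the mount in the earlier section failed.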
