In this guide, we are about to see how to create an encrypted file system in Red Hat Enterprise Linux and it’s variants.

Hence I’m testing this before implementing in Production we are about to use a physical disk /dev/sdb with 20 GB in size. This will differ in your setup make sure to choose the correct disk to avoid any accidental encryption on any data disks.

# fdisk -l /dev/sdb

[[email protected] ~]# fdisk -l /dev/sdb 
Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes
To start with the encryption we need to run with below luksFormat command.
# cryptsetup luksFormat /dev/sdb
[[email protected] ~]# cryptsetup luksFormat /dev/sdb
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[[email protected] ~]#

Once the disk encrypted using luksFormat we need to open the filesystem to use it. myfiles is just a name you can choose your own.

# cryptsetup luksOpen /dev/sdb myfiles

Even this not under a logical volume management it will be treated as a mapper device.

# ls -lthr /dev/mapper/myfiles

[[email protected] ~]# 
[[email protected] ~]# cryptsetup luksOpen /dev/sdb myfiles
Enter passphrase for /dev/sdb: 
[[email protected] ~]# 
[[email protected] ~]# ls -lthr /dev/mapper/myfiles 
lrwxrwxrwx. 1 root root 7 Jan 1 11:56 /dev/mapper/myfiles -> ../dm-9
[[email protected] ~]#

Create the filesystem on the encrypted disk.

# mkfs -t ext4 /dev/mapper/myfiles
[[email protected] ~]# mkfs -t ext4 /dev/mapper/myfiles
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1310720 inodes, 5242368 blocks
262118 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2153775104
160 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 

Allocating group tables: done 
Writing inode tables: done 
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

[[email protected] ~]#

Create a directory and mount the created file system and mount it.

# mkdir /myfiles
# mount /dev/mapper/myfiles /myfiles
# df -h /myfiles

[[email protected] ~]# mkdir /myfiles
[[email protected] ~]# 
[[email protected] ~]# mount /dev/mapper/myfiles /myfiles
[[email protected] ~]# 
[[email protected] ~]# df -h /myfiles
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/myfiles 20G 45M 19G 1% /myfiles
[[email protected] ~]#

Above steps are non-persistent during reboot. To make the encrypted filesystem persistent during reboot we need to follow with below three steps.

Create a file with random data to make it as key for the encrypted mount point. Make sure to change the ownership and permission for the created key as 600. Moreover never put this file inside the encrypted filesystem which you have created.

# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1
# chmod 600 /tmp/crypt_file
# mv /tmp/crypt_file /etc/

[[email protected] ~]# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000410369 s, 10.0 MB/s
[[email protected] ~]# chmod 600 /tmp/crypt_file
[[email protected] ~]# ls -lthr /tmp/crypt_file 
-rw-------. 1 root root 4.0K Jan 1 11:59 /tmp/crypt_file
[[email protected] ~]# mv /tmp/crypt_file /etc/
[[email protected] ~]#

Add the luks Key by pointing yo created random data file.

# cryptsetup luksAddKey /dev/sdb /etc/crypt_file

[[email protected] ~]# cryptsetup luksAddKey /dev/sdb /etc/crypt_file
Enter any existing passphrase: 
[[email protected] ~]#

Create an entry in crypttab and fstab.

vi /etc/crypttab

myfiles /dev/sdb /etc/crypt_file

vi /etc/fstab

/dev/mapper/myfiles /myfiles ext4 defaults 0 0

Filesystem successfully mounted after the reboot.

[[email protected] ~]# uptime
12:17:08 up 0 min, 2 users, load average: 1.10, 0.28, 0.10
[[email protected] ~]# 
[[email protected] ~]# df -h /myfiles/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/myfiles 20G 45M 19G 1% /myfiles
[[email protected] ~]#

That’s it we have done with creating an Encrypted file System and made it as persistent mount point during reboots.


Please enter your comment!
Please enter your name here