In this guide, we are about to see how to create an encrypted file system in Red Hat Enterprise Linux, CentOS or any other RHEL based Linux variants.
We will use the Linux Unified Key Setup (LUKS) to encrypt the filesystem to prepare our encrypted filesystem. Once all the setups are done, make sure to backup your key and passphrase. FYI, if we forgot the key or passphrase for LUKS1 devices it’s possible to recover the key/Passphrase, however, it’s not possible to recover if you are using a LUKS2 device. Because the key stored directly in the kernel.
Let’s quickly start with the setup.
In a minimal installed RHEL or CentOS by default it won’t get installed, to start with the encryption setup first we need to install the required packages.
Upgraded: cryptsetup-libs-2.3.3-2.el8.x86_64 Installed: cryptsetup-2.3.3-2.el8.x86_64 Complete!
Now we are good to start.
Encrypting the Disk
Hence I’m testing this before implementing in Production we are about to use a physical disk /dev/sdb with 20 GB in size. This will differ in your setup, make sure to choose the right disk to avoid any accidental encryption on any data disks.
# fdisk -l /dev/sdb [root@rhel7 ~]# fdisk -l /dev/sdb Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes
To start with the encryption we need to run with below
# cryptsetup luksFormat /dev/sdb
[root@rhel7 ~]# cryptsetup luksFormat /dev/sdb WARNING! ======== This will overwrite data on /dev/sdb irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase: Verify passphrase: [root@rhel7 ~]#
Enter the passphrase, make sure to remember this.
Open to create the filesystem
Once the disk encrypted using luksFormat we need to open the filesystem to use it. In my setup myfiles is just a name, you can choose your own.
# cryptsetup luksOpen /dev/sdb myfiles
Even this not under a logical volume management it will be treated as a mapper device.
# ls -lthr /dev/mapper/myfiles
[root@rhel7 ~]# [root@rhel7 ~]# cryptsetup luksOpen /dev/sdb myfiles Enter passphrase for /dev/sdb: [root@rhel7 ~]# [root@rhel7 ~]# ls -lthr /dev/mapper/myfiles lrwxrwxrwx. 1 root root 7 Jan 1 11:56 /dev/mapper/myfiles -> ../dm-9 [root@rhel7 ~]#
After opening the encrypted disk, we are good with creating the filesystem on the encrypted disk.
# mkfs -t ext4 /dev/mapper/myfiles
[root@rhel7 ~]# mkfs -t ext4 /dev/mapper/myfiles mke2fs 1.42.9 (28-Dec-2013) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) Stride=0 blocks, Stripe width=0 blocks 1310720 inodes, 5242368 blocks 262118 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=2153775104 160 block groups 32768 blocks per group, 32768 fragments per group 8192 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000 Allocating group tables: done Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done [root@rhel7 ~]#
Mounting the Filesystem
Create a mount point to mount the created file system.
# mkdir /myfiles # mount /dev/mapper/myfiles /myfiles # df -h /myfiles
[root@rhel7 ~]# mkdir /myfiles [root@rhel7 ~]# [root@rhel7 ~]# mount /dev/mapper/myfiles /myfiles [root@rhel7 ~]# [root@rhel7 ~]# df -h /myfiles Filesystem Size Used Avail Use% Mounted on /dev/mapper/myfiles 20G 45M 19G 1% /myfiles [root@rhel7 ~]#
The above steps are non-persistent during reboot. To make the encrypted filesystem persistent during reboot we need to follow with below three steps.
Create a file with random data to make it as key for the encrypted mount point. Make sure to change the ownership and permission for the created key as 600. Moreover never put this file inside the encrypted filesystem which you have created.
# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1 # chmod 600 /tmp/crypt_file # mv /tmp/crypt_file /etc/
[root@rhel7 ~]# dd if=/dev/urandom of=/tmp/crypt_file bs=4096 count=1 1+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.000410369 s, 10.0 MB/s [root@rhel7 ~]# chmod 600 /tmp/crypt_file [root@rhel7 ~]# ls -lthr /tmp/crypt_file -rw-------. 1 root root 4.0K Jan 1 11:59 /tmp/crypt_file [root@rhel7 ~]# mv /tmp/crypt_file /etc/ [root@rhel7 ~]#
Add the luks Key by pointing to the random data file.
# cryptsetup luksAddKey /dev/sdb /etc/crypt_file
[root@rhel7 ~]# cryptsetup luksAddKey /dev/sdb /etc/crypt_file Enter any existing passphrase: [root@rhel7 ~]#
Create an entry in crypttab and fstab.
# vi /etc/crypttab myfiles /dev/sdb /etc/crypt_file # vi /etc/fstab /dev/mapper/myfiles /myfiles ext4 defaults 0 0
Let’s take a reboot to confirm the functionality.
Before reboot, cross check the fstab and crypttab for any misconfigurations.
Verifying Encrypted Filesystem
Filesystem successfully mounted after the reboot.
[root@rhel7 ~]# uptime 12:17:08 up 0 min, 2 users, load average: 1.10, 0.28, 0.10 [root@rhel7 ~]# [root@rhel7 ~]# df -h /myfiles/ Filesystem Size Used Avail Use% Mounted on /dev/mapper/myfiles 20G 45M 19G 1% /myfiles [root@rhel7 ~]#
That’s it we have done with creating an Encrypted file System and made it as persistent mount point during reboots.
To create an encrypted filesystem we have used luksformat with cryptsetup, by following we have seen how to open an encrypted filesystem using luksOpen. By following the filesystems are created and mounted persistently across the reboot. Finally rebooted the server to confirm the configuration. Thus it’s easy to configure the encrypted logical volume or RAW disk in Linux.