Wednesday, November 14, 2012

Volume Encryption with the Linux Unified Key Setup (LUKS)

Hello everybody,
LUKS is a way to encrypt devices on a system. Keep in mind that LUKS works on a block level and it applies to block devices files such as partitions and Logical Volumes(LVs) associated with storage. So, it encrypts your partitions and your data is secure in case that you lost your computer because the LUKS-protected partition requires either passphrase or a key file.
During installation of Linux, you have an opportunity to encrypt your partitions or volumes which could be the easiest way to encrypt the partitions; however, the following description is related to encryption of a partition or volume after installation of RedHat, CentOS, Fedora, or SELinux and also how to create, configure, mount, and unmount LUKS-encrypted filesystems.



Prepare Encryption


To install cryptsetup-luks RPM package, run the following command:
yum install cryptsetup-luks

In order to work with LUKS and encryption, you need to load dm_crypt module if it's not loaded already. Try the following command first:
lsmod | grep dm_crypt
and it should return something like this:


                                                                              Figure 1

If you don't see any output, you can load the module with following command:
modprobe dm_crypt

Now, if you run "lsmod | grep dm_crypt" command again, you will see the output.

Before creating an encrypted filesystem, we need a partition. Now, I am going to create a partition on /dev/sdb with fdisk command (that's a regular partition from existing empty space on my second hard drive):



                                                                            Figure 2

Prepare the New Filesystem


If you want to create a more secure filesystem, fill it with random data. You can use the badblocks command to do this:

badblocks -c 20480 -s -w -t random -v /dev/sdb2

which -c is the number of blocks at a time, in this case 20480, -s shows the progress of the command, -w writes data, -t writes data in a random pattern, and -v is verbose mode.



                                                                             Figure 3

Also, you can use an alternative way to do this by using Linux random number generator device:

dd if=/dev/urandom of=/dev/sdb2

This command starts by filling random data, block by block, on the /dev/sdb2 device.

 

Create the New Filesystem


cryptsetup is the command that creates a LUKS-based filesystem.

cryptsetup luksFormat /dev/sdb2


                                                                               Figure 4
Note:
  1. Don't forget uppercase F in luksFormat switch
  2. When it asks you to overwrite data, you must type uppercase YES, otherwise it doesn't ask  you for passphrase and the volume will be encrypted
  3. You can include space in your passphrase
Now, since the /dev/sdb2 is encrypted, it cannot be read. So, in order to read encrypted device, we create a map to a different device, which is actually the decrypted version of the device. First, let's take a look at /dev/mapper directory:


                                                                                Figure 5

In order to do a map to a different device, we need UUID of encrypted device. The following command creates a UUID for /dev/sdb2:

cryptsetup luksUUID /dev/sdb2


                                                                             Figure 6

Next, type the following command (I pasted the UUID that I got from pervious command here):

cryptsetup luksOpen /dev/sdb2 e8c60fe0-2a9d-4e4d-a4af-c80a8fe70726

                                                                              Figure 7

An alternative way is using a name instead of UUID number of an encrypted device. For example, you can use the following command as well which has exactly the same result and even easier and more human readable:

cryptsetup luksOpen /dev/sdb2 test

                                                                             Figure 8

After running the above command,the mapped device is added to the /dev/mapper directory. Let's take a look:

                                                                             Figure 9

Or if you are using a name instead of UUID, you should see something like this:

                                                                            Figure 10

Then, we are ready to format the device with the following command:

mkfs.ext4 /dev/mapper/test

                                                                             Figure 11 

We can mount the new created LUKS device to a directory now and it's ready to use:

                                                                             Figure 12

Finally, you should setup /etc/fstab file to make sure that encrypted filesystem is mounted by next time that system is booted. But you need some works to do on this part:

1. Setting up encrypted volumes during system boot

To access the data on this encrypted partition, you must recreate that /dev/mapper/test device with cryptsetup each time you boot. You can automated this process by setting up encrypted volumes during the boot process. This can be done easily by editing /etc/crypttab and add the following line to this file:

MappingName    DeviceName    Password_File_Path

The third column is optional and you can store the password of encrypted volume in somewhere like /mnt/mypassword.txt, but it has security issue and you don't want to store a password file in plain text. So, it's better to remove that column and it will ask you for a password when you reboot or boot your system. So, in my system, it looks like this:

                                                                         Figure 13

and when you boot or reboot your system, it will ask you for password:

                                                                          Figure 14

 

2. Setting up /etc/fstab

Here is the tricky part if you want to use UUID in fstab. The UUID that we got from previous commands above corresponds to the original partition and is not associated with the encrypted filesystem. To get UUID of encrypted filesystem, run the following command:

dumpe2fs /dev/mapper/test | grep UUID

dumpe2fs prints the super blocks information for the filesystem present on device. That UUID number that we get from dumpe2fs command can then be used to represent the encrypted volume in /etc/fstab. For example, in my case, it would be:

                                                                          Figure 15

Note:
If you use the UUID of original partition, you will get the following error or something like that after reboot:

                                                                           Figure 16

If you see such an error, run the following commands:

mount / -o remount,rw 
vi /etc/fstab 
  

and then remove that UUID from fstab and save it. And reboot system. 

Alternatively, you can use the mapper name in fstab. For example,in my case, adding the following line in /etc/fstab works exactly in the same way as above in Figure 15 (I mean the same result).

/dev/mapper/test    /test-luks    ext4    defaults    1 2

So, the followings are two ways such a volume could be configured in the /etc/fstab file:

UUID=8cd80c73-8140-4006-9d22-ba4da3e29e83    /test-luks    ext4    defaults    1 2
OR
/dev/mapper/test    /test-luks    ext4    defaults    1 2

Now, if you reboot you system, you encrypted partition will mount automatically.

And that's all. Hope you enjoyed.
Khosro Taraghi