How to set up LUKS for RHEL6
Tags: encrypt, encryption, luks, rhel
I wanted to write up a quick HOWTO on how to encrypt an LVM disk on RHEL6. Linux Unified Key Setup (LUKS) is one way to encrypt data at the block level, for a laptop or hard disk. If the laptop is lost or the system is compromised, then as long as LUKS is in use the data at rest should remain secure.
Again, there are a number of tutorials online that are either missing steps, aren't clear, or are not well explained. I wanted to write up a step-by-step HOWTO that works with RHEL6, in a virtual environment, using VirtualBox as the hypervisor.
This HOWTO assumes basic knowledge of Linux, VirtualBox, RHEL, fdisk and LVM, and the user must be logged in as the root user. Remember to use this HOWTO at your own risk. Back up all data first before proceeding.
First, add new storage to the Virtual Machine. In this case, we'll add 5 GB of storage.
Boot up the VM and log back in.
Run the following commands. In this case the new storage device appears as /dev/sdb; however, depending on how many storage devices are listed, the name could be different. Partition the disk with fdisk, answering its prompts with the keys shown (the text in parentheses is explanation, not input):
Code:
fdisk /dev/sdb
n      (new partition)
p      (primary; accept the defaults for partition number, first and last sector)
t      (change the partition type)
8e     (Linux LVM)
p      (print the partition table to review it before writing)
w      (write the changes to /dev/sdb and exit)
Let the OS know about the disk changes and also scan the current LVM structure with the following commands (partprobe takes the whole disk, /dev/sdb, not the new partition):
Code:
partprobe /dev/sdb ; pvs ; vgs ; lvs
Depending on the output, this is how you will create your Physical Volume, Volume Group and Logical Volume. For this example /dev/sdb1 becomes its own Volume Group, Vol_Group02, with a Logical Volume, LogVol00. vgcreate needs the Physical Volume as its second argument, and the Logical Volume is sized with -l 100%FREE rather than -L 5G, because LVM metadata takes a few megabytes of the 5 GB disk and a request for the full 5G would be refused:
Code:
pvcreate /dev/sdb1 ; vgcreate Vol_Group02 /dev/sdb1 ; lvcreate -l 100%FREE -n LogVol00 Vol_Group02
Confirm again that the Physical Volume, Volume Group and Logical Volume are set up correctly:
Code:
pvs ; vgs ; lvs
Let's begin the LUKS setup. First confirm the dm_crypt kernel module is loaded:
Code:
lsmod | grep dm_crypt
If the command prints nothing, load the module with the following command:
Code:
modprobe dm_crypt
Here is the first LUKS command. It writes a LUKS header to the Logical Volume and destroys anything already stored on it, so cryptsetup asks for confirmation (type YES in uppercase) before prompting for the passphrase. Enter a LUKS passphrase that is easy for you to remember and hard for someone else to guess:
Code:
cryptsetup luksFormat /dev/mapper/Vol_Group02-LogVol00
Here is the second LUKS command. It unlocks the volume with the same passphrase and exposes the decrypted view of it as /dev/mapper/encrypt_sdb1:
Code:
cryptsetup luksOpen /dev/mapper/Vol_Group02-LogVol00 encrypt_sdb1
Confirm the unlocked LUKS device now exists under /dev/mapper with the following command:
Code:
ls -al /dev/mapper
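Listing /dev/mapper only shows that the mapping exists; it is also worth confirming that the Logical Volume itself carries a LUKS header. The script below is an added example, not part of the HOWTO: luks_header_info reads the LUKS1 header fields (the format cryptsetup on RHEL6 writes) with od and dd, and make_sample_header is a constructed helper that builds a fake header, with a made-up UUID, so the check can be tried without a real device.

```shell
#!/bin/sh
# Added example (not from the HOWTO): inspect a LUKS1 header directly.
# luks_header_info DEVICE prints "version cipher mode hash uuid" when the
# first bytes of DEVICE carry the LUKS magic, and returns 1 otherwise.
# Offsets follow the LUKS1 on-disk layout: magic at 0 (6 bytes), version
# at 6 (2 bytes, big-endian), cipher name at 8, cipher mode at 40 and
# hash spec at 72 (32 bytes each), UUID at 168 (40 bytes). Only the
# header is read; no key material is touched.
luks_header_info() {
    magic=$(od -A n -t x1 -N 6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    version=$(od -A n -t u1 -j 6 -N 2 "$1" | awk '{ print $1 * 256 + $2 }')
    cipher=$(dd if="$1" bs=1 skip=8 count=32 2>/dev/null | tr -d '\0')
    mode=$(dd if="$1" bs=1 skip=40 count=32 2>/dev/null | tr -d '\0')
    hashspec=$(dd if="$1" bs=1 skip=72 count=32 2>/dev/null | tr -d '\0')
    uuid=$(dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\0')
    printf '%s %s %s %s %s\n' "$version" "$cipher" "$mode" "$hashspec" "$uuid"
}

# Constructed sample header (hypothetical helper): magic, version 1,
# aes / xts-plain64 / sha1, 64 zero bytes in place of the payload offset,
# key size and master-key digest fields (offsets 104-167), made-up UUID.
make_sample_header() {
    {
        printf 'LUKS\272\276 \001' | tr ' ' '\0'
        printf '%-32s' aes | tr ' ' '\0'
        printf '%-32s' xts-plain64 | tr ' ' '\0'
        printf '%-32s' sha1 | tr ' ' '\0'
        dd if=/dev/zero bs=1 count=64 2>/dev/null
        printf '%-40s' 11111111-2222-3333-4444-555555555555 | tr ' ' '\0'
    } > "$1"
}

# On the HOWTO's system the header lives on the Logical Volume, not on the
# unlocked /dev/mapper/encrypt_sdb1 view of it:
#   luks_header_info /dev/mapper/Vol_Group02-LogVol00
```

The printed UUID is the value that belongs in the UUID= field of /etc/crypttab later in this HOWTO.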
Create a file system on the unlocked LUKS device (not on the raw Logical Volume, which would overwrite the LUKS header) with the following command:
Code:
mkfs -t ext4 /dev/mapper/encrypt_sdb1
Set up the encrypted drive to be unlocked at boot time by editing /etc/crypttab. Each line has four parameters:
1st parameter is the device-mapper name the unlocked device will get (here encrypt_sdb1, giving /dev/mapper/encrypt_sdb1)
2nd parameter identifies the encrypted device, here by the UUID of its LUKS header (the value cryptsetup luksUUID prints for the Logical Volume); a device path also works
3rd parameter, none, means there is no key file, so you are prompted for the passphrase during bootup
4th parameter holds the options: luks marks the device as a LUKS volume, and timeout=60 defines a timeout in seconds for the passphrase prompt
The HOWTO leaves the UUID value itself blank; fill it in from your own system:
Code:
vim /etc/crypttab
encrypt_sdb1 UUID=<LUKS header UUID> none luks,timeout=60
Add the following to /etc/fstab. Each line has six parameters:
1st parameter is the device-mapper path (or UUID) to be mounted; use the unlocked device, /dev/mapper/encrypt_sdb1, not the Logical Volume underneath it
2nd parameter is the mount point
3rd parameter is the file system type
4th parameter is the mount options: defaults, plus errors=remount-ro so the file system is remounted read-only if errors are detected
5th parameter is the dump value, zero (0)
6th parameter is the fsck order, set to two (2)
Code:
vim /etc/fstab
/dev/mapper/encrypt_sdb1 /mnt/encrypt_sdb1 ext4 defaults,errors=remount-ro 0 2
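A mismatch between the two files (an fstab entry for a mapper name that crypttab never unlocks, or a crypttab entry without the luks option) is what leaves the system waiting at boot, so it pays to check them against each other before rebooting. The script below is an added example, not part of the HOWTO: crypttab_line and fstab_line build the two lines described above, and check_tabs cross-checks any pair of files, so it can be run on copies before touching /etc; the helper names and the UUID in the demonstration are made up here.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build the /etc/crypttab and /etc/fstab
# lines used in the HOWTO and cross-check that every /dev/mapper/<name>
# entry in fstab has a crypttab entry for <name> that carries "luks".

# crypttab line: <mapper name> UUID=<LUKS UUID> none luks,timeout=<seconds>
crypttab_line() {
    printf '%s UUID=%s none luks,timeout=%s\n' "$1" "$2" "$3"
}

# fstab line for the unlocked device: /dev/mapper/<name> <mount point> ext4 ...
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,errors=remount-ro 0 2\n' "$1" "$2"
}

# check_tabs CRYPTTAB FSTAB: returns 0 when the files agree; otherwise prints
# the first problem found and returns 1.
check_tabs() {
    awk -v cryptfile="$1" '
        FILENAME == cryptfile {
            if (NF == 0 || $0 ~ /^[ \t]*#/) next      # skip blanks and comments
            seen[$1] = 1
            if (("," $4 ",") ~ /,luks,/) isluks[$1] = 1
            next
        }
        $1 ~ /^\/dev\/mapper\// {
            n = $1; sub("^/dev/mapper/", "", n)
            if (!(n in seen)) { print "fstab: no crypttab entry for " n; bad = 1; exit }
            if (!(n in isluks)) { print "crypttab: " n " lacks the luks option"; bad = 1; exit }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Constructed demonstration on temporary copies (the UUID is made up).
demo_dir=$(mktemp -d)
crypttab_line encrypt_sdb1 11111111-2222-3333-4444-555555555555 60 > "$demo_dir/crypttab"
fstab_line encrypt_sdb1 /mnt/encrypt_sdb1 > "$demo_dir/fstab"
check_tabs "$demo_dir/crypttab" "$demo_dir/fstab" && echo "crypttab and fstab agree"
rm -r "$demo_dir"
```

To check the live files, run check_tabs /etc/crypttab /etc/fstab as root before the reboot.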
Create the mount point under /mnt:
Code:
mkdir -p /mnt/encrypt_sdb1
Confirm everything is OK by mounting everything listed in /etc/fstab:
Code:
mount -a
The true test is the reboot.
If everything is set up correctly, then great, the system will survive a reboot. Keep in mind that during the reboot you will have to enter the LUKS passphrase before the boot can finish and you can log in.