LinuxQuestions.org
How to setup LUKS for RHEL6

Posted 02-08-2016 at 08:17 PM by JockVSJock
Updated 02-08-2016 at 08:20 PM by JockVSJock

I wanted to write up a quick HOWTO on how to encrypt an LVM disk on RHEL6. Linux Unified Key Setup, or LUKS, is one way to encrypt data at the block level, for a laptop or hard disk. If the laptop is lost or if the system is compromised, then as long as LUKS is used, the data should be secure. LUKS protects data at rest, so this applies while the encrypted volume is locked, not while it is open and mounted.

Again, there are a number of tutorials online that are either missing steps, aren't clear, or are not well explained. I wanted to write up a step-by-step HOWTO that works with RHEL6, in a virtual environment, using VirtualBox as the hypervisor.

This HOWTO assumes basic knowledge of Linux, VirtualBox, RHEL, fdisk and LVM, and the user must be logged in as the root user. Remember to use this HOWTO at your own risk. Back up all data first before proceeding.

First, add new storage to the Virtual Machine. In this case, we'll add 5 GB of storage.

Boot up the VM and log back in.

Run the following commands. In this case the new storage device appears as /dev/sdb; depending on how many storage devices are attached, the name could be different.

Code:
fdisk /dev/sdb 

n (for new)

p (for primary and accept all other defaults here)  

t (for data type)

8e (Linux LVM) 

p (print or show output before writing)

w (write changes to /dev/sdb)

Let the OS know about the disk changes and also scan the current LVM structure with the following commands:

Code:
partprobe /dev/sdb ; pvs ; vgs ; lvs

How you create your Physical Volume, Volume Group and Logical Volume depends on this output. For this example, /dev/sdb1 will become its own Volume Group, Vol_Group02, with a Logical Volume named LogVol00.


Code:
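# Create the PV, put it in a new VG, and give the LV all free extents
# (the VG is slightly smaller than the 5 GB disk, so a fixed 5G would not fit)
pvcreate /dev/sdb1 && vgcreate Vol_Group02 /dev/sdb1 && lvcreate -l 100%FREE -n LogVol00 Vol_Group02

Confirm again that the LVMs are set up correctly:

Code:
pvs ; vgs ; lvs

Let's begin the LUKS setup. First confirm the module is loaded:

Code:
lsmod | grep dm_crypt

If not, load the module with the following command:

Code:
modprobe dm_crypt

Here is the first LUKS command, which formats the logical volume as a LUKS device and destroys any data already on it. Confirm with YES in uppercase when prompted, then enter a LUKS passphrase, something easy for you to remember and hard for someone else to guess: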

Code:
cryptsetup luksFormat /dev/mapper/Vol_Group02-LogVol00

Here is the second LUKS command, which opens the encrypted volume and maps it to /dev/mapper/encrypt_sdb1. Enter the LUKS passphrase you set in the previous step:

Code:
cryptsetup luksOpen /dev/mapper/Vol_Group02-LogVol00 encrypt_sdb1

Confirm the LUKS mapping exists with the following command:

Code:
ls -al /dev/mapper

Create a file system on the LUKS device with the following command:

Code:
mkfs -t ext4 /dev/mapper/encrypt_sdb1

Setup the encrypted drive to mount at boot time by editing /etc/crypttab:

1st parameter is the device mapper to the encrypted device
2nd parameter can either be the UUID or the mount point
3rd parameter will cause a prompt for the passphrase during bootup
4th parameter defines a timeout in seconds

Code:
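vim /etc/crypttab

encrypt_sdb1  UUID=<LUKS-volume-UUID>   none     luks,timeout=60

Replace the placeholder with the UUID that blkid reports for /dev/mapper/Vol_Group02-LogVol00.

Add the following to /etc/fstab: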

1st parameter is the device mapper or UUID to be mounted
2nd parameter is the mount point
3rd parameter is the file system type
4th parameter is the mount options, here the defaults
5th parameter is dump value or zero (0)
6th parameter is fsck order, set to two (2)


Code:
vim /etc/fstab

/dev/mapper/encrypt_sdb1    /mnt/encrypt_sdb1    ext4   defaults,errors=remount-ro 0 2

Create a directory under /mnt:

Code:
mkdir -p /mnt/encrypt_sdb1

Confirm everything is OK by mounting it:

Code:
mount -a

The true test is the reboot.

If everything is set up correctly, then great, the system will survive a reboot. Keep in mind that during the reboot you will have to enter the LUKS passphrase in order to log in.
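
Before that reboot, the two files can be checked against each other. The script below is an added example, not part of the original post: `check_luks_boot_config` (a hypothetical helper) reads a crypttab and an fstab and reports a mapping whose `UUID=` was left empty, a mapping that fstab never mounts, or a mount point that does not exist. The sample files, the all-zero UUID and the optional ROOT prefix argument are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for the crypttab/fstab pair above.
# check_luks_boot_config CRYPTTAB FSTAB [ROOT]
# Prints one line per problem; the return status is the number of problems.
# ROOT is a hypothetical prefix for mount points, used only for offline testing.
check_luks_boot_config() {
    crypttab=$1 fstab=$2 root=${3:-} problems=0
    # crypttab fields as used in this HOWTO: mapping name, UUID, key, options
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # An empty "UUID=" leaves nothing to unlock at boot
        if [ "$dev" = "UUID=" ] || [ -z "$dev" ]; then
            echo "crypttab: $name has no UUID"
            problems=$((problems + 1))
        fi
        # Find the mount point fstab assigns to /dev/mapper/<name>
        mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2; exit }' "$fstab")
        if [ -z "$mnt" ]; then
            echo "fstab: nothing mounts /dev/mapper/$name"
            problems=$((problems + 1))
        elif [ ! -d "$root$mnt" ]; then
            echo "fstab: mount point $mnt does not exist"
            problems=$((problems + 1))
        fi
    done < "$crypttab"
    return "$problems"
}

# Constructed sample input mirroring the entries in this HOWTO
demo=$(mktemp -d)
mkdir -p "$demo/mnt/encrypt_sdb1"
printf 'encrypt_sdb1  UUID=   none     luks,timeout=60\n' > "$demo/crypttab.bad"
printf 'encrypt_sdb1  UUID=00000000-0000-0000-0000-000000000000  none  luks,timeout=60\n' \
    > "$demo/crypttab.ok"
printf '/dev/mapper/encrypt_sdb1  /mnt/encrypt_sdb1  ext4  defaults,errors=remount-ro 0 2\n' \
    > "$demo/fstab"

check_luks_boot_config "$demo/crypttab.ok" "$demo/fstab" "$demo" && echo "ok: consistent"
check_luks_boot_config "$demo/crypttab.bad" "$demo/fstab" "$demo" || echo "$? problem(s)"
rm -rf "$demo"
```

On a real system, call it as `check_luks_boot_config /etc/crypttab /etc/fstab` with no third argument.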

