How To Encrypt Linux Hard Disks Using LUKS
Protecting data is essential, especially for businesses. Whether it's data from your customers, sensitive information from the industry, credit card or financial details, or employee records, enforcing proper access and preserving confidentiality is essential to your relationships, your reputation, and staying on the right side of the law.
A critical aspect of data security is ensuring that it can't be accessed if it were somehow to be stolen or accidentally lost. This might take the form of a laptop being misplaced during travel, or a computer being stolen from your offices. In both of these scenarios, the best way to protect the data is to encrypt it.
Encryption is a special way of encoding information to hide the true nature of the data. When data is encrypted, it can't be read without first "decrypting" it. To decrypt data, you need a special passphrase or token (sometimes called a key) to turn it back into a "plain text format."
Generally, there are two ways to encrypt information, at the file level or block device level:
- file-level encryption allows you to encrypt individual files that might hold sensitive data, such as a customer database
- block-device level encryption works on the whole hard drive (or other block device), regardless of what files it holds
In Linux, multiple technologies can be used to apply encryption at either level. For files, the options include eCryptfs and EncFS. At the block level, the options include systems like LoopAES, VeraCrypt, and Linux Unified Key Setup-on-disk-format (LUKS). In this article, we'll look at how to use LUKS to encrypt entire disks. We'll cover:
- a brief background of what LUKS is and how it works
- how to install the packages needed to use LUKS
- the options for using LUKS with the Linux Logical Volume Manager (LVM)
- how to configure a LUKS encrypted logical volume and provision it with a filesystem
- how to unlock and mount the LUKS encrypted volume manually
- how to configure the system to automatically unlock the LUKS volumes on startup using /etc/crypttab and /etc/fstab
What is LUKS?
LUKS is a standard on-disk format for hard disk encryption. It is built on device mapper crypt (dm-crypt), the kernel module that provides transparent encryption at the block device level.
Configure Disks for Encryption (Ubuntu 20.04)
Install cryptsetup (the LUKS implementation) and the other tools Ubuntu needs to manage encrypted volumes:
apt-get install cryptsetup parted
cryptsetup is the utility Ubuntu uses to manage encrypted volumes; it is how encrypted volumes are created and unlocked.
LUKS and LVM
LUKS can be used alongside LVM to create expandable, encrypted volumes. While there are multiple approaches to configuring the volumes, one of the more robust and expandable options is to create an encrypted volume inside a logical volume. To do this:
- create a volume group from one or more disks
- use the volume group to create logical volumes
- apply LUKS encryption to the logical volume and create the filesystem inside the encrypted container
Using a logical volume allows the disks to be mounted on boot and provides a volume that can be dynamically expanded without sacrificing security.
LVM Utilities
LVM includes a set of utilities for managing physical volumes (pv), volume groups (vg), and logical volumes (lv). Each of these utilities, whether used for creating (create), retrieving information (display), or extending (extend), is prefixed with the abbreviation of the type of resource it works with. The convention can be used to intuit which command should be used for a particular operation.
The command for creating/tagging a physical volume is pvcreate, for example, while the command for creating a logical volume is lvcreate. Information about physical volumes can be retrieved using pvdisplay, while similar details for logical volumes are retrieved using lvdisplay.
Creating the Logical Volume
Creating a logical volume is a three step process:
- Tag the hard disk or storage device as a "physical volume"
- Associate the physical volume with a "volume group"
- Allocate a portion of the storage capacity of the group to a "logical volume"
Tag Storage Device As Physical Volume (pvcreate)
Storage devices can be tagged using their device identifier (example: /dev/sda), a partition (example: /dev/sda1), or their UUID:
# Specify partition 2 of attached disk sdd as a physical volume
pvcreate /dev/sdd2
Add Physical Volume to Volume Group
Once a storage device is tagged as a physical volume, it can be added to a volume group using vgcreate or vgextend:
# Create a new volume group
vgcreate volume-groupname /dev/sdd2
# Extend an existing volume group with an additional storage device
vgextend volume-groupname /dev/sdc
Create Logical Volume
Logical volumes are allocated from the capacity of a volume group using lvcreate by specifying the size (using the -L option), the name (--name), and the volume group from which the volume should be created:
# Allocate a 6.2 terabyte volume called minio
# (lvcreate takes an absolute size; the "+" prefix is only valid for lvextend)
lvcreate -L 6.2T --name minio volume-groupname
Extending Existing Logical Volumes
Additional capacity can be added to a logical volume using lvextend:
lvextend -L +1T /dev/volume-groupname/minio
Growing the logical volume does not by itself grow what is stacked on it: the LUKS container (cryptsetup resize) and the filesystem inside it (resize2fs for ext filesystems) must also be resized before the new space is usable.
Encrypting a Logical Volume With LUKS
To create an encrypted logical volume with LUKS:
- the volume needs to be set up with LUKS using cryptsetup
- after set-up of the encrypted volume, it needs to be opened so that a filesystem can be initialized on top of the encrypted volume
- initialize a filesystem so that the volume can be mounted
Once the filesystem has been initialized, the volume can be attached to a mount point.
Setting Up LUKS
The encryption for the logical volume is set up and opened using cryptsetup. For LVM volumes, the device path of the logical volume should be used. Example: /dev/volume-groupname/lvolume
# Setup encryption for a logical volume named lvolume
# that belongs to volume group volume-groupname
cryptsetup luksFormat /dev/volume-groupname/lvolume
Open the Encrypted Volume
In addition to setting up the volume, cryptsetup is also used to open encrypted volumes for input/output via the open subcommand. cryptsetup open takes the device path of the logical volume (including the volume group) as its first argument. Example: /dev/volume-groupname/lvolume.
cryptsetup open also requires a volume name as the second argument. This volume name becomes part of the unencrypted device mapper path used by the filesystem initialization and mount commands. Example of the resulting device map for the name open-lvolume: /dev/mapper/open-lvolume.
# Open an encrypted logical volume under the name open-lvolume
cryptsetup open /dev/volume-groupname/lvolume open-lvolume
Initialize Filesystem
Creating a logical volume (either encrypted or unencrypted) does not create the filesystem. That task must be performed separately using mkfs. When initializing a filesystem for the volume, it is best to use an "extended" filesystem such as ext3 or ext4.
mkfs requires the device mapper path to the opened, unencrypted volume. Example for a logical volume opened with the volume name open-lvolume: /dev/mapper/open-lvolume.
# Initialize an ext4 file system for an open logical volume
mkfs.ext4 -m 1 /dev/mapper/open-lvolume
Unlocking and Mounting Existing LUKS Encrypted Volumes
Mounting an existing volume is a two-step process:
- Open the volume so that it can be read and written to using cryptsetup.
- Mount the volume filesystem to a point on the machine.
LVM
Use cryptsetup to open the volume for read/write. For LVM managed volumes, use the device mapper path as the first argument of the command, followed by the logical volume name. You will be prompted for the volume passphrase.
$ cryptsetup open /dev/mapper/vg-group-lvolume lvolume
Enter password for /dev/mapper/vg-group-lvolume:
Once the volume has been opened, it can be mounted directly using a mount command, or an entry can be added to /etc/fstab so that the volume will mount at startup or with mount -a.
Whole Disk
Use cryptsetup to open the volume for read/write. For whole disks, use the device entry (/dev/sdb, /dev/sdc, /dev/sdd, etc.) as the first argument of the command, followed by the LUKS volume name. You will be prompted for the volume passphrase. By convention, it is a good idea to use the same name for the LUKS volume and the logical volume.
$ cryptsetup open /dev/sdc luks-309cca3c-644c-412a-a6ec-a50ea1470e04
Enter password for /dev/sdc:
When the volume is open, it can also be mounted using a mount command or an entry in /etc/fstab.
Configure a LUKS Volume to Auto Mount
LUKS encrypted volumes can be configured to auto-mount in one of two ways:
- through the use of a key file
- via a passphrase prompt that appears as part of the boot sequence
This section describes how to configure the second of these two options by adding entries for the encrypted volume in /etc/crypttab and /etc/fstab. When properly configured, the machine will prompt for the disk passphrase during boot and will mount the volume after it has been unlocked.
Configure the Machine to Prompt for the Volume Passphrase
Linux reads the /etc/crypttab file early in the boot process in order to unlock encrypted volumes. /etc/crypttab is a listing of volume names, their UUIDs, and their unlock options. Example:
sda6_crypt UUID=7cb1b762-59c9-495d-b6b3-18e5b458ab70 none luks,discard
Working from left to right, the fields provide:
- the name of the unlocked (device mapper) device
- the UUID of the encrypted storage volume
- the key file which should be used to unlock the volume, or none if a passphrase prompt is used
- the encryption options (luks)
The example above will attempt to unlock the storage volume with UUID 7cb1... under the name sda6_crypt, prompting for a passphrase.
Each line of the file corresponds to a separate encrypted volume, and additional volumes are added by extending the file.
Retrieving the UUID of Encrypted Volumes
Storage devices are added to the crypttab using their UUIDs. The UUIDs of LUKS encrypted storage volumes can be retrieved using the luksUUID action of the cryptsetup command.
The command takes the device path of the storage volume as its only input and works for drives, partitions, and logical volumes.
Example 1: Disks and Partitions
# Retrieve UUID for entire disk
$ cryptsetup luksUUID /dev/sdc
309cca3c-644c-412a-a6ec-a50ea1470e04
# Retrieve UUID for partition
$ cryptsetup luksUUID /dev/sdd1
309ffb3d-644d-412b-b6ec-a51ea1471e09
Example 2: Logical Volume
# Retrieve UUID for a logical volume named lvolume from
# the volume group "volume-groupname"
$ cryptsetup luksUUID /dev/volume-groupname/lvolume
5844554a-f835-4b07-8195-aace77dd4524
Configure Mount Points for Unlocked Volumes
Mount points in Linux are configured using the /etc/fstab file. Entries in /etc/fstab are mounted at boot or when the mount -a command is invoked.
The file is a list of the volumes, their mount points, the filesystem types, and mount options. Example:
/dev/mapper/luks-309cca3c... /data/object-storage ext4 defaults 0 0
/dev/mapper/k8s-object2 /data/object-storage2 ext4 errors=remount-ro 0 1
/dev/mapper/k8s-block /data/glusterfs ext4 errors=remount-ro 0 1
The first column is the device mapper entry of the unlocked storage device, the second is the directory to be used as the mount point, and the third is the type of filesystem. The fourth column provides the mount options (defaults or errors=remount-ro in the example above), the fifth column is used by the Linux utility dump to determine which filesystems need to be dumped (0 indicates "don't dump" the drive), and the sixth column indicates the order in which fsck should check the filesystem at boot (0 disables the check).
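Both files are easy to get subtly wrong, and the cost is a boot that hangs at a passphrase prompt for a device that never appears. The following added example (not part of the original article) checks crypttab and fstab entries for the problems this section describes: malformed UUIDs, key fields that are neither none nor an existing file, a missing luks option, and unlocked volumes that nothing mounts. The UUID in the good sample is the article's own; the other sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the LUKS entries in
# /etc/crypttab and /etc/fstab before rebooting, since a malformed crypttab line can
# stall the boot at a passphrase prompt. Paths are arguments so samples run offline.

# check_crypttab FILE: each entry needs "name source key options", where source is
# UUID=<uuid> or a /dev path, key is "none" (prompt) or an existing key file, and
# the options include "luks". Prints every problem found; returns 1 if any.
check_crypttab() {
    status=0
    while read -r name src key opts _; do
        case $name in ''|\#*) continue ;; esac
        case $src in
            UUID=*) uuid=${src#UUID=}
                    [ "${#uuid}" -eq 36 ] || { echo "$name: malformed UUID '$uuid'"; status=1; } ;;
            /dev/*) ;;
            *) echo "$name: source must be UUID=<uuid> or a /dev path"; status=1 ;;
        esac
        case $key in
            none) ;;
            /*) [ -f "$key" ] || { echo "$name: key file $key not found"; status=1; } ;;
            *) echo "$name: key must be 'none' or an absolute path"; status=1 ;;
        esac
        case ",$opts," in *,luks,*) ;; *) echo "$name: options lack 'luks'"; status=1 ;; esac
    done < "$1"
    return $status
}

# check_fstab_refs CRYPTTAB FSTAB: every volume crypttab unlocks should be mounted
# from /dev/mapper/<name> in fstab; reports names with no mount entry.
check_fstab_refs() {
    status=0
    while read -r name _; do
        case $name in ''|\#*) continue ;; esac
        grep -q "^/dev/mapper/$name[[:space:]]" "$2" || { echo "$name: no fstab entry"; status=1; }
    done < "$1"
    return $status
}

# write_samples DIR: constructed sample files. The first UUID is the article's own
# example; the truncated UUID and the missing key file are deliberate errors.
write_samples() {
    printf 'data_crypt UUID=7cb1b762-59c9-495d-b6b3-18e5b458ab70 none luks,discard\n' > "$1/crypttab.ok"
    printf 'bad_crypt UUID=7cb1b762-59c9 none luks\nnokey /dev/sdc1 /root/missing.key luks\n' > "$1/crypttab.bad"
    printf '/dev/mapper/data_crypt /data ext4 defaults 0 0\n' > "$1/fstab"
}
dir=$(mktemp -d) && write_samples "$dir"
check_crypttab "$dir/crypttab.ok" && check_fstab_refs "$dir/crypttab.ok" "$dir/fstab" && echo "crypttab.ok: consistent"
check_crypttab "$dir/crypttab.bad" || echo "crypttab.bad: rejected"
rm -rf "$dir"
```

Run it against the real files with check_crypttab /etc/crypttab and check_fstab_refs /etc/crypttab /etc/fstab before rebooting; a non-zero exit means at least one reported problem.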