How to encrypt root partition and entire file system using LUKS in Linux


LUKS, Linux, Security

During a fresh installation of Red Hat or CentOS you can tick the checkbox to encrypt all available disks, but it is also possible to encrypt the root partition and other volumes after the OS is installed. We will encrypt the volume group, its underlying physical volume and the root partition with LUKS online using cryptsetup.

NOTE:
A physical volume cannot be encrypted in place while it is online without losing its data. The workaround is to add a second physical volume to the existing volume group, encrypt that one with LUKS, and then move the contents of the un-encrypted physical volume onto the encrypted one.


Lab Environment

I have a Virtual machine with CentOS 8 Linux running on Oracle VirtualBox installed on my Linux Server. There are two disks attached to this VM.

First Disk → Size: 15GB → /dev/sda2 → The node is installed on this disk, which is un-encrypted.
Second Disk → Size: 20GB → /dev/sdb1 → We will move all the file systems from /dev/sda2 to this disk, which will be encrypted with LUKS.

NOTE:
Make sure the second disk to which you plan to migrate the file system is of the same size or larger than the first disk, which contains the un-encrypted data.

These are the steps to replace the existing un-encrypted PV (/dev/sda2) with an encrypted physical volume (/dev/sdb1) for the root volume on a running system:


Install Cryptsetup in Linux

To encrypt the root partition and our physical volume in Linux we need the cryptsetup rpm.

NOTE:
On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the rpm and its dependencies.
[root@centos-8 ~]# yum install cryptsetup -y

 

Encrypt alternate partition /dev/sdb1 with LUKS

Initialise the new disk/partition as a LUKS device using luksFormat:

[root@centos-8 ~]# cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:

Open the encrypted LUKS device by creating a device-mapper mapping. Here I map my LUKS device to /dev/mapper/secret. After this step you should see the /dev/mapper/secret device on your Linux system.

[root@centos-8 ~]# cryptsetup luksOpen /dev/sdb1 secret
Enter passphrase for /dev/sdb1:

 

Create Encrypted Physical Volume

Now we start with the steps to encrypt the root partition. The first step is to create a physical volume on our LUKS mapping /dev/mapper/secret.

[root@centos-8 ~]# pvcreate /dev/mapper/secret
  Physical volume "/dev/mapper/secret" successfully created.

List the available physical volumes. As you can see, we now have one encrypted physical volume, /dev/mapper/secret (backed by /dev/sdb1), and one un-encrypted physical volume, /dev/sda2.

[root@centos-8 ~]# pvs
  PV                 VG   Fmt  Attr PSize   PFree
  /dev/mapper/secret      lvm2 ---   19.99g 19.99g
  /dev/sda2          rhel lvm2 a--  <14.50g     0

 

Encrypt Volume Group

Next, extend the volume group by adding the newly created physical volume. With this we are one step closer to an encrypted volume group on our Linux system.

[root@centos-8 ~]# vgextend rhel /dev/mapper/secret
  Volume group "rhel" successfully extended

List the available volume groups. As you can see, our VG now has two physical volumes, one of which (/dev/mapper/secret) is LUKS encrypted.

[root@centos-8 ~]# vgs
  VG   #PV #LV #SN Attr   VSize  VFree
  rhel   2   2   0 wz--n- 34.48g <19.99g

List the physical volumes again. The encrypted physical volume has 19GB free while the un-encrypted PV (/dev/sda2) holds 14.5GB of content, so we can easily migrate the content to the encrypted physical volume.

[root@centos-8 ~]# pvs
  PV                 VG   Fmt  Attr PSize   PFree
  /dev/mapper/secret rhel lvm2 a--  <19.99g <19.99g
  /dev/sda2          rhel lvm2 a--  <14.50g      0

 

Encrypt root partition with LUKS

Our root and swap partitions are logical volumes in the rhel volume group. Now that we have added the encrypted physical volume to the existing volume group, we move the content of PV1 (/dev/sda2) to PV2 (/dev/mapper/secret) using pvmove:

[root@centos-8 ~]# pvmove /dev/sda2 /dev/mapper/secret
  /dev/sda2: Moved: 0.05%
  /dev/sda2: Moved: 6.44%
  /dev/sda2: Moved: 32.93%
  /dev/sda2: Moved: 58.18%
  /dev/sda2: Moved: 78.15%
  /dev/sda2: Moved: 100.00%

As you can see, our encrypted physical volume now holds all the content from PV1 (/dev/sda2) and PV1 is empty.

[root@centos-8 ~]# pvs
  PV                 VG   Fmt  Attr PSize   PFree
  /dev/mapper/secret rhel lvm2 a--  <19.99g   5.49g
  /dev/sda2          rhel lvm2 a--  <14.50g <14.50g

Similarly, vgs shows that our VG still has 2 physical volumes:

[root@centos-8 ~]# vgs
  VG   #PV #LV #SN Attr   VSize  VFree
  rhel   2   2   0 wz--n- 34.48g <19.99g

Since the data has been migrated to the encrypted physical volume, we can remove the un-encrypted physical volume from the rhel VG to complete the encryption of the volume group:

[root@centos-8 ~]# vgreduce rhel /dev/sda2
  Removed "/dev/sda2" from volume group "rhel"

Once done, also wipe the LVM label from the old un-encrypted physical volume; the volume group is now fully encrypted as it no longer contains any un-encrypted physical volume. Note that this wipes only the LVM label, not the data blocks that were on /dev/sda2.

[root@centos-8 ~]# pvremove /dev/sda2
  Labels on physical volume "/dev/sda2" successfully wiped.

 

Update encrypted LUKS device details in GRUB2 and /etc/crypttab

Now that all the data has been migrated to the encrypted LUKS device, we must also configure GRUB2 and the initramfs so the system can unlock it at boot. Update the LUKS device details in /etc/crypttab and grub.cfg.

We will update /etc/crypttab with the details of our LUKS device.

This command reads the UUID of our LUKS device and appends a matching entry to /etc/crypttab:

[root@centos-8 ~]# echo "luks-$(cryptsetup luksUUID /dev/sdb1) UUID=$(cryptsetup luksUUID /dev/sdb1) none" >> /etc/crypttab
[root@centos-8 ~]# echo "luks-$(cryptsetup luksUUID /dev/sdb1)"
luks-4c9b0973-407f-44e4-a91b-446014832ce6

Below is my crypttab file content

[root@centos-8 ~]# cat /etc/crypttab
luks-4c9b0973-407f-44e4-a91b-446014832ce6 UUID=4c9b0973-407f-44e4-a91b-446014832ce6 none

Next update /etc/sysconfig/grub by adding rd.luks.uuid=<UUID> of the LUKS device to GRUB_CMDLINE_LINUX, as shown as the last parameter of that line below. This UUID must be the same one we added to /etc/crypttab.

[root@centos-8 ~]# cat /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet biosdevname=0 net.ifnames=0 rd.luks.uuid=4c9b0973-407f-44e4-a91b-446014832ce6"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true

Next rebuild your GRUB2 configuration using grub2-mkconfig

[root@centos-8 ~]# grub2-mkconfig -o /etc/grub2.cfg
Generating grub configuration file ...
done

Rebuild initramfs:

[root@centos-8 ~]# dracut -f
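
As an added example that is not part of the original article, here are shell helpers that make the checks and edits of this procedure repeatable: a pre-flight check that the target PV can hold the source PV's data (the size NOTE in the Lab Environment section), idempotent /etc/crypttab and GRUB_CMDLINE_LINUX updates, and a final check that both files name the same LUKS UUID. The pvs column layout, device names and file paths are assumptions taken from this article.

```shell
#!/bin/bash
# Added example (not from the original article): helpers that make the
# checks and config edits of this migration repeatable. Assumptions: the
# device names and file paths used in the article, and pvs output produced
# with: pvs --noheadings --nosuffix --units m -o pv_name,pv_used,pv_free
set -eu

# Pre-flight for the size NOTE above (and the "Insufficient free space" error
# in the comments): the target PV needs at least as much free space as the
# source PV has in use. Takes pvs output as a string so it can be checked offline.
pv_can_hold() {  # pv_can_hold "<pvs output>" <source_pv> <target_pv>
    local out=$1 src=$2 dst=$3 used free
    # column 2 = used MiB, column 3 = free MiB; drop lvm2's "<" rounding marker
    used=$(printf '%s\n' "$out" | awk -v p="$src" '$1==p {sub(/^</,"",$2); print int($2)}')
    free=$(printf '%s\n' "$out" | awk -v p="$dst" '$1==p {sub(/^</,"",$3); print int($3)}')
    if [ -n "$used" ] && [ -n "$free" ] && [ "$free" -ge "$used" ]; then
        return 0
    fi
    return 1
}

# Append the crypttab entry for a LUKS UUID exactly once (re-running the
# article's `echo ... >> /etc/crypttab` would add a duplicate line).
crypttab_add() {  # crypttab_add <crypttab-file> <luks-uuid>
    local f=$1 uuid=$2
    touch "$f"
    grep -q "UUID=$uuid" "$f" || printf 'luks-%s UUID=%s none\n' "$uuid" "$uuid" >> "$f"
}

# Add rd.luks.uuid=<uuid> to GRUB_CMDLINE_LINUX idempotently, so the initramfs
# knows which device to unlock before it activates the LVM volumes.
grub_add_luks() {  # grub_add_luks <grub-defaults-file> <luks-uuid>
    local f=$1 uuid=$2
    grep -q '^GRUB_CMDLINE_LINUX=' "$f" || return 1
    grep -q "rd.luks.uuid=$uuid" "$f" && return 0
    # keep everything inside the quotes and append the parameter before the closing quote
    sed 's/^\(GRUB_CMDLINE_LINUX=".*\)"[[:space:]]*$/\1 rd.luks.uuid='"$uuid"'"/' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Last check before grub2-mkconfig and dracut: crypttab and the grub defaults
# must name the same LUKS UUID, otherwise the boot prompt can never unlock root.
luks_config_consistent() {  # luks_config_consistent <crypttab> <grub-defaults> <luks-uuid>
    grep -q "^luks-$3 UUID=$3 none" "$1" && grep -q "rd.luks.uuid=$3" "$2"
}
```

Run the functions against copies of the two files first, then against /etc/crypttab and /etc/sysconfig/grub as root before grub2-mkconfig and dracut -f.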

 

Now you can reboot your Linux node. Since the root partition is encrypted, the boot screen will prompt for the LUKS passphrase before the system comes up.

[Figure: boot screen prompting for the LUKS passphrase; root partition, volume group, swap volume and physical volume are now encrypted]

 

In our next article I will explain Network Bound Disk Encryption (NBDE), where you configure a tang server from which a system with an encrypted root partition automatically fetches the key and continues to boot.

 

Lastly, I hope the steps in this article to encrypt the root partition, encrypt the volume group and set up an encrypted physical volume using LUKS in Linux were helpful. Let me know your suggestions and feedback in the comment section.

 

References:
pvmove man page
vgreduce man page

 

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


9 thoughts on “How to encrypt root partition and entire file system using LUKS in Linux”

  1. I have a TPM 1.2 where I store my master keys. In order to unencrypt data I use the trousers service, which helps to read the master keys from the TPM and unlock the encrypted volumes.

    I would like to encrypt the root partition, however I don’t know how to let the data be read from the TPM while the trousers service is still not started.

    Have you tried to work on that?
  2. This howto ignores what happens with the original hard disk after removing it from the LVM.

    Therefore I’d recommend a slightly lengthier approach:
    * Don’t encrypt sdb1 but add it to the VG without encryption.
    * Use “pvmove sda2” to move content to sdb1, then “pvremove sda2”.
    * Encrypt sda2.
    * Use “pvmove sdb1” to move content to the encrypted sda2, then “pvremove sdb1”.
    * You can then remove the temporary hard disk sdb from your system (see the necessary steps to cleanly remove a disk from Linux in other howtos).
    • Thanks Andreas, this is actually also a good suggestion. This way we can utilize the existing disk and use the additional disk just for backup and restore purposes.
      I will try to test this and update the article with detailed steps for both methods.
    • I found one problem with this approach. While trying to restore my data on sda2, I got the following error:

        Insufficient free space: 3711 extents needed, but only 3707 available
        Unable to allocate mirror extents for rhel/pvmove0.
        Failed to convert pvmove LV to mirrored.

      This is because my sdb1 was 15GB while sda2 was 14.5GB. So to follow your steps, both disks should be “EXACTLY” the same size or else the operation would fail.
      In such a case I would prefer to stick with what is written in the tutorial, and the end user can decide what they want to do with sda2.
      • How can I remove the first disk and still get it to boot? When I removed disk 1 my CentOS 7 VM wouldn’t start because the boot files were still on hard disk 1.
        • Once all your data is moved to the second disk you should be able to boot using that disk as I have shown. Later you can plan to remove the first disk as well.
  3. How can I do this on a Debian system when my root/boot partition isn’t created with LVM2? Therefore the PV move step won’t work. The only way to write to the LV is by mounting it to a dir in /mnt. I was eventually going to use dropbear to access the box during boot and unlock the LUKS container, but given the additional step needed to access the files after unlocking and then mounting, I’m not sure this will work. Thanks for your time.
    • In such a case an entire backup and restore may be performed, but this is all theoretical as I have never tried it. If you do manage to get a working procedure, kindly share it here.
