Earlier I shared an article on encrypting, decrypting and signing a file with a GPG key in Linux. In this article I will show you the steps to create an encrypted block device using LUKS. By default, if somebody connects your hard disk to their computer it can be mounted automatically, without entering any user credentials, and that is why you should always encrypt the hard disk.

If the hard disk is encrypted, a passphrase is required to mount it; without the passphrase nobody can mount it. This protects the data on your hard disk, or your server's hard disk, if the disk is lost or stolen, a situation in which the data could otherwise be read easily.

How to Encrypt Hard Disk (partition) using LUKS in Linux

To create encrypted block devices in Linux we use LUKS (Linux Unified Key Setup), the standard disk-encryption layer on Linux. It is built on the kernel's dm-crypt device-mapper target and managed with the cryptsetup tool.

Attach new hard disk (optional)

So to start with, you need an empty device. I have added a new virtual disk to my virtual machine, which shows up as /dev/sdb:

[[email protected] ~]# cat /proc/partitions
major minor  #blocks  name

  11        0    1048575 sr0
   8        0   31457280 sda
   8        1     524288 sda1
   8        2   28844032 sda2
   8       16    5242880 sdb
 253        0   26738688 dm-0
 253        1    2097152 dm-1


Create new partition

We will create a new partition /dev/sdb1 on this disk

[[email protected] ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xa12bdd47.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (2048-10485759, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759):
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p

Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xa12bdd47

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

So the partition table has been written. Run partprobe so the kernel re-reads the partition table:

[[email protected] ~]# partprobe

Now the new partition /dev/sdb1 is visible to the kernel:

[[email protected] ~]# cat /proc/partitions
major minor  #blocks  name

  11        0    1048575 sr0
   8        0   31457280 sda
   8        1     524288 sda1
   8        2   28844032 sda2
   8       16    5242880 sdb
   8       17    5241856 sdb1
 253        0   26738688 dm-0
 253        1    2097152 dm-1


Format the partition using luksFormat

Now run luksFormat on the partition. This writes the LUKS header and creates the encryption layer, and it asks you to set a passphrase: this is the passphrase that needs to be entered by anyone who wants to open the device. In real life you want a passphrase that is genuinely strong, which is affordable because devices like this are not opened that often.

[[email protected] ~]# cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:


Open the LUKS device

Next, open the device with luksOpen. This presents the decrypted view of the partition as a new block device managed by the device mapper; you give it a name, here secret, so it appears as /dev/mapper/secret.

[[email protected] ~]# cryptsetup luksOpen /dev/sdb1 secret
Enter passphrase for /dev/sdb1:

As you can see, the cryptsetup luksOpen command creates a new device with the name you provided. In this example the device is /dev/mapper/secret:

[[email protected] ~]# cd /dev/mapper/
[[email protected] mapper]# ls -l
total 0
lrwxrwxrwx. 1 root root       7 Feb 25 21:11 centos-root -> ../dm-0
lrwxrwxrwx. 1 root root       7 Feb 25 21:11 centos-swap -> ../dm-1
crw-------. 1 root root 10, 236 Feb 25 21:09 control
lrwxrwxrwx. 1 root root       7 Feb 25 21:14 secret -> ../dm-2


Create file system on LUKS device

The important step now is to create a file system on the encrypted device, that is, on /dev/mapper/secret.

IMPORTANT NOTE:
Make sure you create the file system on the LUKS device (/dev/mapper/secret) and not on the physical partition (/dev/sdb1). Formatting the raw partition would write the file system in the clear and destroy the LUKS setup you just created.

[[email protected] mapper]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1309952 blocks
65497 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done


Mount the LUKS partition

Once a file system has been created on the LUKS device, you can create a mount point and mount it.

[[email protected] mapper]# mkdir /secret
[[email protected] mapper]# cd
[[email protected] ~]# mount /dev/mapper/secret /secret/

Verify using the mount command: from the mount command's perspective there is nothing visible about the device being encrypted; we just see an ordinary ext4 file system on /dev/mapper/secret.

[[email protected] ~]# mount | grep secret
/dev/mapper/secret on /secret type ext4 (rw,relatime,seclabel,data=ordered)

So we can create files on top of it, and these files will be safely stored on the encrypted device.

Disconnect the encrypted partition

Let me also show you how to disconnect the encrypted device: unmount the file system first, then close the LUKS mapping. After luksClose the /dev/mapper/secret device is gone, and the data cannot be accessed again until the device is opened with the passphrase.

[[email protected] ~]# umount /secret
[[email protected] ~]# cryptsetup luksClose /dev/mapper/secret
[[email protected] ~]# mount | grep secret
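
The whole procedure above, from luksFormat to luksClose, as an added shell script (not part of the original article) with the guards a practitioner would want: it refuses a mapping name that is not a single path component, refuses to format a partition that already carries a signature, and will only run mkfs on the /dev/mapper device. Device path, mapping name and mount point are assumed arguments; it prints the commands unless RUN=1 is set, so the plan can be reviewed before touching a real disk.

```shell
#!/bin/sh
# Added example, not the article's own code. RUN=1 executes the commands;
# otherwise they are only printed. Assumes cryptsetup and blkid on PATH.

run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The device-mapper name must be a single path component (no "/", no "..").
valid_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# The mkfs target must be the opened LUKS device, never the raw partition.
mkfs_target_ok() {
    case "$1" in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to luksFormat a partition that already carries a signature
# (LUKS, ext4, ...). blkid -p exits non-zero for a blank device.
device_is_blank() {
    [ "${RUN:-0}" = "1" ] || return 0      # dry run: assume blank
    ! blkid -p "$1" >/dev/null 2>&1
}

luks_setup() {        # luks_setup /dev/sdb1 secret /secret
    dev=$1; name=$2; mnt=$3; mapped=/dev/mapper/$name
    valid_name "$name"       || { echo "bad mapping name: $name" >&2; return 1; }
    device_is_blank "$dev"   || { echo "$dev already has a signature" >&2; return 1; }
    mkfs_target_ok "$mapped" || { echo "refusing to mkfs $mapped" >&2; return 1; }
    run cryptsetup luksFormat "$dev"          # writes LUKS header, sets passphrase
    run cryptsetup luksOpen "$dev" "$name"    # creates /dev/mapper/$name
    run mkfs.ext4 "$mapped"                   # file system goes on the mapped device
    run mkdir -p "$mnt"
    run mount "$mapped" "$mnt"
}

luks_teardown() {     # luks_teardown secret /secret
    run umount "$2"
    run cryptsetup luksClose "/dev/mapper/$1"
}
```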


Lastly, I hope the steps in this article to encrypt a hard disk (partition) using LUKS on Linux were helpful. Let me know your suggestions and feedback in the comment section.

In the next article I will share the steps to automatically decrypt and mount the encrypted partition at boot using a key file on Linux.
