How to encrypt root volume group online using `LUKS` in RHEL?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • LUKS

Issue

  • Encrypt system vg with LUKS online.
  • Is there any way to encrypt the root VG on running system without downtime?

Resolution

It is not possible to encrypt a physical volume in place, online, without data loss. The workaround is to add a second physical volume to the existing volume group, encrypt that new device with LUKS, and then move the contents of the existing (unencrypted) physical volume onto the encrypted one.

These are the steps to replace an existing unencrypted PV with an encrypted PV in a running/active system for the root volume group:

Note: As a safety measure, take a backup before applying the steps below.

1. Initialize the new disk/partition as a LUKS device:

#  yum install cryptsetup                          # Installs the LUKS encryption tooling (cryptsetup)
#  cryptsetup luksFormat <disk_name>               # where <disk_name> is the disk/partition to be encrypted
#  cryptsetup luksOpen <disk_name>  <Luks_name>    # Unlocks the device and maps it as /dev/mapper/<Luks_name>

2. Create PV on new device:

#  pvcreate /dev/mapper/<Luks_name>

3. Extend VG with new PV:

#  vgextend <group_volume> /dev/mapper/<Luks_name>   # where <group_volume> is the volume group name

4. Move all PEs (physical extents) from the old PV to the new one:

#  pvmove <disk_unencrypted> /dev/mapper/<Luks_name>

5. Once the pvmove operation is done, remove the old PV from the VG:

#  vgreduce <group_volume> <disk_unencrypted>
#  pvremove <disk_unencrypted>

6. Update the LUKS device details in /etc/crypttab and grub.cfg. For example:

# grep "GRUB_CMDLINE_LINUX" /etc/sysconfig/grub
GRUB_CMDLINE_LINUX=" rd.luks.uuid=<luks_uuid>  vconsole.keymap=us rd.lvm.lv=<rootvg/rootlv> rd.lvm.lv=<rootvg/swapLV>   vconsole.font=latarcyrheb-sun16 rhgb quiet"

  • Where rd.luks.uuid= is the UUID of the LUKS device.

  • Use this command to get the luksUUID:

# echo "luks-$(cryptsetup luksUUID <disk_name>)"

  • The vconsole.keymap=us and vconsole.font=latarcyrheb-sun16 options are used to detect the keyboard.

  • Rebuild grub:

# grub2-mkconfig -o /etc/grub2.cfg

  • Update the LUKS device details in /etc/crypttab:

# echo "luks-$(cryptsetup luksUUID <disk_name>) UUID=$(cryptsetup luksUUID <disk_name>) none" >> /etc/crypttab

7. Rebuild initramfs:

# dracut -f -v
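The following script is an added example, not part of this Red Hat solution, that wraps steps 1 to 7 above in one run with the checks a practitioner would want before rebooting: it opens the new device under the same `luks-<uuid>` name that /etc/crypttab will use, confirms the new PV has enough free extents for the pvmove before starting it, and adds the `rd.luks.uuid=` option and the crypttab entry only once so re-running is safe. It assumes it is run as root with the VG name, the old PV and the new empty device passed as arguments (`migrate rootvg /dev/sda2 /dev/sdb1`); `DRY_RUN=1` prints the commands instead of executing them. The file paths default to the ones used in this article.

```shell
#!/bin/sh
# Added example: online migration of a VG onto a LUKS-encrypted PV
# (hypothetical helper script, not Red Hat's own tooling).
set -eu

# /etc/crypttab line for a LUKS UUID: <mapped name> <source> <keyfile>.
crypttab_line() {
    local uuid="$1"
    printf 'luks-%s UUID=%s none\n' "$uuid" "$uuid"
}

# GRUB_CMDLINE_LINUX value with rd.luks.uuid=<uuid> present exactly once.
add_rd_luks_uuid() {
    local cmdline="$1" uuid="$2"
    case " $cmdline " in
        *" rd.luks.uuid=$uuid "*|*" rd.luks.uuid=luks-$uuid "*)
            printf '%s\n' "$cmdline" ;;
        *)
            if [ -n "$cmdline" ]; then printf 'rd.luks.uuid=%s %s\n' "$uuid" "$cmdline"
            else printf 'rd.luks.uuid=%s\n' "$uuid"; fi ;;
    esac
}

# True when the new PV has at least as many free extents as the old PV
# has allocated, so pvmove cannot stall half way for lack of space.
pvmove_fits() {
    local old_used="$1" new_free="$2"
    [ "$new_free" -ge "$old_used" ]
}

# Rewrite GRUB_CMDLINE_LINUX and append the crypttab entry (idempotent).
# Paths are parameters so the logic can be exercised on copies.
update_boot_config() {
    local uuid="$1" grubdef="${2:-/etc/sysconfig/grub}" crypttab="${3:-/etc/crypttab}"
    local current new
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grubdef")
    new=$(add_rd_luks_uuid "$current" "$uuid")
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$grubdef"
    grep -q "UUID=$uuid" "$crypttab" 2>/dev/null || crypttab_line "$uuid" >> "$crypttab"
}

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Steps 1-7 of the article for VG $1, old PV $2, new empty device $3.
migrate() {
    local vg="$1" old_pv="$2" new_dev="$3" uuid name used free
    run cryptsetup luksFormat "$new_dev"                       # step 1 (prompts for passphrase)
    if [ "${DRY_RUN:-0}" = 1 ]; then uuid="<luks_uuid>"; else uuid=$(cryptsetup luksUUID "$new_dev"); fi
    name="luks-$uuid"                                          # same name crypttab will use at boot
    run cryptsetup luksOpen "$new_dev" "$name"
    run pvcreate "/dev/mapper/$name"                           # step 2
    run vgextend "$vg" "/dev/mapper/$name"                     # step 3
    if [ "${DRY_RUN:-0}" != 1 ]; then                          # pre-flight: will the extents fit?
        used=$(pvs --noheadings -o pv_pe_alloc_count "$old_pv" | tr -d ' ')
        free=$(pvs --noheadings -o pv_pe_count,pv_pe_alloc_count "/dev/mapper/$name" | awk '{print $1-$2}')
        pvmove_fits "$used" "$free" || { echo "new PV has $free free extents, old PV uses $used" >&2; return 1; }
    fi
    run pvmove "$old_pv" "/dev/mapper/$name"                   # step 4
    run vgreduce "$vg" "$old_pv"                               # step 5
    run pvremove "$old_pv"
    if [ "${DRY_RUN:-0}" = 1 ]; then                           # step 6
        echo "+ crypttab: $(crypttab_line "$uuid")"
        echo "+ GRUB_CMDLINE_LINUX: rd.luks.uuid=$uuid ..."
    else
        update_boot_config "$uuid"
    fi
    run grub2-mkconfig -o /etc/grub2.cfg
    run dracut -f -v                                           # step 7
}

if [ $# -ge 3 ]; then migrate "$@"; fi
```

The extent check is the part worth keeping even if the rest is run by hand: `pvmove` that runs out of space leaves the VG with extents split across both PVs, which is recoverable but not something to discover on a root volume. Opening the device as `luks-<uuid>` from the start also means the PV path seen by LVM before and after reboot is the same.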

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.