How to create a LUKS-encrypted image and mount it at boot
Environment
- Red Hat Enterprise Linux 7
Issue
- How to create a LUKS-encrypted image (file) and mount it automatically during boot?
Resolution
- Create a directory
# mkdir /var/loopfs
- Preallocate space for the image file
# fallocate -l 1G /var/loopfs/Stage
- Set up a loop device
# losetup /dev/loop0 /var/loopfs/Stage
- Initialize a LUKS partition on the loop device and set the initial passphrase
# cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
- Open the LUKS device
# cryptsetup luksOpen /dev/loop0 Stage
Enter passphrase for /var/loopfs/Stage:
- Format the opened device with an XFS filesystem
# mkfs.xfs /dev/mapper/Stage
- Create a key file holding a new LUKS key
# echo "___KEY___" > /root/luks-Stage.key
- Add the key to the device
# cryptsetup luksAddKey /dev/loop0 /root/luks-Stage.key
- Append an entry to /etc/crypttab (appending with >> keeps any entries already in the file)
# echo "Stage /var/loopfs/Stage /root/luks-Stage.key" >> /etc/crypttab
- Add an entry to /etc/fstab
# vim /etc/fstab
/dev/mapper/Stage /mnt xfs defaults 0 0
- Reboot the system and verify that the filesystem is mounted
# reboot
# df -h
/dev/mapper/Stage 1019M 81M 938M 8% /mnt
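The key-file and crypttab steps above, as an added shell example that is not part of the original Red Hat solution: it writes the key file with owner-only permissions (using random bytes instead of the echoed string), appends the crypttab entry without overwriting existing ones, and flags entries whose key file is readable by group or others. The function names are hypothetical, and stat -c assumes GNU coreutils as shipped on RHEL.

```shell
# Added example: hypothetical helper names; stat -c assumes GNU coreutils.

# Write 64 random bytes to a key file only its owner can read.
make_keyfile() {
    ( umask 077 && head -c 64 /dev/urandom > "$1" ) && chmod 600 "$1"
}

# Succeed only if the key file grants no access to group or others.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # missing file
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Append "name device keyfile" to a crypttab unless name is already there.
# Uses >> so existing entries (for example an encrypted root) survive.
add_crypttab_entry() {
    crypttab=$1 name=$2 device=$3 keyfile=$4
    if [ -f "$crypttab" ] &&
       awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$crypttab"; then
        return 0
    fi
    printf '%s %s %s\n' "$name" "$device" "$keyfile" >> "$crypttab"
}

# Report entries whose key file is missing or too permissive.
# Returns 1 if any were found, 0 otherwise.
audit_crypttab() {
    bad=0
    while read -r name device keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in ''|none|-) continue ;; esac
        if ! keyfile_mode_ok "$keyfile"; then
            echo "WEAK: $name uses key file $keyfile"
            bad=1
        fi
    done < "$1"
    return "$bad"
}
```

Pass the resulting key file to cryptsetup luksAddKey as in the step above, and run audit_crypttab /etc/crypttab after any change to the file.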
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.