How to configure encrypted storage with LUKS using passphrases

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • LUKS

Issue

  • How to configure LUKS encryption on a partition?
  • How to set up LUKS on top of a logical volume?
  • How to encrypt physical volumes with LUKS?
  • How to encrypt a filesystem with LUKS?

Resolution

See also: How to configure encrypted storage with LUKS using exportable keys instead of passphrases and How to add a passphrase, key, or keyfile to an existing LUKS device

  1. Initialize a LUKS partition with the command: cryptsetup luksFormat DEV
    Potential containers for a "LUKS partition": /dev/sda3, /dev/sdb, /dev/VG/LV, /dev/mapper/mpath1, etc.
    From here on in this document, this will be referred to as DEV
    Examples:

    # cryptsetup luksFormat /dev/sda3
    

    OR

    # cryptsetup luksFormat /dev/VG/LV
    
  2. Choose and make note of a name for the dm-device which will offer a decrypted view of DEV
    From here on in this document, this will be referred to as MAPPING
    Examples:

    • luks-DEV
      • luks-sda3
      • luks-logvol_name
      • luks-mpath1
    • luks-UUID-of-DEV
      • luks-33fbddf3-0a10-4911-aef4-77102201a938
      • luks-$(cryptsetup luksUUID /dev/sda3)
    • completely-arbitrary-name
      • sda3-unlocked
      • mpath1-decrypted
      • secret_monkeys

    Note that the full path to the decrypted view of DEV will be /dev/mapper/MAPPING -- this will be the device on which further data can be laid.

  3. Next up, a choice must be made -- interactive boot-time decryption or manual decryption?

    • Should DEV prompt for a passphrase at boot?
      If so, a new entry must be added to /etc/crypttab in the form of: "MAPPING DEV"

      • MAPPING is the arbitrary name chosen in step 2
      • DEV is either the path or UUID of device from step 1

      Examples:

        # echo "luks-sda3 /dev/sda3" >>/etc/crypttab
    

    OR

        # echo "luks-$(cryptsetup luksUUID /dev/sda3) UUID=$(cryptsetup luksUUID /dev/sda3)" >>/etc/crypttab
    

    Note: Device names in Linux are extremely volatile (e.g., multipath maps and VG/LV names can be renamed; SCSI dev node names like sda & sdb are non-deterministic and can differ between boots). For this reason the author unequivocally recommends the use of device UUIDs for the second field. A LUKS device's UUID can be found with cryptsetup luksUUID DEV (as seen above) or with blkid DEV.

    • Should DEV require manual intervention to be unlocked?
      If so, nothing needs to be added to /etc/crypttab
      Instead, root (or users with sudo access) will have to execute cryptsetup luksOpen and cryptsetup luksClose commands (not to mention potentially mount and umount)
      Examples:
        # cryptsetup luksOpen DEV MAPPING
        # cryptsetup luksOpen /dev/sda3 sda3-unlocked
        # cryptsetup luksOpen UUID=$(cryptsetup luksUUID /dev/sda3) sda3-unlocked
        # cryptsetup luksClose MAPPING
        # cryptsetup luksClose sda3-unlocked
    

    If this manual intervention method is chosen, Step 4 can be skipped

  4. Recommended: reboot to ensure there are no problems auto-unlocking DEV at boot time
    Once the system comes up, check that DEV was unlocked using one of the following:

    # cryptsetup status MAPPING
      (Should say "/dev/mapper/MAPPING is active.")
    # lsblk
      (Should show MAPPING as a "crypt" device under parent DEV)
    # ls /dev/mapper/MAPPING
      (If this file is not there, the device is not opened)

    Note: If rebooting is not an option, use the cryptsetup luksOpen DEV MAPPING command demonstrated in step 3 before continuing

  5. Use /dev/mapper/MAPPING for whatever purpose intended, e.g., put a filesystem on it, use it as the backing storage for an LVM volume group, etc.

    Examples:

    # mkfs.ext4 /dev/mapper/MAPPING
    # mkfs.xfs /dev/mapper/sda3-unlocked
    # vgcreate SOME_NEW_VG /dev/mapper/sda3-unlocked
    # vgextend SOME_EXISTING_VG /dev/mapper/sda3-unlocked
    

    Note: Assuming success in step 4, there are no special considerations for storing a filesystem on top of /dev/mapper/MAPPING -- simply put it in /etc/fstab as normal. Related: How to configure encrypted swap and How to extend a LUKS encrypted volume.
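Because step 3 recommends UUID= in the second field of /etc/crypttab, the following bash script is an added check (not part of this Red Hat solution) that audits a crypttab file for entries still using volatile device paths and prints the recommended UUID-based line for a given LUKS UUID. The crypttab it runs on is a constructed sample; it touches no real devices.

```shell
#!/bin/bash
# Added example: audit crypttab entries for volatile device paths and
# build the "luks-UUID UUID=UUID" form recommended in step 3.

# Print the recommended crypttab line for a LUKS UUID.
crypttab_line_for_uuid() {
    printf 'luks-%s UUID=%s\n' "$1" "$1"
}

# Return 0 if the second crypttab field is a well-formed UUID= reference,
# 1 if it is a device path (/dev/sda3, /dev/mapper/mpath1, ...) or malformed.
crypttab_device_is_stable() {
    local dev="$1"
    local re='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    [[ $dev =~ $re ]]
}

# Walk a crypttab file and print one line per problem entry.
# Exit status 0 when every entry uses UUID=, 1 otherwise.
audit_crypttab() {
    local file="$1" rc=0 mapping dev rest
    while read -r mapping dev rest; do
        # skip blank lines and comments
        case "$mapping" in ''|\#*) continue ;; esac
        if [[ -z $dev ]]; then
            printf 'MALFORMED: %s (no device field)\n' "$mapping"
            rc=1
        elif ! crypttab_device_is_stable "$dev"; then
            printf 'VOLATILE: %s -> %s\n' "$mapping" "$dev"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Stand-alone demo on a constructed crypttab (no real devices involved).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample crypttab
luks-sda3 /dev/sda3
luks-33fbddf3-0a10-4911-aef4-77102201a938 UUID=33fbddf3-0a10-4911-aef4-77102201a938
EOF
audit_crypttab "$sample" || echo "crypttab has entries to fix"
echo "Recommended form for a device whose luksUUID is 33fbddf3-...:"
crypttab_line_for_uuid 33fbddf3-0a10-4911-aef4-77102201a938
rm -f "$sample"
```

Run it against a copy of /etc/crypttab (audit_crypttab /etc/crypttab) to find entries that should be converted to UUID= before the next reboot.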


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.