This tutorial explains how to configure LUKS file encryption in Linux step by step with a practical example. LUKS (Linux Unified Key Setup) file encryption can be configured during the installation or after the installation. Learn both methods in detail and add an additional layer of security in Linux.
In the Linux world, security is the top priority, and the best way to secure data is encryption. RHEL uses LUKS (Linux Unified Key Setup) for encryption. Encryption with LUKS works at the block level. If a hard disk encrypted with LUKS is lost, the data on it is at least more secure, because LUKS-protected data requires a passphrase to access it. You can enable encryption during the installation or after the installation.
Encryption during the installation
The best way to prepare a LUKS-encrypted volume is during the installation process. The entire system can be encrypted easily during the installation.
To encrypt a volume during the installation, check the encrypt check box and you are done.
Encryption after the installation
RHCSA requirement: you need to know how to create, configure, mount, and unmount LUKS-encrypted filesystems.
Because LUKS configuration is an RHCSA exam objective, you should also learn how to configure LUKS after installation.
Prerequisites for LUKS
- dm_crypt modules
- cryptsetup-luks rpm
- /test test partition for practice
LUKS requires the dm_crypt modules and the cryptsetup-luks rpm.
Check the dm_crypt modules first. The dm_crypt module is installed as part of the baseline RHEL 6 kernel package. Run the lsmod | grep dm_crypt command. You should get the following output:
dm_crypt 12860 0
dm_mod 76856 dm_crypt,dm_mirror,dm_log
Now check that the cryptsetup-luks rpm is installed.
Before creating an encrypted filesystem, you need a partition. You could use a logical volume or even a more advanced RAID array for this, but for exam purposes you should practice with a regular partition. Create a simple partition of 100MB using fdisk.
After the reboot, fill the newly created partition with random data.
Don't do this on an exam unless you're specifically asked to, because it takes time, and in an exam time is everything.
Now set up the passphrase for the filesystem with the cryptsetup command. You will be prompted for confirmation and a passphrase. The passphrases that you type in are not shown at the console. If you type in yes in lowercase, the command does not prompt for a passphrase, and the volume is not encrypted.
Now that we have encrypted the partition, we open it and give it a label. The label is the name under which it will show up in /dev/mapper/.
Once the partition is set up and LUKS-encrypted, it is available in the /dev/mapper/ directory. You can run ls on the /dev/mapper/ directory to confirm it.
To make it writable we need to create a filesystem, so format it.
Now we need to add entries for it in /etc/crypttab and /etc/fstab so that it is available even after a restart.
Open /etc/crypttab.
In the /etc/crypttab file you simply place the name of the encrypted device, followed by the path to the device:
secure_data /dev/sda6
Save and exit from the /etc/crypttab file.
Now create the mount point and add its entry to the /etc/fstab file in order to configure automounting on boot.
Add the following at the end of the file:
/dev/mapper/secure_data /secure_data ext4 defaults 0 0
That's it. You should run the mount command to verify that your entries in fstab are correct, to prevent any boot issues.
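As a complement to the mount check, the function below cross-checks the two files before you reboot. It is an added example, not part of the original tutorial: check_luks_entries is a hypothetical helper name, and it assumes data volumes like the one above, where each crypttab mapping is mounted through /dev/mapper/ in fstab.

```shell
#!/bin/sh
# Added example: cross-check LUKS mappings between crypttab and fstab.
# Usage: check_luks_entries [CRYPTTAB] [FSTAB]
# Defaults are /etc/crypttab and /etc/fstab. Prints one line per finding and
# returns 0 only when every mapping has a consistent fstab entry.
check_luks_entries() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    problems=0
    # crypttab fields: mapping name, underlying device, [key file], [options]
    while read -r name device _rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        if [ -z "$device" ]; then
            echo "crypttab: '$name' has no underlying device"
            problems=$((problems + 1))
            continue
        fi
        # The filesystem lives on the mapping, so fstab must not mount the
        # raw partition itself.
        if awk -v dev="$device" '$1 == dev { found = 1 } END { exit !found }' "$fstab"; then
            echo "fstab: mounts $device directly instead of /dev/mapper/$name"
            problems=$((problems + 1))
        fi
        # Find the fstab line for /dev/mapper/<name>: mount point and type.
        entry=$(awk -v dev="/dev/mapper/$name" '$1 == dev { print $2, $3; exit }' "$fstab")
        if [ -z "$entry" ]; then
            echo "fstab: no entry for /dev/mapper/$name"
            problems=$((problems + 1))
            continue
        fi
        mountpoint=${entry%% *}
        fstype=${entry#* }
        case $mountpoint in
            /*) ;;
            *) echo "fstab: mount point for $name is not an absolute path"
               problems=$((problems + 1)) ;;
        esac
        if [ -z "$fstype" ]; then
            echo "fstab: no filesystem type for /dev/mapper/$name"
            problems=$((problems + 1))
        fi
    done < "$crypttab"
    [ "$problems" -eq 0 ]
}
```

Source the file and call check_luks_entries with no arguments to check the live /etc/crypttab and /etc/fstab; a non-zero return means at least one finding was printed.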
Now when you reboot the system, it asks for the passphrase. Type the passphrase to unlock the partition, but first try entering some wrong passphrases.
You can only access the secured partition by entering the correct passphrase. After entering the correct passphrase, check the partition.
OK, you have successfully implemented LUKS. Now it's time to remove it. Open /etc/fstab
and remove the entry.
Now remove the entry from /etc/crypttab.
Now delete the partition with the fdisk command.
After the reboot, confirm that LUKS has been removed.
Repeat this process until you feel comfortable with LUKS.