How to Configure LUKS File Encryption in Linux

This tutorial explains how to configure LUKS File encryption in Linux step by step with practical example. LUKS (Linux Unified Key Setup) File encryption can be configure during the installation and after the installation. Learn both method in detail and add an additional layer of security in Linux.

In linux world security is the top priority. Best way to secure the data is encryption. RHEL use LUKS (Linux Unified Key Setup) for encryption. Encryption with LUKS works on a block level. If a hard disk encrypted with LKUS is lost, data within is at least more secure as LUKS protected data require a passphrase to access it. You could enable encryption during the installation or after the installation.

Encryption during the installation

Best way to prepare a LUKS-encrypted volume is during the installation process. Entire system can be encrypted easily during the installation.

luks during installation

To encrypt a volume during the installation check the encrypt check box and you are done.

Encryption after the installation

In RHCSA requirement :- you need to know how to create, configure, mount, and unmount LUKS-encrypted filesystems.
As configuration of LUKS is added RHCSA exam objective. You should also learn how to configure LUKS after installation.

Pre quest for LUKS

  • dm_crypt modules
  • cryptsetup-luks rpm
  • /test test partition for practice

LUKS require dm_crypt modules and cryptsetup-luks rpm.

Check dm_crypt modules. dm_crypt module is installed as part of the baseline RHEL 6 kernel package. run lsmod | grep dm_crypt command. You should get following output

dm_crypt    12860   0
dm_mod      76856   dm_crypt,dm_mirror,dm_log
 
if you do not get this output run # modprobe dm_crypt

modules

Now check rpm cryptsetup-luks

rpm

Before creating an encrypted filesystem, you need a partition. You could use logical volume or even more advance raid array for this but for exam purpose you should practice with regular partition. Create a simple partition of 100MB using fdisk.

create partition
after reboot fill the newly created partition with random data. don't do it on an exam unless you're specifically asked to do so. Because it take time and in exam time is everything.

dd
Now set up the passphrase for the filesystem with cryptsetup command You would be prompted for confirmation and a passphrase.
The passphrases that you type in are not shown at the console. If you type in yes in lowercase, the command does not prompt for a passphrase, and the volume is not encrypted.

cryptsetup

Now that we have encrypted the partition, we would open it and give it a label. The label is the name that it will show up as under /dev/mapper/

Once the partition is setup and luks encrypted, it will be available in the /dev/mapper/ directory. You can do an ls on the /dev/mapper/ directory to confirm it

ls dev mapper
To make it writable we need to create a filesystem, So format it

mkfs secure data

Now we need to make its entry in /etc/crypttab and in /etc/fstab so be available even after restart.

open /etc/crypttab

vi crypttab

In the /etc/crypttab file you would simply place the name of the encrypted device, as well as the path to the device:

secure_data     /dev/sda6

entry in crypttab

save and exit from /etc/crypttab file

cat crypttab

now create mount point and make its entry in  the /etc/fstab file in order to configure automounting on boot
mkdir open fstab

Add the following in end of file:

/dev/mapper/secure_data    /secure_data     ext4    defaults    0 0

fstab with entry Thats it. You should run the mount command in order to verify your entries are correct in fstab, to prevent any boot issues.

mount check before restart
Now when you reboot the system it would ask for passphrases type the passphrases to unlock the partition, try first entering some worng passphrases

prompt for password after restart

you could only be able to access secured partition by entering correct passphrases, after entering correct passphrases check the partition

check partition
Ok you have successfully implemented LUKS. Now it’s time to remove it. open /etc/fstab

vi etc fstab

and remove the entry

fstab withput swap entry

now remove entry from /etc/crypttab

check removed entry from crypttab

now delete it from fdisk command

fdisk remove partition

after reboot confirm that we have removed LUKS

check remove partition

repeat this process until you feel comfort with LUKS.

ComputerNetworkingNotes RHCE 7 Study Guide How to Configure LUKS File Encryption in Linux