LUKS (Linux Unified Key Setup) is a partition encryption system. Encrypted filesystems are extremely useful: they ensure that the
data stored on your partitions and removable drives stays safe when a device is lost or stolen.
Setting up an encrypted filesystem on a RHEL6 system is part of the RHCSA exam, and you may be asked to set up an encrypted partition that asks for a password
on boot.
So we will demonstrate how to set up an encrypted partition that prompts for a password at system boot time.
Warning: Do not set up encryption on a partition that already has data on it, as you will lose all of the data on that partition. If you want to encrypt a partition that holds data, you must back up all of it before you attempt encryption.
We have a separate hard drive, and on it we created a new partition that has no data on it.
To encrypt this partition we run:
[root@server ~]# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
This is a warning that we will lose all of the data on this partition. We know we are using a brand new partition that has no
data, so we continue and type YES.
Then we enter a password for LUKS.
Then we can open our new encrypted partition with the following command:
[root@server ~]# cryptsetup luksOpen /dev/sdb1 secret
Enter passphrase for /dev/sdb1:
The last word, secret (you can use your own), is the name given to our partition once it is opened.
We can check that our encrypted partition is open by looking in the /dev/mapper directory with the following command:
[root@server ~]# ls -l /dev/mapper | grep secret
lrwxrwxrwx. 1 root root 7 Nov 21 00:32 secret -> ../dm-2
Now we can create a filesystem on our new encrypted partition.
[root@server ~]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 523600 blocks
26180 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 25 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Now let's create a new directory on which to mount our encrypted partition.
[root@server ~]# mkdir /secret
Next we mount our encrypted partition on the directory we just created.
[root@server ~]# mount /dev/mapper/secret /secret
To verify our mount point we can use this command:
[root@server ~]# df -kh
Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/vg_server-lv_root   18G  6.7G  9.8G  41% /
tmpfs                          504M  328K  503M   1% /dev/shm
/dev/sda1                      485M   31M  429M   7% /boot
/dev/mapper/secret             2.0G   35M  1.9G   2% /secret
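We also need to edit the /etc/fstab file and add an entry to automatically mount our partition at boot time. The entry refers to the opened mapping /dev/mapper/secret, not to /dev/sdb1, because the ext4 filesystem lives inside the mapping.
[root@server ~]# vi /etc/fstab
/dev/mapper/secret /secret ext4 defaults 0 0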
In order to mount our encrypted partition at boot with a password prompt, we need to edit the /etc/crypttab file.
[root@server ~]# vi /etc/crypttab
Add this line to the /etc/crypttab file:
secret /dev/sdb1 none
The first word is the name of our encrypted partition, followed by the partition path. The last word, none, means ask for the password at boot time.
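Before rebooting, the two files can be checked against each other. The following is an added example, not part of the original tutorial: a hypothetical helper, check_luks_boot, that reads a crypttab and an fstab and flags an fstab line that mounts the LUKS container instead of its /dev/mapper name, a mistyped defaults option, and a mapping that nothing mounts. The sample files are constructed, and devices are compared as literal strings.

```shell
#!/bin/sh
# check_luks_boot CRYPTTAB FSTAB
# Prints one finding per line; returns 0 when the two files agree, 1 otherwise.
# Assumption: devices are compared as literal strings (no UUID=/LABEL= resolution).
check_luks_boot() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] {                    # crypttab: name device keyfile
            name_of[$2] = $1; dev_of[$1] = $2
            prompt[$1] = ($3 == "" || $3 == "none")
            next
        }
        {                                        # fstab: device mountpoint type options
            if ($1 in name_of) {                 # ext4 lives in the mapping, not the container
                printf "FAIL %s: LUKS container in fstab; mount /dev/mapper/%s\n", $1, name_of[$1]
                bad = 1
            }
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "default") {       # the keyword mount accepts is "defaults"
                    printf "FAIL %s: option \"default\" should be \"defaults\"\n", $1
                    bad = 1
                }
            m = $1
            if (sub("^/dev/mapper/", "", m) && (m in dev_of)) mounted[m] = $2
        }
        END {
            for (k in dev_of)
                if (k in mounted)
                    printf "OK   %s: %s -> /dev/mapper/%s on %s (%s)\n", k, dev_of[k], k,
                        mounted[k], (prompt[k] ? "passphrase prompt at boot" : "key file")
                else {
                    printf "FAIL %s: nothing in fstab mounts /dev/mapper/%s\n", k, k
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
printf 'secret /dev/sdb1 none\n' > "$tmp/crypttab"
printf '/dev/sdb1 /secret ext4 default 0 0\n' > "$tmp/fstab.raw"
printf '/dev/mapper/secret /secret ext4 defaults 0 0\n' > "$tmp/fstab.mapper"
check_luks_boot "$tmp/crypttab" "$tmp/fstab.raw" || echo "=> fix fstab before rebooting"
check_luks_boot "$tmp/crypttab" "$tmp/fstab.mapper" && echo "=> safe to reboot"
```

On a real system, run it as check_luks_boot /etc/crypttab /etc/fstab.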
That's all.
Now reboot your system. You will be asked for the password to open your encrypted partition at boot time.
When you enter the password, the boot process should continue, and you can verify that your encrypted partition is open and mounted with the following command:
[root@server ~]# df -kh
Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/vg_server-lv_root   18G  6.7G  9.8G  41% /
tmpfs                          504M  100K  504M   1% /dev/shm
/dev/sda1                      485M   31M  429M   7% /boot
/dev/mapper/secret             2.0G   35M  1.9G   2% /secret