Block Level Storage Encryption With LUKS

Posted By : Vishnu Gaur | 31-May-2018

Linux encryption techniques:

There are two methods to encrypt your data:

1. Filesystem stacked encryption

i) eCryptfs

This is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts.

ii) EncFS

It provides an encrypted filesystem in user space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.


2. Block level encryption

i) Loop-AES

Fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.

ii) TrueCrypt

 

iii) LUKS

dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.

Basic: LUKS is part of the kernel module dm_crypt, which must be loaded or supported by your current system.

Note: To check whether the module is present

[root@master ~]# lsmod   |  grep -i dm_crypt
[root@master ~]#

No output means the module is not loaded.
To load this module:

[root@master ~]# modprobe   dm_crypt

[root@master ~]# lsmod   |  grep -i dm_crypt
dm_crypt               27403  0
dm_mod                114430  14 dm_log,dm_persistent_data,dm_mirror,dm_bufio,dm_crypt,dm_thin_pool
[root@master ~]#

 

Note: here we are going to discuss LUKS
OS:   Red Hat 7.1

First step: Install cryptsetup on Red Hat

[root@localhost ~]# yum  install cryptsetup-luks


Step 1 :    Format  the partition with LUKS

[root@localhost ~]# cryptsetup  luksFormat  /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

Step 2: Open it with LUKS

[root@localhost ~]# cryptsetup  luksOpen  /dev/sda3  newdisk
Enter passphrase for /dev/sda3:
[root@localhost ~]# ls  /dev/mapper/
control  newdisk  rhel-root

Step 3: Format with the desired filesystem and mount it

[root@localhost ~]# mkfs.xfs   /dev/mapper/newdisk
meta-data=/dev/mapper/newdisk    isize=256    agcount=4, agsize=65408 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=261632, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

[root@localhost ~]# mkdir  /mnt/kk
[root@localhost ~]# mount  /dev/mapper/newdisk  /mnt/kk/

Step 4: Make the mount persistent

[root@localhost ~]# dd  if=/dev/urandom  of=/key1.txt  bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00137777 s, 3.0 MB/s

Add the key file to the partition so that it can be unlocked from the key file


[root@localhost ~]# cryptsetup luksAddKey  /dev/sda3  /key1.txt

Note: check the key slot setup

[root@localhost ~]# cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      b7 85 12 3c 8d 5b 45 96 0f fe 15 71 fd 41 82 8c ed c8 0c fe
MK salt:        96 6a 7b 45 28 2f ca e8 21 1f b8 c3 4a 24 5f 83
                77 cb bd 6d 46 70 c9 df f4 5f 11 11 88 04 b7 6e
MK iterations:  33875
UUID:           1690a8a9-b735-4659-9a7c-e5538b141c86

Key Slot 0: ENABLED
 Iterations:          136605
 Salt:                89 20 53 e8 8d 68 07 05 bc c2 ba d1 78 ec 80 a5
                        5e e0 10 02 c9 47 44 50 d6 5d 9c 44 0c 20 5b a0
 Key material offset: 8
 AF stripes:             4000
Key Slot 1: ENABLED
 Iterations:          134312
 Salt:                fc 77 cc 91 14 20 b3 92 1f 0d 6f 47 de 55 86 d0
                        15 e1 1c 2e eb 39 2d 0d 39 7c 18 4d 48 59 b4 28
 Key material offset: 264
 AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

[root@localhost ~]# echo  " /dev/mapper/newdisk  /mnt/kk  xfs   defaults   1  2 "  >>/etc/fstab

and the crypttab file has an entry like this

[root@localhost ~]# cat  /etc/crypttab
newdisk  /dev/sda3   /key1.txt
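
The key file from Step 4 is created by dd with whatever the umask allows (mode 644 under the usual root umask of 022), and any account that can read it can unlock the volume. The audit below is an added example, not part of the original post: the function name audit_crypttab, the scratch paths and the /dev/sdb1 and /dev/sdc1 entries are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# audit_crypttab FILE [OWNER_UID]   (hypothetical helper, not a cryptsetup command)
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_crypttab() {
    tab=$1
    want_uid=${2:-0}            # key files should belong to root unless told otherwise
    findings=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac          # blank line or comment
        case "$key" in ''|none|-|/dev/*) continue ;; esac  # passphrase prompt or device key
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$key")     # octal permissions, e.g. 644 (GNU stat)
        uid=$(stat -c '%u' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: key file $key has mode $mode, group/other can access it"
            findings=$((findings + 1))
        fi
        if [ "$uid" -ne "$want_uid" ]; then
            echo "$name: key file $key is owned by uid $uid, expected $want_uid"
            findings=$((findings + 1))
        fi
    done < "$tab"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a scratch crypttab and key files standing in for
# /etc/crypttab and /key1.txt, so nothing on the real system is touched.
demo=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo/key1.txt"; chmod 644 "$demo/key1.txt"  # as dd leaves it under umask 022
head -c 4096 /dev/urandom > "$demo/key2.txt"; chmod 400 "$demo/key2.txt"  # tightened
printf '%s\n' "# name  device  keyfile" \
    "newdisk /dev/sda3 $demo/key1.txt" \
    "backup /dev/sdb1 $demo/key2.txt" \
    "scratch /dev/sdc1 none" > "$demo/crypttab"

# The second argument is the current uid only because the demo files are ours;
# on a real host call: audit_crypttab /etc/crypttab
audit_crypttab "$demo/crypttab" "$(id -u)" \
    || echo "tighten with: chown root:root KEYFILE && chmod 0400 KEYFILE"
```

On the system built in this post the finding is cleared with `chmod 0400 /key1.txt`; the file also has to live on storage that is not itself protected only by the volume it unlocks.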


Important: some extra commands to be aware of

i) Adding a key to a specific key slot

 cryptsetup  luksAddKey  --key-slot 4  /dev/sda3  /key2.txt

 

About Author

Vishnu Gaur

Vishnu Gaur is a DevOps Engineer at Oodles Technologies. He is a certified engineer. His hobbies are reading books and exploring new places.
