Block Level Storage Encryption With LUKS
Posted By : Vishnu Gaur | 31-May-2018
Linux encryption techniques:
There are two approaches to encrypting your data:
1. Filesystem stacked encryption
i) eCryptfs
This is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts.
ii) EncFS
It provides an encrypted filesystem in user space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.
2. Block level encryption
i) Loop-AES
Fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
ii) TrueCrypt
iii) LUKS
dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.
Basic: LUKS is part of the kernel module dm_crypt, which must be loaded on, or supported by, your current system.
Note: To check whether the module is present
[root@master ~]# lsmod | grep -i dm_crypt
[root@master ~]#
No output means the module is not loaded
To load this module
[root@master ~]# modprobe dm_crypt
[root@master ~]# lsmod | grep -i dm_crypt
dm_crypt 27403 0
dm_mod 114430 14 dm_log,dm_persistent_data,dm_mirror,dm_bufio,dm_crypt,dm_thin_pool
[root@master ~]#
Note: here we are going to discuss LUKS
OS: Red Hat 7.1
First step: Install cryptsetup on Red Hat
[root@localhost ~]# yum install cryptsetup-luks
Step 1 : Format the partition with LUKS
[root@localhost ~]# cryptsetup luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Step 2: Open it with LUKS
[root@localhost ~]# cryptsetup luksOpen /dev/sda3 newdisk
Enter passphrase for /dev/sda3:
[root@localhost ~]# ls /dev/mapper/
control newdisk rhel-root
Step 3: Format with desired filesystem and mount it
[root@localhost ~]# mkfs.xfs /dev/mapper/newdisk
meta-data=/dev/mapper/newdisk isize=256 agcount=4, agsize=65408 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0
data = bsize=4096 blocks=261632, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=853, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@localhost ~]# mkdir /mnt/kk
[root@localhost ~]# mount /dev/mapper/newdisk /mnt/kk/
Step 4: Make the mount persistent
[root@localhost ~]# dd if=/dev/urandom of=/key1.txt bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00137777 s, 3.0 MB/s
Add the key file to the partition so that it can be unlocked with the key file
[root@localhost ~]# cryptsetup luksAddKey /dev/sda3 /key1.txt
Note: check the key slot setup
[root@localhost ~]# cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: b7 85 12 3c 8d 5b 45 96 0f fe 15 71 fd 41 82 8c ed c8 0c fe
MK salt: 96 6a 7b 45 28 2f ca e8 21 1f b8 c3 4a 24 5f 83
77 cb bd 6d 46 70 c9 df f4 5f 11 11 88 04 b7 6e
MK iterations: 33875
UUID: 1690a8a9-b735-4659-9a7c-e5538b141c86
Key Slot 0: ENABLED
Iterations: 136605
Salt: 89 20 53 e8 8d 68 07 05 bc c2 ba d1 78 ec 80 a5
5e e0 10 02 c9 47 44 50 d6 5d 9c 44 0c 20 5b a0
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 134312
Salt: fc 77 cc 91 14 20 b3 92 1f 0d 6f 47 de 55 86 d0
15 e1 1c 2e eb 39 2d 0d 39 7c 18 4d 48 59 b4 28
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[root@localhost ~]# echo " /dev/mapper/newdisk /mnt/kk xfs defaults 1 2 " >>/etc/fstab
and the crypttab file has an entry like this
[root@localhost ~]# cat /etc/crypttab
newdisk /dev/sda3 /key1.txt
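The key file from Step 4 unlocks the volume without a passphrase, so anyone who can read /key1.txt holds a valid key for /dev/sda3. As an added example (not part of the original post), the shell function below checks every key file referenced in a crypttab file and flags any that group or other users can access; the function name audit_crypttab and the use of GNU stat are assumptions.

```shell
# Added example: audit the key files referenced from a crypttab file.
# Usage: audit_crypttab [path]      (path defaults to /etc/crypttab)
# Prints one line per key file; exit status 0 = clean, 1 = findings,
# 2 = crypttab not readable. The body is a subshell, so variables stay local.
audit_crypttab() (
    tab="${1:-/etc/crypttab}"
    rc=0
    [ -r "$tab" ] || { echo "ERROR    cannot read $tab"; exit 2; }
    # "|| [ -n "$name" ]" also handles a last line without a trailing newline.
    while read -r name dev key opts || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # Empty, "none" or "-" in the third field means a passphrase prompt.
        case "$key" in ''|none|-) continue ;; esac
        # Device nodes (for example /dev/urandom for swap) are not key files.
        case "$key" in /dev/*) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "MISSING  $name: key file $key not found"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$key")   # GNU stat: octal permission bits
        # A mode ending in "00" (or plain "0") has no group/other bits set.
        case "$mode" in
            0|*00) echo "OK       $name: $key has mode $mode" ;;
            *)     echo "EXPOSED  $name: $key has mode $mode, expected 400 or 600"
                   rc=1 ;;
        esac
    done < "$tab"
    exit "$rc"
)
```

If the function reports EXPOSED for the key file, running chmod 400 /key1.txt as root restricts it to the owner.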
Important: some extra commands to be aware of
i) Adding a key to a specific key slot
cryptsetup luksAddKey --key-slot 4 /dev/sda3 /key2.txt
About Author
Vishnu Gaur
Vishnu Gaur is a DevOps Engineer at Oodles Technologies. He is a certified engineer. His hobbies are reading books and exploring new places.