Hands-on lab – adding an encrypted partition with LUKS

There may be times when you'll need to either add another encrypted drive to an existing machine or encrypt a portable device, such as a USB memory stick. This procedure works for both scenarios. Follow these steps to add an encrypted partition:

  1. Shut down your CentOS VM and add another virtual drive. Bump the drive capacity up to 20 GB, which will give you plenty of room to play with.

  2. After rebooting the machine, you'll now have a /dev/sdb drive to play with. The next step is to create a partition. It doesn't matter whether you create a new-fangled GPT partition or an old-fashioned MBR partition. To create a GPT partition, my preferred utility is gdisk, simply because it's so similar to the old fdisk that I know and love so well. The only catch is that gdisk isn't installed on CentOS by default. Install gdisk as follows:
On CentOS 7:
sudo yum install gdisk

On CentOS 8:
sudo dnf install gdisk
  3. Open the drive in gdisk. Use the entire drive for the partition, and leave the partition type set at the default type 8300:
sudo gdisk /dev/sdb
  4. View the details about your new /dev/sdb1 partition:
[donnie@localhost ~]$ sudo gdisk -l /dev/sdb
[sudo] password for donnie:
GPT fdisk (gdisk) version 0.8.6

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
. . .
. . .

[donnie@localhost ~]$
  5. Next, use cryptsetup to convert the partition to LUKS format. In this command, the -v signifies verbose mode, and the -y signifies that you'll have to enter your passphrase twice in order to properly verify it. Note that when it says to type yes all in uppercase, it really does mean to type it in uppercase:
[donnie@localhost ~]$ sudo cryptsetup -v -y luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
[donnie@localhost ~]$
  6. Look at the information about your new encrypted partition:
[donnie@localhost ~]$ sudo cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
. . .
. . .

There's a lot more to the output than I can show here, but you get the idea.

  7. Map the partition to a device name. You can name the device pretty much whatever you want. For now, just name this one secrets. I know, it's a corny name. In real life, you won't want to make it so obvious where you're storing your secrets:
[donnie@localhost ~]$ sudo cryptsetup luksOpen /dev/sdb1 secrets
Enter passphrase for /dev/sdb1:
[donnie@localhost ~]$
  8. Look in the /dev/mapper directory. You'll see your new secrets device listed as a symbolic link to the dm-3 device:
[donnie@localhost mapper]$ pwd
/dev/mapper
[donnie@localhost mapper]$ ls -l se*
lrwxrwxrwx. 1 root root 7 Oct 28 17:39 secrets -> ../dm-3
[donnie@localhost mapper]$
  9. Use dmsetup to look at the information about your new device:
[donnie@localhost mapper]$ sudo dmsetup info secrets
[sudo] password for donnie:
Name: secrets
State: ACTIVE
Read Ahead: 8192
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 3
Number of targets: 1
UUID: CRYPT-LUKS1-6cbdce1748d441a18f8e793c0fa7c389-secrets

[donnie@localhost mapper]$
  10. Format the partition in the usual manner. You can use any filesystem that's supported by Red Hat and CentOS. But since everything else on the system is already formatted with XFS, just go with it here, as well:
[donnie@localhost ~]$ sudo mkfs.xfs /dev/mapper/secrets
meta-data=/dev/mapper/secrets    isize=512    agcount=4, agsize=1374123 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=5496491, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=2683, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[donnie@localhost ~]$
  11. Create a mount point and mount the encrypted partition:
[donnie@localhost ~]$ sudo mkdir /secrets
[sudo] password for donnie:
[donnie@localhost ~]$ sudo mount /dev/mapper/secrets /secrets
[donnie@localhost ~]$
  12. Use the mount command to verify that the partition is mounted properly:
[donnie@localhost ~]$ mount | grep 'secrets'
/dev/mapper/secrets on /secrets type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
[donnie@localhost ~]$
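The two verification steps above (reading the luksDump header in step 6 and checking the mount line in step 12) are the points where a mistake shows up: formatting or mounting /dev/sdb1 directly instead of /dev/mapper/secrets would write plaintext over the LUKS header. The following POSIX shell functions are an added example, not code from the book, that turn those two eyeball checks into scripted ones. The sample header dump and mount line are constructed to resemble the lab's output; the field values checked (aes, xts-plain64, sha256) are the ones the lab shows.

```shell
#!/bin/sh
# Added example (not from the book): script the two sanity checks from the lab.
# SAMPLE_DUMP and SAMPLE_MOUNT are constructed stand-ins for the real output of
#   sudo cryptsetup luksDump /dev/sdb1      and      mount | grep secrets

SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        256'

SAMPLE_MOUNT='/dev/mapper/secrets on /secrets type xfs (rw,relatime,seclabel,attr2,inode64,noquota)'

# luks_field DUMP FIELD -> prints the value of the "Field: value" line in DUMP
luks_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# check_luks_header DUMP -> 0 if the header uses the cipher settings the lab
# expects (AES in XTS mode with a SHA-256 key-derivation hash), else 1
check_luks_header() {
    [ "$(luks_field "$1" 'Cipher name')" = aes ]         || return 1
    [ "$(luks_field "$1" 'Cipher mode')" = xts-plain64 ] || return 1
    [ "$(luks_field "$1" 'Hash spec')" = sha256 ]        || return 1
    return 0
}

# check_mount MOUNTLINE MAPPER MOUNTPOINT -> 0 if the *mapped* device (not the
# raw partition) is what is mounted at MOUNTPOINT, and it is mounted read-write
check_mount() {
    line=$1 dev=$2 mp=$3
    set -- $line                       # "/dev/mapper/secrets on /secrets type xfs (...)"
    [ "$1" = "$dev" ] && [ "$3" = "$mp" ] || return 1
    case "$line" in
        *'(rw,'*|*'(rw)'*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Stand-alone run against the constructed samples
main() {
    check_luks_header "$SAMPLE_DUMP" && echo "header: ok" || echo "header: unexpected cipher settings"
    check_mount "$SAMPLE_MOUNT" /dev/mapper/secrets /secrets && echo "mount: ok" || echo "mount: not the mapped device"
}
main
```

On a real system you would feed the functions live output instead of the samples, for example check_luks_header "$(sudo cryptsetup luksDump /dev/sdb1)" and check_mount "$(mount | grep '/secrets ')" /dev/mapper/secrets /secrets; a failure of the second check with /dev/sdb1 in place of the mapper name is exactly the mistake worth catching before any data lands on the volume.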