Hands-on lab – configuring the LUKS partition to mount automatically

In this lab, you'll set up the encrypted partition that you created in the previous lab to automatically mount when you reboot the machine:

This is where it would be extremely helpful to remotely log in to your virtual machine from your desktop host machine. By using a GUI-type terminal, be it Terminal from a Linux or macOS machine or Cygwin from a Windows machine, you'll have the ability to perform copy-and-paste operations, which you won't have if you work directly from the virtual machine terminal. (Trust me, you don't want to be typing in those long UUIDs.)
  1. The first step is to obtain the UUID of the encrypted partition:
[donnie@localhost etc]$ sudo cryptsetup luksUUID /dev/sdb1
[sudo] password for donnie:
6cbdce17-48d4-41a1-8f8e-793c0fa7c389
[donnie@localhost etc]$
  2. Copy that UUID and paste it into the /etc/crypttab file, editing or creating the crypttab file as applicable. Note that you'll paste the UUID in twice: the first time, you'll prefix it with luks-, and the second time you'll prefix it with UUID=:
luks-2d7f02c7-864f-42ce-b362-50dd830d9772 UUID=2d7f02c7-864f-42ce-b362-50dd830d9772 none
luks-6cbdce17-48d4-41a1-8f8e-793c0fa7c389 UUID=6cbdce17-48d4-41a1-8f8e-793c0fa7c389 none
  3. Edit the /etc/fstab file, adding a line at the end of the file for your new encrypted partition (the last line shown here). Note that you again have to use luks-, followed by the UUID number:
/dev/mapper/centos-root / xfs defaults,x-systemd.device-timeout=0 0 0
UUID=9f9fbf9c-d046-44fc-a73e-ca854d0ca718 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults,x-systemd.device-timeout=0 0 0
/dev/mapper/luks-6cbdce17-48d4-41a1-8f8e-793c0fa7c389 /secrets xfs defaults 0 0
When editing the fstab file for adding normal, unencrypted partitions, I always like to do sudo mount -a to check the fstab file for typos. That won't work with LUKS partitions though, because mount won't recognize the partition until the system reads in the crypttab file, and that won't happen until I reboot the machine. So, just be extra careful with editing fstab when adding LUKS partitions.
  4. Now for the moment of truth. Reboot the machine to see if everything works. Use the mount command to verify that your endeavors have been successful:
[donnie@localhost ~]$ mount | grep 'secrets'
/dev/mapper/luks-6cbdce17-48d4-41a1-8f8e-793c0fa7c389 on /secrets type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
[donnie@localhost ~]$
  5. End of lab.
Although it's possible to include passwords or keys in the /etc/crypttab file, my own preference is to not do so. If you must do so, be sure that the passwords or keys are stored on an encrypted / partition, for which you'll always have to enter a password upon boot-up. You can read more about that here: Store the passphrase of encrypted disk in /etc/crypttab encrypted: https://askubuntu.com/questions/181518/store-the-passphrase-of-encrypted-disk-in-etc-crypttab-encrypted
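
Because sudo mount -a can't validate LUKS entries, a pre-reboot cross-check of the two files is useful. The following is an added example, not code from the book: it confirms that every /dev/mapper/luks-... device in fstab has a crypttab entry of the same name, that each luks-<UUID> name agrees with its UUID= field, and notes any crypttab entry whose third field names key material instead of none. The function names check_luks_tabs and demo, and the demo data, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the book): cross-check fstab against crypttab
# before rebooting, since "mount -a" cannot validate LUKS entries.

check_luks_tabs() {   # usage: check_luks_tabs [crypttab] [fstab]
    local crypttab="${1:-/etc/crypttab}" fstab="${2:-/etc/fstab}"
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        FILENAME == ARGV[1] {                   # pass 1: crypttab entries
            name = $1; dev = $2; key = $3
            mapped[name] = 1
            if (dev !~ /^UUID=[0-9a-fA-F-]+$/)
                print "NOTE crypttab: " name " is not keyed by UUID= (" dev ")"
            else if (index(name, "luks-") == 1 && name != "luks-" substr(dev, 6)) {
                print "FAIL crypttab: name " name " does not match " dev; bad = 1
            }
            if (key != "" && key != "none" && key != "-")
                print "NOTE crypttab: " name " reads key material from " key
            next
        }
        index($1, "/dev/mapper/luks-") == 1 {   # pass 2: LUKS lines in fstab
            name = substr($1, 13)               # strip "/dev/mapper/"
            if (!(name in mapped)) {
                print "FAIL fstab: " $1 " has no crypttab entry named " name; bad = 1
            } else
                print "OK   fstab: " $1 " -> " $2
        }
        END { exit bad + 0 }                    # non-zero if any FAIL was printed
    ' "$crypttab" "$fstab"
}

# Constructed demo: the crypttab line from this lab plus an fstab line with
# one mistyped UUID character (the final 9 typed as 8).
demo() {
    local d; d=$(mktemp -d)
    echo 'luks-6cbdce17-48d4-41a1-8f8e-793c0fa7c389 UUID=6cbdce17-48d4-41a1-8f8e-793c0fa7c389 none' > "$d/crypttab"
    echo '/dev/mapper/luks-6cbdce17-48d4-41a1-8f8e-793c0fa7c388 /secrets xfs defaults 0 0' > "$d/fstab"
    check_luks_tabs "$d/crypttab" "$d/fstab"; local rc=$?
    rm -rf "$d"; return "$rc"
}

demo || true
```

On a real system, run sudo bash -c with the function defined, or call check_luks_tabs with no arguments as root, so that it reads /etc/crypttab and /etc/fstab.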

Now that we've seen LUKS, let's move on to eCryptfs.
