Disk encryption during operating system installation

When you install Red Hat Enterprise Linux 7 or one of its offspring, you have the option of encrypting the drive. All you have to do is to click on a checkbox:

Other than that, I just let the installer create the default partitioning scheme, which means that the / filesystem and the swap partition will both be logical volumes. (I'll cover that in a moment.)

Before the installation can continue, I have to create a passphrase to mount the encrypted disk:

Now, whenever I reboot the system, I need to enter this passphrase:

Once the machine is up and running, I can look at the list of logical volumes. I see both the / logical volume and the swap logical volume:

[donnie@localhost etc]$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/centos/swap
  LV Name                swap
  VG Name                centos
  LV UUID                tsme2v-uy87-uech-vpNp-W4E7-fHLf-3bf817
  LV Write Access        read/write
  LV Creation host, time localhost, 2017-10-28 13:00:11 -0400
  LV Status              available
  # open                 2
  LV Size                2.00 GiB
  Current LE             512
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     8192
  Block device           253:2

  --- Logical volume ---
  LV Path                /dev/centos/root
  LV Name                root
  VG Name                centos
  LV UUID                MKXVO9-X8fo-w2FC-LnGO-GLnq-k2Xs-xI1gn0
  LV Write Access        read/write
  LV Creation host, time localhost, 2017-10-28 13:00:12 -0400
  LV Status              available
  # open                 1
  LV Size                17.06 GiB
  Current LE             4368
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     8192
  Block device           253:1

[donnie@localhost etc]$

I can also look at the list of physical volumes (actually, there's only one physical volume in the list, and it's listed as a luks physical volume):

[donnie@localhost etc]$ sudo pvdisplay
  --- Physical volume ---
  PV Name               /dev/mapper/luks-2d7f02c7-864f-42ce-b362-50dd830d9772
  VG Name               centos
  PV Size               <19.07 GiB / not usable 0
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              4881
  Free PE               1
  Allocated PE          4880
  PV UUID               V50E4d-jOCU-kVRn-67w9-5zwR-nbwg-4P725S

[donnie@localhost etc]$

This shows that the underlying physical volume is encrypted, which means that both the / and the swap logical volumes are also encrypted. That's a good thing, because leaving the swap space unencrypted (a common mistake when setting up disk encryption manually) can lead to data leakage.
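
The same check can be scripted instead of read off the lvdisplay and pvdisplay output. The following is an added example, not code from the original text: it walks each mounted filesystem and active swap area back to the disk and reports whether a dm-crypt mapping sits in between. The function names check_encrypted and sample_lsblk are hypothetical, and the sample input is constructed to mirror the layout shown above, with a separate /boot partition as an assumption.

```shell
# Added example (not from the original text). Reads the output of
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT   on stdin.
check_encrypted() {
    awk '
    function field(line, key,    s) {   # value of key="value" in one line
        line = " " line                 # so KNAME cannot match inside PKNAME
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^=]*="/, "", s); sub(/"$/, "", s)
        return s
    }
    # Encrypted only if every path down to the disk crosses a TYPE=crypt device.
    function enc(d,    ps, c, i) {
        if (type[d] == "crypt") return 1
        c = split(parents[d], ps, " "); if (c == 0) return 0
        for (i = 1; i <= c; i++) if (!enc(ps[i])) return 0
        return 1
    }
    {
        k = field($0, "KNAME"); p = field($0, "PKNAME")
        if (!(k in type)) order[++n] = k
        type[k] = field($0, "TYPE"); mnt[k] = field($0, "MOUNTPOINT")
        if (p != "") parents[k] = parents[k] " " p
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            if (mnt[k] == "") continue  # neither mounted nor active swap
            state = enc(k) ? "encrypted" : "PLAINTEXT"
            if (state == "PLAINTEXT") bad = 1
            printf "%s %s %s\n", mnt[k], k, state
        }
        exit bad + 0                    # non-zero when anything is plaintext
    }'
}

# Constructed sample mirroring the layout above: dm-0 is the LUKS mapping,
# dm-1 the root LV, dm-2 the swap LV; sda1 as a separate /boot is an assumption.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}
sample_lsblk | check_encrypted || echo "plaintext device(s) found"
```

On a live system, pipe the real lsblk output into check_encrypted instead of the sample; a swap partition created outside the LUKS container shows up as a PLAINTEXT [SWAP] line.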
