Adding an encrypted partition with LUKS

There may be times when you'll need to either add another encrypted drive to an existing machine, or encrypt a portable device, such as a USB memory stick. This procedure works for both scenarios.

To demonstrate, I'll shut down my CentOS VM and add another virtual drive:

I'll bump the drive capacity up to 20 GB, which will give me plenty of room to work with:

After rebooting the machine, I now have a /dev/sdb drive to play with. My next step is to create a partition. It doesn't matter whether I use a new-fangled GPT partition table or an old-fashioned MBR one; LUKS only cares about the partition it is given. I'll go with GPT, and my preferred utility for that is gdisk, simply because it's so similar to the old fdisk that I know and love so well. The only catch is that gdisk isn't installed on CentOS by default:

sudo yum install gdisk
sudo gdisk /dev/sdb

I'll use the entire drive for my partition, and leave the partition type set at the default 8300. I now have the /dev/sdb1 partition:

[donnie@localhost ~]$ sudo gdisk -l /dev/sdb
[sudo] password for donnie:
GPT fdisk (gdisk) version 0.8.6

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sdb: 43978112 sectors, 21.0 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): DC057EC6-3BA8-4269-ABE9-2A28B4FDC84F
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 43978078
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number Start (sector) End (sector) Size Code Name
1 2048 43978078 21.0 GiB 8300 Linux filesystem
[donnie@localhost ~]$

I'll next use cryptsetup to write a LUKS header onto the partition, turning it into an encrypted container. In this command, -v signifies verbose mode, and -y (short for --verify-passphrase) makes cryptsetup prompt for the passphrase twice so that a typo can't lock me out of a freshly created container. Note that when it says to type yes all in uppercase, it really does mean to type it in uppercase, and that whatever was on the partition before is gone once you do:

[donnie@localhost ~]$ sudo cryptsetup -v -y luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
[donnie@localhost ~]$

Although I don't have to, I'd like to look at the information about my new encrypted partition:

[donnie@localhost ~]$ sudo cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
. . .
. . .

There's a lot more to the output than what I can show here, including the eight key slots and which of them are in use, but you get the idea. The lines shown say this is a LUKS1 header, that the data is encrypted with AES in XTS mode (xts-plain64), and that sha256 is the hash used when deriving the key from the passphrase.

Next, I'll map the partition to a device name. You can name the device pretty much whatever you want, and I'll just name mine secrets. (I know, it's a corny name. You probably won't want to make it so obvious where you're storing your secrets.):

[donnie@localhost ~]$ sudo cryptsetup luksOpen /dev/sdb1 secrets
Enter passphrase for /dev/sdb1:
[donnie@localhost ~]$

When I look in the /dev/mapper directory, I see my new secrets device, listed as a symbolic link to the dm-3 device:

[donnie@localhost mapper]$ pwd
/dev/mapper
[donnie@localhost mapper]$ ls -l se*
lrwxrwxrwx. 1 root root 7 Oct 28 17:39 secrets -> ../dm-3
[donnie@localhost mapper]$

I'll use dmsetup to look at the information about my new device:

[donnie@localhost mapper]$ sudo dmsetup info secrets
[sudo] password for donnie:
Name: secrets
State: ACTIVE
Read Ahead: 8192
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 3
Number of targets: 1
UUID: CRYPT-LUKS1-6cbdce1748d441a18f8e793c0fa7c389-secrets

[donnie@localhost mapper]$

The next step is to create a filesystem on the mapped device, exactly as I would on an ordinary partition. I could use any filesystem that's supported by Red Hat and CentOS. But, since everything else on my system is already formatted with XFS, that's what I'll go with here, as well:

[donnie@localhost ~]$ sudo mkfs.xfs /dev/mapper/secrets
meta-data=/dev/mapper/secrets isize=512 agcount=4, agsize=1374123 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=5496491, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=2683, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[donnie@localhost ~]$

My final step is to create a mount point and to mount the encrypted partition:

[donnie@localhost ~]$ sudo mkdir /secrets
[sudo] password for donnie:
[donnie@localhost ~]$ sudo mount /dev/mapper/secrets /secrets
[donnie@localhost ~]$

Running mount and filtering its output for the device name verifies that the filesystem is mounted properly:

[donnie@localhost ~]$ mount | grep 'secrets'
/dev/mapper/secrets on /secrets type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
[donnie@localhost ~]$
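Here is the whole procedure wrapped into one script, as an added example that is not from the book. It runs the luksFormat, luksOpen, mkfs.xfs and mount steps in order, refuses to overwrite a partition that already carries a signature or is mounted, spells out the cipher, key size and hash rather than relying on whatever the distro compiled in, and checks the result by reading cryptsetup status output. The device /dev/sdb1, the mapper name secrets and the mount point /secrets are the ones used above; the function names, the DRY_RUN switch and the sample status text are my own assumptions, and the sample is constructed rather than captured from a real system.

```bash
#!/bin/bash
# Added example (not from the book). Assumptions: /dev/sdb1 is the spare
# partition, "secrets" the mapper name, /secrets the mount point. Run as root
# with a real spare partition, or with DRY_RUN=1 to only print the commands.
set -u

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# luksFormat overwrites the partition irrevocably, so refuse to run it on one
# that already carries a filesystem, LUKS, LVM or RAID signature, or that is
# mounted. blkid -p probes the device directly and exits non-zero when it
# finds nothing; findmnt -S looks the device up among mounted filesystems.
refuse_if_in_use() {
    local part="$1"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    if blkid -p "$part" >/dev/null 2>&1; then
        echo "refusing: $part already has a $(blkid -p -o value -s TYPE "$part") signature" >&2
        return 1
    fi
    if findmnt -n -S "$part" >/dev/null 2>&1; then
        echo "refusing: $part is mounted" >&2
        return 1
    fi
}

# Format, map, make a filesystem and mount, stopping at the first failure.
# -y makes cryptsetup ask for the passphrase twice; cipher, key size and hash
# are given explicitly so the header does not depend on the build's defaults
# (a 512-bit XTS key means AES-256).
luks_add_partition() {
    local part="$1" name="$2" mnt="$3"
    refuse_if_in_use "$part" || return 1
    run cryptsetup -v -y --cipher aes-xts-plain64 --key-size 512 --hash sha256 luksFormat "$part" || return 1
    run cryptsetup luksOpen "$part" "$name" || return 1
    run mkfs.xfs "/dev/mapper/$name" || return 1
    run mkdir -p "$mnt" || return 1
    run mount "/dev/mapper/$name" "$mnt" || return 1
}

# Read `cryptsetup status <name>` text on stdin and confirm the mapping is
# active, is LUKS, and uses the cipher and key size we asked for.
# Returns 1 with a reason on stderr otherwise.
check_status() {
    local want_cipher="$1" want_bits="$2"
    local text
    text=$(cat)
    printf '%s\n' "$text" | grep -q 'is active' || { echo "mapping not active" >&2; return 1; }
    printf '%s\n' "$text" | grep -Eq '^ *type: *LUKS' || { echo "not a LUKS mapping" >&2; return 1; }
    printf '%s\n' "$text" | grep -Eq "^ *cipher: *${want_cipher}\$" || { echo "unexpected cipher" >&2; return 1; }
    printf '%s\n' "$text" | grep -Eq "^ *keysize: *${want_bits} bits" || { echo "unexpected key size" >&2; return 1; }
}

# Constructed sample of `cryptsetup status secrets` output for the mapping
# created above, so check_status can be exercised without root.
SAMPLE_STATUS='/dev/mapper/secrets is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sdb1
  mode:    read/write'

if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1 luks_add_partition /dev/sdb1 secrets /secrets
    printf '%s\n' "$SAMPLE_STATUS" | check_status aes-xts-plain64 512 && echo "status check passed"
fi
```

Run the script with the argument demo to see the five commands it would execute; drop DRY_RUN and run it as root to do the real thing. After a real run, pipe sudo cryptsetup status secrets into check_status to confirm the mapping is what you asked for, and when you're finished with the drive, umount /secrets and then cryptsetup luksClose secrets so the key is dropped from the kernel.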