Thursday, November 20, 2014

How To Create A LUKS Device In Linux

LUKS (Linux Unified Key Setup) is the standard on-disk format for block device encryption on Linux. The encryption itself is done in the kernel by the dm-crypt device-mapper target; the userspace tool that writes the LUKS header and manages its key slots is "cryptsetup". None of this is Red Hat specific, but the package names, paths and defaults shown in this post are from RHEL 6 / CentOS 6.

To get this done, install the required package if it is not already installed. On RHEL 6 the package is "cryptsetup-luks"; it provides the "cryptsetup" command used throughout this post.

- Ensure the package is present:
    [root@server3 Desktop]# rpm -q --last cryptsetup-luks
    cryptsetup-luks-1.2.0-6.el6                   Sun 31 Aug 2014 05:22:01 PM PDT

- Ensure the "dm_crypt" kernel module is available. modinfo shows the module file and that it depends on dm-mod; cryptsetup loads it on demand, and "lsmod | grep dm_crypt" tells you whether it is currently loaded:

    [root@server3 Desktop]# modinfo dm_crypt

    filename:       /lib/modules/2.6.32-220.el6.x86_64/kernel/drivers/md/dm-crypt.ko
    license:        GPL
    description:    device-mapper target for transparent encryption / decryption
    author:         Christophe Saout <>
    srcversion:     DEE25614AF5497C1F6507BA
    depends:        dm-mod
    vermagic:       2.6.32-220.el6.x86_64 SMP mod_unload modversions

 Creating LUKS partition/volume

In this exercise, I've used a logical volume (LV) as the underlying block device for the LUKS mapping; a plain partition such as /dev/sdc1 works the same way.

- First create an LV of the required size (lvcreate). Whatever is on it will be destroyed by the next step.

- Next, format that LV as a LUKS device (this writes the LUKS header and initializes the key slots; there is no going back for any existing data on the LV):

        #cryptsetup luksFormat /dev/mapper/vg1-lv1

        This asks for confirmation (an uppercase YES) and then for a passphrase, typed twice; the passphrase goes into key slot 0. The cipher and key size are this cryptsetup version's defaults (aes-cbc-essiv:sha256 with a 256-bit key on cryptsetup 1.2, as the luksDump output at the end of this post shows); cryptsetup 1.6 and later default to aes-xts-plain64.

- Now open the LUKS device under a logical name:
       #cryptsetup luksOpen /dev/mapper/vg1-lv1 mydata

 This prompts for the passphrase and creates the mapping /dev/mapper/mydata; <mydata> is the logical name used from here on. Everything written to /dev/mapper/mydata is encrypted by dm-crypt before it reaches vg1-lv1.

- Create a filesystem on the mapped device (on /dev/mapper/mydata, never on the underlying LV, which would overwrite the LUKS header):

       #mkfs.ext4 /dev/mapper/mydata

- Check the status of the LUKS device :
      #cryptsetup status /dev/mapper/mydata

- Mount this device now:

      #mkdir /fdata
      #mount /dev/mapper/mydata /fdata

- Create a key file, so the volume can be unlocked at boot without typing the passphrase. 4096 bytes from /dev/urandom is a random key rather than a passphrase, so guessing it is not a practical attack:

      #dd if=/dev/urandom of=/root/my-key bs=4096 count=1

- Lock the key file down before anything else reads it (the boot-time unlock warns if the key file is readable by others):

      #chmod 400 /root/my-key

- Add the key file to a free key slot of the underlying block device (this prompts for the existing passphrase, which stays valid in slot 0; the key file goes into the next free slot):

      #cryptsetup luksAddKey /dev/mapper/vg1-lv1 /root/my-key

- Add the mapping to /etc/crypttab so that it is unlocked with the key file while the system boots:
      #vim /etc/crypttab
      <LogicalNameofTheLUKSDevice>    <UnderlyingBlockDevice>    <PathToTheKeyFile>
      mydata                /dev/mapper/vg1-lv1    /root/my-key

  Note that the key file lives on the root filesystem. If root is not itself encrypted, whoever gets the disk (or root on the running box) gets the key along with the data, so this layout only protects a data volume on a host whose root filesystem is encrypted or physically protected. To be prompted for the passphrase at boot instead, put "none" in the third field and do without the key file.

- Add the mapped device and mount point to /etc/fstab (the init scripts process /etc/crypttab before mounting fstab entries, so /dev/mapper/mydata exists by the time the mount runs):

      /dev/mapper/mydata    /fdata    ext4    defaults    1 2

The encrypted volume on LVM is now set up.
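The steps above as one script, added here as an example and not part of the original post. It assumes a RHEL 6-era cryptsetup (LUKS1 headers), an existing LV and root; the names vg1-lv1, mydata, /fdata and /root/my-key follow the post and can be overridden through the environment. Two things it does differently from the step-by-step text: it refuses to luksFormat a device that already carries a LUKS header or another filesystem signature, and it opens the volume with the key file rather than the passphrase, so that the boot-time unlock path is proven to work before /etc/crypttab relies on it.

```shell
#!/bin/bash
# Added example, not from the original post: the LUKS-on-LVM procedure as one script.
# Assumptions: RHEL 6-era cryptsetup (LUKS1), an existing LV at $DEV, run as root.
# Usage: DEV=/dev/mapper/vg1-lv1 NAME=mydata MNT=/fdata ./luks-setup.sh --run
set -eu

DEV=${DEV:-/dev/mapper/vg1-lv1}
NAME=${NAME:-mydata}
MNT=${MNT:-/fdata}
KEYFILE=${KEYFILE:-/root/my-key}

# Write 4096 random bytes to $1. The file is created under umask 077 so the
# key is never readable by group/other, then locked to 0400.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null )
    chmod 400 "$1"
}

# 0 if $1 exists and has no group/other permission bits (0400 or 0600), else 1.
# This is the condition the boot-time unlock warns about when it is not met.
keyfile_perms_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1")
    [ $((mode % 100)) -eq 0 ]
}

# crypttab_line NAME DEV KEYFILE -> the /etc/crypttab entry (name, device, key file)
crypttab_line() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }

# fstab_line NAME MOUNTPOINT -> the /etc/fstab entry for the mapped device
fstab_line() { printf '/dev/mapper/%s\t%s\text4\tdefaults\t1 2\n' "$1" "$2"; }

# The whole procedure: format, add the key file, open using that key file (so
# the boot path is exercised now rather than found broken at reboot), mkfs,
# mount, and register the mapping and the mount in crypttab/fstab.
setup_luks_volume() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$DEV" ] || { echo "$DEV is not a block device" >&2; return 1; }
    # luksFormat destroys whatever is on the device: refuse if it already
    # carries a LUKS header or any other signature blkid recognises.
    if cryptsetup isLuks "$DEV"; then
        echo "$DEV already has a LUKS header, refusing to luksFormat" >&2; return 1
    fi
    if blkid "$DEV" >/dev/null 2>&1; then
        echo "$DEV already carries a signature; wipe it first if that is intended" >&2; return 1
    fi
    [ -e "$KEYFILE" ] || make_keyfile "$KEYFILE"
    keyfile_perms_ok "$KEYFILE" || { echo "$KEYFILE is readable by others" >&2; return 1; }

    cryptsetup luksFormat "$DEV"              # prompts: YES, then passphrase twice (slot 0)
    cryptsetup luksAddKey "$DEV" "$KEYFILE"   # prompts for that passphrase; key file -> next free slot
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEV" "$NAME"
    mkfs.ext4 "/dev/mapper/$NAME"             # on the mapping, never on $DEV itself
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"

    grep -q "^$NAME[[:space:]]" /etc/crypttab 2>/dev/null \
        || crypttab_line "$NAME" "$DEV" "$KEYFILE" >> /etc/crypttab
    grep -q "[[:space:]]$MNT[[:space:]]" /etc/fstab \
        || fstab_line "$NAME" "$MNT" >> /etc/fstab
    cryptsetup status "$NAME"
}

# Only run the root-only procedure when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    setup_luks_volume
fi
```

The key file is created before luksFormat so that a permission problem aborts the run before anything destructive happens; luksFormat and luksAddKey are deliberately left interactive rather than fed the passphrase from the environment.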

 How to check if the underlying block device is LUKS initialized?

- Verify that a mapped device is backed by LUKS using "cryptsetup status <LUKSDeviceName>" as shown below (this output is from another host, where the mapping is named fdata rather than mydata):

    [root@server8 Desktop]# cryptsetup status /dev/mapper/fdata
    /dev/mapper/fdata is active and is in use.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/mapper/vg1-lv1
      offset:  4096 sectors
      size:    192512 sectors
      mode:    read/write

The output shows that /dev/mapper/fdata is a LUKS1 mapping whose underlying block device is /dev/mapper/vg1-lv1; the first 4096 sectors (2 MiB) of that device hold the LUKS header and key material, and the encrypted payload starts after them.

Alternatively, use the "dmsetup info <LUKSDevice>" command:

    [root@server8 Desktop]# dmsetup info /dev/mapper/fdata
    Name:              fdata
    State:             ACTIVE
    Read Ahead:        256
    Tables present:    LIVE
    Open count:        1
    Event number:      0
    Major, minor:      253, 2
    Number of targets: 1
    UUID: CRYPT-LUKS1-2f08863b3729433ab1ea8f9f915ce886-fdata

- The UUID line, of the form CRYPT-LUKS1-<header UUID without dashes>-<name>, is how cryptsetup names its device-mapper devices, so /dev/mapper/fdata is a dm-crypt mapping over a LUKS1 header.

- You can also check whether the underlying block device itself carries a LUKS header, without opening it. isLuks prints nothing unless given -v, and exits 0 for a LUKS device and non-zero otherwise, which makes it useful in scripts:

    [root@server8 Desktop]# cryptsetup -v isLuks /dev/mapper/vg1-lv1
    Command successful.

The active dm-crypt table, from "dmsetup table <LUKSDevice>", shows the cipher, the backing device (major:minor) and the sector offset of the payload (here for a mapping named "testing"):

    [root@server8 Desktop]# dmsetup table testing
    0 192512 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 253:2 4096

The run of zeros is the volume key, masked by dmsetup; "dmsetup table --showkeys" prints the real key in hex. Anyone with root on the running system can therefore read the key of any open LUKS mapping: LUKS protects data at rest, not a volume that is currently unlocked.

- If you wish to view the UUID stored in the LUKS header of the underlying block device:

    #cryptsetup luksUUID <UnderlyingBlockDevice>

    [root@server3 ~]# cryptsetup luksUUID /dev/sdc1

    Alternatively, use the "blkid" command, which also reports the device type as crypto_LUKS:

    [root@server3 ~]# blkid /dev/sdc1
    /dev/sdc1: UUID="bfdc34aa-1c10-4a35-b77f-b7d295802050" TYPE="crypto_LUKS"

    Or take it from the header dump:

    [root@server3 ~]# cryptsetup luksDump /dev/sdc1|grep UUID
    UUID:              bfdc34aa-1c10-4a35-b77f-b7d295802050

- To see the cipher, the key-derivation hash, the master key size and which of the eight key slots are in use, run "cryptsetup luksDump" on the underlying device:

    [root@server3 ~]# cryptsetup luksDump /dev/sdc1
    LUKS header information for /dev/sdc1

    Version:           1
    Cipher name:       aes
    Cipher mode:       cbc-essiv:sha256
    Hash spec:         sha1  
    Payload offset:    4096
    MK bits:           256
    MK digest:         d9 f9 2e f5 d4 d3 da d8 51 d0 8b 3f 8d b3 4e c6 b8 95 db 18
    MK salt:           79 2c a3 89 2a ad f2 a7 86 11 6e 2b fa cb c7 ff
                           00 06 79 cf 48 16 ff ac 49 ac ca e5 cd 49 51 0d
    MK iterations:     53250
    UUID:              bfdc34aa-1c10-4a35-b77f-b7d295802050

    Key Slot 0: ENABLED
        Iterations:             213408
        Salt:                   af a2 c3 10 76 3b 4d 50 1b 65 01 17 bc 61 9c a6
                                  75 dc 9c 22 fd b1 53 28 72 14 0b 5e 91 f9 53 ff
        Key material offset:    8
        AF stripes:                4000
    Key Slot 1: ENABLED
        Iterations:             206314
        Salt:                   4e a6 8c 4b b9 7e e3 7b 4f ec 51 e3 2c 42 7c d1
                                  4a b1 5c 11 99 57 0e 75 1d a4 55 57 4b 20 89 e8
        Key material offset:    264
        AF stripes:                4000
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
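In the dump above two of the eight slots are in use (a LUKS1 header has exactly eight). Each enabled slot holds its own salt and PBKDF2 iteration count, benchmarked by cryptsetup from --iter-time when that key was added, and all slots unlock the same master key, so the weakest slot bounds the cost of a passphrase-guessing attack on a stolen header. As an added example, not from the original post, the script below pulls the security-relevant fields out of such a dump and flags the settings that have since become legacy defaults. It parses the dump text only, so it needs neither root nor a LUKS device; the sample is the dump shown above, the second (/dev/sdd1) header is constructed for contrast, and the MIN_ITER threshold is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post: summarise a LUKS1 "cryptsetup luksDump"
# header and flag settings that are weak by today's defaults. Parses the dump text
# only, so it needs neither root nor a LUKS device:
#   cryptsetup luksDump /dev/sdc1 | luks_header_report
set -eu

# Minimum acceptable per-slot PBKDF2 count. An assumed threshold for this example;
# the real value is whatever cryptsetup benchmarked from --iter-time at format time.
MIN_ITER=${MIN_ITER:-100000}

# Copied from the luksDump output above (cryptsetup 1.2 defaults), salts elided.
SAMPLE_DUMP='LUKS header information for /dev/sdc1

Version:           1
Cipher name:       aes
Cipher mode:       cbc-essiv:sha256
Hash spec:         sha1
Payload offset:    4096
MK bits:           256
UUID:              bfdc34aa-1c10-4a35-b77f-b7d295802050

Key Slot 0: ENABLED
        Iterations:             213408
Key Slot 1: ENABLED
        Iterations:             206314
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed header for contrast: what a newer cryptsetup writes for LUKS1
# (aes-xts-plain64, 512-bit key, PBKDF2-SHA256). Device and UUID are made up.
GOOD_DUMP='LUKS header information for /dev/sdd1

Version:           1
Cipher name:       aes
Cipher mode:       xts-plain64
Hash spec:         sha256
Payload offset:    4096
MK bits:           512
UUID:              6f5b1c2e-0a4d-4b7e-9c3a-2d1e8f7a6b5c

Key Slot 0: ENABLED
        Iterations:             1480000
Key Slot 1: DISABLED'

# luks_field NAME: print the value of the "NAME:   value" header line read on stdin
luks_field() {
    awk -v k="$1" 'index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Number of key slots in use
luks_enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { n++ } END { print n + 0 }'
}

# Lowest PBKDF2 iteration count among enabled slots (0 if none)
luks_min_slot_iterations() {
    awk '/^Key Slot [0-7]: ENABLED/  { on = 1; next }
         /^Key Slot [0-7]: DISABLED/ { on = 0; next }
         on && /^[ \t]*Iterations:/  { if (min == "" || $2 + 0 < min + 0) min = $2 }
         END { print min + 0 }'
}

# Read a dump on stdin, print INFO/WARN lines, return 0 when nothing is flagged.
luks_header_report() {
    local dump version name mode hspec bits slots iters warn=0
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | luks_field "Version")
    name=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    hspec=$(printf '%s\n' "$dump" | luks_field "Hash spec")
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    slots=$(printf '%s\n' "$dump" | luks_enabled_slots)
    iters=$(printf '%s\n' "$dump" | luks_min_slot_iterations)
    echo "INFO: LUKS$version $name-$mode, ${bits}-bit master key, $slots of 8 slots in use, min $iters PBKDF2 iterations"
    if [ "$version" = 1 ]; then
        echo "INFO: LUKS1 header (PBKDF2 only, no metadata integrity); LUKS2 in cryptsetup 2.x adds Argon2"
    fi
    case $mode in
        cbc-*) echo "WARN: CBC mode ($mode), the cryptsetup < 1.6 default; the current default is xts-plain64"
               warn=$((warn + 1)) ;;
    esac
    if [ "$hspec" = sha1 ]; then
        echo "WARN: PBKDF2-HMAC-SHA1 key derivation, the cryptsetup < 1.7 default; the current default is sha256"
        warn=$((warn + 1))
    fi
    if [ "${bits:-0}" -lt 256 ]; then
        echo "WARN: ${bits}-bit master key"; warn=$((warn + 1))
    fi
    if [ "$iters" -lt "$MIN_ITER" ]; then
        echo "WARN: weakest slot uses $iters PBKDF2 iterations (< $MIN_ITER); re-add that key with a longer --iter-time"
        warn=$((warn + 1))
    fi
    [ "$warn" -eq 0 ]
}
```

Run against the header from this post it reports CBC mode and SHA-1 key derivation, which were the defaults of the cryptsetup shipped with RHEL 6; neither is broken, but a volume formatted today should not inherit them, and the iteration counts of a slot created in 2014 are low for current hardware regardless of what threshold you pick.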

Thanks for viewing this post!!!
