Thursday, November 20, 2014

How To Create A LUKS Device In Linux?

LUKS (Linux Unified  Key Setup) is a standard for hard disk encryption. This is the native Linux (Red Hat variants) utility to perform hard drive encryption to protect data. To get this done, install the required package if not installed. The package needed is "cryptsetup-luks". Once this is done, the "cryptsetup" command would be available to use.

- First, check if the required package is installed:
[root@server3 Desktop]# rpm -q --last cryptsetup-luks
cryptsetup-luks-1.2.0-6.el6               Sun 31 Aug 2014 05:22:01 PM PDT

- Next, ensure that the "dm_crypt" module is loaded:

[root@server3 Desktop]# modinfo dm_crypt    
    filename:   /lib/modules/2.6.32-220.el6.x86_64/kernel/drivers/md/dm-crypt.ko
license:    GPL
description: device-mapper target for transparent encryption / decryption
author:     Christophe Saout <>
srcversion: DEE25614AF5497C1F6507BA
depends:    dm-mod
vermagic:   2.6.32-220.el6.x86_64 SMP mod_unload modversions

 Creating LUKS partition/volume

A logical volume (LV) would be used as the underlying block device for LUKS mapped device in this demonstration.

- Create the LV with required size.

- Next, using the corresponding LV format it as LUKS device (this would initializes the LUKS partition): 

        # cryptsetup luksFormat /dev/mapper/vg1-lv1

     This would ask for a passphrase which needs to be typed twice.

- Now, use a logical name to map to this to LUKS block device : 
       # cryptsetup luksOpen /dev/mapper/vg1-lv1 mydata 

 In the above line <mydata> would be the logical mapped name being used later.

- Format the LUKS logical device now: 

       # mkfs.ext4 /dev/mapper/mydata

- Check the status of the LUKS device : 
      # cryptsetup status /dev/mapper/mydata

- Mount this device now: #mkdir /fdata

   # mount /dev/mapper/mydata /fdata

- Create a passprhase : 

      # dd if=/dev/urandom of=/root/my-key bs=4096 count=1

- Add the above key/passprhase to the underlying block device : 

      # cryptsetup luksAddKey /dev/maper/vg1-lv1 /root/my-key

- Add the key to /etc/crypttab so that it would be used while the system is booting up to mount it and the format should be:

  <LogicalNameofTheLUKSDevice> <UnderlyingBlockDevice> <PathToTheKeyFile>
  # cat /etc/crypttab
  mydata /dev/mapper/vg1-lv1 /root/my-key

- Change permission of the key (otherwise system would show up an warning while booting up) : 

      # chmod 400 /root/my-key

- Add the LUKS device and mount point to the /etc/fstab:

/dev/mapper/mydata /fdata ext4 defaults 1 2

The LUKS LVM has been created successfully now!

 How to check if the underlying block device is LUKS initialized?

- Verify the block device being used is LUKS formatted using "cryptsetup status <LUKSDeviceName>" command as shown below:

[root@server8 Desktop]# cryptsetup status /dev/mapper/fdata
/dev/mapper/fdata is active and is in use.
  type:  LUKS1
   cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/vg1-lv1
  offset:  4096 sectors
size: 192512 sectors
mode: read/write

The above details says that underlying block device for the LUKS device /dev/mapper/fdata is /dev/mapper/vg1-lv1

Otherwise, using the "dmsetup info <LUKSDevice>" command:


[root@server8 Desktop]# dmsetup info /dev/mapper/fdata
Name:          fdata
State:         ACTIVE
Read Ahead:    256
Tables present: LIVE
Open count:    1
Event number:  0
Major, minor:  253, 2
Number of targets: 1
UUID: CRYPT-LUKS1-2f08863b3729433ab1ea8f9f915ce886-fdata

- With the above details we could say that logical device /dev/mapper/fdata is a LUKS formatted.

- You could also  verify whether the block device is LUKS formatted device as shown below:

[root@server8 Desktop]# cryptsetup -v isLuks /dev/mapper/vg1-lv1
Command successful.

Also using the command "dmsetup" command as shown below:

[root@server8 Desktop]# dmsetup table testing
0 192512 crypt aes-cbc-essiv:sha256
0000000000000000000000000000000000000000000000000000000000000000 0 253:2 4096

- If you wish to verify or view the UUID set on the underlying LUKS device:
#cryptsetup luksUUID <UnderlyingBlockDevice>


[root@server3 ~]# cryptsetup luksUUID /dev/sdc1

Otherwise, using "blkid" command as shown below:

[root@server3 ~]# blkid /dev/sdc1
/dev/sdc1: UUID="bfdc34aa-1c10-4a35-b77f-b7d295802050" TYPE="crypto_LUKS"
Alternatively using the "cryptsetup luksDump" command:

[root@server3 ~]# cryptsetup luksDump /dev/sdc1|grep UUID
UUID:      bfdc34aa-1c10-4a35-b77f-b7d295802050

- To understand the encryption method being used, key slots being used/available etc., in encryption, use the command "cryptsetup luksDump":

[root@server3 ~]# cryptsetup luksDump /dev/sdc1
LUKS header information for /dev/sdc1
Version:   1
Cipher name:   aes
Cipher mode:   cbc-essiv:sha256
Hash spec: sha1  
Payload offset: 4096
MK bits:   256
MK digest: d9 f9 2e f5 d4 d3 da d8 51 d0 8b 3f 8d b3 4e c6 b8 95 db 18
MK salt:   79 2c a3 89 2a ad f2 a7 86 11 6e 2b fa cb c7 ff
          00 06 79 cf 48 16 ff ac 49 ac ca e5 cd 49 51 0d
MK iterations: 53250
UUID:      bfdc34aa-1c10-4a35-b77f-b7d295802050

Key Slot 0: ENABLED
Iterations:     213408
Salt:           af a2 c3 10 76 3b 4d 50 1b 65 01 17 bc 61 9c a6
              75 dc 9c 22 fd b1 53 28 72 14 0b 5e 91 f9 53 ff
Key material offset: 8
AF stripes:        4000
Key Slot 1: ENABLED
Iterations:     206314
Salt:           4e a6 8c 4b b9 7e e3 7b 4f ec 51 e3 2c 42 7c d1
                  4a b1 5c 11 99 57 0e 75 1d a4 55 57 4b 20 89 e8
Key material offset: 264
AF stripes:        4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Thanks for viewing this post!

No comments: