Using the LUKS disk encryption
In enterprises such as small businesses and government offices, users may have to secure their systems in order to protect private data such as customer details, important files, and contact information. To do so, Linux provides a good number of cryptographic techniques that can be used to protect data on physical devices such as hard disks or removable media. One of them is the Linux Unified Key Setup (LUKS) on-disk format which, together with the kernel's dm-crypt module, allows whole Linux partitions to be encrypted.
LUKS has the following functionality:
- An entire block device can be encrypted using LUKS, which makes it well suited to protecting data on removable storage media or laptop disk drives.
- Once encrypted, the contents of the block device are indistinguishable from random data, which also makes it useful for encrypting swap devices.
- LUKS uses the existing device mapper kernel subsystem (dm-crypt); the decrypted view of the device appears under /dev/mapper.
- The passphrase is run through a deliberately slow key derivation function (PBKDF2 in LUKS1, Argon2 in LUKS2), which protects against dictionary attacks on the passphrase.
Getting ready
For the following process to work, /home must have been created on a separate partition when Linux was installed.
Warning
Configuring LUKS using the given steps will destroy all the data on the partition that is being encrypted. So, before starting the process of using LUKS, make sure to back up the data on an external source.
How to do it…
To manually encrypt the /home partition, follow these steps:
- Move to run level 1 (single-user mode) so that no user sessions have files open on /home. Type the following command in the shell prompt or terminal (on a systemd-based system, systemctl isolate rescue.target is the equivalent):
telinit 1
- Now, unmount the current /home partition using this command:
umount /home
- The previous command will fail if any process still has files open on /home. Find and kill any such processes using the fuser command:
fuser -mvk /home
- Check to confirm that the /home partition is no longer mounted (no output means it is unmounted):
grep home /proc/mounts
- Now, overwrite the partition with random data, so that old plaintext cannot be recovered from it and used blocks cannot later be told apart from free space (/dev/MYDisk/home is the placeholder used here for the device holding /home; substitute your own):
shred -v --iterations=1 /dev/MYDisk/home
- The previous command might take some time to complete, so be patient. The time taken depends on the size and write speed of your device.
- Once the previous command completes, initialize the partition as a LUKS container. You will be asked to choose and confirm the passphrase:
cryptsetup --verbose --verify-passphrase luksFormat /dev/MYDisk/home
- Open the newly created encrypted device. The last argument is the name of the device mapper entry that will be created, here home:
cryptsetup luksOpen /dev/MYDisk/home home
- Check to confirm that the device is present:
ls -l /dev/mapper | grep home
- Now create a filesystem:
mkfs.ext3 /dev/mapper/home
- Then, mount the new filesystem:
mount /dev/mapper/home /home
- Confirm that the filesystem is still visible:
df -h | grep home
- Enter the following line in the /etc/crypttab file, so that the device is unlocked at boot (none means no key file is used and the passphrase is prompted for):
home /dev/MYDisk/home none
- Edit the /etc/fstab file: delete the existing entry for /home and add the following line, which mounts the decrypted device mapper device rather than the raw partition:
/dev/mapper/home /home ext3 defaults 1 2
- Once completed, on an SELinux-enabled system run this command to restore the default SELinux security contexts on the new filesystem:
/sbin/restorecon -v -R /home
- Reboot the machine:
shutdown -r now
- After rebooting, the system will prompt for the LUKS passphrase during boot. You can now log in as root and restore your backup onto the new /home.
Congratulations! You have successfully created an encrypted partition. The data on it is now protected at rest, that is, while the computer is off or the disk has been removed; while the system is running and /home is unlocked, ordinary file permissions are the only protection, so the passphrase itself must stay secret.
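The whole procedure as a script, added here as a worked example; it is not code from the original recipe. The device /dev/MYDisk/home and the mapper name home are the placeholders the recipe uses, the file name luks_home.sh is assumed, and DEV, NAME, MNT and FSTYPE can be overridden from the environment. With DRY_RUN=1 the destructive commands are printed instead of executed, so the plan can be checked before running it as root, and the fstab change is done by a function that keeps comments and the entries for other mount points untouched.

```shell
#!/bin/sh
# Added example (not from the original recipe): the LUKS /home steps as a script.
# Assumptions: /dev/MYDisk/home and the mapper name "home" are the recipe's
# placeholders; override DEV, NAME, MNT and FSTYPE for your own system.
# With DRY_RUN=1 the destructive commands are printed, not executed.
set -e

DEV="${DEV:-/dev/MYDisk/home}"   # raw partition or logical volume holding /home
NAME="${NAME:-home}"             # name of the entry created under /dev/mapper
MNT="${MNT:-/home}"              # mount point
FSTYPE="${FSTYPE:-ext3}"         # filesystem created inside the LUKS container
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Succeed only if $1 is listed as a mount point in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

# crypttab line: <mapper name> <device> none   ("none" = prompt for the passphrase)
crypttab_entry() {
    printf '%s %s none\n' "$1" "$2"
}

# fstab line that mounts the decrypted mapper device, not the raw partition.
fstab_entry() {
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# Replace the entry for mount point $2 in the fstab-style file $1 with line $3.
# Comment lines and entries for other mount points are kept as they are.
update_fstab() {
    tmp="$(mktemp)"
    awk -v m="$2" '$1 ~ /^#/ || $2 != m' "$1" > "$tmp"
    printf '%s\n' "$3" >> "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

encrypt_home() {
    if [ "$DRY_RUN" != "1" ] && [ ! -b "$DEV" ]; then
        echo "not a block device: $DEV" >&2
        return 1
    fi
    run telinit 1                                   # single-user mode
    if is_mounted "$MNT"; then
        run fuser -mvk "$MNT" || true               # kill whatever still uses it
        run umount "$MNT"
    fi
    if is_mounted "$MNT"; then
        echo "$MNT is still mounted, aborting" >&2
        return 1
    fi
    run shred -v --iterations=1 "$DEV"              # fill the device with random data
    run cryptsetup --verbose --verify-passphrase luksFormat "$DEV"
    run cryptsetup luksOpen "$DEV" "$NAME"          # last argument is the mapper name
    run "mkfs.$FSTYPE" "/dev/mapper/$NAME"
    run mount "/dev/mapper/$NAME" "$MNT"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ crypttab: $(crypttab_entry "$NAME" "$DEV")"
        echo "+ fstab:    $(fstab_entry "$NAME" "$MNT" "$FSTYPE")"
    else
        crypttab_entry "$NAME" "$DEV" >> /etc/crypttab
        update_fstab /etc/fstab "$MNT" "$(fstab_entry "$NAME" "$MNT" "$FSTYPE")"
    fi
    run /sbin/restorecon -v -R "$MNT"               # SELinux contexts, where enabled
    echo "done: reboot and enter the LUKS passphrase when prompted"
}

# Only act when told to explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    encrypt_home
fi
```

Check the plan first with DRY_RUN=1 sh luks_home.sh run, then, after backing up /home, run sh luks_home.sh run as root from run level 1. The script deliberately does not reboot; do that yourself once the printed crypttab and fstab entries look right.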
How it works…
We first move to run level 1 and unmount the /home partition. Once it is unmounted, we fill the partition with random data, then initialize it as a LUKS container with the cryptsetup command and open it, which creates the decrypted view of the device under /dev/mapper.
We then create a filesystem on that mapped device, mount it as /home, and add an entry for the partition to the /etc/crypttab file so that it is unlocked at boot. The /etc/fstab file is also edited so that /home is mounted from the mapped device rather than from the raw partition.
After completing all the steps, we restore the default SELinux contexts on the new filesystem.
From now on, the system will ask for the LUKS passphrase on every boot before /home can be mounted.