Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Practical Linux Security Cookbook

You're reading from   Practical Linux Security Cookbook Secure your Linux machines and keep them secured with the help of exciting recipes

Arrow left icon
Product type Paperback
Published in Apr 2016
Publisher Packt
ISBN-13 9781785286421
Length 276 pages
Edition 1st Edition
Tools
Arrow right icon
Authors (2):
Arrow left icon
Michael A Lindner Michael A Lindner
Author Profile Icon Michael A Lindner
Michael A Lindner
Tajinder Kalsi Tajinder Kalsi
Author Profile Icon Tajinder Kalsi
Tajinder Kalsi
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Linux Security Problems FREE CHAPTER 2. Configuring a Secure and Optimized Kernel 3. Local Filesystem Security 4. Local Authentication in Linux 5. Remote Authentication 6. Network Security 7. Security Tools 8. Linux Security Distros 9. Patching a Bash Vulnerability 10. Security Monitoring and Logging Index

Using the LUKS disk encryption

In enterprises such as small businesses and government offices users may have to secure their systems in order to protect their private data, which includes customers details, important files, contact details, and so on. To do so, Linux provides good number of cryptographic techniques, which can be used to protect data on physical devices such as hard disks or a removable media. One such cryptographic technique uses the Linux Unified Key Setup-on-disk-format (LUKS). This technique allows for the encryption of Linux partitions.

LUKS has the following functionality:

  • An entire block device can be encrypted using LUKS. It's well suited to protecting data on removable storage media or laptop disk drives.
  • Once encrypted, the contents of the encrypted block devices are random, thus making it useful for the encryption of swap devices.
  • LUKS uses an existing device mapper kernel subsystem.
  • It also provides a passphrase strengthener, which helps in protecting against dictionary attacks.

Getting ready

For the following process to work, it is necessary that /home is created on a separate partition while installing Linux.

Tip

WARNING

Configuring LUKS using the given steps will remove all the data on the partition that's being encrypted. So, before starting the process of using LUKS, make sure to back up the data on an external source.

How to do it…

For manually encrypting directories follow these steps:

  1. Move to Run level 1. Type the following command in the shell prompt or terminal:
    telinit 1
    
  2. Now, unmount the current /home partition using this command:
    umount /home
    
  3. The previous command might fail if there is any process controlling /home. Find and kill any such process using the fuser command:
    fuser -mvk /home
    
  4. Check to confirm that the /home partition is not mounted now:
    grep home /proc/mounts
    
  5. Now, put some random data into the partition:
    shred -v --iterations=1 /dev/MYDisk/home
    
  6. The previous command might take some time to complete, so be patient. The time taken depends on the write speed of your device.
  7. Once the previous command completes, initialize the partition:
    cryptsetup --verbose --verify-passphrase luksFormat /dev/MYDisk/home
    
  8. Open the newly created encrypted device:
    cryptsetup luksOpen /dev/MYDisk/home 
    
  9. Check to confirm that the device is present:
    ls -l /dev/mapper | grep home
    
  10. Now create a filesystem:
    mkfs.ext3 /dev/mapper/home
    
  11. Then, mount the new filesytem:
    mount /dev/mapper/home /home
    
  12. Confirm that the filesystem is still visible:
    df -h | grep home
    
  13. Enter the following line in the /etc/crypttab file:
    home /dev/MYDisk/home none
    
  14. Make changes in the /etc/fstab file to delete the entry for /home and add the following line:
    /dev/mapper/home /home ext3 defaults 1 2
    
  15. Once completed, run this command to restore the default SELinux security settings:
    /sbin/restorecon -v -R /home
    
  16. Reboot the machine:
    shutdown -r now
    
  17. After rebooting, the system will prompt us for the LUKS passphrase on boot. You can log in as the root now and restore your backup.

Congratulations! You have successfully created an encrypted partition. Now you can keep all your data safe even when your computer is off.

How it works…

We first move into running level 1 and unmounting the /home partition. Once unmounted, we fill some random data in the /home partition. Then, we initialize the partition, using the cryptsetup command to encrypt it.

Once the encryption is done, we mount the filesystem back again, and then make an entry of the partition in the /etc/crypttab file. Also, the /etc/fstab file is edited to add an entry for the preceding encrypted partition.

After completing all the steps, we have restored the default settings of SELinux.

Doing this, the system will always ask for the LUKS passphrase on boot.

You have been reading a chapter from
Practical Linux Security Cookbook
Published in: Apr 2016
Publisher: Packt
ISBN-13: 9781785286421
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime