In enterprises, small businesses, and government offices, users may have to secure their systems to protect private data such as customer details, important files, and contact details. To help with this, Linux provides a number of cryptographic techniques that can protect data on physical devices such as hard disks or removable media. One such technique is the Linux Unified Key Setup (LUKS) on-disk format, which allows Linux partitions to be encrypted.
This is what LUKS does:
- The entire block device can be encrypted using LUKS; it is well suited for protecting the data on removable storage media or laptop disk drives
- LUKS uses the existing device mapper kernel subsystem
- It also provides passphrase strengthening, which helps protect against dictionary attacks
This post demonstrates how to create a LUKS-encrypted image file and mount it automatically during boot.
1. Create a directory
# mkdir /var/loopfs
2. Preallocate a space to a file.
# fallocate -l 1G /var/loopfs/Stage
3. Set up a loop device.
# losetup /dev/loop0 /var/loopfs/Stage
4. Initialize a LUKS partition and set the initial passphrase.
# cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
5. Open the LUKS device.
# cryptsetup luksOpen /dev/loop0 Stage
Enter passphrase for /var/loopfs/Stage:
6. Format the device with the XFS filesystem.
# mkfs.xfs /dev/mapper/Stage
7. Write a new key for LUKS to a key file.
# echo "___KEY___" > /root/luks-Stage.key
8. Add the key file to the device.
# cryptsetup luksAddKey /dev/loop0 /root/luks-Stage.key
9. Make an entry in /etc/crypttab.
# echo "Stage /var/loopfs/Stage /root/luks-Stage.key" > /etc/crypttab
10. Add an entry in /etc/fstab.
# vi /etc/fstab
/dev/mapper/Stage /mnt xfs defaults 0 0
11. Reboot the system and verify that the filesystem is mounted.
# df -h /dev/mapper/Stage
1019M 81M 938M 8% /mnt
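The same procedure as a script, added here as an example and not part of the original post: the key file is generated from /dev/urandom with mode 0600 rather than echoed on the command line (which leaves the key in shell history and, under the usual umask, world-readable), crypttab and fstab entries are added only once, and cryptsetup is given the backing file directly so it attaches the loop device itself. It assumes root, cryptsetup and xfsprogs; the helper function names are my own, the names Stage, /var/loopfs and /mnt come from the post.

```shell
#!/bin/sh
# Added example (not from the post): the loop-file LUKS procedure as a
# script, with a 0600 random key file instead of an echoed passphrase
# and idempotent /etc/crypttab and /etc/fstab entries.
# Assumes root, cryptsetup and xfsprogs; helper names are assumptions.
set -eu

NAME="${NAME:-Stage}"
BACKING="${BACKING:-/var/loopfs/$NAME}"
KEYFILE="${KEYFILE:-/root/luks-$NAME.key}"
MOUNTPOINT="${MOUNTPOINT:-/mnt}"
SIZE="${SIZE:-1G}"

# Create a 64-byte random key file readable only by its owner.
make_keyfile() {
    ( umask 077; head -c 64 /dev/urandom > "$1" )
    chmod 0600 "$1"
}

# Succeed only if the key file is owner-read-only (0600 or 0400).
keyfile_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/crypttab line: <name> <backing file> <key file> <options>
crypttab_line() { printf '%s %s %s luks\n' "$1" "$2" "$3"; }
# /etc/fstab line for the mapped device
fstab_line() { printf '/dev/mapper/%s %s xfs defaults 0 0\n' "$1" "$2"; }

# Append a line to a file only if that exact line is not already there.
append_once() { grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"; }

setup() {
    mkdir -p "$(dirname "$BACKING")" "$MOUNTPOINT"
    [ -e "$BACKING" ] || fallocate -l "$SIZE" "$BACKING"
    [ -e "$KEYFILE" ] || make_keyfile "$KEYFILE"
    keyfile_mode_ok "$KEYFILE" || { echo "$KEYFILE must be mode 0600" >&2; exit 1; }
    # cryptsetup attaches a loop device itself when given a regular file
    cryptsetup --batch-mode luksFormat "$BACKING" "$KEYFILE"
    cryptsetup open --key-file "$KEYFILE" "$BACKING" "$NAME"
    mkfs.xfs -q "/dev/mapper/$NAME"
    append_once /etc/crypttab "$(crypttab_line "$NAME" "$BACKING" "$KEYFILE")"
    append_once /etc/fstab "$(fstab_line "$NAME" "$MOUNTPOINT")"
    mount "$MOUNTPOINT"
}
if [ "${1:-}" = "run" ]; then setup; fi
```

Run it as `sh luks-loopfile.sh run` on the target host; after a reboot, `df -h /mnt` should show the mapped device as in step 11.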