Encrypting your partitions on RHEL after installation

Release: RHEL 5, RHEL 6

Problem: Encrypting your partitions on RHEL after installation

Solution:
LUKS:

With modern versions of cryptsetup (i.e., since ~2006), encrypted block devices
can be created in two main formats: plain dm-crypt format or the extended LUKS
(Linux Unified Key Setup-on-disk-format) format. LUKS provides a standard
on-disk format for hard disk encryption, which facilitates compatibility among
Linux distributions and provides secure management of multiple user passwords.
In contrast to previous Linux disk-encryption solutions, LUKS stores all
necessary setup information in the partition header, enabling the user to more
easily transport or migrate their data.
What LUKS does:

LUKS encrypts entire block devices and is therefore well-suited for protecting
the contents of mobile devices such as removable storage media or laptop disk
drives.

The underlying contents of the encrypted block device are arbitrary. This makes
it useful for encrypting swap devices. It can also be useful with certain
databases that use specially formatted block devices for data storage.

+ LUKS uses the existing device-mapper kernel subsystem.
+ LUKS provides passphrase strengthening, which protects against dictionary
  attacks.
+ LUKS devices contain multiple key slots, allowing users to add backup
  keys/passphrases.
- LUKS is not well-suited for applications requiring many (more than eight)
  users to have distinct access keys to the same device.
- LUKS is not suited for applications requiring file-level encryption.
dm-crypt and cryptsetup:

Device-mapper is a part of the Linux kernel that provides a generic way to
create virtual layers of block devices, most commonly LVM logical volumes. The
device-mapper crypt target (dm-crypt) provides transparent encryption of block
devices using the kernel crypto API (supporting ciphers and digest algorithms
via standard kernel modules).
Packages required for LUKS in Red Hat Enterprise Linux 5 & 6:

The main package is called cryptsetup-luks and it depends on
cryptsetup-luks-libs. Both of these packages should be part of any installation
and are therefore available without extra effort. The tools below are only
needed if you still have to create the block device that will be encrypted.

Create the block devices if required:

fdisk/parted
pvcreate
lvcreate
mdadm
Initializing the device:

This is done by filling your device with random data. It is required to
strengthen your encryption: a device that is uniformly random from end to end
does not reveal which blocks actually hold encrypted data. You may use either
of the methods below to write the random data.

Writing from /dev/urandom with dd (as done in the demo that follows) is quite
lengthy but provides you with high-quality random data. If you require a faster
method, use badblocks:

badblocks -c 10240 -s -w -t random -v <device>
Step-by-step demo on dm-crypt:

Create your new partition using fdisk:

[root@lvs1 ~]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x0ff9997a.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): p

Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0ff9997a

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-2610, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +100M

Command (m for help): p

Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0ff9997a

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          14      112423+  83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks
Fill the partition with random data:

[root@lvs1 ~]# dd if=/dev/urandom of=/dev/sdb1
dd: writing to `/dev/sdb1': No space left on device
224848+0 records in
224847+0 records out
115121664 bytes (115 MB) copied, 23.083 s, 5.0 MB/s

The "No space left on device" message is expected here: dd simply ran until it
reached the end of the partition.
Partition initialization:

[root@lvs1 ~]# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Check the status of the encryption:

On an encrypted device:

[root@lvs1 ~]# cryptsetup isLuks /dev/sdb1 && echo Success
Success

On a non-encrypted device:

[root@lvs1 ~]# cryptsetup isLuks /dev/sda1 && echo Success
Device /dev/sda1 is not a valid LUKS device.
Now open your new encrypted device:

First, to get a summary of the encryption that was performed, use the command
below. The cipher mode (cbc-essiv:sha256) and hash spec (sha1) it reports are
the defaults of the cryptsetup shipped with RHEL 5 and 6; newer cryptsetup
releases default to aes-xts-plain64 and sha256, and either can be chosen
explicitly with the --cipher and --hash options of luksFormat. Note also that
only Key Slot 0 is enabled, so a second passphrase (added with luksAddKey) is
your only protection against a forgotten one.

[root@lvs1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      eb 60 b3 82 4a 41 74 c1 e0 0e e3 54 4d 4b 64 8e ee 31 a8 18
MK salt:        1b 3f a8 04 e1 76 78 de c2 da a8 10 86 5e 1e 80
                f1 c2 08 6f 92 99 a3 64 60 ba bb fa 71 3f 6a 19
MK iterations:  44000
UUID:           c09e9489-8c34-4694-947d-d2b24147fcac

Key Slot 0: ENABLED
        Iterations:             176424
        Salt:                   b3 35 b4 e9 d1 8e 63 f7 10 87 14 cb c7 66 7d b9
                                b9 b2 52 63 79 84 d4 0b 73 34 64 ef 7e 25 df 37
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
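To turn such a dump into a quick sanity check, here is an added example (not from the original article) that parses luksDump text and flags the points discussed above: a LUKS1 header, the older cbc-essiv/sha1 defaults, and only one enabled key slot. The function names and the shortened sample dump are my own.

```shell
# Added example, not from the original article: audit the text output of
# "cryptsetup luksDump" for points a reviewer would flag. The dump below is
# constructed from the one shown above, with hex values shortened and only
# two of the eight key slots kept.
LUKS_DUMP='LUKS header information for /dev/sdb1
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      eb 60 b3 82
MK salt:        1b 3f a8 04
MK iterations:  44000
UUID:           c09e9489-8c34-4694-947d-d2b24147fcac
Key Slot 0: ENABLED
        Iterations:             176424
        Salt:                   b3 35 b4 e9
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED'

# Value of a top-level "Field:" line. $1 = dump text, $2 = field name.
# Matching on the prefix keeps values that themselves contain ':' intact.
dump_field() {
    printf '%s\n' "$1" | awk -v f="$2" 'index($0, f ":") == 1 {
        s = substr($0, length(f) + 2); sub(/^[ \t]+/, "", s); print s; exit }'
}

# Number of key slots holding a passphrase (0 to 8).
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Space-separated findings. One enabled slot means a single forgotten
# passphrase makes the data unrecoverable; cbc-essiv and sha1 are the old
# cryptsetup defaults (newer releases default to xts-plain64 and sha256).
audit_luks_dump() {
    f=""
    [ "$(dump_field "$1" Version)" = 1 ] && f="$f luks1-header"
    case $(dump_field "$1" "Cipher mode") in cbc-*) f="$f cbc-essiv-mode" ;; esac
    [ "$(dump_field "$1" "Hash spec")" = sha1 ] && f="$f sha1-hash"
    [ "$(enabled_slots "$1")" -eq 1 ] && f="$f single-key-slot"
    printf '%s\n' "${f# }"
}
```

On a live system, feed it the real output: audit_luks_dump "$(cryptsetup luksDump /dev/sdb1)".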
Create a mapping for device access:

To access your device's decrypted content you need to use the device mapper
(dm). To create the mapping, i.e. /dev/mapper/<name> representing this device,
use the command below:

[root@lvs1 ~]# cryptsetup luksOpen /dev/sdb1 secure
Enter passphrase for /dev/sdb1:

It will ask for the passphrase which you have already given in the previous
step. Input the same. Check that the device file was created under /dev/mapper:

[root@lvs1 ~]# ls -l /dev/mapper | grep secure
lrwxrwxrwx. 1 root root 7 Sep 19 06:43 secure -> ../dm-2

If you need more information, use the command below:

[root@lvs1 ~]# dmsetup info /dev/mapper/secure
Name:              secure
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      253, 2
Number of targets: 1
UUID: CRYPT-LUKS1-c09e94898c344694947dd2b24147fcac-secure
Create filesystem:

To create the filesystem, use the command below:

[root@lvs1 ~]# mkfs.ext3 /dev/mapper/secure
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
27664 inodes, 110372 blocks
5518 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
14 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
Editing /etc/crypttab:

The /etc/crypttab file describes encrypted block devices that are set up
during system boot.

Empty lines and lines starting with the # character are ignored. Each of the
remaining lines describes one encrypted block device; fields on the line are
delimited by white space. The first two fields are mandatory, the remaining two
are optional.

The first field contains the name of the resulting encrypted block device; the
device is set up at /dev/mapper/name. The second field contains a path to the
underlying block device. If the block device contains a LUKS signature, it is
opened as a LUKS encrypted partition; otherwise it is assumed to be a raw
dm-crypt partition.

The third field specifies the encryption password. If the field is not present
or the password is set to none, the password has to be manually entered during
system boot. Otherwise the field is interpreted as a path to a file containing
the encryption password. For swap encryption /dev/urandom can be used as the
password file; using /dev/random may prevent boot completion if the system does
not have enough entropy to generate a truly random encryption key.

In order for the system to set up a mapping for the device, an entry must be
present in the /etc/crypttab file. If the file doesn't exist, create it, change
the owner and group to root (root:root) and change the mode to 0744. Add a line
to the file with the following format:

<name> <device> none|<path/to/the/key-file/if/any>

In our case we add the line below:

[root@lvs1 ~]# vi /etc/crypttab
secure UUID=c09e9489-8c34-4694-947d-d2b24147fcac

Note: You may use the blkid command to get the UUID of the device, e.g.
blkid /dev/sdb1.
Manually mounting the partition:

[root@lvs1 ~]# mkdir /secure
[root@lvs1 ~]# mount /dev/mapper/secure /secure/
[root@lvs1 ~]# mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/secret on /secret type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
Adding an entry to /etc/fstab:

Append the entry below to your existing /etc/fstab, using the mapper name and
filesystem type you created above (secure and ext3 in this demo):

/dev/mapper/secure /secure ext3 defaults 0 0

During booting you may be shown a prompt for the passphrase. Provide the
passphrase to mount the partition at boot time. We are done with our
encryption.
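The crypttab format described above and the fstab entry just added have to agree before the reboot. The added example below (not from the original article; file contents and function names are constructed) parses both files as described and reports an fstab mapper device with no crypttab entry (like the /dev/mapper/secret that appears in the mount listing above while crypttab names the device secure) and a /dev/urandom-keyed device mounted as a filesystem rather than swap.

```shell
# Added example, not from the original article: cross-check /etc/crypttab
# against /etc/fstab before rebooting. The two files below are constructed
# samples written to a temp dir; on a real host point the functions at
# /etc/crypttab and /etc/fstab instead.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/crypttab" <<'EOF'
# name      device                                     password      options
secure      UUID=c09e9489-8c34-4694-947d-d2b24147fcac
cryptswap   /dev/sdb2                                  /dev/urandom  swap
scratch     /dev/sdb3                                  /dev/urandom
EOF
cat > "$TMP/fstab" <<'EOF'
/dev/mapper/secret    /secret   ext4  defaults  0 0
/dev/mapper/cryptswap none      swap  defaults  0 0
/dev/mapper/scratch   /scratch  ext3  defaults  0 0
EOF

# Print "name device password" per crypttab entry, skipping comments and blank
# lines; a missing or "none" third field becomes "prompt" (asked for at boot).
crypttab_entries() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         { pw = (NF >= 3 && $3 != "none") ? $3 : "prompt"; print $1, $2, pw }' "$1"
}

# Report fstab lines that mount a /dev/mapper device without a crypttab entry
# (the mapping is never created, so the mount fails at boot), and devices keyed
# from /dev/urandom that are mounted as a filesystem rather than swap (a fresh
# random key on every boot makes the previous contents unreadable).
check_crypt_fstab() {
    crypttab_entries "$1" > "$TMP/entries"
    awk 'FILENAME == ARGV[1] { pw[$1] = $3; next }
         /^[ \t]*#/ || NF == 0 { next }
         $1 ~ /^\/dev\/mapper\// {
             name = substr($1, 13)
             if (!(name in pw))
                 print "no crypttab entry for " $1
             else if (pw[name] == "/dev/urandom" && $3 != "swap")
                 print "random key on non-swap mount: " $1
         }' "$TMP/entries" "$2"
}

check_crypt_fstab "$TMP/crypttab" "$TMP/fstab"
```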