15 managing disk - understanding encrypted LUKS partitions / dmsetup status / swapon -s



1. on device level you use fdisk to create a partition
2. once you created a partition, you use cryptsetup luksFormat\ to create encryption layer
3. after creation of encryption layer, you need to open a device cryptsetup luksOpen\ 
3.1. it creates a devices /dev/mapper/secret and brings to luks level
4. mkfs should be done on /dev/mapper/secretedevicename instead of on /dev/sdb1
5. mount /dev/mapper/secret and put your files there

check if there are any encrypted LUKS partitions

[root@svn ~]# blkid
/dev/sda1: UUID="6e3708b2-09ea-43f3-b0f0-9b43a157b3b1" TYPE="xfs" 
/dev/sda2: UUID="98h644-2gqM-2SsL-q0lA-qUEE-Ivz8-TUZULc" TYPE="LVM2_member" 
/dev/sdb1: LABEL="myfs" UUID="05dbcff3-e639-40cb-bbe7-0da595186f1a" TYPE="xfs" 
/dev/sr0: UUID="2016-12-05-13-52-39-00" LABEL="CentOS 7 x86_64" TYPE="iso9660" PTTYPE="dos" 
/dev/mapper/cl-root: UUID="da05cdf9-1418-4e5a-80d7-7757ab1b9a9d" TYPE="xfs" 
/dev/mapper/cl-swap: UUID="8ac067b9-d1e7-4180-9a2f-2a3a929362f4" TYPE="swap" 
[root@svn ~]# dmsetup status
cl-swap: 0 4194304 linear 
cl-root: 0 35643392 linear 
--------------
ubuntu-home: 0 195305472 linear 
ubuntu-swap_1: 0 8364032 linear 
sda5_crypt: 0 624637944 crypt 
ubuntu-root: 0 48824320 linear
The line marked "crypt" shows that sda5 has been encrypted. You can see which filesystems are on that via the lvm tools.
#check real device name of swap
[root@svn ~]# swapon -s
Filename Type Size Used Priority
/dev/dm-1                               partition 2097148 3124 -1
[root@svn ~]# 

If the partition is not encrypted, and assuming that you are NOT trying to encrypt the / partition, you have to:
  • Make a backup of the data on that partition
  • Initialize the partition as encrypted
    $ cryptsetup luksFormat /dev/sdb1
    
BEWARE: this command will wipe all the contents of the partition!!! It will ask you for a passphrase to open the volume; now if you try to run blkid, the output should be TYPE="crypto_LUKS"
  • Open the encrypted partition to use it
    $ cryptsetup luksOpen /dev/sdb1 secret
    
where "secret" is the name of the volume we are opening
  • Format the new "secret" volume
    $ mkfs.ext4 /dev/mapper/secret
    
  • Mount it providing the passphrase created before
    $ mount /dev/mapper/secret /whereyouwant
    
    Now you should be able to use the encrypted partition!
Optionally, if you want to mount it at reboot, you should edit /etc/crypttab and insert a line similar to this (it will request the password at boot):
secret /dev/sdb1 none
Where secret is the name of the volume we created before.
Or something like this, if you want to put your password in some plain text file:
secret /dev/sdb1 /whereyouwant-sdb1-luks-pwdfile
Just keep in mind for this, you also have to add the key:
$ cryptsetup luksAddKey /dev/sdb1 /whereyouwant-sdb1-luks-pwdfile
And edit the /etc/fstab and insert a line similar to this:
/dev/mapper/secret /whereyouwant ext4 defaults 1 2


Comments

Popular posts from this blog

HAproxy logging

teamcity Automatic Agent Start under Linux

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all