Monday 6 June 2011

Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot

In the past two posts, I have explained how to create a primary or logical partition or a logical volume, so you'll need to create one of them and fill it with random data for security reasons, note that this could take quite a while to complete. Since I already have a few logical volumes available, I'll use them. This has the upside of not taking very long as they are fairly small. Let's fill it with random data then:

dd if=/dev/urandom of=/dev/volname/lvol3 bs=1M

Once this is completed, you can create your LUKS partition with the following command:

cryptsetup luksFormat /dev/volname/lvol3 -- you'll get the following output. Just follow the instructions

WARNING!
========
This will overwrite data on /dev/volname/lvol3 irrevocably.

Are you sure? (Type uppercase yes): YES
WARNING!
========
This will overwrite data on /dev/volname/lvol3 irrevocably.
Enter LUKS passphrase:
Verify passphrase:
Make sure that you remember your passphrase, you'll need it soon enough. Now, create the mapping to the encrypted device, logical volume in this case, by issuing the following command:

cryptsetup -vv luksOpen /dev/volname/lvol3 lukslv

You now have an encrypted logical volume called lukslv.

Let's give this badboy a file system:

mkfs.ext4 /dev/mapper/lukslv -L LUKS

Note how I have give it a label (-L LUKS), this is not necessary but can be helpful.

Next stop, /etc/crypttab.

echo "lukslv /dev/volname/lvol3 none" >> /etc/crypttab

will set up this encrypted logical volume at boot time.

You can now add the device to the /etc/fstab file so that it is mounted on boot up.

echo "/dev/mapper/lukslv /encdir ext4 defaults 1 2" >> /etc/fstab

I have created a directory called /encdir to test this.

If you still remember your passphrase, you can reboot now.

init 6

You'll get this prompt when booting up, just enter your passphrase and you are good to go:



2 comments:

  1. Is this a true logical volume since it wasn't created from a volume group?

    ReplyDelete
    Replies
    1. it was created from a volume group, /dev/volname/lvol3 is a volume group, creation details are here http://manyrootsofallevilrants.blogspot.co.uk/2011/06/create-and-remove-physical-volumes.html

      Delete