LUKS is the reference disk encryption implementation for Linux. It is based on an enhanced version of cryptsetup and uses dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used with LibreCrypt. Disk encryption is always a good idea but sometimes onerous. We will try to make it a little simpler.
Directory services are already running on the server, so it is time to add disk storage. We have an encrypted system disk and multiple data disks. The idea is that after the system disk is unlocked, the operating system unlocks and mounts the other encrypted devices for us. Let's start.
1. find your disk
fdisk -l
2. format and encrypt it – this operation will overwrite the data!
cryptsetup luksFormat /dev/sdb
WARNING!
========
This will overwrite data on /dev/sdb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
3. open and map the partition
cryptsetup luksOpen /dev/sdb storage
4. generate and store the key for automount
dd if=/dev/urandom of=/root/keySDB bs=2048 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.000295845 s, 13.8 MB/s
5. set privileges
chmod 0400 /root/keySDB
6. associate the key file with encrypted device
cryptsetup luksAddKey /dev/sdb /root/keySDB
7. create the filesystem – this operation will overwrite the data!
mkfs.ext4 /dev/mapper/storage
8. create the mountpoint
mkdir /storage
9. add information about encrypted device
vi /etc/fstab
/dev/mapper/storage /storage ext4 defaults 1 2
10. automount
vi /etc/crypttab
storage /dev/sdb /root/keySDB luks
11. mount
mount -a
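A check to run after the steps above, as an added example that is not part of the original post: it reads a crypttab file and flags key files that are missing or accessible to group or others. The function name audit_crypttab is hypothetical, the demo input is constructed, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit key files referenced from a crypttab file.
# audit_crypttab FILE prints one line per entry; returns 0 only if every
# key file exists and has no group/other permission bits.
audit_crypttab() {
    tab=$1
    bad=0
    # crypttab fields: mapping name, device, key file, options
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in
            ''|none|-)
                echo "WARN $name ($dev): no key file, boot will ask for a passphrase"
                continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name ($dev): key file $key is missing"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$key")      # GNU stat, octal mode such as 400
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $name ($dev): $key has mode $mode, group or others can access it"
            bad=1
            continue
        fi
        echo "OK   $name ($dev): $key mode $mode"
    done < "$tab"
    return "$bad"
}

# Constructed demo input in a temporary directory (not the real /etc/crypttab).
demo=$(mktemp -d)
: > "$demo/keySDB"
chmod 0644 "$demo/keySDB"               # deliberately too open
printf 'storage /dev/sdb %s luks\n' "$demo/keySDB" > "$demo/crypttab"
audit_crypttab "$demo/crypttab" || echo "crypttab audit found problems"
rm -rf "$demo"
```

On the real host, run audit_crypttab /etc/crypttab as root. Running cryptsetup luksOpen --test-passphrase --key-file /root/keySDB /dev/sdb additionally confirms that the key file unlocks the device without mapping it.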
Documentation:
RHEL Encryption