Setting up and managing encrypted partitions
8:18 PM
Encryption of data on volumes (whole disks
or partitions) is nothing new. Past versions of Linux required the
administrator and users to jump through hoops to implement. With Red Hat
5, encrypting volumes is simple and straightforeward. The cryptsetup
command performs all the required tasks of initializing a encrypted
volume, managing the keys necessary to access the volume, and opening
& closing encrypted volumes for use.
When initializing a volume, you specify the backing volume device file. This can be a whole disk (eg. /dev/sda), a disk partition (eg. /dev/hda5) or a LVM volume (eg. /dev/VolGroup01/lvol02.) During this phase, you will be prompted to enter a password unless you provided a key file on the command line. You should follow the guidelines for good password selection (at least 10 characters, composed of mixed-case letters, numbers and special characters like $%*@(:.) The following example initializes the /dev/hdb1 partition as a LUKS-enabled encrypted volume. Since a key file was not specified, it prompts for a password.
Initializing a volume will leave that volume in an open state.
Once a volume is no longer in use, it should be closed. Before
closing the volume, all services should be stopped that use files stored
on the volume and the file system should be unmounted. After that, use
the luksClose option to cryptsetup to close the
volume, which removes the key from the kernel structures. In the
following example, the /dev/mapper/CRYPT volume is mounted to /mnt/one:
Another option is the luksDump, which displays the LUKS header:
LUKS headers have 8 slots to hold keys. During initialization, slot 0
is used. After initialization, additional keys can be added with the luksAddKey option to cryptsetup. When adding a key, you must use an existing key to unlock the volume header, as this example shows:
The new key has now been added and doing a luksDump on the volume shows two key slots occupied:
Background
Encrypted volumes build upon the device-mapper package in Linux. A partition, disk or LVM volume is first initialized. This initialization involves writing a special header at the beginning of the volume and assigning a key that is used to encrypt and decrypt the data. Once initialized, the volume is opened. Opening a volume involves specifying the volume and a name device-mapper system should use when mapping the volume to a device file. The key used to encrypt and decrypt the data is used during the opening process. Once a volume is opened and assigned a device file, it can be used like any other volume (formatted and mounted for use.)Requirements & Installation
The system must be running Red Hat 5. The following packages must be installed:- libgpg-error
- libgcrypt
- device-mapper
- cryptsetup-luks
Initializing Volumes
Initializing a volume prepares it to hold encrypted data. This process is destructive to the underlying volume meaning any existing data will be destroyed. During initialization, a key needs to be provided. This can be a password typed in by the user initializing the volume or it can be a non-zero length file containing arbitrary data. Regardless of which is used, it must be recorded. Loss of the password or key file will result in being unable to decrypt the data. To guard against key loss, multiple keys can be used if the volume is initialized with LUKS key management.When initializing a volume, you specify the backing volume device file. This can be a whole disk (eg. /dev/sda), a disk partition (eg. /dev/hda5) or a LVM volume (eg. /dev/VolGroup01/lvol02.) During this phase, you will be prompted to enter a password unless you provided a key file on the command line. You should follow the guidelines for good password selection (at least 10 characters, composed of mixed-case letters, numbers and special characters like $%*@(:.) The following example initializes the /dev/hdb1 partition as a LUKS-enabled encrypted volume. Since a key file was not specified, it prompts for a password.
[root@mars ~]# cryptsetup luksFormat /dev/hdb1 WARNING! ======== This will overwrite data on /dev/hdb1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
Opening & Closing Volumes
Until an encrypted volume is opened, it cannot be used. The same cryptsetup command is used to open volumes. You provide the encrypted volume device file and supply a name to be used as the device-mapper device file name. If the volume was encrypted with a key file, you can specify it on the command line, otherwise, it will prompt you to enter a password. In the following example, cryptsetup opens the /dev/hdb1 encrypted volume and assigns the opened volume to the name CRYPT, which is manifested as the /dev/mapper/CRYPT device file:[root@mars ~]# cryptsetup luksOpen /dev/hdb1 CRYPT Enter LUKS passphrase: key slot 0 unlocked. Command successful. root@mars ~]# ls -l /dev/mapper/ total 0 crw------- 1 root root 10, 63 Sep 10 05:19 control brw-rw---- 1 root disk 253, 0 Sep 17 13:29 CRYPT
[root@mars ~]# umount /mnt/one [root@mars ~]# cryptsetup luksClose /dev/mapper/CRYPT
Mounting and Unmounting Volumes
If you successfully opened an encrypted volume, you'll have a new device file in /dev/mapper that you can use like any other storage. You can create any file system on it, mount it and use it like any other, as the following examples show:[root@mars ~]# mke2fs -j -L Encrypted /dev/mapper/CRYPT mke2fs 1.39 (29-May-2006) Filesystem label=Encrypted OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 1664640 inodes, 3323310 blocks 166165 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=3405774848 102 block groups 32768 blocks per group, 32768 fragments per group 16320 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208 Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 39 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. [root@mars ~]# mount /dev/mapper/CRYPT /mnt/one [root@mars ~]# cd /mnt/one [root@mars one]# ls -la total 28 drwxr-xr-x 3 root root 4096 Sep 16 07:04 . drwxr-xr-x 4 root root 4096 Aug 28 06:35 .. drwx------ 2 root root 16384 Sep 16 07:04 lost+found
Encrypted Volume Management
Encrypted volumes require no special handling other than opening the volume before use and closing the volume after it has been unmounted. The cryptsetup command has some additional options that may prove useful when working with encrypted volumes. The first is the isLuks option:[root@mars ~]# cryptsetup isLuks /dev/hdb1 [root@mars ~]# echo $? 0 [root@mars ~]# cryptsetup isLuks /dev/hda1 /dev/hda1 is not a LUKS partition [root@mars ~]# echo $? 234
[root@mars ~]# cryptsetup luksDump /dev/hdb1
LUKS header information for /dev/hdb1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: ab 98 5a 8d 5a ec 2b eb 77 b7 38 f3 b0 19 a5 48 ac 69 0d 55
MK salt: b4 22 20 de c8 38 6a 7c 1b 97 11 35 29 48 f4 72
fb 34 45 7f ea f6 0b 22 28 67 41 2a 44 b7 73 03
MK iterations: 10
UUID: c66b9ec7-149a-45bf-b4b8-d0592908ad24
Key Slot 0: ENABLED
Iterations: 53092
Salt: 05 de 62 70 c8 50 2a cb 1c f6 88 b1 8d 93 4c 43
f5 95 80 50 9a d1 cd e7 55 cd 20 68 29 fa 76 82
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Key Management
There are two types of encrypted volumes supported by the cryptsetup command, LUKS and non-LUKS. The primary difference is LUKS allows for multiple keys to be used to encrypt and decrypt the data while the non-LUKS uses a single key which, if lost, means you cannot recover the data. It is lost forever unless it was backed up while mounted.
Security Notice
Under NO circumstances should a password or key file
ever be stored on the server with the encrypted volume. This would be
like locking your car, then leaving the keys on the hood of the car.
[root@mars ~]# cryptsetup luksAddKey /dev/hdb1 Enter any LUKS passphrase: Verify passphrase: key slot 0 unlocked. Enter new passphrase for key slot: Verify passphrase: Command successful.
[root@mars ~]# cryptsetup luksDump /dev/hdb1
LUKS header information for /dev/hdb1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: ab 98 5a 8d 5a ec 2b eb 77 b7 38 f3 b0 19 a5 48 ac 69 0d 55
MK salt: b4 22 20 de c8 38 6a 7c 1b 97 11 35 29 48 f4 72
fb 34 45 7f ea f6 0b 22 28 67 41 2a 44 b7 73 03
MK iterations: 10
UUID: c66b9ec7-149a-45bf-b4b8-d0592908ad24
Key Slot 0: ENABLED
Iterations: 53092
Salt: 05 de 62 70 c8 50 2a cb 1c f6 88 b1 8d 93 4c 43
f5 95 80 50 9a d1 cd e7 55 cd 20 68 29 fa 76 82
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 53076
Salt: 19 81 e7 87 05 05 65 1b 73 39 ed 36 ff fe f1 bb
62 cd e4 74 8d 33 d4 88 f0 a4 7e ad 3c fd e4 d9
Key material offset: 136
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
0 comments