RHEL7: Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.
Last updated on (39,794 views) – CertDepot — 4 Comments ↓
Install the LUKS package (if it’s not already installed):
# yum install -y cryptsetup
Activate LUKS module:
# modprobe dm_crypt
Check the module is running:
# lsmod | grep dm_crypt dm_crypt 12894 0 dm_mod 82839 9 dm_crypt,dm_mirror,dm_log
Create a logical volume (here called lv_vol with a size of 100MB in the vg volume group):
# lvcreate --size 100M --name lv_vol vg
Convert the new logical volume to the LUKS format:
# cryptsetup luksFormat /dev/vg/lv_vol WARNING! ======== This will overwrite data on /dev/vg/lv_vol irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase:MyPassphraseVerify passphrase:MyPassphrase
Open and give a name to the LUKS logical volume (here vol):
# cryptsetup luksOpen /dev/vg/lv_vol vol Enter passphrase for /dev/vg/lv_vol:MyPassphrase
Create an EXT4 file system on the LUKS logical volume:
# mkfs.ext4 /dev/mapper/vol
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=33685504
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Create the /etc/crypttab file and add the following line:
vol /dev/vg/lv_vol /root/luks.key
Note: if you put ‘none‘ instead of ‘/root/luks.key‘, you will be asked for the passphrase at each boot at the console. Since RHEL 7.5, there is now another solution called Network-Bound Disk Encryption (see here and here for details).
Create the /root/luks.key file for example to store the passphrase:
MyPassphrase
Add the passphrase to the LUKS logical volume:
# cryptsetup luksAddKey /dev/vg/lv_vol /root/luks.key Enter any passphrase:MyPassphrase
Edit the /etc/fstab file and add the following line (be careful when editing the /etc/fstab file or configure a virtual console):
/dev/mapper/vol /vol ext4 defaults 1 2
Note: A best practice is to execute the mount -a command, each time you change something in the /etc/fstab file to detect any boot problem before it occurs.
Create the mount point:
# mkdir /vol
Mount the LUKS logical volume:
# mount /vol
Note: To remove a LUKS file system, go to the page dealing with LUKS usage.