Encrypting drives using LUKS
As a system administrator, you can encrypt a block device. This section gives a brief introduction to block encryption, describes Linux Unified Key Setup (LUKS), and lists the steps to create an encrypted block device.
Block device encryption protects the data on a block device by encrypting it. To access the device’s decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing operating system security mechanisms as it protects the device’s contents even if it has been physically removed from the system.
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a
passphrase/key management policy.
LUKS uses the kernel device mapper subsystem with the
dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the
cryptsetup utility to perform user-level operations such as creating and accessing encrypted devices.
- What LUKS does
LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting
swapdevices. This can also be useful with certain databases that use specially formatted block devices for data storage.
LUKS uses the existing device mapper kernel subsystem.
LUKS provides passphrase strengthening which protects against dictionary attacks.
LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
- What LUKS does not do
LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
LUKS is not well-suited for applications requiring file-level encryption.
This procedure describes the steps to create and configure encrypted block devices after installation.
# dnf install cryptsetup-luks
Create the block devices you want to encrypt using
Optionally, fill the device, for example,
/dev/sda3with random data before encrypting it as this increases the strength of encryption.
Filling the device with random data increases the time necessary for encryption.
The commands below destroy any existing data on the device.
To fill the device with high-quality random data:
dd if=/dev/urandom of=<device>
This takes several minutes per gigabyte on most systems.
To fill the device with lower-quality random data:
badblocks -c 10240 -s -w -t random -v <device>
This is quicker compared to the high-quality random data method.
Format the device:
# cryptsetup luksFormat <device>
WARNING! ======== This will overwrite data on <device> (for example, /dev/xvdc) irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
This command initializes the volume, and sets an initial key or passphrase.
The passphrase is not recoverable so do not forget it.
To verify the formatting:
# cryptsetup isLuks <device> && echo Success
To see a summary of the encryption information for the device:
# cryptsetup luksDump <device>
To access a decrypted content on a device, you need to create a mapping using the kernel
LUKS provides a UUID (Universally Unique Identifier) for each device. This UUID is guranteed to remain the same as long as the LUKS header remains intact. To find a LUKS UUID for the device, run the following command:
# cryptsetup luksUUID <device>
An example of a reliable, informative and unique mapping name would be
<uuid> is replaced with the LUKS UUID for the device (for example, luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8).
Create a mapping to access the decrypted contents on the device:
# cryptsetup luksOpen <device> <name>
You are prompted to enter the passphrase for the device. Once you have authenticated, you can see the mapping
/dev/mapper/<name>which represents the decrypted device. You can read from and write to this device like you would any other unencrypted block device.
To see the status of the mapping:
# cryptsetup -v status <name>
/dev/mapper/<name> is active. type: LUKS1 cipher: aes-cbc-essiv:sha256 keysize: 256 bits device: /dev/xvdc offset: 4096 sectors size: 419426304 sectors mode: read/write Command successful.
After Step 3: Creating mapping to allow access to a decrypted content, you can now use the mapped device node
/dev/mapper/<name> like any other block device.
To create an
ext2filesystem on the mapped device:
# mke2fs /dev/mapper/<name>
To mount this file system:
# mkdir /mnt/test/ # mount /dev/mapper/<name> /mnt/test
In order for a system to setup mapping to a device, add a corresponding entry in the
If your system does not have the
/etc/crypttabfile, create a new file and change the owner and group to
# touch /etc/crypttab # chmod 0744
To identify the correct device in case the device name changes, add:
<name> <device> none
<device>field should be given in the form
<luks_uuid>is the LUKS UUID.
To ensure a persistent mapping between the device and the mount point, add the entry in the