Encrypt Drives using LUKS on Oracle Linux

Introduction

Oracle Linux includes device-mapper crypt (dm-crypt), the kernel module that encrypts and decrypts block devices transparently, and the Linux Unified Key Setup (LUKS), the on-disk header format and key-management layer built on top of it.

In this lab, we focus on cryptsetup, the front-end tool used to format, open and inspect a LUKS volume. The encryption itself is done by the dm-crypt target of the device-mapper support included with the Linux kernel.

Objectives

  • Install cryptsetup
  • Create an encrypted volume
  • Mount an encrypted volume

Requirements

A system with an available disk and a fully patched installation of Oracle Linux.

Setup Lab Environment

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

  1. If not already connected, open a terminal and connect via ssh to the ol-node01 instance.

    ssh oracle@<ip_address_of_instance>
  2. Verify the block volumes exist.

    lsblk -f

    In the free lab environment the output shows two block devices: sda, which holds the base OS, and sdb, which this lab uses. The -f option adds the file system type (FSTYPE) and the universally unique identifier (UUID) of each block device.

Install Encryption Packages

  1. If not already available on the system, install the cryptsetup tool.

    Check if cryptsetup is installed.

    sudo dnf list --installed cryptsetup

    If not installed, install cryptsetup.

    sudo dnf -y install cryptsetup

    Note: The free lab environment already has the cryptsetup tool installed.

Encrypt the Volume with LUKS

LUKS and dm-crypt work on any block device, including RAID arrays, LVM physical volumes and swap. Once a device is encrypted, the data on it is accessible at boot or mount time only after the volume has been unlocked with a valid passphrase or key file.

The free lab environment provides a pre-partitioned disk with the partition /dev/sdb1 for this step.

  1. Encrypt the disk.

    sudo cryptsetup -y -v luksFormat /dev/sdb1

    Type YES (in capital letters) to confirm, then enter the passphrase twice. Without a --type option this version of cryptsetup creates a LUKS2 header, which the luksDump output at the end of the lab confirms (Version: 2). cryptsetup checks the passphrase against the system's password-quality policy; for this lab it must contain:

    • a minimum of 8 characters
    • at least 1 digit
    • at least 1 uppercase letter
    • at least 1 special character
    • no dictionary word

    Important: Remember this passphrase. It is the only way to unlock the volume, and it is needed again in the next step.

    Example Output:

    [oracle@ol-node01 ~]$ sudo cryptsetup -y -v luksFormat /dev/sdb1
      
    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.
      
    Are you sure? (Type 'yes' in capital letters): YES
    Enter passphrase for /dev/sdb1: 
    Verify passphrase: 
    Key slot 0 created.
    Command successful.
  2. Open the encrypted volume.

    This step requires a name for the device-mapper target; it can be anything. We'll use mysecrets, which makes the unlocked volume available as /dev/mapper/mysecrets.

    sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets

    Enter the same passphrase created in the previous step when requested.

    Example Output:

    [oracle@ol-node01 ~]$ sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets
    Enter passphrase for /dev/sdb1: 
    Key slot 0 unlocked.
    Command successful.
  3. Check the block devices again.

    lsblk -f

    The device /dev/sdb1 now shows the FSTYPE crypto_LUKS, with the opened mapping mysecrets listed beneath it as a crypt device.

Format the Encrypted Volume

Before data can be written to the encrypted volume, the mapped device /dev/mapper/mysecrets needs a filesystem. Any filesystem the kernel supports works, such as xfs, ext3 or ext4; this lab uses xfs. Note that the filesystem is created on the mapping, never on /dev/sdb1 itself, which now holds the LUKS header and ciphertext.

  1. Create a filesystem.

    sudo mkfs.xfs /dev/mapper/mysecrets

Mount the Encrypted Volume

  1. Create a mount point.

    sudo mkdir -p /u01/my_secret_storage
  2. Mount the volume.

    sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage

    The output includes an SELinux warning:

    Example Output:

    [oracle@ol-node01 ~]$ sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage/
    mount: /u01/my_secret_storage does not contain SELinux labels.
           You just mounted an file system that supports labels which does not
           contain labels, onto an SELinux box. It is likely that confined
           applications will generate AVC messages and not be allowed access to
           this file system.  For more details see restorecon(8) and mount(8).
    mount: /dev/mapper/mysecrets mounted on /u01/my_secret_storage.

    The warning means the freshly created filesystem carries no SELinux labels yet, so confined processes would be denied access to it. Relabel the mount point with its default security context:

    sudo restorecon -vvRF /u01/my_secret_storage

    Then remount the volume; the warning should no longer appear.

    sudo mount -v -o remount /u01/my_secret_storage
  3. Display the mounted volume.

    lsblk

    Example Output:

    [oracle@ol-node01 ~]$ lsblk
    NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                  8:0    0 46.6G  0 disk  
    |-sda1               8:1    0  100M  0 part  /boot/efi
    |-sda2               8:2    0    1G  0 part  /boot
    `-sda3               8:3    0 45.5G  0 part  
      |-ocivolume-root 252:0    0 35.5G  0 lvm   /
      `-ocivolume-oled 252:1    0   10G  0 lvm   /var/oled
    sdb                  8:16   0   50G  0 disk  
    `-sdb1               8:17   0    2G  0 part  
      `-mysecrets      252:2    0    2G  0 crypt /u01/my_secret_storage
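The whole procedure above, from luksFormat to the SELinux relabel, collected into one script as an added example; it is not part of the Oracle lab. It adds two things a practitioner wants that the lab steps leave out: a guard that refuses to format a device that already carries a filesystem, LVM or LUKS signature (luksFormat is irrevocable), and the /etc/crypttab and /etc/fstab lines that make the volume prompt for its passphrase and mount again after a reboot. The function names are my own; the device, mapping name and mount point are the lab's.

```sh
#!/bin/sh
# Provision a LUKS2 volume end to end: refuse to touch a device that already carries a
# signature, luksFormat, open, mkfs.xfs, mount, SELinux relabel, then emit the
# /etc/crypttab and /etc/fstab lines that make the volume come back after a reboot.
# Invoke as root: luks_provision /dev/sdb1 mysecrets /u01/my_secret_storage
set -eu

# crypttab format is "<name> <device> <key file> <options>"; "none" means ask for the
# passphrase on the console at boot. The LUKS UUID (not the filesystem UUID) identifies
# the device, so the entry survives a /dev/sdX rename.
luks_persist_lines() {
    luks_uuid=$1; name=$2; mnt=$3
    printf '%s UUID=%s none luks\n' "$name" "$luks_uuid"
    # nofail: a missing or still-locked volume must not drop the system into emergency mode.
    printf '/dev/mapper/%s %s xfs defaults,nofail 0 0\n' "$name" "$mnt"
}

luks_provision() {
    dev=$1; name=$2; mnt=$3
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # luksFormat overwrites the header irrevocably; stop if lsblk reports any existing
    # filesystem, LVM or LUKS signature instead of relying on the interactive YES prompt.
    sig=$(lsblk -dno FSTYPE "$dev")
    [ -z "$sig" ] || { echo "$dev already has a $sig signature, aborting" >&2; return 1; }
    cryptsetup --type luks2 -y luksFormat "$dev"   # prompts for the passphrase twice
    cryptsetup open --type luks "$dev" "$name"      # same as luksOpen; prompts once
    mkfs.xfs -q "/dev/mapper/$name"                 # filesystem goes on the mapping, not on $dev
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    restorecon -RF "$mnt"                           # label the fresh filesystem for SELinux
    mount -o remount "$mnt"
    # Print (do not blindly append) the persistence lines so they can be reviewed first.
    luks_persist_lines "$(cryptsetup luksUUID "$dev")" "$name" "$mnt"
}

# Clean shutdown of the volume: unmount, then close the mapping so the key leaves the kernel.
luks_teardown() {
    name=$1; mnt=$2
    umount "$mnt"
    cryptsetup close "$name"
}
```

Source the file and call luks_provision as root; append the two printed lines to /etc/crypttab and /etc/fstab respectively once you have checked them. At the next boot systemd asks for the passphrase on the console before mounting /u01/my_secret_storage.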

Display LUKS Volume Details

View the LUKS header, data segment, key slots, and version information.

  1. Dump LUKS details.

    sudo cryptsetup luksDump /dev/sdb1

    Example Output:

    LUKS header information
    Version:       	2
    Epoch:         	3
    Metadata area: 	16384 [bytes]
    Keyslots area: 	16744448 [bytes]
    UUID:          	4ccea398-5864-45a9-b274-173c8ebc3356
    Label:         	(no label)
    Subsystem:     	(no subsystem)
    Flags:       	(no flags)
      
    Data segments:
      0: crypt
    	offset: 16777216 [bytes]
    	length: (whole device)
    	cipher: aes-xts-plain64
    	sector: 512 [bytes]
      
    Keyslots:
      0: luks2
    	Key:        512 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      argon2i
    	Time cost:  10
    	Memory:     1048576
    	Threads:    4
    	Salt:       ee d2 c7 5b 05 43 0f 0a 12 60 da b5 87 19 4a 6f 
    	            06 57 a2 31 b1 dd bb 60 74 53 95 b2 ca 2f ad 4b 
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:32768 [bytes]
    	Area length:258048 [bytes]
    	Digest ID:  0
    Tokens:
    Digests:
      0: pbkdf2
    	Hash:       sha256
    	Iterations: 243628
    	Salt:       89 6c 8b aa 37 af 58 e9 26 49 c5 e5 db 2d 54 ea 
    	            f8 7a c2 89 0e ab ed 48 74 a5 23 d7 b0 e6 9c 87 
    	Digest:     4a 2b 25 76 c5 85 1a 6c a9 28 0c ee d0 c7 76 eb 
    	            e1 4c ee 9c 5b 9a e2 d0 95 6e 1f 6e bb 1b 03 d1 
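The luksDump output above is what an auditor reads to decide whether a volume meets a baseline: a LUKS2 header, an AES-XTS data cipher, Argon2 for every key slot, and no key slots nobody can account for (the Digests section legitimately uses pbkdf2, which must not be confused with the key-slot PBKDF). The following function, an added example that is not part of the Oracle lab, parses that output and checks it against such a policy. The policy values are my assumption; the first sample header is an abbreviated copy of the lab's own output, the second is constructed to show the failure cases.

```sh
# Audit a LUKS header against a baseline policy by parsing `cryptsetup luksDump` output.
# Policy enforced here (an assumption for this example; adjust to your own standard):
#   - LUKS2 header (LUKS1 has no Argon2 and no per-slot PBKDF metadata)
#   - data segment cipher aes-xts-plain64
#   - every key slot uses Argon2 (argon2i, as in the lab output, or argon2id) and a key >= 256 bits
# It also reports the number of key slots, so an unexpected extra slot stands out.
luks_check_policy() {
    awk '
        # Top-level headings such as "Data segments:", "Keyslots:", "Digests:" switch section.
        /^[A-Za-z].*:[ \t]*$/ { section = $0; sub(/[ \t]+$/, "", section); next }
        /^Version:/ { version = $2 }
        section == "Data segments:" && /^[ \t]*cipher:/ {
            if ($2 != "aes-xts-plain64") bad = bad " cipher(" $2 ")" }
        section == "Keyslots:" && /^  [0-9]+: / { slots++ }
        # Only the key-slot PBKDF matters; the "Digests:" section legitimately uses pbkdf2.
        section == "Keyslots:" && /^[ \t]*PBKDF:/ {
            if ($2 !~ /^argon2id?$/) bad = bad " weak-pbkdf(" $2 ")" }
        section == "Keyslots:" && /^[ \t]*Key:/ {
            if ($2 + 0 < 256) bad = bad " short-key(" $2 ")" }
        END {
            if (version != "2") bad = " luks-version(" version ")" bad
            if (slots == 0) bad = bad " no-keyslots"
            printf "version=%s keyslots=%d status=%s%s\n", version, slots, (bad == "" ? "ok" : "FAIL"), bad
            exit (bad == "" ? 0 : 1)
        }'
}

# Abbreviated copy of the luksDump output from the lab (fields the check ignores were dropped).
LAB_HEADER='LUKS header information
Version:        2
UUID:           4ccea398-5864-45a9-b274-173c8ebc3356
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  10
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 243628'

# Constructed header, not from any real device: CBC data cipher, two pbkdf2 slots, one 128-bit key.
WEAK_HEADER='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-cbc-essiv:sha256

Keyslots:
  0: luks2
        Key:        256 bits
        PBKDF:      pbkdf2
        Iterations: 1000
  1: luks2
        Key:        128 bits
        PBKDF:      pbkdf2
        Iterations: 1000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

check_lab_header()  { printf '%s\n' "$LAB_HEADER"  | luks_check_policy; }
check_weak_header() { printf '%s\n' "$WEAK_HEADER" | luks_check_policy; }
```

On a live system run `sudo cryptsetup luksDump /dev/sdb1 | luks_check_policy`; the exit status makes it usable from a compliance script, and the one-line summary records the key-slot count so a slot added outside change control is visible.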

For additional information, see the cryptsetup(8) manual page, the Oracle documentation, or the upstream cryptsetup FAQ.
