Encrypt Drives using LUKS on Oracle Linux
Introduction
Oracle Linux includes device mapper crypt (dm-crypt) and the Linux Unified Key Setup (LUKS) to handle encryption on block devices.
In this lab, we'll focus on the front-end tools to encrypt a device using LUKS, which utilizes the dm-crypt module from the device mapper support included with the Linux Kernel.
Objectives
- Install cryptsetup
- Create an encrypted volume
- Mount an encrypted volume
Requirements
A system with an available disk and a fully patched installation of Oracle Linux.
Setup Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
If not already connected, open a terminal and connect via ssh to the ol-node01 instance.
ssh oracle@<ip_address_of_instance>
Verify the block volumes exist.
lsblk -f
The output for the free lab environment shows two block devices: sda, which contains the base OS, and sdb, which this lab uses. Using the -f option displays the file system type (FSTYPE) and the block device's universally unique identifier (UUID).
Install Encryption Packages
If not already available on the system, install the cryptsetup tool.
Check if cryptsetup is installed.
sudo dnf list --installed cryptsetup
If not installed, install cryptsetup.
sudo dnf -y install cryptsetup
Note: The free lab environment already has the cryptsetup tool installed.
Encrypt the Volume with LUKS
LUKS and dm-crypt work on block devices, RAID, LVM physical volumes, and even swap. Once encrypted, the data on these devices is accessible at boot or mount time only with the proper credentials.
The free lab environment provides a pre-partitioned disk /dev/sdb1 for this step.
Encrypt the disk.
sudo cryptsetup -y -v luksFormat /dev/sdb1
Enter YES to proceed and provide the passphrase twice. The passphrase must contain:
- minimum of 8 characters
- 1 digit
- 1 uppercase letter
- 1 special character
- non-dictionary based word
Important: Be sure to remember the passphrase typed as it will be used later.
Example Output:
[oracle@ol-node01 ~]$ sudo cryptsetup -y -v luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
Key slot 0 created.
Command successful.
Open the encrypted volume.
This step requires a target name for the mapped device, which can be anything. We'll use mysecrets.
sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets
Enter the same passphrase created in the previous step when requested.
Example Output:
[oracle@ol-node01 ~]$ sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets
Enter passphrase for /dev/sdb1:
Key slot 0 unlocked.
Command successful.
Check the block devices again.
lsblk -f
The device /dev/sdb1 now displays the FSTYPE as crypto_LUKS and shows the encrypted volume's device mapping, mysecrets.
Format the Encrypted Volume
Before adding data to the encrypted volume, it needs to be formatted. You can choose different file systems such as xfs, ext3, ext4, etc.
Create a filesystem.
sudo mkfs.xfs /dev/mapper/mysecrets
Mount the Encrypted Volume
Create a mount point.
sudo mkdir -p /u01/my_secret_storage
Mount the volume.
sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage
The output shows an SELinux warning.
Example Output:
[oracle@ol-node01 ~]$ sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage/
mount: /u01/my_secret_storage does not contain SELinux labels.
       You just mounted an file system that supports labels which does not
       contain labels, onto an SELinux box. It is likely that confined
       applications will generate AVC messages and not be allowed access to
       this file system.  For more details see restorecon(8) and mount(8).
mount: /dev/mapper/mysecrets mounted on /u01/my_secret_storage.
This requires relabeling the mount point's SELinux security context.
sudo restorecon -vvRF /u01/my_secret_storage
Run the mount command again.
sudo mount -v -o remount /u01/my_secret_storage
Display the mounted volume.
lsblk
Example Output:
[oracle@ol-node01 ~]$ lsblk
NAME                MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                   8:0    0 46.6G  0 disk
|-sda1                8:1    0  100M  0 part  /boot/efi
|-sda2                8:2    0    1G  0 part  /boot
`-sda3                8:3    0 45.5G  0 part
  |-ocivolume-root  252:0    0 35.5G  0 lvm   /
  `-ocivolume-oled  252:1    0   10G  0 lvm   /var/oled
sdb                   8:16   0   50G  0 disk
`-sdb1                8:17   0    2G  0 part
  `-mysecrets       252:2    0    2G  0 crypt /u01/my_secret_storage
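The Encrypt, Format and Mount sections above are one sequence of commands. The following script is an added example, not part of the Oracle lab, that wraps that same sequence with the preflight checks a practitioner wants before a device is irrevocably overwritten: the target must be a block device that carries no filesystem signature and is not mounted, and a candidate passphrase can be checked against the policy the lab states before it is typed at the luksFormat prompt. The function names, the --run flag and the sample lsblk lines in the comments are assumptions of this example; the defaults (/dev/sdb1, mysecrets, /u01/my_secret_storage) match the lab.

```shell
#!/bin/sh
# Added example (not the Oracle lab's own code): the lab's luksFormat ->
# luksOpen -> mkfs.xfs -> mount -> restorecon sequence with preflight checks.

# Check a candidate passphrase against the policy the lab states: at least
# 8 characters, one digit, one uppercase letter, one special character.
# The non-dictionary rule is left to cryptsetup's own pwquality check.
passphrase_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Decide whether a partition is a blank target. Reads the output of
# "lsblk -n -l -o NAME,FSTYPE,MOUNTPOINT" on stdin (list form, so no tree
# glyphs) and succeeds only if the named device is listed with neither a
# filesystem signature nor a mount point. Taking the text on stdin lets the
# check run on captured output without root, e.g. a constructed line
# "sdb1 crypto_LUKS" is rejected while a bare "sdb1" line is accepted.
device_is_blank() {
    awk -v want="$1" '
        $1 == want { found = 1; if (NF > 1) busy = 1 }
        END { exit ((found && !busy) ? 0 : 1) }'
}

# The lab sequence itself. luksFormat still prompts for YES and for the
# passphrase, so this remains interactive by design.
encrypt_and_mount() {
    dev=${1:-/dev/sdb1}
    name=${2:-mysecrets}
    mnt=${3:-/u01/my_secret_storage}
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    lsblk -n -l -o NAME,FSTYPE,MOUNTPOINT | device_is_blank "$(basename "$dev")" \
        || { echo "refusing: $dev carries a signature or is mounted" >&2; return 1; }
    sudo cryptsetup -y -v luksFormat "$dev"        || return 1
    sudo cryptsetup -v luksOpen "$dev" "$name"     || return 1
    sudo mkfs.xfs "/dev/mapper/$name"              || return 1
    sudo mkdir -p "$mnt"                           || return 1
    sudo mount -v "/dev/mapper/$name" "$mnt"       || return 1
    # Give the freshly created filesystem SELinux labels, then remount.
    sudo restorecon -vvRF "$mnt"
    sudo mount -v -o remount "$mnt"
}

# Usage: sh luks-lab.sh --run [device] [mapping-name] [mount-point]
if [ "${1:-}" = "--run" ]; then
    encrypt_and_mount "$2" "$3" "$4"
fi
```

Without --run the script only defines the functions, so the passphrase and target checks can be sourced and exercised on their own; the luksFormat step is never reached unless the blank-target check has passed.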
Display LUKS Volume Details
View the LUKS header, data segment, key slots, and version information.
Dump LUKS details.
sudo cryptsetup luksDump /dev/sdb1
Example Output:
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           4ccea398-5864-45a9-b274-173c8ebc3356
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  10
        Memory:     1048576
        Threads:    4
        Salt:       ee d2 c7 5b 05 43 0f 0a 12 60 da b5 87 19 4a 6f
                    06 57 a2 31 b1 dd bb 60 74 53 95 b2 ca 2f ad 4b
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 243628
        Salt:       89 6c 8b aa 37 af 58 e9 26 49 c5 e5 db 2d 54 ea
                    f8 7a c2 89 0e ab ed 48 74 a5 23 d7 b0 e6 9c 87
        Digest:     4a 2b 25 76 c5 85 1a 6c a9 28 0c ee d0 c7 76 eb
                    e1 4c ee 9c 5b 9a e2 d0 95 6e 1f 6e bb 1b 03 d1
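The luksDump output is what a defender audits after provisioning: the header version, the cipher and key size on each key slot, the PBKDF in use, and how many key slots are populated (each populated slot is an independent credential that unlocks the volume, so the count should match the passphrases you knowingly enrolled). The following script is an added example, not part of the Oracle lab, that reads a luksDump on stdin and reports those properties; it passes only for a LUKS2 header whose slots all use an Argon2 PBKDF, aes-xts-plain64 and a 512-bit key (256-bit AES in XTS mode). The audit_luks_header name, the --demo flag and the two sample dumps are assumptions of this example; the first sample is trimmed from the lab's own output above, the second is constructed to show a second key slot converted to pbkdf2.

```shell
#!/bin/sh
# Added example (not the Oracle lab's own code): audit "cryptsetup luksDump"
# output read from stdin, so it runs on captured text without root.
audit_luks_header() {
    awk '
        /^Version:/             { version = $2 }
        /^Keyslots:/            { in_slots = 1; next }
        /^(Tokens|Digests):/    { in_slots = 0 }
        # "  0: luks2" opens a key slot entry; count every populated slot
        in_slots && $1 ~ /^[0-9]+:$/                          { slots++ }
        in_slots && $1 == "PBKDF:"  && $2 !~ /^argon2/        { weak++ }
        in_slots && $1 == "Cipher:" && $2 != "aes-xts-plain64" { weak++ }
        in_slots && $1 == "Key:"    && $2 + 0 < 512            { weak++ }
        END {
            printf "version=%s keyslots=%d weak=%d\n", version, slots, weak
            exit ((version == 2 && slots >= 1 && weak == 0) ? 0 : 1)
        }'
}

# Constructed sample 1: the lab header, trimmed to the lines the audit reads.
SAMPLE_LAB_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           4ccea398-5864-45a9-b274-173c8ebc3356

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  10
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 243628'

# Constructed sample 2: a second key slot whose PBKDF was changed to pbkdf2
# (the shape luksConvertKey --pbkdf pbkdf2 produces); the audit flags it.
SAMPLE_WEAK_DUMP='LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Live usage: sudo cryptsetup luksDump /dev/sdb1 | audit_luks_header
# Demo on the constructed samples: sh luks-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LAB_DUMP"  | audit_luks_header
    printf '%s\n' "$SAMPLE_WEAK_DUMP" | audit_luks_header
fi
```

The Digests section also lists a pbkdf2 entry in a healthy LUKS2 header; that is the header digest, not a key slot, which is why the audit stops counting at the Tokens and Digests lines and only judges the PBKDF lines inside the Keyslots section.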
For additional information see the cryptsetup(8) manual page, Oracle Documentation or the upstream FAQ.
For More Information
See other related resources: