Encrypt Drives Using LUKS on Oracle Linux

Introduction

Oracle Linux includes a device mapper crypt (dm-crypt) and the Linux Unified Key Setup (LUKS) to handle encryption on block devices.

In this tutorial, we'll focus on the front-end tools to encrypt a device using LUKS, which utilizes the dm-crypt module from the device mapper support included with the Linux Kernel.

Objectives

In this tutorial, you will learn how to:

  • Install cryptsetup
  • Create an encrypted volume
  • Mount an encrypted volume

Prerequisites

  • Minimum of a single Oracle Linux system

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Access to the Internet
    • A block device attached to the system

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git
  3. Change into the working directory.

    cd linux-virt-labs/ol
  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml
  5. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e add_block_storage=true -e block_count=1

    The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, which is located under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Verify the Block Volumes Exist

  1. Open a terminal and connect via SSH to the ol-node-01 instance.

    ssh oracle@<ip_address_of_instance>
  2. Verify the block volumes are available on the system.

    lsblk

    The command output shows two block devices: sda and sdb.

  3. Create a 2G partition on sdb.

    sudo sfdisk /dev/sdb << EOF
    2048,4194304
    EOF

    Warning: The sfdisk command creates a new partition on sdb while removing any existing partitions. Ensure you back up the drive if it contains any data you want to keep.

Install Encryption Packages

  1. Install the cryptsetup tool.

    Check if cryptsetup is installed.

    sudo dnf list --installed cryptsetup

    If not installed, install cryptsetup.

    sudo dnf -y install cryptsetup

Encrypt the Volume with LUKS

LUKS and dm-crypt work on block devices, RAID, LVM physical volumes, and even swap space. Once encrypted, the data on these devices is accessible only when the proper credentials are supplied at boot or mount time.

  1. Encrypt the disk.

    sudo cryptsetup -y -v luksFormat /dev/sdb1

    Enter YES to proceed and provide the passphrase twice. The passphrase must contain:

    • minimum of 8 characters
    • 1 digit
    • 1 uppercase letter
    • 1 special character
    • non-dictionary based word

    Important: Be sure to remember the passphrase you typed, as you'll use it later.

    Example Output:

    [oracle@ol-node01 ~]$ sudo cryptsetup -y -v luksFormat /dev/sdb1
      
    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.
      
    Are you sure? (Type 'yes' in capital letters): YES
    Enter passphrase for /dev/sdb1: 
    Verify passphrase: 
    Key slot 0 created.
    Command successful.
  2. Open the encrypted volume.

    This step requires a target name, which becomes the device-mapper name under /dev/mapper and can be anything. We'll use mysecrets.

    sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets

    Enter the same passphrase created in the previous step when requested.

    Example Output:

    [oracle@ol-node01 ~]$ sudo cryptsetup -v luksOpen /dev/sdb1 mysecrets
    Enter passphrase for /dev/sdb1: 
    Key slot 0 unlocked.
    Command successful.
  3. Recheck the block devices.

    lsblk -f

    The device /dev/sdb1 now displays the FSTYPE as crypto_LUKS and shows the encrypted device volume's mapping mysecrets.

Format the Encrypted Volume

Before adding data to the encrypted volume, it needs to be formatted with a file system. You can choose from different file systems, such as xfs, ext3, or ext4.

  1. Create a filesystem.

    sudo mkfs.xfs /dev/mapper/mysecrets

Mount the Encrypted Volume

  1. Create a mount point.

    sudo mkdir -p /u01/my_secret_storage
  2. Mount the volume.

    sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage

    The output shows an SELinux warning.

    Example Output:

    [oracle@ol-node01 ~]$ sudo mount -v /dev/mapper/mysecrets /u01/my_secret_storage/
    mount: /u01/my_secret_storage does not contain SELinux labels.
           You just mounted an file system that supports labels which does not
           contain labels, onto an SELinux box. It is likely that confined
           applications will generate AVC messages and not be allowed access to
           this file system. For more details see restorecon(8) and mount(8).
    mount: /dev/mapper/mysecrets mounted on /u01/my_secret_storage.

    This action requires a relabel of the mount point's SELinux security context.

    sudo restorecon -vvRF /u01/my_secret_storage

    Run the mount command again.

    sudo mount -v -o remount /u01/my_secret_storage
  3. Display the mounted volume.

    lsblk

    Example Output:

    [oracle@ol-node01 ~]$ lsblk
    NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                  8:0    0 46.6G  0 disk  
    |-sda1               8:1    0  100M  0 part  /boot/efi
    |-sda2               8:2    0    1G  0 part  /boot
    `-sda3               8:3    0 45.5G  0 part  
      |-ocivolume-root 252:0    0 35.5G  0 lvm   /
      `-ocivolume-oled 252:1    0   10G  0 lvm   /var/oled
    sdb                  8:16   0   50G  0 disk  
    `-sdb1               8:17   0    2G  0 part  
      `-mysecrets      252:2    0    2G  0 crypt /u01/my_secret_storage

Display LUKS Volume Details

View the LUKS header, data segment, key slots, and version information.

  1. Dump LUKS details.

    sudo cryptsetup luksDump /dev/sdb1

    Example Output:

    LUKS header information
    Version:       	2
    Epoch:         	3
    Metadata area: 	16384 [bytes]
    Keyslots area: 	16744448 [bytes]
    UUID:          	4ccea398-5864-45a9-b274-173c8ebc3356
    Label:         	(no label)
    Subsystem:     	(no subsystem)
    Flags:       	(no flags)
      
    Data segments:
      0: crypt
    	offset: 16777216 [bytes]
    	length: (whole device)
    	cipher: aes-xts-plain64
    	sector: 512 [bytes]
      
    Keyslots:
      0: luks2
    	Key:        512 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      argon2i
    	Time cost:  10
    	Memory:     1048576
    	Threads:    4
    	Salt:       ee d2 c7 5b 05 43 0f 0a 12 60 da b5 87 19 4a 6f 
    	            06 57 a2 31 b1 dd bb 60 74 53 95 b2 ca 2f ad 4b 
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:32768 [bytes]
    	Area length:258048 [bytes]
    	Digest ID:  0
    Tokens:
    Digests:
      0: pbkdf2
    	Hash:       sha256
    	Iterations: 243628
    	Salt:       89 6c 8b aa 37 af 58 e9 26 49 c5 e5 db 2d 54 ea 
    	            f8 7a c2 89 0e ab ed 48 74 a5 23 d7 b0 e6 9c 87 
    	Digest:     4a 2b 25 76 c5 85 1a 6c a9 28 0c ee d0 c7 76 eb 
    	            e1 4c ee 9c 5b 9a e2 d0 95 6e 1f 6e bb 1b 03 d1 

    For additional information, see the cryptsetup(8) manual page, the Oracle Documentation, or the upstream FAQ.
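    To make the dumped fields concrete, here is an added example (not part of this tutorial or of cryptsetup) that parses the LUKS2 binary header in Python and verifies its checksum, which cryptsetup does before trusting the JSON metadata; a bad checksum is how corrupted or tampered header metadata is detected, which is also why header backups matter. The layout follows cryptsetup's luks2.h; the sample header is constructed inline with a reduced JSON area carrying the values from the dump above and is not real disk data.

```python
import hashlib
import json
import struct
# LUKS2 binary header layout (cryptsetup luks2.h); every integer is big-endian.
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184x64s3584x"
HDR_LEN = struct.calcsize(HDR_FMT)           # 4096 bytes; the JSON area follows it
CSUM_OFF = 448                               # byte offset of the 64-byte csum field
MAGICS = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # primary and secondary header magic

def parse_luks2_header(blob):
    """Parse one LUKS2 header (binary part + JSON area) and verify its checksum."""
    (magic, version, hdr_size, seqid, _label, csum_alg, _salt, uuid,
     _subsystem, hdr_offset, csum) = struct.unpack_from(HDR_FMT, blob)
    if magic not in MAGICS or version != 2:
        raise ValueError("not a LUKS2 header")
    if len(blob) < hdr_size:
        raise ValueError("truncated header")
    alg = csum_alg.rstrip(b"\0").decode()
    # The checksum covers all hdr_size bytes with the csum field itself zeroed.
    zeroed = blob[:CSUM_OFF] + bytes(64) + blob[CSUM_OFF + 64:hdr_size]
    digest = hashlib.new(alg, zeroed).digest()
    if csum[:len(digest)] != digest or any(csum[len(digest):]):
        raise ValueError("header checksum mismatch: corrupted or tampered metadata")
    meta = json.loads(blob[HDR_LEN:hdr_size].rstrip(b"\0"))
    return {
        "seqid": seqid,                      # shown as "Epoch" by luksDump
        "uuid": uuid.rstrip(b"\0").decode(),
        "hdr_offset": hdr_offset,            # 0 for the primary header copy
        "cipher": meta["segments"]["0"]["encryption"],
        "pbkdf": {k: v["kdf"]["type"] for k, v in meta["keyslots"].items()},
    }

def build_sample_header(hdr_size=16384, tamper=False):
    """Constructed header mirroring the luksDump values above (reduced JSON, not real disk data)."""
    meta = {
        "keyslots": {"0": {"type": "luks2", "key_size": 64, "kdf": {
            "type": "argon2i", "time": 10, "memory": 1048576, "cpus": 4}}},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "encryption": "aes-xts-plain64", "sector_size": 512}},
        "digests": {"0": {"type": "pbkdf2", "hash": "sha256", "iterations": 243628}},
    }
    body = json.dumps(meta).encode().ljust(hdr_size - HDR_LEN, b"\0")
    head = struct.pack(HDR_FMT, MAGICS[0], 2, hdr_size, 3, b"", b"sha256", bytes(64),
                       b"4ccea398-5864-45a9-b274-173c8ebc3356", b"", 0, bytes(64))
    csum = hashlib.sha256(head + body).digest().ljust(64, b"\0")
    blob = head[:CSUM_OFF] + csum + head[CSUM_OFF + 64:] + body
    if tamper:  # flip one byte inside the JSON area, as silent on-disk corruption would
        blob = blob[:HDR_LEN + 10] + bytes([blob[HDR_LEN + 10] ^ 1]) + blob[HDR_LEN + 11:]
    return blob
```

    On a real device the same parser can be fed the first 16384 bytes of /dev/sdb1 (read as root), or a header backup made with cryptsetup luksHeaderBackup, to confirm the header has not been altered.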

Next Steps

You should now be able to encrypt a disk partition and mount it on your system. Check out our other storage management content on the Oracle Linux Training Station.
