How to Create a LUKS Encrypted Partition in CentOS 7 / RHEL 7 Linux

In this post, I will show how to encrypt data stored on your Linux machine's partitions using the cryptsetup utility.

First, install the cryptsetup (LUKS) package using yum on your CentOS 7 or RHEL 7 Linux machine.


[root@techbuzz ~]# yum install -y cryptsetup


Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Skipping unreadable repository '/etc/yum.repos.d/rhel7_errata.repo'
Package cryptsetup-1.7.2-1.el7.x86_64 already installed and latest version
Nothing to do
[root@techbuzz ~]#


Activate the LUKS module (dm_crypt) by running modprobe dm_crypt, then check that the module is loaded in the kernel.

[root@techbuzz ~]# modprobe dm_crypt

[root@techbuzz ~]# lsmod | grep dm_crypt

dm_crypt               27403  0
dm_mod                114430  25 dm_log,dm_persistent_data,dm_mirror,dm_bufio,dm_crypt,dm_thin_pool
[root@techbuzz ~]#


Run the command below to check the free space in the volume group:

[root@techbuzz ~]# vgs

  VG   #PV #LV #SN Attr   VSize  VFree
  rhel   1   5   0 wz--n- 99.51g 3.82g


Create a logical volume of 100 MB using the command below:

[root@techbuzz ~]# lvcreate --size 100M --name lv_vol rhel

Sample outputs:


  Logical volume "lv_vol" created.
[root@techbuzz ~]# lvs | grep lv_vol
  lv_vol    rhel -wi-a----- 100.00m
[root@techbuzz ~]#


Run the command below to convert the newly created logical volume into LUKS format. Enter a passphrase that is not a weak one; it must contain upper-case and alphanumeric characters.

[root@techbuzz ~]# cryptsetup luksFormat /dev/rhel/lv_vol
Sample outputs:

WARNING!
========
This will overwrite data on /dev/rhel/lv_vol irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:


Open the LUKS-formatted LV and give it a name, here volume. You can give it any name you want.

[root@techbuzz ~]# cryptsetup luksOpen /dev/rhel/lv_vol volume
Enter passphrase for /dev/rhel/lv_vol:
[root@techbuzz ~]#


Create whichever file system you want, ext4 or xfs, using the mkfs command (xfs here).

[root@techbuzz ~]# mkfs.xfs /dev/mapper/volume
Sample outputs:
meta-data=/dev/mapper/volume     isize=512    agcount=4, agsize=6272 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=25088, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=855, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@techbuzz ~]#

Create the /etc/crypttab file and add an entry of the following form to it:

[root@techbuzz ~]# vi /etc/crypttab

VOLUME_NAME  /dev/vg/lv_name /root/luks.key

[root@techbuzz ~]# cat /etc/crypttab
volume /dev/rhel/lv_vol /root/luks.key
[root@techbuzz ~]#


Create the /root/luks.key file and store the passphrase in it, then add it as a key to the LUKS volume.

[root@techbuzz ~]# vi /root/luks.key

[root@techbuzz ~]# cryptsetup luksAddKey /dev/rhel/lv_vol /root/luks.key

Enter any existing passphrase:


Add the entry below to /etc/fstab. The last two fields in fstab are for backup dumps and the file system check at boot time.

/dev/mapper/volume     /vol     xfs    defaults   0  0

[root@techbuzz ~]# mkdir -p /vol
[root@techbuzz ~]# mount /vol


[root@techbuzz ~]# df -h /vol
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/volume   95M  5.1M   90M   6% /vol
[root@techbuzz ~]#
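
The key file named in /etc/crypttab unlocks the volume without a prompt, so it should be readable by root only. The check below is an added example, not part of the original post: the function name audit_crypttab and the throwaway demo files are assumptions, and it reports key files that are missing, not owned by the expected uid, or accessible to group or other.

```shell
#!/bin/sh
# audit_crypttab FILE [EXPECTED_UID]   (hypothetical helper, added example)
# Reports key files named in a crypttab that are missing, not owned by
# EXPECTED_UID (default 0 = root), or accessible to group/other.
# Returns 0 when clean, 1 on findings, 2 if the crypttab cannot be read.
audit_crypttab() {
    tab=$1 want_uid=${2:-0} rc=0
    [ -r "$tab" ] || { echo "cannot read $tab" >&2; return 2; }
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac     # blank line or comment
        case "$key" in ''|none|-) continue ;; esac   # passphrase is prompted for
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1; continue
        fi
        # ls -ldn prints e.g. "-rw------- 1 0 0 ..." (mode, links, numeric uid)
        read -r perms links uid rest <<EOF
$(ls -ldn "$key")
EOF
        [ "$uid" = "$want_uid" ] || { echo "$name: $key is owned by uid $uid"; rc=1; }
        case "$perms" in
            -???------*) ;;                          # no group/other bits set
            *) echo "$name: $key has mode $perms, expected 0400 or 0600"; rc=1 ;;
        esac
    done < "$tab"
    return "$rc"
}

# Constructed demo: a throwaway crypttab whose key file is world-readable.
demo=$(mktemp -d)
printf 'passphrase\n' > "$demo/luks.key"; chmod 0644 "$demo/luks.key"
printf 'volume /dev/rhel/lv_vol %s\n' "$demo/luks.key" > "$demo/crypttab"
audit_crypttab "$demo/crypttab" "$(id -u)" || echo "findings above need fixing"
rm -rf "$demo"
```

On the system from this post, run audit_crypttab /etc/crypttab as root; a finding on /root/luks.key is fixed with chmod 0600 and chown root:root.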