[id='creating-encrypted-block-devices_{context}']
= Creating encrypted block devices

This procedure describes the steps to create and configure encrypted block devices after installation.

[id='proc_preparing_block_device_for_encrypting']
== Step 1: Preparing a block device

* Install the `cryptsetup` package:
+
----
# dnf install cryptsetup-luks
----

* Create the block devices you want to encrypt using `parted`, `pvcreate`, `lvcreate`, and `mdadm`.

* Optionally, fill the device, for example `/dev/sda3`, with random data before encrypting it, as this increases the strength of the encryption.
+
[NOTE]
====
Filling the device with random data increases the time necessary for encryption.
====
+
[WARNING]
====
The commands below destroy any existing data on the device.
====

** To fill the device with high-quality random data:
+
----
dd if=/dev/urandom of=<device>
----
+
This takes several minutes per gigabyte on most systems.

** To fill the device with lower-quality random data:
+
----
badblocks -c 10240 -s -w -t random -v <device>
----
+
This is quicker than the high-quality random data method.

[id='proc_format-device-as-dmcrypt-encrypted-device']
== Step 2: Formatting an encrypted device

. Format the device:
+
----
# cryptsetup luksFormat <device>
----
+
Sample output:
+
----
WARNING!
========
This will overwrite data on <device> (for example, /dev/xvdc) irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
----
+
This command initializes the volume and sets an initial key or passphrase.
+
[NOTE]
====
The passphrase is not recoverable, so do not forget it.
====

. To verify the formatting:
+
----
# cryptsetup isLuks <device> && echo Success
----

. To see a summary of the encryption information for the device:
+
----
# cryptsetup luksDump <device>
----

[id='proc_create-mapping-to-allow-access-to-decrypted-contents']
== Step 3: Creating a mapping to allow access to the decrypted contents

To access the decrypted contents on a device, you need to create a mapping using the kernel `device-mapper`.

LUKS provides a UUID (Universally Unique Identifier) for each device. This UUID is guaranteed to remain the same as long as the LUKS header remains intact. To find the LUKS UUID for the device, run the following command:

----
# cryptsetup luksUUID <device>
----

An example of a reliable, informative and unique mapping name would be `luks-<uuid>`, where `<uuid>` is replaced with the LUKS UUID for the device (for example, `luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8`).

. Create a mapping to access the decrypted contents on the device:
+
----
# cryptsetup luksOpen <device> <name>
----
+
You are prompted to enter the passphrase for the device. Once you have authenticated, you can see the mapping `/dev/mapper/<name>`, which represents the decrypted device. You can read from and write to this device like you would any other unencrypted block device.

. To see the status of the mapping:
+
----
# cryptsetup -v status <name>
----
+
Sample output:
+
----
/dev/mapper/<name> is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/xvdc
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.
----

[id='proc_create-filesystems-on-mapped-device']
== Step 4: Creating filesystems on a mapped device

After <<proc_create-mapping-to-allow-access-to-decrypted-contents>>, you can use the mapped device node `/dev/mapper/<name>` like any other block device.

. To create an `ext2` filesystem on the mapped device:
+
----
# mke2fs /dev/mapper/<name>
----

. To mount this file system:
+
----
# mkdir /mnt/test/
# mount /dev/mapper/<name> /mnt/test
----

[id='proc_add-mapping-information-to-etc-fstab']
== Step 5: Adding the mapping information to `/etc/crypttab`

In order for the system to set up the mapping to the device, add a corresponding entry in the `/etc/crypttab` file.

. If your system does not have the `/etc/crypttab` file, create a new file and change the owner and group to `root` (`root:root`):
+
----
# touch /etc/crypttab
# chmod 0744 /etc/crypttab
----

. To identify the correct device even if the device name changes, add:
+
----
<name> <device> none
----
+
Here, the `<device>` field should be given in the form `UUID=<uuid>`, where `<uuid>` is the LUKS UUID.

[id='proc_add-entry-to-etc-fstab']
== Step 6: Adding an entry to `/etc/fstab`

To ensure a persistent mapping between the device and the mount point, add the entry in the `/etc/fstab` file:

----
/dev/mapper/<name> <mount-point> <filesystem-type> <options> <dump> <pass>
----

== Additional resources

* https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[LUKS Project Wiki: Frequently Asked Questions]
* http://man7.org/linux/man-pages/man8/cryptsetup.8.html[cryptsetup(8) man page]
* http://man7.org/linux/man-pages/man8/dmsetup.8.html[dmsetup(8) man page]
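The following script is an added example, not part of the original procedure: it derives the Step 5 `/etc/crypttab` line and the Step 6 `/etc/fstab` line from a LUKS UUID using the `luks-<uuid>` naming convention from Step 3, and checks that the crypttab entry references the device by `UUID=` (a bare `/dev/sdX` path stops working when device names change) and that the fstab entry mounts the `/dev/mapper` node that crypttab creates. The mount options `defaults 0 2` are a constructed sample.

```shell
#!/bin/sh
# Added example: build and cross-check crypttab/fstab entries for a LUKS
# device. Assumes the luks-<uuid> mapping name from Step 3; the fstab
# options "defaults 0 2" are a constructed sample, not from the document.

# Wrapper around the Step 3 command; needs root and a real LUKS device.
luks_uuid_of() {
    cryptsetup luksUUID "$1"
}

# mapping_name UUID -> luks-<uuid>
mapping_name() {
    printf 'luks-%s\n' "$1"
}

# crypttab_entry UUID -> "<name> UUID=<uuid> none"  (Step 5 line)
crypttab_entry() {
    printf '%s UUID=%s none\n' "$(mapping_name "$1")" "$1"
}

# fstab_entry UUID MOUNTPOINT FSTYPE -> Step 6 line for the mapped node
fstab_entry() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$(mapping_name "$1")" "$2" "$3"
}

# check_entries CRYPTTAB_LINE FSTAB_LINE
# Returns 0 only when the crypttab source device is a UUID= reference and
# the fstab line mounts /dev/mapper/<name> for the crypttab <name>.
check_entries() {
    ct_name=${1%% *}          # first field of the crypttab line
    ct_rest=${1#* }
    ct_dev=${ct_rest%% *}     # second field: the source device
    fs_dev=${2%% *}           # first field of the fstab line
    case "$ct_dev" in
        UUID=*) ;;
        *) return 1 ;;        # /dev/xvdc-style paths are not stable
    esac
    [ "$fs_dev" = "/dev/mapper/$ct_name" ]
}

# Usage (as root): sh script.sh <device> <mount-point> prints both lines.
if [ "$#" -eq 2 ]; then
    uuid=$(luks_uuid_of "$1")
    crypttab_entry "$uuid"
    fstab_entry "$uuid" "$2" ext2
fi
```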