Cryptsetup Operations

From NovaOrdis Knowledge Base

Internal

Overview

cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality.

Installation

yum install cryptsetup

Creating and Encrypting a Block Device with cryptsetup/LUKS

Overview

This section describes how to create a passphrase-protected LUKS-encrypted block device, expose it under /dev/mapper under an arbitrary name, then build an XFS file system on it, and then mount it.

Procedure

Format the Block Device

Format the block device with LUKS and assign it a passphrase (it is also possible to use a key file). The command will ask for a passphrase at the console:

cryptsetup luksFormat -y -v /dev/sdb

Test password: b4H4x9_3hdHEd

After the luksFormat operation, the block device is of type "crypto_LUKS", as blkid shows:

# blkid
...
/dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS"

Open the Encrypted Device

Open the crypto_LUKS device with:

cryptsetup open <luks-device> <mapping-name> 

where <mapping-name> is the name of the device that will be created under /dev/mapper:

cryptsetup open /dev/sdb rackstationb

Upon providing the correct passphrase, the decrypted device is exposed as /dev/mapper/rackstationb (a symbolic link to the underlying device-mapper node):

cd /dev/mapper/
ls -al rackstationb
lrwxrwxrwx. 1 root root 7 Dec 24 00:36 rackstationb -> ../dm-2

Create the Filesystem

Once the encrypted device is available under /dev/mapper, a filesystem can be built on it:

mkfs.xfs /dev/mapper/rackstationb

Mount the Filesystem

The filesystem can then be mounted and used:

mount /dev/mapper/rackstationb /rackstationb
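The four steps above (luksFormat, open, mkfs.xfs, mount) wrapped in a script with pre-flight checks, as an added example that is not part of the original page. luksFormat destroys whatever is on the target device, so the script refuses to run when the device is mounted (or a partition of it is), when blkid already reports a signature on it, or when the mapping name is not a safe /dev/mapper entry. The script name luks-create.sh is hypothetical; it assumes cryptsetup, blkid and mkfs.xfs are installed and that it is run as root.

```shell
#!/bin/sh
# luks-create.sh (hypothetical name; added example, not from the NovaOrdis page)
# Usage: luks-create.sh /dev/sdX <mapping-name> <mount-point>

# Mapping names become /dev/mapper/<name>: reject empty names, path components,
# leading dots and anything outside a conservative character set.
mapping_name_valid() {
    case $1 in
        ''|*/*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = device, $2 = a /proc/mounts-style file (defaults to /proc/mounts).
# Succeeds when the device itself or one of its partitions (e.g. /dev/sdb1) is mounted.
device_is_mounted() {
    mounts=${2:-/proc/mounts}
    while read -r src mnt rest; do
        case $src in "$1"|"$1"?*) return 0 ;; esac
    done < "$mounts"
    return 1
}

# $1 = device; a non-empty TYPE from blkid means the device already carries
# a filesystem or LUKS signature and should be wiped explicitly before formatting.
device_has_signature() {
    sig=$(blkid -o value -s TYPE "$1" 2>/dev/null)
    [ -n "$sig" ]
}

main() {
    dev=$1; name=$2; mnt=$3
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    mapping_name_valid "$name" || { echo "unsafe mapping name: $name" >&2; return 1; }
    if device_is_mounted "$dev"; then
        echo "$dev (or a partition of it) is mounted; refusing to format" >&2; return 1
    fi
    if device_has_signature "$dev"; then
        echo "$dev already has a $(blkid -o value -s TYPE "$dev") signature; wipe it first" >&2
        return 1
    fi
    cryptsetup luksFormat -y -v "$dev" || return 1   # asks for the passphrase at the console
    cryptsetup open "$dev" "$name" || return 1       # asks again; creates /dev/mapper/$name
    mkfs.xfs /dev/mapper/"$name" || return 1
    mkdir -p "$mnt" || return 1
    mount /dev/mapper/"$name" "$mnt" || return 1
    cryptsetup status "$name"                        # confirm the mapping is active
}

# Run only when invoked with three arguments, so the functions can also be sourced.
if [ $# -eq 3 ]; then main "$@"; fi
```

The checks are deliberately conservative: an existing signature is a hard stop rather than a prompt, because the only way to proceed safely is a deliberate wipe of the device, which should be a separate, explicit decision.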

Closing a LUKS Device

umount /dev/mapper/<mapping-name>
cryptsetup close /dev/mapper/<mapping-name>

Mounting a LUKS Device at Boot

Overview

This section describes how to configure a system to mount a LUKS-encrypted block device at boot. The configuration will require the passphrase to be provided at boot time, when the encrypted device is opened, at the console.

Configure the Encrypted Block Device in /etc/crypttab

Specify the name under which the decrypted device will be exposed under /dev/mapper, then the path to the underlying block device, then a "-" in the key file field (which makes the system prompt for the passphrase at the console during the open phase), and an infinite timeout. If the device is not listed here, it will have to be opened manually.

#
# Encrypted block devices configuration;  if you don't want the password challenge 
# to interrupt the boot process, do not mount here; mount manually after boot.
#
rackstationb /dev/sdb - timeout=0

For more details about the /etc/crypttab syntax, see:

/etc/crypttab

Mount the Filesystem at Boot

Configure /etc/fstab:

...
#
# If you don't want the password challenge to interrupt the boot process, do not mount here; mount manually after boot
#
/dev/mapper/rackstationb /rackstationb            xfs     defaults        0 0
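A mapper device listed in /etc/fstab without a matching /etc/crypttab entry cannot be opened at boot and will stall the mount step, and an entry with "-" in the key field blocks boot until the passphrase is typed. The following script, added here and not part of the original page, cross-checks the two files: it parses the crypttab fields and options, lists the /dev/mapper devices fstab mounts, and reports mismatches. It runs against constructed sample files written to a temporary directory (the second crypttab entry and its key file path /etc/keys/archive.key are invented for the example); point it at /etc/fstab and /etc/crypttab to check a real system.

```shell
#!/bin/sh
# Added example (not from the NovaOrdis page): cross-check crypttab against fstab.

# Print "name source keyfile options" for every non-comment, non-blank crypttab line.
# A missing key file field means "-" (passphrase prompt); missing options print as "none".
crypttab_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r name source key opts; do
        printf '%s %s %s %s\n' "$name" "$source" "${key:--}" "${opts:-none}"
    done
}

# $1 = crypttab path, $2 = mapping name; prints the key file field (empty if no entry).
crypttab_key() {
    crypttab_entries "$1" | while read -r name source key opts; do
        if [ "$name" = "$2" ]; then echo "$key"; fi
    done
}

# $1 = crypttab path, $2 = mapping name, $3 = option key (e.g. timeout);
# prints the option's value, or "unset" when the entry does not carry it.
crypttab_option() {
    crypttab_entries "$1" | while read -r name source key opts; do
        [ "$name" = "$2" ] || continue
        found=unset
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in "$3="*) found=${o#"$3="} ;; esac
        done
        IFS=$old_ifs
        echo "$found"
    done
}

# $1 = fstab path; prints the <name> of every /dev/mapper/<name> device it mounts.
fstab_mapper_names() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt rest; do
        case $dev in /dev/mapper/*) echo "${dev#/dev/mapper/}" ;; esac
    done
}

# $1 = fstab path, $2 = crypttab path. Returns 0 when every mapper device in fstab
# has a crypttab entry, 1 otherwise; notes which entries will prompt at the console.
check_fstab_crypttab() {
    status=0
    for name in $(fstab_mapper_names "$1"); do
        key=$(crypttab_key "$2" "$name")
        if [ -z "$key" ]; then
            echo "ERROR: $name is mounted from fstab but has no crypttab entry"
            status=1
        elif [ "$key" = "-" ] || [ "$key" = "none" ]; then
            echo "NOTE: $name prompts for a passphrase at boot (timeout=$(crypttab_option "$2" "$name" timeout))"
        else
            echo "OK: $name is opened with key file $key"
        fi
    done
    return $status
}

# Writes constructed sample files (not real system files) to a temp dir and prints its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# "-" in the key field: passphrase prompt at the console
rackstationb /dev/sdb - timeout=0
archive      /dev/sdc /etc/keys/archive.key luks,timeout=30
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/sda1                /             xfs defaults 0 0
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0
/dev/mapper/backup       /backup       xfs defaults 0 0
EOF
    echo "$dir"
}

samples=$(make_samples)
check_fstab_crypttab "$samples/fstab" "$samples/crypttab" || echo "fstab/crypttab mismatch found"
rm -rf "$samples"
```

On the sample input the check reports rackstationb as a console-prompt entry with timeout=0, archive as key-file based, and backup as an error, since fstab mounts /dev/mapper/backup but crypttab never defines it.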