Cryptsetup Operations: Difference between revisions
Line 65: | Line 65: | ||
==Configure the Encrypted Block Device in /etc/crypttab== | ==Configure the Encrypted Block Device in /etc/crypttab== | ||
Specify the name of the encrypted device as it will be exposed under /dev/mapper, then the path to the underlying block device, a "-", which prompts the system to ask for passphrase at the console, and then an infinite timeout: | |||
# | |||
# encrypted block devices configuration | |||
# | |||
rackstationb /dev/sdb - timeout=0 | |||
For more details about the /etc/crypttab syntax, see: {{Internal|/etc/crypttab|/etc/crypttab}} | For more details about the /etc/crypttab syntax, see: {{Internal|/etc/crypttab|/etc/crypttab}} | ||
==Mount the Filesystem at Boot== | |||
Configure /etc/fstab: | |||
... | |||
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0 |
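Review bot: The crypttab entry `rackstationb /dev/sdb - timeout=0` identifies the LUKS volume by its kernel device name, which is not guaranteed to stay the same across boots or after disks are added or removed. The second crypttab field also accepts the `UUID=<luks-uuid>` form, so the documented example would be more robust if it referenced the volume's LUKS UUID instead of `/dev/sdb`. It is also worth stating next to the fstab line that, with `timeout=0` and no `nofail` or `noauto` among the mount options, boot waits for the console passphrase for as long as it takes before `/rackstationb` is mounted.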
Revision as of 09:58, 24 December 2018
Internal
Overview
cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality.
Installation
yum install cryptsetup
Creating and Encrypting a Block Device with cryptsetup/LUKS
Overview
This section describes how to create a passphrase-protected LUKS-encrypted block device, expose it under /dev/mapper under an arbitrary name, then build an XFS file system on it, and then mount it.
Procedure
Format the block device with LUKS and assign it a passphrase (it is also possible to use a key file). The command will ask for a passphrase at the console:
cryptsetup luksFormat -y -v /dev/sdb
Test password: b4H4x9_3hdHEd
After the 'luksFormat' operation, the block device is of type "crypto_LUKS", as blkid shows:
# blkid
...
/dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS"
Open the crypto_LUKS device with:
cryptsetup open <luks-device> <mapping-name>
where <mapping-name> is the name of the device that will be created under /dev/mapper:
cryptsetup open /dev/sdb rackstationb
Upon providing the correct passphrase, the encrypted device will be mapped as /dev/mapper/rackstationb:
cd /dev/mapper/
ls -al rackstationb
lrwxrwxrwx. 1 root root 7 Dec 24 00:36 rackstationb -> ../dm-2
Once the encrypted device is available under /dev/mapper, a filesystem can be built on it:
mkfs.xfs /dev/mapper/rackstationb
The filesystem can then be mounted and used:
mount /dev/mapper/rackstationb /rackstationb
Closing a LUKS Device
umount /dev/mapper/<mapping-name>
cryptsetup close /dev/mapper/<mapping-name>
Mounting a LUKS Device at Boot
Overview
This section describes how to configure a system to mount a LUKS-encrypted block device at boot. The configuration will require the passphrase to be provided at boot time, at the console.
Configure the Encrypted Block Device in /etc/crypttab
Specify the name of the encrypted device as it will be exposed under /dev/mapper, then the path to the underlying block device, a "-", which prompts the system to ask for the passphrase at the console, and then an infinite timeout:
#
# encrypted block devices configuration
#
rackstationb /dev/sdb - timeout=0
For more details about the /etc/crypttab syntax, see:
Mount the Filesystem at Boot
Configure /etc/fstab:
...
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0
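A consistency check for the two files configured above, as an added example that is not part of the original page: it reports crypttab entries that name the volume by kernel device name or unlock it from a key file instead of the console prompt, and fstab mounts under /dev/mapper that no crypttab entry opens. The function names, the `rackstationc`, `backup` and `archive` entries and the key file path are hypothetical; the sample files are constructed.

```shell
# Added example (not from the original page): lint a crypttab/fstab pair.
# check_crypttab CRYPTTAB FSTAB
#   prints one finding per line; returns 1 if anything was reported, else 0.
check_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        FILENAME == ARGV[1] {                # crypttab: name device key options
            name = $1; dev = $2; key = (NF >= 3 ? $3 : "none")
            seen[name] = 1
            if (dev ~ /^\/dev\/(sd|vd|hd|xvd)[a-z]+[0-9]*$/) {
                print "WARN " name ": " dev " is a kernel name that can change between boots; UUID=<luks-uuid> is stable"; n++
            }
            if (key != "-" && key != "none") {   # "-" or "none" means: prompt at the console
                print "WARN " name ": key file " key " unlocks the volume with no console passphrase"; n++
            }
            next
        }
        $1 ~ /^\/dev\/mapper\// {            # fstab: only device-mapper mounts matter here
            m = $1; sub(/^\/dev\/mapper\//, "", m)
            if (!(m in seen)) {
                print "ERROR " $1 ": in fstab but no crypttab entry opens it"; n++
            }
        }
        END { exit (n > 0) }
    ' "$1" "$2"
}

# Constructed sample input: the entry from this page, a UUID-based entry using
# the UUID printed by blkid above, a hypothetical key-file entry, an orphan mount.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/crypttab" <<'EOF'
# encrypted block devices configuration
rackstationb  /dev/sdb  -  timeout=0
rackstationc  UUID=8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8  none  timeout=0
backup        /dev/sdc1  /root/backup.key  luks
EOF
    cat > "$d/fstab" <<'EOF'
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0
/dev/mapper/archive      /archive      xfs defaults 0 0
EOF
    check_crypttab "$d/crypttab" "$d/fstab"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "findings reported (exit status $?)"
```

On a real host the call is `check_crypttab /etc/crypttab /etc/fstab`; it only reads the two files and needs no access to the block devices.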