Cryptsetup Operations
Revision as of 17:17, 4 February 2019
Internal
Overview
cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality.
Installation
yum install cryptsetup
Creating and Encrypting a Block Device with cryptsetup/LUKS
Overview
This section describes how to create a passphrase-protected LUKS-encrypted block device, expose it under /dev/mapper under an arbitrary name, build an XFS file system on it, and then mount it.
Procedure
Format the block device with LUKS and assign it a passphrase (it is also possible to use a key file). The command will ask for a passphrase at the console:
cryptsetup luksFormat -y -v /dev/sdb
Test password: b4H4x9_3hdHEd
After the luksFormat operation, the block device is of type "crypto_LUKS", as blkid shows:
# blkid
...
/dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS"
Open the crypto_LUKS device with:
cryptsetup open <luks-device> <mapping-name>
where <mapping-name> is the name of the device that will be created under /dev/mapper:
cryptsetup open /dev/sdb rackstationb
Upon providing the correct passphrase, the decrypted device is exposed (not yet mounted) as /dev/mapper/rackstationb:
cd /dev/mapper/
ls -al rackstationb
lrwxrwxrwx. 1 root root 7 Dec 24 00:36 rackstationb -> ../dm-2
Once the encrypted device is available under /dev/mapper, a filesystem can be built on it:
mkfs.xfs /dev/mapper/rackstationb
The filesystem can then be mounted and used:
mount /dev/mapper/rackstationb /rackstationb
Closing a LUKS Device
umount /dev/mapper/<mapping-name>
cryptsetup close /dev/mapper/<mapping-name>
Mounting a LUKS Device at Boot
Overview
This section describes how to configure a system to mount a LUKS-encrypted block device at boot. The configuration will require the passphrase to be provided at boot time, when the encrypted device is opened, at the console.
Configure the Encrypted Block Device in /etc/crypttab
Specify the name of the encrypted device as it will be exposed under /dev/mapper, then the path to the underlying block device, then a "-" in the key file field, which makes the system ask for the passphrase at the console when the device is opened, and then timeout=0, which waits indefinitely for the passphrase:
#
# Encrypted block devices configuration
#
rackstationb /dev/sdb - timeout=0
For more details about the /etc/crypttab syntax, see:
Mount the Filesystem at Boot
Configure /etc/fstab:
...
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0
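As an added example (not from the original page), the following shell script cross-checks the /etc/crypttab and /etc/fstab configuration described above: every /dev/mapper/<name> mounted from fstab must be declared in crypttab, and any crypttab entry that unlocks with a key file instead of the "-" console prompt is reported. The function names, the constructed sample files and the extra "backup" and "archive" entries are assumptions made for the demonstration.

```shell
# Added example, not code from the original page: cross-check a crypttab
# against an fstab. Every /dev/mapper/<name> mounted from fstab must be
# declared in crypttab, and any crypttab entry whose key field is a file path
# (rather than "-"/"none", the console prompt used above) is reported, since
# a key file on an unencrypted disk defeats the passphrase-at-boot design.

# Mapping names declared in crypttab (field 1), skipping comments and blanks.
crypttab_names() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$1"
}

# Names mounted from /dev/mapper/ in fstab (field 1, prefix stripped).
fstab_mapper_names() {
    awk '!/^[[:space:]]*#/ && $1 ~ "^/dev/mapper/" {
             sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# Usage: check_crypt_mounts CRYPTTAB FSTAB. Prints one line per finding and
# returns 0 when the files are consistent, 1 otherwise.
check_crypt_mounts() {
    crypttab=$1; fstab=$2; rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac
        [ -n "$dev" ] || { echo "crypttab: '$name' has no block device"; rc=1; }
        case "${key:--}" in
            -|none) ;;   # passphrase prompted at the console, as intended
            *) echo "crypttab: '$name' unlocks with key file '$key', not a prompt"; rc=1 ;;
        esac
    done < "$crypttab"
    for name in $(fstab_mapper_names "$fstab"); do
        crypttab_names "$crypttab" | grep -qx -- "$name" \
            || { echo "fstab: /dev/mapper/$name has no crypttab entry"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files: the page's rackstationb entry, a key-file entry,
# and an fstab mount with no crypttab counterpart. Returns the check's status.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# Encrypted block devices configuration' \
        'rackstationb /dev/sdb - timeout=0' \
        'backup /dev/sdc /root/backup.key luks' > "$dir/crypttab"
    printf '%s\n' '/dev/mapper/rackstationb /rackstationb xfs defaults 0 0' \
        '/dev/mapper/archive /archive xfs defaults 0 0' > "$dir/fstab"
    check_crypt_mounts "$dir/crypttab" "$dir/fstab" && status=0 || status=1
    rm -rf "$dir"
    return "$status"
}
```

Running `demo` prints the two findings and exits non-zero; on a real system, call `check_crypt_mounts /etc/crypttab /etc/fstab` after editing either file.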