Cryptsetup Operations: Difference between revisions
| (24 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
yum install cryptsetup | yum install cryptsetup | ||
=Encrypting a Block Device with cryptsetup/LUKS= | =Creating an Encrypting a Block Device with cryptsetup/LUKS= | ||
Format the block device with [[Dm-crypt#LUKS|LUKS]] and assign it a [[Dm-crypt#Passphrase|passphrase]] (it is also possible to use a [[Dm-crypt#Key_File|key file]]). | ==Overview== | ||
This section describes how to create a passphrase-protected LUKS-encrypted block device, expose it under /dev/mapper under an arbitrary name, then build an XFS file system on it, and then mount it. | |||
==Procedure== | |||
===Format the Block Device=== | |||
Format the block device with [[Dm-crypt#LUKS|LUKS]] and assign it a [[Dm-crypt#Passphrase|passphrase]] (it is also possible to use a [[Dm-crypt#Key_File|key file]]). The command will ask for a passphrase at the console: | |||
cryptsetup luksFormat -y -v /dev/sdb | cryptsetup luksFormat -y -v /dev/sdb | ||
| Line 19: | Line 27: | ||
Test password: b4H4x9_3hdHEd | Test password: b4H4x9_3hdHEd | ||
After 'luksFormat' operation, the block device is now type "", as [[blkid]] shows: | After 'luksFormat' operation, the block device is now type "crypto_LUKS", as [[blkid]] shows: | ||
# blkid | # blkid | ||
... | ... | ||
/dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS" | /dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS" | ||
===Open the Encrypted Device=== | |||
Open the crypto_LUKS device with: | Open the crypto_LUKS device with: | ||
| Line 29: | Line 39: | ||
cryptsetup open <''luks-device''> <''mapping-name''> | cryptsetup open <''luks-device''> <''mapping-name''> | ||
where <''mapping-name''> is the name of the device that will be created under /dev/mapper | where <''mapping-name''> is the name of the device that will be created under /dev/mapper: | ||
cryptsetup open /dev/sdb rackstationb | cryptsetup open /dev/sdb rackstationb | ||
Upon providing the correct passphrase, the encrypted device will be mounted as <tt>[[Dm-crypt#.2Fdev.2Fmapper|/dev/mapper]]/rackstationb</tt>: | |||
cd /dev/mapper/ | |||
ls -al rackstationb | |||
lrwxrwxrwx. 1 root root 7 Dec 24 00:36 rackstationb -> ../dm-2 | |||
===Create the Filesystem=== | |||
Once the encrypted device is available under <tt>/dev/mapper</tt>, a filesystem can be built on it: | |||
mkfs.xfs /dev/mapper/rackstationb | |||
===Mount the Filesystem=== | |||
The filesystem can then be mounted and used: | |||
mount /dev/mapper/rackstationb /rackstationb | |||
=Closing a LUKS Device= | |||
umount /dev/mapper/<''mapping-name''> | |||
cryptsetup close /dev/mapper/<''mapping-name''> | |||
=Mounting a LUKS Device at Boot= | |||
==Overview== | |||
This section describes how to configure a system to mount a LUKS-encrypted block device at boot. The configuration will require the passphrase to be provided at boot time, when the encrypted device is [[#Open_the_Encrypted_Device|opened]], at the console. | |||
==Configure the Encrypted Block Device in /etc/crypttab== | |||
Specify the name of the encrypted device as it will be exposed under /dev/mapper, then the path to the underlying block device, a "-", which prompts the system to ask for passphrase at the console during the [[#Open_the_Encrypted_Device|open phase]], and an infinite timeout. If the device is not specified here, it will have to be opened manually. | |||
# | |||
# Encrypted block devices configuration; if you don't want the password challenge | |||
# to interrupt the boot process, do not mount here; mount manually after boot. | |||
# | |||
rackstationb /dev/sdb - timeout=0 | |||
For more details about the /etc/crypttab syntax, see: {{Internal|/etc/crypttab|/etc/crypttab}} | |||
==Mount the Filesystem at Boot== | |||
Configure /etc/fstab: | |||
... | |||
# | |||
# If you don't want the password challenge to interrupt the boot process, do not mount here; mount manually after boot | |||
# | |||
/dev/mapper/rackstationb /rackstationb xfs defaults 0 0 | |||
Latest revision as of 03:02, 7 September 2020
Internal
Overview
cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality.
Installation
yum install cryptsetup
Creating an Encrypting a Block Device with cryptsetup/LUKS
Overview
This section describes how to create a passphrase-protected LUKS-encrypted block device, expose it under /dev/mapper under an arbitrary name, then build an XFS file system on it, and then mount it.
Procedure
Format the Block Device
Format the block device with LUKS and assign it a passphrase (it is also possible to use a key file). The command will ask for a passphrase at the console:
cryptsetup luksFormat -y -v /dev/sdb
Test password: b4H4x9_3hdHEd
After 'luksFormat' operation, the block device is now type "crypto_LUKS", as blkid shows:
# blkid ... /dev/sdb: UUID="8a5fa3ae-d997-4c3a-a6f6-ab7ac9007ef8" TYPE="crypto_LUKS"
Open the Encrypted Device
Open the crypto_LUKS device with:
cryptsetup open <luks-device> <mapping-name>
where <mapping-name> is the name of the device that will be created under /dev/mapper:
cryptsetup open /dev/sdb rackstationb
Upon providing the correct passphrase, the encrypted device will be mounted as /dev/mapper/rackstationb:
cd /dev/mapper/ ls -al rackstationb lrwxrwxrwx. 1 root root 7 Dec 24 00:36 rackstationb -> ../dm-2
Create the Filesystem
Once the encrypted device is available under /dev/mapper, a filesystem can be built on it:
mkfs.xfs /dev/mapper/rackstationb
Mount the Filesystem
The filesystem can then be mounted and used:
mount /dev/mapper/rackstationb /rackstationb
Closing a LUKS Device
umount /dev/mapper/<mapping-name> cryptsetup close /dev/mapper/<mapping-name>
Mounting a LUKS Device at Boot
Overview
This section describes how to configure a system to mount a LUKS-encrypted block device at boot. The configuration will require the passphrase to be provided at boot time, when the encrypted device is opened, at the console.
Configure the Encrypted Block Device in /etc/crypttab
Specify the name of the encrypted device as it will be exposed under /dev/mapper, then the path to the underlying block device, a "-", which prompts the system to ask for passphrase at the console during the open phase, and an infinite timeout. If the device is not specified here, it will have to be opened manually.
# # Encrypted block devices configuration; if you don't want the password challenge # to interrupt the boot process, do not mount here; mount manually after boot. #
rackstationb /dev/sdb - timeout=0
For more details about the /etc/crypttab syntax, see:
Mount the Filesystem at Boot
Configure /etc/fstab:
... # # If you don't want the password challenge to interrupt the boot process, do not mount here; mount manually after boot # /dev/mapper/rackstationb /rackstationb xfs defaults 0 0