
If you are planning to encrypt a disk, be aware that encrypting it wipes the disk clean. Make sure there is no data you need on the disk you are about to encrypt. This post is based on my own use case; I just want to make that clear.
Why encrypt the disks? There are many reasons; you can fire up your favorite search engine and look them up. For me, I encrypt my disks in case someone breaks into my home and takes my server with them. It gives me peace of mind. I also do this on our desktops and laptops.
The software I am going to be using is Linux Unified Key Setup (LUKS). LUKS is provided by the cryptsetup package, which can be installed on any Linux distribution. To install it on CentOS or Debian:
```
# CentOS, RHEL, Fedora
dnf install cryptsetup

# Debian
apt install cryptsetup
```
I have two types of storage. The primary one is the internal disks and the other is the removable disks such as USB storage. For the internal disk, I will be encrypting the partition. For the removable storage, I will be encrypting the device itself. There are several things to be done to encrypt the disk.
- Locate/identify the target disk
- Create a partition
- Encrypt the partition
- Open the encrypted partition
- Create a filesystem
- Back up the LUKS header
- Mount the disk
We can also auto-open and mount the encrypted disk. There are several ways to accomplish this, but I use the Clevis/Tang setup because it is the simplest and easiest method I could find. Check my other post on how I use Clevis and Tang.
Locating the target disk
There are several ways to locate the target disk, especially if you already have multiple disks installed. In this post, I will be using lsblk. The disks I am going to encrypt are the disk with serial number WD-WMAJHROEL72C and the USB flash drive with serial number 07018JKLDO873X15.
- -d – do not print holder devices
- -o – specifies the output columns to print
- Try lsblk --help to see other options
```
[root@darktower ~]# lsblk -d -o name,size,serial,type,tran
NAME   SIZE SERIAL           TYPE TRAN
sda  111.8G DBKLSK3M1414E    disk usb
sdb    9.1T JEJUL35N         disk sas
sdc    9.1T JEHOP0U3         disk sas
sdd   10.9T X19RH1DL         disk sas
sde   10.9T X9OL25LA         disk sas
sdf  698.7G WD-WMAJHROEL72C  disk sas
sdg    3.7T WD-WCC4E5LPW21H  disk sas
sdh    9.1T JEHMNKIU         disk sas
sdi   14.5G 07018JKLDO873X15 disk usb
```
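As an added example that is not part of the original post, here is a small POSIX shell helper that does the same lookup by serial number as the listing above, but programmatically: it hands back a device name only when exactly one disk matches the serial, and it checks the transport (usb vs. sas) before printing the /dev path, so the one mistake luksFormat cannot undo, formatting the wrong device, gets caught first. The function names and SAMPLE_LSBLK (a constructed subset of the listing above, used so the helpers can be exercised without root or real disks) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: locate a disk by serial number in
# `lsblk -d -o name,size,serial,type,tran` output and check its transport
# before anything destructive is done to it. Function names are my own.

# Constructed sample: a subset of the lsblk listing in the post, same column
# order (NAME SIZE SERIAL TYPE TRAN). With no text argument the functions run
# lsblk on the live system instead (-n drops the header line).
SAMPLE_LSBLK='NAME   SIZE SERIAL           TYPE TRAN
sda  111.8G DBKLSK3M1414E    disk usb
sdb    9.1T JEJUL35N         disk sas
sdf  698.7G WD-WMAJHROEL72C  disk sas
sdi   14.5G 07018JKLDO873X15 disk usb'

lsblk_text() {
    if [ $# -ge 1 ]; then
        printf '%s\n' "$1"
    else
        lsblk -d -n -o name,size,serial,type,tran
    fi
}

# device_by_serial SERIAL [LSBLK_TEXT]
# Prints the device name whose SERIAL column equals SERIAL and whose TYPE is
# "disk". Returns 0 on exactly one match, 1 on none, 2 when several disks
# report the same serial (some cheap USB sticks do); in that case the caller
# must not guess.
device_by_serial() {
    serial=$1; shift
    matches=
    while read -r name size ser type tran; do
        if [ "$type" = disk ] && [ "$ser" = "$serial" ]; then
            matches="$matches $name"
        fi
    done <<EOF
$(lsblk_text "$@")
EOF
    set -- $matches
    case $# in
        0) return 1 ;;
        1) printf '%s\n' "$1"; return 0 ;;
        *) printf 'ambiguous serial %s: %s\n' "$serial" "$*" >&2; return 2 ;;
    esac
}

# device_tran NAME [LSBLK_TEXT]
# Prints the TRAN column (usb, sas, sata, ...) of device NAME; returns 1 if
# NAME is not listed.
device_tran() {
    want=$1; shift
    while read -r name size ser type tran; do
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$tran"
            return 0
        fi
    done <<EOF
$(lsblk_text "$@")
EOF
    return 1
}

# confirm_target SERIAL EXPECTED_TRAN [LSBLK_TEXT]
# Pre-flight check to run before luksFormat: resolves the serial, verifies the
# transport is what you expect (so a "usb" flash drive is never confused with
# a "sas" array member), and prints the /dev path to use.
confirm_target() {
    serial=$1; expected=$2; shift 2
    dev=$(device_by_serial "$serial" "$@") || return 1
    tran=$(device_tran "$dev" "$@") || return 1
    if [ "$tran" != "$expected" ]; then
        printf '%s has transport %s, expected %s; refusing\n' "$dev" "$tran" "$expected" >&2
        return 1
    fi
    printf '/dev/%s\n' "$dev"
}

# Usage on the live system (needs lsblk; not run here):
#   confirm_target WD-WMAJHROEL72C sas    # prints /dev/sdf
#   confirm_target 07018JKLDO873X15 usb   # prints /dev/sdi
```

One caveat: the parser relies on every row having all five columns, and a device with an empty SERIAL shifts the remaining fields left. If your system has such devices, feed the functions the key=value form from lsblk -P (the --pairs option) and adjust the read accordingly, rather than trusting whitespace-separated columns.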
Create a partition
The output above shows that the device with serial number WD-WMAJHROEL72C is sdf, and, going by its serial number and usb transport type, the flash drive is sdi. To create a partition on the target HDD, I'm going to be using fdisk. I am only going to make one primary partition on this disk.
The following are the fdisk commands I use:
- n – add a new partition
- p – primary partition
- 1 – partition number 1
- w – write the changes
```
[root@darktower ~]# fdisk /dev/sdf

Welcome to fdisk (util-linux 2.32.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xc3c4515a.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p):

Using default response p.
Partition number (1-4, default 1):
First sector (2048-1465149167, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-1465149167, default 1465149167):

Created a new partition 1 of type 'Linux' and of size 698.7 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
```
LUKS
Once the partition has been created, we can encrypt it using LUKS. For the portable device /dev/sdi, I will be encrypting the device itself.
Encrypt the partition and the portable storage device
I am going to start with the HDD with a single partition then the portable device.
```
# To encrypt the HDD
# device is the device e.g. sdf
# X is the partition number
# cryptsetup -y -v luksFormat --type luks2 /dev/<deviceX>
[root@darktower ~]# cryptsetup -y -v luksFormat /dev/sdf1

WARNING!
========
This will overwrite data on /dev/sdf1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdf1: <enter-your-passphrase>
Verify passphrase: <re-enter-your-passphrase>
Key slot 0 created.
Command successful.
[root@darktower ~]#

# To encrypt the portable device
[root@darktower ~]# cryptsetup -y -v luksFormat /dev/sdi
WARNING: Device /dev/sdi already contains a 'iso9660' superblock signature.
WARNING: Device /dev/sdi already contains a 'dos' partition signature.

WARNING!
========
This will overwrite data on /dev/sdi irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdi: <enter-your-passphrase>
Verify passphrase: <re-enter-your-passphrase>
Existing 'iso9660' superblock signature (offset: 32769 bytes) on device /dev/sdi will be wiped.
Existing 'dos' partition signature (offset: 510 bytes) on device /dev/sdi will be wiped.
Key slot 0 created.
Command successful.
[root@darktower ~]#
```
Open the LUKS Partition
To create a filesystem on the encrypted HDD partition and on the encrypted portable device, we need to open them first.
```
# Opening the encrypted HDD partition
[root@darktower ~]# cryptsetup luksOpen /dev/sdf1 luks_disk11
Enter passphrase for /dev/sdf1:
[root@darktower ~]#

# Opening the encrypted flash drive
[root@darktower ~]# cryptsetup luksOpen /dev/sdi luks_flash_drive
Enter passphrase for /dev/sdi:
[root@darktower ~]#
```
Create a filesystem
Once the disk has been opened, we need to create a filesystem so that we can use the disk and add it to the array. The filesystem I am going to be using is XFS for my disk.
```
# -L is a label for easy identification and it can be used for mounting
[root@darktower ~]# mkfs.xfs -L DISK11 /dev/mapper/luks_disk11
meta-data=/dev/mapper/luks_disk11 isize=512    agcount=4, agsize=45784824 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=183139294, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=89423, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@darktower ~]#
```
For the portable device, we need to create a partition before we can create a filesystem.
- The t option is to specify the partition type
- The 7 option is the HPFS/NTFS/exFAT partition type
```
# Create a FAT filesystem directly on the opened LUKS device
# (mkfs.msdos writes the filesystem; it does not create a partition table)
[root@darktower ~]# mkfs.msdos /dev/mapper/luks_flash_drive
mkfs.fat 4.1 (2017-01-24)
```
LUKS Header backup and restore
Backing up the header
Make sure to save these backups outside of the server. According to the Arch wiki:
If the header of a LUKS encrypted partition gets destroyed, you will not be able to decrypt your data. It is just as much of a dilemma as forgetting the passphrase or damaging a key-file used to unlock the partition. Damage may occur by your own fault while re-partitioning the disk later or by third-party programs misinterpreting the partition table. Therefore, having a backup of the header and storing it on another disk might be a good idea.
https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Backup_and_restore
```
# Syntax format
cryptsetup luksHeaderBackup /dev/deviceX --header-backup-file <name>.bin

# e.g.
cryptsetup luksHeaderBackup /dev/sdf1 --header-backup-file disk11_123456.bin
```
Restoring the backup header
If something does happen and you need to restore the LUKS header, this is how you would restore it.
```
# Syntax format
cryptsetup luksHeaderRestore /dev/deviceX --header-backup-file <name>.bin

# e.g.
cryptsetup luksHeaderRestore /dev/sdf1 --header-backup-file disk11_123456.bin
```
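The backup and restore commands above are all the post needs, but a backup you never checked is a backup you only find out about when the header is already gone. As an added example that is not part of the original post, the following POSIX shell functions wrap those two cryptsetup commands with a sanity check on the backup file: the first 6 bytes of a LUKS header are the magic "LUKS" 0xBA 0xBE and the next 2 bytes are the big-endian version (1 for LUKS1, 2 for LUKS2). The function names and the make_fake_header fixture (a constructed 8-byte prefix, not a usable header) are mine; only the cryptsetup invocations are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the post's luksHeaderBackup
# and luksHeaderRestore commands with a check that the backup file really is a
# LUKS header before you rely on it. Only the fixed prefix of the on-disk
# header is inspected (magic + version); nothing is decrypted or modified.

# luks_header_version FILE
# Prints "1" or "2" and returns 0 when FILE (a backup file or a device node)
# starts with a LUKS header; returns 1 otherwise. Uses only od and tr.
luks_header_version() {
    f=$1
    [ -r "$f" ] || return 1
    magic=$(od -An -tx1 -N6 "$f" | tr -d ' \n')
    [ "$magic" = 4c554b53babe ] || return 1
    # bytes 6 and 7: version, big-endian
    set -- $(od -An -tu1 -j6 -N2 "$f")
    [ $# -eq 2 ] || return 1
    ver=$(( $1 * 256 + $2 ))
    case $ver in
        1|2) printf '%s\n' "$ver" ;;
        *) return 1 ;;
    esac
}

# backup_luks_header DEVICE OUTFILE
# The post's backup command, followed by the check above and a sha256 you can
# record next to the copy kept off the server. Needs root and cryptsetup.
backup_luks_header() {
    dev=$1; out=$2
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    chmod 600 "$out"   # the header holds the key slots; keep it private
    ver=$(luks_header_version "$out") || {
        printf '%s is not a LUKS header\n' "$out" >&2
        return 1
    }
    printf 'LUKS%s header of %s saved to %s\n' "$ver" "$dev" "$out"
    sha256sum "$out"
}

# restore_luks_header DEVICE BACKUPFILE
# Refuses to run luksHeaderRestore from a file that does not pass the check,
# since writing garbage over an already damaged header makes recovery harder.
restore_luks_header() {
    dev=$1; in=$2
    luks_header_version "$in" >/dev/null || {
        printf 'refusing: %s is not a LUKS header\n' "$in" >&2
        return 1
    }
    cryptsetup luksHeaderRestore "$dev" --header-backup-file "$in"
}

# make_fake_header FILE
# Constructed test fixture: writes the 8-byte prefix of a LUKS2 header
# (magic, then version 0x0002) so luks_header_version can be exercised
# without a real device. It is not a usable header.
make_fake_header() {
    {
        printf 'LUKS\272\276'
        dd if=/dev/zero bs=1 count=1 2>/dev/null
        printf '\002'
    } > "$1"
}

# Usage on the live system (needs root and cryptsetup; not run here):
#   backup_luks_header /dev/sdf1 disk11_123456.bin
#   restore_luks_header /dev/sdf1 disk11_123456.bin
```

The same luks_header_version check works on the device node itself (for example /dev/sdf1 after luksFormat), which is a quick way to confirm a device is LUKS-formatted before you open it; the chmod 600 matters because whoever holds a header copy can run an offline passphrase guess against its key slots, so the off-server copy deserves the same care as the passphrase.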
Mount the disk
Once the disk and the portable device are prepped, we need to mount them so that we can use them. I like to mount devices under /mnt, so I will create a directory for each mount point.
```
# Create a directory for the HDD and for the portable device
mkdir /mnt/disk11
mkdir /mnt/flashdrive
```
Once the directories are created, we can now mount the devices.
```
# Mount the HDD
mount /dev/mapper/luks_disk11 /mnt/disk11

# Mount the flash drive (the mapper name is the one given to luksOpen above)
mount /dev/mapper/luks_flash_drive /mnt/flashdrive
```
This is it. At this point, you should be able to use the HDD and the portable drive. The process looks hard, but it is a really simple process once you get used to it.