16.5 Creating Encrypted Block Devices

The device mapper supports the creation of encrypted block devices using the dm-crypt device driver. You can access data on encrypted devices at boot time only if you enter the correct password. As the underlying block device is encrypted and not the file system, you can use dm-crypt to encrypt disk partitions, RAID volumes, and LVM physical volumes, regardless of their contents.

When you install Oracle Linux, you have the option of configure encryption on system volumes other than the partition from which the system boots. If you want to protect the bootable partition, consider using any password protection mechanism that is built into the BIOS or setting up a GRUB password.

You use the cryptsetup utility to set up Linux Unified Key Setup (LUKS) encryption on the device and to manage authentication.

To set up the mapped device for an encrypted volume:

  1. Initialize a LUKS partition on the device and set up the initial key, for example:

    # cryptsetup luksFormat /dev/sdd
    WARNING!
    ========
    This will overwrite data on /dev/sdd irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: passphrase
    Verify passphrase: passphrase
  2. Open the device and create the device mapping:

    # cryptsetup luksOpen /dev/sdd cryptfs
    Enter passphrase for /dev/sdd: passphrase

    In this example, the encrypted volume is accessible as /dev/mapper/cryptsfs.

  3. Create an entry for the encrypted volume in /etc/crypttab, for example:

    # <target name>  <source device>  <key file>  <options>
    cryptfs          /dev/sdd         none        luks

    This entry causes the operating system to prompt you to enter the passphrase at boot time.

Having created an encrypted volume and its device mapping, you can configure and use it in the same way as you would a physical storage device. For example, you can configure it as an LVM physical volume, file system, swap partition, Automatic Storage Management (ASM) disk, or raw device. For example, you would create an entry in the /etc/fstab to mount the mapped device (/dev/mapper/cryptsfs), not the physical device (/dev/sdd).

To verify the status of an encrypted volume, use the following command:

# cryptsetup status cryptfs
/dev/mapper/cryptfs is active.
type: LUKS1
cipher:  aes-cbs-essiv:sha256
keysize: 256 bits
device:  /dev/xvdd1
offset:  4096 sectors
size:    6309386 sectors
mode:    read/write

Should you need to remove the device mapping, unmount any file system that the encrypted volume contains, and run the following command:

# cryptsetup luksClose /dev/mapper/cryptfs

For more information, see the crypsetup(8) and crypttab(5) manual pages.