Disk Encryption in a Linux Environment

If you are using the Linux operating system, you can secure your data by configuring disk encryption to encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as your NoSQL files.

dm-crypt is the Linux kernel's device-mapper crypto target: a transparent disk encryption subsystem built on the kernel crypto API.

cryptsetup is the command-line tool that interfaces with dm-crypt for creating, accessing and managing encrypted devices. It is most commonly used with the Linux Unified Key Setup (LUKS) extension, which stores all of the setup information dm-crypt needs on the disk itself and abstracts partition and key management to improve ease of use.

This topic demonstrates how to convert a normal disk to a dm-crypt enabled disk, and vice versa, using the command-line interface.

Assume that your Linux system has the following disks. The df -h command displays the amount of available disk space on each of them.

$ df -h
/dev/nvme0n1 2.9T 76G 2.7T 3% /ons/nvme0n1
/dev/nvme1n1 2.9T 76G 2.7T 3% /ons/nvme1n1
...

If you nominate disk /dev/nvme0n1 to store databases, you should encrypt that disk to secure the data it holds.

Normal disk to a dm-crypt enabled disk:

Execute the following commands to convert a normal disk to a dm-crypt enabled disk:

  1. Unmount the file system on the disk.

    sudo umount -l /dev/nvme0n1
  2. Generate the key to be used by luksFormat.

    sudo dd if=/dev/urandom of=/home/opc/key0.key bs=1 count=4096
  3. Initialize a LUKS partition and set the initial key.

    sudo /usr/sbin/cryptsetup -q -s 512 \
    luksFormat /dev/nvme0n1 /home/opc/key0.key
  4. Open the LUKS partition on the device and set up a mapping name.

    sudo /usr/sbin/cryptsetup --allow-discards \
    luksOpen -d /home/opc/key0.key /dev/nvme0n1 dm-nvme0n1
  5. Create an ext4 file system on the disk.

    sudo /sbin/mkfs.ext4 /dev/mapper/dm-nvme0n1
  6. Set the ext4 file system's error behaviour so that it is remounted read-only on errors.

    sudo /usr/sbin/tune2fs -e remount-ro /dev/mapper/dm-nvme0n1
  7. Mount the file system to a specified directory.

    sudo mount /dev/mapper/dm-nvme0n1 /ons/nvme0n1
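A guarded wrapper for the procedure above, added here as an example (it is not code from the original page or from any project): it encodes steps 3 to 7 and refuses to run them while the device is still mounted, while the key file is readable by group or others, or while the mapping name is already in use, since mkfs.ext4 cannot be undone. The mounts snapshot, the function names and the RUN variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): a guarded front end for the
# "normal disk to dm-crypt enabled disk" steps above. The commands are the
# page's own; the pre-flight checks are the addition. RUN=1 executes them.
# Constructed /proc/mounts snapshot matching the df output above (sample data).
SAMPLE_MOUNTS='/dev/nvme0n1 /ons/nvme0n1 ext4 rw,relatime 0 0
/dev/nvme1n1 /ons/nvme1n1 ext4 rw,relatime 0 0'

# mounted_in MOUNTS DEVICE: succeed if DEVICE is the source of a mount in
# MOUNTS (/proc/mounts format). umount -l removes the entry immediately, so a
# clean result does not prove that nothing is still using the filesystem.
mounted_in() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { f = 1 } END { exit !f }'
}

# keyfile_private FILE: succeed if FILE exists and grants nothing to group or
# others (parses ls -l, so it works on GNU and BSD userland alike).
keyfile_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# plan_encrypt DEVICE KEYFILE MAPNAME MOUNTPOINT: steps 3 to 7, without sudo.
plan_encrypt() {
    cat <<EOF
cryptsetup -q -s 512 luksFormat $1 $2
cryptsetup --allow-discards luksOpen -d $2 $1 $3
mkfs.ext4 /dev/mapper/$3
tune2fs -e remount-ro /dev/mapper/$3
mount /dev/mapper/$3 $4
EOF
}

# encrypt_disk DEVICE KEYFILE MAPNAME MOUNTPOINT [MOUNTS]: refuse if the device
# is still mounted (step 1 skipped), the key file is readable by others, or the
# mapping name is taken. Otherwise print the plan and, with RUN=1, run it.
encrypt_disk() {
    mounts=${5:-$(cat /proc/mounts)}
    if mounted_in "$mounts" "$1"; then
        echo "refusing: $1 is mounted; unmount it first" >&2; return 1
    fi
    if ! keyfile_private "$2"; then
        echo "refusing: $2 is missing or not mode 0600/0400" >&2; return 1
    fi
    if [ -e "/dev/mapper/$3" ]; then
        echo "refusing: /dev/mapper/$3 already exists" >&2; return 1
    fi
    plan=$(plan_encrypt "$1" "$2" "$3" "$4")
    printf '%s\n' "$plan"
    [ "${RUN:-0}" != 1 ] || sudo sh -e -c "$plan"
}
```

Source the file and call encrypt_disk with the page's values (device, key file, mapping name, mount point); leave RUN unset to review the plan first, then set RUN=1 to execute it.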

dm-crypt enabled disk to normal disk:

If you want to convert the encrypted disk back to its normal state, execute the following steps:

  1. Unmount the file system on the disk.

    sudo umount -l /ons/nvme0n1
  2. Remove the LUKS mapping.

    sudo /usr/sbin/cryptsetup luksClose /dev/mapper/dm-nvme0n1
  3. Create an ext4 file system on the disk.

    sudo /sbin/mkfs.ext4 /dev/nvme0n1
  4. Mount the file system on a specified directory.

    sudo mount /dev/nvme0n1 /ons/nvme0n1

Note:

If you convert a normal disk to a dm-crypt enabled disk, or a dm-crypt enabled disk to a normal disk, you cannot return the disk to its previous state without losing its data, because the mkfs.ext4 command formats the disk. All data stored on the disk will therefore be lost.