4 Creating Encrypted Block Devices

This chapter describes how to use encrypted block devices to secure stored data.

About Encrypted Block Devices

The device mapper supports the creation of encrypted block devices using the dm-crypt device driver. You can access data on an encrypted device at boot time only if you enter the correct passphrase. Because the underlying block device is encrypted rather than the file system, you can use dm-crypt to encrypt disk partitions, RAID volumes, and LVM physical volumes, regardless of their contents.

When you install Oracle Linux, you have the option of configuring encryption on system volumes other than the partition from which the system boots. If you want to protect the bootable partition, consider using any password protection mechanism that is built into the BIOS or setting up a GRUB password.

Setting Up LUKS Encryption

You use the cryptsetup utility to set up Linux Unified Key Setup (LUKS) encryption on the device and to manage authentication.

To set up the mapped device for an encrypted volume:

  1. Initialize a LUKS partition on the device and set up the initial key, for example:

    sudo cryptsetup luksFormat /dev/sdd
    WARNING!
    ========
    This will overwrite data on /dev/sdd irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: passphrase
    Verify passphrase: passphrase
  2. Open the device and create the device mapping:

    sudo cryptsetup luksOpen /dev/sdd cryptfs
    Enter passphrase for /dev/sdd: passphrase

    In this example, the encrypted volume is accessible as /dev/mapper/cryptfs.

  3. Create an entry for the encrypted volume in /etc/crypttab, for example:

    # <target name>  <source device>  <key file>  <options>
    cryptfs          /dev/sdd         none        luks

    This entry causes the operating system to prompt you to enter the passphrase at boot time.

After you have created an encrypted volume and its device mapping, you can configure and use it in the same way as a physical storage device: for example, as an LVM physical volume, a file system, a swap partition, an Automatic Storage Management (ASM) disk, or a raw device. Any entry that you create in /etc/fstab must mount the mapped device (/dev/mapper/cryptfs), not the physical device (/dev/sdd).
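The crypttab entry and the fstab entry must agree: fstab mounts /dev/mapper/<target>, never the source device that crypttab lists. The following shell script is an added example and is not part of the Oracle Linux documentation. It reads a crypttab and an fstab whose paths are given as arguments, reports each target, and fails if fstab references the raw source device directly. The sample crypttab and fstab files are constructed in a temporary directory so the script runs offline; the function names are the example's own. On a live system, call check_crypt_mounts /etc/crypttab /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: verify that every
# LUKS target listed in a crypttab is mounted via /dev/mapper/<target> in fstab
# and that the raw source device is never mounted directly. File paths are
# parameters so the functions can run against constructed sample files.

# crypttab_targets CRYPTTAB: print "<target> <source device>" for each entry,
# skipping comments and blank lines.
crypttab_targets() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1, $2 }' "$1"
}

# fstab_has_device FSTAB DEVICE: exit 0 if DEVICE is the first field of a
# non-comment fstab line.
fstab_has_device() {
    awk -v dev="$2" '$1 !~ /^#/ && $1 == dev { found = 1 } END { exit !found }' "$1"
}

# check_crypt_mounts CRYPTTAB FSTAB: print one report line per crypttab target.
#   BAD  - fstab mounts the raw source device, bypassing the mapping: the mount
#          fails on a LUKS container, and any write to the raw device damages
#          the encrypted data
#   OK   - /dev/mapper/<target> is mounted from fstab
#   WARN - neither path appears (fstab may use UUID= or LABEL= for the mapped
#          device, which this simple check does not resolve)
# Exits non-zero if any BAD line was produced.
check_crypt_mounts() {
    crypttab=$1; fstab=$2
    report=$(crypttab_targets "$crypttab" | while read -r target source; do
        if fstab_has_device "$fstab" "$source"; then
            echo "BAD  $target: fstab references $source instead of /dev/mapper/$target"
        elif fstab_has_device "$fstab" "/dev/mapper/$target"; then
            echo "OK   $target: mounted as /dev/mapper/$target"
        else
            echo "WARN $target: /dev/mapper/$target not found in fstab"
        fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^BAD '
}

# Constructed sample files (not real system configuration) in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <target name>  <source device>  <key file>  <options>
cryptfs          /dev/sdd         none        luks
EOF
cat > "$demo_dir/fstab.good" <<'EOF'
/dev/mapper/cryptfs  /data  ext4  defaults  0 2
EOF
cat > "$demo_dir/fstab.bad" <<'EOF'
/dev/sdd             /data  ext4  defaults  0 2
EOF

check_crypt_mounts "$demo_dir/crypttab" "$demo_dir/fstab.good"
check_crypt_mounts "$demo_dir/crypttab" "$demo_dir/fstab.bad" || echo "fstab.bad fails the check, as expected"
```

The check only compares the first fstab field literally; a mapped device that fstab mounts by UUID= or LABEL= is reported as WARN rather than OK, but a raw /dev/sdd reference is still caught as BAD because that string never legitimately appears in fstab once the device is LUKS-formatted.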

To verify the status of an encrypted volume, use the following command:

sudo cryptsetup status cryptfs
/dev/mapper/cryptfs is active.
type: LUKS1
cipher:  aes-cbc-essiv:sha256
keysize: 256 bits
device:  /dev/xvdd1
offset:  4096 sectors
size:    6309386 sectors
mode:    read/write

Should you need to remove the device mapping, unmount any file system that the encrypted volume contains, and run the following command:

sudo cryptsetup luksClose /dev/mapper/cryptfs

For more information, see the cryptsetup(8) and crypttab(5) man pages.

Recommendations for SSD Configuration for Btrfs, ext4, and Swap

When partitioning an SSD, align primary and logical partitions on one-megabyte (1048576 bytes) boundaries. If partitions, file system blocks, or RAID stripes are incorrectly aligned and overlap the boundaries of the underlying storage's pages, which are usually either 4 KB or 8 KB in size, the device controller has to modify twice as many pages as it would if the alignment were correct.

For btrfs and ext4 file systems, specifying the discard option with mount sends discard (TRIM) commands to an underlying SSD whenever blocks are freed. This option can extend the working life of the device, but it has a negative impact on performance, even for SSDs that support queued discards. The recommended alternative is to use the fstrim command to discard blocks that the file system is not using, especially before reinstalling the operating system or before creating a new file system on an SSD. Schedule fstrim to run when it will have minimal impact on system performance. You can also apply fstrim to a specific range of blocks rather than to the whole file system.

Note:

Using a minimal journal size of 1024 file-system blocks for ext4 on an SSD improves performance. However, it is not recommended that you disable journalling altogether as it improves the robustness of the file system.

Btrfs automatically enables SSD optimization for a device if the value of /sys/block/device/queue/rotational is 0. If btrfs does not detect a device as being an SSD, you can enable SSD optimization by specifying the ssd option to mount.

Note:

By default, btrfs enables SSD optimization for Xen Virtual Devices (XVD) because the value of rotational for these devices is 0. To disable SSD optimization, specify the nossd option to mount.

Setting the ssd option does not imply that discard is also set.
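The 1 MiB alignment rule and the rotational test that btrfs applies can both be checked from the shell. The following script is an added example and is not part of the Oracle Linux documentation: partition_aligned tests a start sector against the 1 MiB boundary, is_ssd reads the queue/rotational attribute that btrfs consults, and check_device_alignment walks the start attribute of each partition under /sys/block/<device> (the kernel expresses start in 512-byte sectors). The sysfs root is a parameter so the script runs against a constructed tree in a temporary directory; the function names and the sdx device are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: SSD alignment and
# rotational checks. The sysfs root is a parameter (default /sys) so that the
# functions can be exercised against a constructed directory tree.

MIB=1048576

# partition_aligned START_SECTOR [SECTOR_SIZE]: exit 0 if the partition starts
# on a 1 MiB boundary. Sector size defaults to 512; pass 4096 for 4Kn drives.
partition_aligned() {
    start=$1; sector=${2:-512}
    [ $(( start * sector % MIB )) -eq 0 ]
}

# first_aligned_sector [SECTOR_SIZE]: lowest non-zero start sector on a 1 MiB
# boundary (2048 for 512-byte sectors, 256 for 4096-byte sectors).
first_aligned_sector() {
    echo $(( MIB / ${1:-512} ))
}

# is_ssd DEVICE [SYSFS_ROOT]: exit 0 if the kernel reports the device as
# non-rotational, i.e. <root>/block/<device>/queue/rotational contains 0.
# This is the same test btrfs applies before enabling its ssd optimization.
is_ssd() {
    root=${2:-/sys}
    f="$root/block/$1/queue/rotational"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# check_device_alignment DEVICE [SYSFS_ROOT]: report each partition's start
# sector (sysfs "start" is always in 512-byte units) and whether it sits on a
# 1 MiB boundary. Exits non-zero if any partition is misaligned.
check_device_alignment() {
    dev=$1; root=${2:-/sys}; rc=0
    for f in "$root/block/$dev"/"$dev"*/start; do
        [ -r "$f" ] || continue
        part=$(basename "$(dirname "$f")")
        start=$(cat "$f")
        if partition_aligned "$start" 512; then
            echo "$part: start sector $start is aligned to 1 MiB"
        else
            echo "$part: start sector $start is NOT aligned to 1 MiB (next boundary: $(( (start / 2048 + 1) * 2048 )))"
            rc=1
        fi
    done
    return $rc
}

# Constructed sysfs tree (not a real device) in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/block/sdx/queue" "$demo/block/sdx/sdx1" "$demo/block/sdx/sdx2"
echo 0    > "$demo/block/sdx/queue/rotational"   # reported as an SSD
echo 2048 > "$demo/block/sdx/sdx1/start"          # exactly 1 MiB
echo 63   > "$demo/block/sdx/sdx2/start"          # legacy CHS-style start, misaligned

if is_ssd sdx "$demo"; then echo "sdx: non-rotational (btrfs would enable ssd)"; fi
check_device_alignment sdx "$demo" || echo "sdx has a misaligned partition, as expected"
```

On a real system, run check_device_alignment sda (or the device in question) with no second argument. To trim only a range of blocks rather than the whole file system, fstrim accepts -o (byte offset) and -l (length) in addition to the mount point.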

If you configure swap files or partitions on an SSD, reduce the tendency of the kernel to perform anticipatory writes to swap, which is controlled by the value of the vm.swappiness kernel parameter and displayed as /proc/sys/vm/swappiness. The value of vm.swappiness can be in the range 0 to 100, where a higher value implies a greater propensity to write to swap. The default value is 60. The suggested value when swap has been configured on an SSD is 1. You can use the following commands to change the value (the append to /etc/sysctl.conf is done through tee so that it runs with root privileges; redirecting the output of sudo echo would fail because the shell, not sudo, performs the redirection):

echo "vm.swappiness = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
...
vm.swappiness = 1