5 Using Encrypted Block Devices

When you install Oracle Linux, you can configure encryption on the system volumes, except for the boot partition, which holds the kernel and initial RAM disk that the boot loader must read before any volume can be unlocked. To protect the boot partition itself, use a password protection mechanism built into the BIOS or set a GRUB password. Note that either measure only restricts what can be done from the console; neither protects the boot partition against someone who removes the disk.

About Encrypted Block Devices

The device mapper supports the encryption of block devices through the dm-crypt device driver. Data on these devices is accessible only after the device has been unlocked with the proper credentials, typically at boot time. dm-crypt works transparently below whatever is stored on the device, so it can encrypt disk partitions, RAID volumes, and LVM physical volumes regardless of their contents.

Creating Encrypted Volumes

The cryptsetup utility sets up Linux Unified Key Setup (LUKS) encryption on a device and manages the passphrases and key slots used to unlock it.

LUKS is an encryption specification that defines a platform-independent, standard on-disk format. The standard ensures interoperability and compatibility among different distributions and programs, and the implementation includes tools that simplify the administration of encrypted disks. A LUKS volume that is listed in /etc/crypttab requires its passphrase (or a key file) at boot time. The correct passphrase unlocks the volume's master key, and that key is what decrypts the data, so the passphrase can be changed or additional passphrases added without re-encrypting the volume.

For more information about LUKS, see the https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md file.

To encrypt volumes with LUKS, follow these steps:

  1. Initialize a LUKS partition on the device and set up the initial key, for example:

    sudo cryptsetup luksFormat /dev/sdd

    The following warning is displayed:

    WARNING!
    ========
    This will overwrite data on /dev/sdd irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: passphrase
    Verify passphrase: passphrase
  2. Open the device and create the device mapping, for example:

    sudo cryptsetup luksOpen /dev/sdd cryptfs

    You're prompted to enter the passphrase:

    Enter passphrase for /dev/sdd: passphrase

    The encrypted volume is accessible as /dev/mapper/cryptfs.

  3. Create an entry for the encrypted volume in /etc/crypttab, for example:

    # <target name>  <source device>  <key file>  <options>
    cryptfs          /dev/sdd         none        luks

    Because the key file column is set to none, this entry causes the operating system to prompt you for the passphrase at boot time.

You use an encrypted volume in the same way as you would a physical storage device, for example, as an LVM physical volume, file system, swap partition, Automatic Storage Management (ASM) disk, or raw device. For example, to mount the encrypted volume automatically, you would create an entry in /etc/fstab that mounts the mapped device (/dev/mapper/cryptfs), not the physical device (/dev/sdd): the physical device holds only ciphertext and has no mountable file system on it.

To verify the status of an encrypted volume:

sudo cryptsetup status cryptfs

The following output is displayed:

/dev/mapper/cryptfs is active.
type: LUKS1
cipher:  aes-cbc-essiv:sha256
keysize: 256 bits
device:  /dev/sdd
offset:  4096 sectors
size:    6309386 sectors
mode:    read/write

The type, cipher, and key size shown depend on the cryptsetup version and its compiled-in defaults at the time the volume was formatted; current cryptsetup versions create LUKS2 volumes by default, so the output on a newer system will differ from the example above.

To remove the device mapping:

  1. Unmount any existing file system in the encrypted volume.

  2. Remove the mapped device from /dev/mapper.

    For example, for the encrypted volume cryptfs, use the following command:

    sudo cryptsetup luksClose /dev/mapper/cryptfs
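The whole procedure on this page (format, open, /etc/crypttab and /etc/fstab entries, status check, close) gathered into one script, added here as an example; it is not code from the Oracle Linux documentation or from the cryptsetup project. /dev/sdd, the mapping name cryptfs, the mount point /data, the xfs file system and the sample fstab contents are placeholders chosen for illustration. The destructive steps run only when the script is invoked with `apply` as root; the functions that build the crypttab and fstab entries and audit an fstab are plain text operations that run anywhere.

```shell
#!/bin/sh
# Added example for the Oracle Linux LUKS procedure; not code from the page
# or from the cryptsetup project. /dev/sdd, cryptfs, /data and xfs are
# placeholders chosen here for illustration.
set -eu

# luksFormat destroys everything on the device, so refuse to touch a device
# that is mounted or that already carries a LUKS header.
luks_format_safely() {
    dev=$1
    if findmnt -rn -S "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing: $dev already holds a LUKS header" >&2
        return 1
    fi
    cryptsetup luksFormat "$dev"      # prompts for YES and the passphrase
}

# Map the device as /dev/mapper/<name>; prompts for the passphrase.
luks_open() {
    cryptsetup luksOpen "$1" "$2"
}

# Unmount (ignoring the case where nothing is mounted), then remove the
# mapping; a failing luksClose is never ignored.
luks_close() {
    umount "/dev/mapper/$1" 2>/dev/null || true
    cryptsetup luksClose "$1"
}

# /etc/crypttab entry. The source is written as UUID=<luks uuid> (obtained
# with: cryptsetup luksUUID /dev/sdd) because /dev/sdX names can change
# between boots; "none" in the key-file column means prompt for the passphrase.
crypttab_line() {
    # $1 = mapping name, $2 = LUKS UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entry that mounts the mapped device, never the raw partition.
fstab_line() {
    # $1 = mapping name, $2 = mount point, $3 = file system type
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# Audit: given fstab text, fail if the raw device is mounted directly (it
# holds only ciphertext) or if the mapping has no mount entry at all.
# $1 = fstab contents, $2 = raw device path, $3 = mapping name
check_fstab() {
    fstab=$1
    dev=$2
    name=$3
    active=$(printf '%s\n' "$fstab" | grep -v '^[[:space:]]*#' || true)
    if printf '%s\n' "$active" | grep -q "^[[:space:]]*$dev[[:space:]]"; then
        echo "fstab mounts raw device $dev instead of /dev/mapper/$name" >&2
        return 1
    fi
    if ! printf '%s\n' "$active" | grep -q "^[[:space:]]*/dev/mapper/$name[[:space:]]"; then
        echo "fstab has no entry for /dev/mapper/$name" >&2
        return 1
    fi
}

# The destructive steps run only when asked for explicitly, as root.
if [ "${1:-}" = "apply" ]; then
    DEV=/dev/sdd
    NAME=cryptfs
    MNT=/data
    luks_format_safely "$DEV"
    luks_open "$DEV" "$NAME"
    mkfs.xfs "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    crypttab_line "$NAME" "$(cryptsetup luksUUID "$DEV")" >> /etc/crypttab
    fstab_line "$NAME" "$MNT" xfs >> /etc/fstab
    check_fstab "$(cat /etc/fstab)" "$DEV" "$NAME"
    mount "$MNT"
    cryptsetup status "$NAME"
fi
```

Run the full procedure with `sudo sh luks-example.sh apply` (the file name is an assumption). The crypttab entry uses the LUKS UUID rather than /dev/sdd so that the mapping survives a change in device enumeration, and check_fstab catches the mistake the page warns about, an fstab line that names the physical device instead of /dev/mapper/cryptfs.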

For more information, see the cryptsetup(8) and crypttab(5) manual pages.