Quick instructions on how to encrypt partitions using Linux Unified Key Setup (LUKS).
Note that this isn't for the root partition, only post-installation additional partitions.
# RHEL5 yum install cryptsetup # RHEL6 yum install cryptsetup-luks
Example to encrypt the /dev/sda2 partition :
cryptsetup -c aes-cbc-essiv:sha256 -h sha256 --verify-passphrase --key-size 256 luksFormat /dev/sda2
- The default cypher is plain AES, it's better to use ESSIV for higher encryption level
- The default password hash is ripemd160, it's better to us sha256 instead
- The default key size is 128 bits, it's better to use 256 bits instead
Creating the LVM Physical Volume (PV) :
cryptsetup luksOpen /dev/sda2 secure pvcreate /dev/mapper/secure
Or creating the filesystem :
cryptsetup luksOpen /dev/sda2 secure mkfs.ext4 -m 1 -L secure /dev/mapper/secure
Manual mounting after boot :
cryptsetup luksOpen /dev/sda2 secure pvscan; vgchange -a y vg0 # if using LVM with a vg called vg0 # mount ...
Automatically mounting :
- Edit /etc/crypttab, the none means that the password will be prompted for on the console upon boot (see man 5 crypttab) :
secure /dev/sda2 none
- Edit /etc/fstab as needed. Example :
/dev/mapper/secure /secure ext4 defaults 0 0
Note: Only do this if it's easy to access the console after a reboot, since the boot sequence will be halted for the passphrase prompt way before the network is up (i.e. physical access, Serial on LAN with IPMI, etc.).