cryptsetup

From Glee

Quick instructions on how to encrypt partitions using Linux Unified Key Setup (LUKS).

Note that this isn't for the root partition, only post-installation additional partitions.

Creation

# RHEL5
yum install cryptsetup
# RHEL6
yum install cryptsetup-luks

Example: encrypting the /dev/sda2 partition (this overwrites the partition header, so any existing data on it becomes unreadable):

cryptsetup -c aes-cbc-essiv:sha256 -h sha256 --verify-passphrase --key-size 256 luksFormat /dev/sda2
  • The default cipher mode in older cryptsetup releases is aes-cbc-plain; cbc-essiv:sha256 derives each sector's IV from the key instead of using the predictable sector number, which is the stronger choice
  • The default passphrase hash is ripemd160; it's better to use sha256 instead
  • The default key size is 128 bits; it's better to use 256 bits instead
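As an added example (not part of the original page), the script below checks the parameters recorded in an existing LUKS header against the three recommendations above: an ESSIV (or XTS) IV mode, a sha256 hash spec and a 256-bit master key. It parses the text printed by cryptsetup luksDump; the two dumps embedded in it are constructed samples, one made with the old defaults and one with the luksFormat line above, and the function names field and audit_luks_dump are my own.

```shell
#!/bin/sh
# Added example: audit a LUKS1 header dump for the weak defaults described above.
# Real use:  audit_luks_dump "$(cryptsetup luksDump /dev/sda2)"

# Constructed sample: header created with the old cryptsetup defaults.
SAMPLE_WEAK='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      ripemd160
Payload offset: 2056
MK bits:        128'

# Constructed sample: header created with the luksFormat command shown above.
SAMPLE_GOOD='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
Payload offset: 4096
MK bits:        256'

# field DUMP LABEL: print the value of the "LABEL:" line of a luksDump text.
# The value is everything after the first colon, so "cbc-essiv:sha256" stays whole.
field() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# audit_luks_dump DUMP: print one WEAK line per parameter that misses the
# recommendation; exit status 0 only when all three are met.
audit_luks_dump() {
    dump=$1
    weak=0
    mode=$(field "$dump" "Cipher mode")
    hspec=$(field "$dump" "Hash spec")
    bits=$(field "$dump" "MK bits")

    # Plain IVs are predictable; ESSIV (or XTS, which needs no ESSIV) is expected.
    case $mode in
        *essiv*|xts-*) ;;
        *) echo "WEAK: IV mode '$mode' (expected an ESSIV mode such as cbc-essiv:sha256)"; weak=1 ;;
    esac
    case $hspec in
        sha256|sha512) ;;
        *) echo "WEAK: hash spec '$hspec' (expected sha256)"; weak=1 ;;
    esac
    if [ "${bits:-0}" -lt 256 ]; then
        echo "WEAK: master key is ${bits:-unknown} bits (expected 256)"; weak=1
    fi
    return $weak
}

echo "--- constructed weak header"
audit_luks_dump "$SAMPLE_WEAK" || echo "result: header does not meet the recommendations"
echo "--- constructed good header"
audit_luks_dump "$SAMPLE_GOOD" && echo "result: header meets the recommendations"
```

The check reads the header, not the passphrase, so it is safe to run on a mounted volume; the parameters it reports are fixed at luksFormat time and can only be changed by reformatting (and restoring the data).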

Creating the LVM Physical Volume (PV):

cryptsetup luksOpen /dev/sda2 secure
pvcreate /dev/mapper/secure

Or creating the filesystem:

cryptsetup luksOpen /dev/sda2 secure
mkfs.ext4 -m 1 -L secure /dev/mapper/secure

Mounting

Manual mounting after boot:

cryptsetup luksOpen /dev/sda2 secure
pvscan; vgchange -a y vg0  # if using LVM with a vg called vg0
# mount ...

Automatic mounting:

  • Edit /etc/crypttab; none in the key-file column means the passphrase will be prompted for on the console at boot (see man 5 crypttab):
secure /dev/sda2 none
  • Edit /etc/fstab as needed. Example:
/dev/mapper/secure /secure ext4 defaults 0 0

Note: Only do this if the console is easy to reach after a reboot, since the boot sequence halts at the passphrase prompt well before the network is up (e.g. physical access, Serial over LAN via IPMI, etc.).
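The two files edited above have to agree with each other: every /dev/mapper/<name> mount in /etc/fstab needs a crypttab entry of the same name, or the mount fails at boot. As an added example (not part of the original page), the script below cross-checks the two files, lists the mappings that will stop at a console passphrase prompt (key field none, the situation the note above warns about) and flags devices referenced by path rather than UUID. The file contents embedded in it are constructed samples, and the function names mapper_names, crypttab_field and check_tabs are my own; point them at the real files to audit a host.

```shell
#!/bin/sh
# Added example: cross-check crypttab against fstab for LUKS-backed mounts.
# Real use:  check_tabs "$(cat /etc/crypttab)" "$(cat /etc/fstab)"

# Constructed sample /etc/crypttab: one console-passphrase entry (like the page's
# "secure" line) and one key-file entry referenced by UUID.
CRYPTTAB_SAMPLE='# <name>  <device>                     <key file>      <options>
secure    /dev/sda2                    none
data      UUID=constructed-uuid-0000   /root/data.key  luks'

# Constructed sample /etc/fstab: "orphan" has no crypttab entry on purpose.
FSTAB_SAMPLE='# constructed sample
/dev/sda1            /        ext4  defaults 1 1
/dev/mapper/secure   /secure  ext4  defaults 0 0
/dev/mapper/data     /data    ext4  defaults 0 0
/dev/mapper/orphan   /orphan  ext4  defaults 0 0'

# mapper_names FSTAB_TEXT: names of all /dev/mapper/<name> devices mounted by fstab.
mapper_names() {
    printf '%s\n' "$1" | awk '$1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }'
}

# crypttab_field NAME COL CRYPTTAB_TEXT: column COL of the crypttab entry NAME
# (empty output if the entry does not exist; comment lines are skipped).
crypttab_field() {
    printf '%s\n' "$3" | awk -v name="$1" -v col="$2" \
        '$1 !~ "^#" && $1 == name { print $col; exit }'
}

# check_tabs CRYPTTAB_TEXT FSTAB_TEXT: report on every mapper device in fstab.
# Exit status is the number of fstab mappings with no crypttab entry.
check_tabs() {
    missing=0
    for name in $(mapper_names "$2"); do
        if [ -z "$(crypttab_field "$name" 1 "$1")" ]; then
            echo "ERROR: /dev/mapper/$name is in fstab but has no crypttab entry"
            missing=$((missing + 1))
            continue
        fi
        dev=$(crypttab_field "$name" 2 "$1")
        key=$(crypttab_field "$name" 3 "$1")
        # crypttab(5): a missing key-file field means "none", i.e. a console prompt.
        case ${key:-none} in
            none) echo "NOTE: $name prompts for its passphrase on the console at boot" ;;
            *)    echo "OK: $name is unlocked with key file $key" ;;
        esac
        case $dev in
            UUID=*|/dev/disk/by-uuid/*) ;;
            *) echo "NOTE: $name refers to $dev by path; a UUID= reference survives disk renumbering" ;;
        esac
    done
    return $missing
}

check_tabs "$CRYPTTAB_SAMPLE" "$FSTAB_SAMPLE" || echo "result: $? mapping(s) missing from crypttab"
```

Run it after editing both files and before rebooting: a missing crypttab entry or a surprise passphrase prompt is far cheaper to find on a running system than on a console you cannot reach.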