Encrypting drives using LUKS

This page has been converted from the Fedora Project Wiki and cleaned up for publishing here on the Fedora Docs Portal, but it has not yet been reviewed for technical accuracy. This means any information on this page may be outdated or inaccurate. Reviews for technical accuracy are greatly appreciated. If you want to help, see the README file in the source repository for instructions.

As a system administrator, you can encrypt a block device. This section gives a brief introduction to block encryption, describes Linux Unified Key Setup (LUKS), and lists the steps to create an encrypted block device.

Block device encryption

Block device encryption protects the data on a block device by encrypting it. To access the device’s decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing operating system security mechanisms as it protects the device’s contents even if it has been physically removed from the system.

Introduction to LUKS

Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem with the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the cryptsetup utility to perform user-level operations such as creating and accessing encrypted devices.

What LUKS does

  • LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.

  • The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.

  • LUKS uses the existing device mapper kernel subsystem.

  • LUKS provides passphrase strengthening which protects against dictionary attacks.

  • LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.

What LUKS does not do

  • LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.

  • LUKS is not well-suited for applications requiring file-level encryption.

Creating encrypted block devices

This procedure describes the steps to create and configure encrypted block devices after installation.

Step 1: Preparing a block device

  • Install the cryptsetup package:

    # dnf install cryptsetup-luks
  • Create the block devices you want to encrypt using parted, pvcreate, lvcreate, and mdadm.

  • Optionally, fill the device, for example, /dev/sda3 with random data before encrypting it as this increases the strength of encryption.

    Filling the device with random data increases the time necessary for encryption.

    The commands below destroy any existing data on the device.

    • To fill the device with high-quality random data:

      dd if=/dev/urandom of=<device>

      This takes several minutes per gigabyte on most systems.

    • To fill the device with lower-quality random data:

      badblocks -c 10240 -s -w -t random -v <device>

      This is quicker compared to the high-quality random data method.

Step 2: Formatting an encrypted device

  1. Format the device:

    # cryptsetup luksFormat <device>

    Sample output:

    WARNING!
    ========
    This will overwrite data on <device> (for example, /dev/xvdc) irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.

    This command initializes the volume, and sets an initial key or passphrase.

    The passphrase is not recoverable so do not forget it.

  2. To verify the formatting:

    # cryptsetup isLuks <device> && echo Success
  3. To see a summary of the encryption information for the device:

    # cryptsetup luksDump <device>

Step 3: Creating mapping to allow access to a decrypted content

To access a decrypted content on a device, you need to create a mapping using the kernel device-mapper.

LUKS provides a UUID (Universally Unique Identifier) for each device. This UUID is guranteed to remain the same as long as the LUKS header remains intact. To find a LUKS UUID for the device, run the following command:

# cryptsetup luksUUID <device>

An example of a reliable, informative and unique mapping name would be luks-<uuid>, where <uuid> is replaced with the LUKS UUID for the device (for example, luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8).

  1. Create a mapping to access the decrypted contents on the device:

    # cryptsetup luksOpen <device> <name>

    You are prompted to enter the passphrase for the device. Once you have authenticated, you can see the mapping /dev/mapper/<name> which represents the decrypted device. You can read from and write to this device like you would any other unencrypted block device.

  2. To see the status of the mapping:

    # cryptsetup -v status <name>

    Sample output:

    /dev/mapper/<name> is active.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/xvdc
      offset:  4096 sectors
      size:    419426304 sectors
      mode:    read/write
    Command successful.

Step 4: Creating filesystems on a mapped device

After Step 3: Creating mapping to allow access to a decrypted content, you can now use the mapped device node /dev/mapper/<name> like any other block device.

  1. To create an ext2 filesystem on the mapped device:

    # mke2fs /dev/mapper/<name>
  2. To mount this file system:

    # mkdir /mnt/test/
    # mount /dev/mapper/<name> /mnt/test

Step 5: Adding the mapping information to /etc/fstab

In order for a system to setup mapping to a device, add a corresponding entry in the /etc/crypttab file.

  1. If your system does not have the /etc/crypttab file, create a new file and change the owner and group to root (root:root):

    # touch /etc/crypttab
    # chmod 0744
  2. To identify the correct device in case the device name changes, add:

    <name>  <device>  none

    Here, the <device> field should be given in the form UUID=<luks_uuid>, where <luks_uuid> is the LUKS UUID.

Step 6: Adding an entry to /etc/fstab

To ensure a persistent mapping between the device and the mount point, add the entry in the /etc/fstab file:

/dev/mapper/<name>