---
Author: Kristof Vandam
Categories:
- administration
Date: 2018-08-23T22:08:15+02:00
Draft: false
Tags:
- encryption
- security
- disk
- partition
Title: Luks Encryption
Truncated: true
---

Create an encrypted partition that will automatically mount at boot.

Sometimes it's nice to have encryption, sometimes it's mandatory; either way, there are a couple of things you should keep in mind. Most solutions you find work at disk level, but these have some pros and cons.

PRO's | CON's
------|------
Every application can work with it | Data is only secured from physical theft
No extra development required | Can cause some overhead, as everything goes through encryption/decryption, everything

There are also a couple of choices you can make when implementing LUKS: you could create an LVM layer on top of a LUKS partition or, what we are doing in this guide, add a LUKS encrypted mount on top of an LVM stack. The latter allows you to automatically mount the encrypted disk after or at boot time.

## Add a new disk (LVM)

This is unrelated to encrypting the disk, but in our setup we started by adding a new disk to the server. The commands below are just some I often use as a group. Lines 1 to 3 you can just copy/paste. Line 1 makes sure a rescan is triggered to detect the newly added disk. Lines 2 and 3 create some variables, which can be checked and used later. Make sure their output is what you expected; you can echo them as shown on lines 4 and 5.
Create a Physical Volume and extend the Volume Group 'centos'.

```.language-command.line-numbers
root@server:/dev/centos # for i in /sys/class/scsi_host/host*; do echo "- - -" > $i/scan; done
root@server:/dev/centos # NEWDISK=$(dmesg|tail|grep 'Attached'|awk '{print $4}'|tail -n1|cut -d "[" -f2|cut -d "]" -f1)
root@server:/dev/centos # VGROUP=$(vgdisplay|grep Name|head -n1|awk '{print $3}')
root@server:/dev/centos # echo ${NEWDISK}
sdd
root@server:/dev/centos # echo ${VGROUP}
centos
root@server:/dev/centos # pvcreate /dev/${NEWDISK}
  Physical volume "/dev/sdd" successfully created.
root@server:/dev/centos # vgextend ${VGROUP} /dev/${NEWDISK}
  Volume group "centos" successfully extended
```

## Create a logical volume (LVM)

Add a Logical Volume named 'encrypted' to the Volume Group 'centos'.

```.language-command
root@server:/dev/centos # lvcreate -L 15G -n encrypted centos
  Logical volume "encrypted" created.
```

## Encrypt the partition

Ok, the fun part starts here (**CAUTION**: before continuing make sure there is no important data on */dev/centos/encrypted*, it will be wiped). We encrypt the Logical Volume with the first command. A passphrase is required (see it as a backup); LUKS can contain up to 5 different passwords. In a later section we add a second, more complex, password to use as the key at boot. Hold tight.

After the first command (the actual formatting of the partition) we need to 'open' the partition. By opening we mean creating a new (mapped) disk, and you will notice a password is required to do so. Use the password you just created.

```.language-command
root@server:/dev/centos # cryptsetup -v --verify-passphrase luksFormat /dev/centos/encrypted
root@server:/dev/mapper # cryptsetup luksOpen /dev/centos/encrypted luks-encrypted
```

## Create a mountpoint

Before you can use the encrypted partition you should mount it. Do it like you always do: create a directory to mount to and mount */dev/mapper/luks-encrypted* with *mount*.
```.language-command
root@server:/dev/mapper # mkdir /encrypted
root@server:/dev/mapper # mount /dev/mapper/luks-encrypted /encrypted
```

From here on you are actually done, if you want to type the password manually on every boot. I highly doubt you want that, so let's go on. (It is of course safer to do so.)

## Create a key (to auto-mount the encrypted disk)

Create a key file we can add to */etc/crypttab*; any random string will do, but we create it with */dev/urandom*. Make sure to set strict permissions on it.

```.language-command
root@server:/dev/mapper # dd if=/dev/urandom of=/root/lukskey bs=1024 count=4
root@server:/dev/mapper # chmod 0400 /root/lukskey
```

## Unmount and add the key

Add the key you just created so LUKS accepts it, but first unmount the mount and close the vault.

```.language-command
root@server:/ # umount /encrypted
root@server:/ # cryptsetup luksClose luks-encrypted
root@server:/ # cryptsetup luksAddKey /dev/mapper/centos-encrypted /root/lukskey
```

## Get UUID

Get the UUID of the disk; using the UUID to mount the disk is a more solid solution than using the disk names (/dev/sd*). These disk names **CAN** change, the UUID cannot.

```.language-command
root@server:/ # blkid /dev/mapper/centos-encrypted
/dev/mapper/centos-encrypted: UUID="0dab9a5c-1870-478d-8d74-226eeb512f78" TYPE="crypto_LUKS"
```

## Auto-mount LUKS (edit /etc/crypttab)

Add an entry to */etc/crypttab*; see it as the */etc/fstab* of encrypted devices. Just like fstab, crypttab will automatically activate the defined entries at boot.

```.language-bash
luks-encrypted /dev/disk/by-uuid/0dab9a5c-1870-478d-8d74-226eeb512f78 /root/lukskey luks
```

## Check your work

Congrats, this should be it; reboot and make sure the disk is mounted automatically.
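A pre-reboot sanity check for the key file and the crypttab entry set up above, added here as an example (not part of the original post). It assumes the guide's names: key file */root/lukskey*, mapping *luks-encrypted* and backing device */dev/mapper/centos-encrypted*; only the final unlock test needs root and cryptsetup.

```shell
#!/bin/sh
# Added example: sanity-check the LUKS auto-mount setup from this guide before rebooting.
# Assumes the guide's names: keyfile /root/lukskey, mapping luks-encrypted,
# backing device /dev/mapper/centos-encrypted.

# The keyfile is as sensitive as the passphrase: it must exist and be mode 0400.
check_keyfile_mode() {
    f=$1
    [ -f "$f" ] || { echo "keyfile $f missing"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "400" ] || { echo "keyfile $f has mode $mode, expected 400"; return 1; }
}

# Validate one crypttab line: <name> <device> <keyfile> <options>, where the
# device is referenced by UUID (stable across reboots, unlike /dev/sdX), the
# keyfile is an absolute path and the options include 'luks'.
check_crypttab_line() {
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#"; return 1; }
    case $2 in
        /dev/disk/by-uuid/*|UUID=*) ;;
        *) echo "$1: device '$2' is not referenced by UUID"; return 1 ;;
    esac
    case $3 in
        /*) ;;
        *) echo "$1: keyfile '$3' must be an absolute path"; return 1 ;;
    esac
    case ",$4," in
        *,luks,*) ;;
        *) echo "$1: options '$4' do not include 'luks'"; return 1 ;;
    esac
}

# Prove the keyfile really unlocks the volume without mapping it (needs root and cryptsetup).
test_keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Run all checks on the live system; stops at the first problem with a non-zero status.
run_all_checks() {
    check_keyfile_mode /root/lukskey &&
    check_crypttab_line "$(grep '^luks-encrypted' /etc/crypttab)" &&
    test_keyfile_unlocks /dev/mapper/centos-encrypted /root/lukskey &&
    echo "OK: keyfile, crypttab entry and unlock all check out"
}
```

Run `run_all_checks` as root before rebooting; note that crypttab only opens the mapping, so the first mount also needs a filesystem on */dev/mapper/luks-encrypted* (mkfs) and a matching */etc/fstab* entry for */encrypted*.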