23/Aug 2018
By Kristof Vandam
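Add a new disk (LVM). The disk name is scraped from the last lines of dmesg, so check that ${NEWDISK} really is the newly attached, empty disk (the echo below, or lsblk) before running pvcreate.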
root@server:/dev/centos # for i in /sys/class/scsi_host/host*; do echo "- - -" > $i/scan; done
root@server:/dev/centos # NEWDISK=$(dmesg|tail|grep 'Attached'|awk '{print $4}'|tail -n1|cut -d "[" -f2|cut -d "]" -f1)
root@server:/dev/centos # VGROUP=$(vgdisplay|grep Name|head -n1|awk '{print $3}')
root@server:/dev/centos # echo ${NEWDISK}
sdd
root@server:/dev/centos # echo ${VGROUP}
centos
root@server:/dev/centos # pvcreate /dev/${NEWDISK}
Physical volume "/dev/sdd" successfully created.
root@server:/dev/centos # vgextend ${VGROUP} /dev/${NEWDISK}
Volume group "centos" successfully extended
Create a logical volume (LVM)
root@server:/dev/centos # lvcreate -L 15G -n encrypted centos
Logical volume "encrypted" created.
Encrypt the logical volume (luksFormat irreversibly overwrites any data already on it)
root@server:/dev/centos # cryptsetup -v --verify-passphrase luksFormat /dev/centos/encrypted
root@server:/dev/mapper # cryptsetup luksOpen /dev/centos/encrypted luks-encrypted
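Create a mountpoint (the opened device /dev/mapper/luks-encrypted needs a filesystem, created with mkfs, before the first mount)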
root@server:/dev/mapper # mkdir /encrypted
root@server:/dev/mapper # mount /dev/mapper/luks-encrypted /encrypted
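Create a key file (to unlock the encrypted disk automatically at boot). The key file unlocks the volume without a passphrase, so the encryption only protects the data at rest if the filesystem holding /root/lukskey is itself encrypted or kept apart from the disk.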
root@server:/dev/mapper # dd if=/dev/urandom of=/root/lukskey bs=1024 count=4
root@server:/dev/mapper # chmod 0400 /root/lukskey
Unmount and add the key
root@server:/ # umount /encrypted
root@server:/ # cryptsetup luksClose luks-encrypted
root@server:/ # cryptsetup luksAddKey /dev/mapper/centos-encrypted /root/lukskey
Get UUID
root@server:/ # blkid /dev/mapper/centos-encrypted
/dev/mapper/centos-encrypted: UUID="0dab9a5c-1870-478d-8d74-226eeb512f78" TYPE="crypto_LUKS"
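Auto-mount LUKS (edit /etc/crypttab). The entry below unlocks the volume at boot using the key file; mounting it on /encrypted also needs a matching /etc/fstab entry for /dev/mapper/luks-encrypted.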
luks-encrypted /dev/disk/by-uuid/0dab9a5c-1870-478d-8d74-226eeb512f78 /root/lukskey luks