Install the LUKS package (if it’s not already installed):
# yum install -y cryptsetup-luks
Load the dm_crypt kernel module used by LUKS:
# modprobe dm_crypt
Check that the module is loaded:
# lsmod | grep dm_crypt
dm_crypt 12894 0
dm_mod 82839 9 dm_crypt,dm_mirror,dm_log
Create a logical volume (here called lv_vol with a size of 100MB in the vg volume group):
# lvcreate --size 100M --name lv_vol vg
Convert the new logical volume to the LUKS format:
# cryptsetup luksFormat /dev/vg/lv_vol
WARNING!
========
This will overwrite data on /dev/vg/lv_vol irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: MyPassphrase
Verify passphrase: MyPassphrase
Open and give a name to the LUKS logical volume (here vol):
# cryptsetup luksOpen /dev/vg/lv_vol vol
Enter passphrase for /dev/vg/lv_vol: MyPassphrase
Create an EXT4 file system on the LUKS logical volume:
# mkfs.ext4 /dev/mapper/vol
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=33685504
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Create the /etc/crypttab file and add the following line:
vol /dev/vg/lv_vol /root/luks.key
Note: if you put 'none' instead of '/root/luks.key', you will be asked for the passphrase on the console at each boot.
Create a file, for example /root/luks.key, to store the passphrase:
MyPassphrase
Add the passphrase to the LUKS logical volume:
# cryptsetup luksAddKey /dev/vg/lv_vol /root/luks.key
Enter any passphrase: MyPassphrase
Edit the /etc/fstab file and add the following line (be careful when editing the /etc/fstab file, or configure a virtual console beforehand):
/dev/mapper/vol /vol ext4 defaults 1 2
Create the mount point:
# mkdir /vol
Mount the LUKS logical volume:
# mount /vol
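The steps above store the passphrase in /root/luks.key and reference it from /etc/crypttab, but never set the file's permissions. The following shell function is an added example, not part of the original tutorial: it reads a crypttab file and reports key files that are missing or readable by group or others. It assumes GNU stat; the function name audit_crypttab and the temporary paths are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit key files named in a crypttab.
# Prints one line per finding; the return status is the number of findings.
audit_crypttab() {
    crypttab=$1
    findings=0
    # crypttab fields: <name> <device> <key file> [options]
    while read -r name device keyfile _opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac        # blank line or comment
        case $keyfile in ''|none|-) continue ;; esac   # passphrase asked at boot
        if [ ! -f "$keyfile" ]; then
            echo "$name ($device): key file $keyfile not found"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -L -c '%a' "$keyfile")   # GNU stat, octal permission bits
        # Any group/other bit lets a non-root account read the volume key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name ($device): $keyfile has mode $mode, expected 600 or 400"
            findings=$((findings + 1))
        fi
    done < "$crypttab"
    return "$findings"
}

# Constructed sample: a scratch copy of the tutorial's crypttab line, with the
# key file placed in a temporary directory instead of /root.
demo=$(mktemp -d)
printf 'MyPassphrase\n' > "$demo/luks.key"
chmod 644 "$demo/luks.key"                      # what a default umask of 022 leaves
printf 'vol /dev/vg/lv_vol %s\n' "$demo/luks.key" > "$demo/crypttab"

audit_crypttab "$demo/crypttab" || echo "findings before chmod: $?"
chmod 600 "$demo/luks.key"
audit_crypttab "$demo/crypttab" && echo "no findings after chmod 600"
rm -rf "$demo"
```

On a real system, call audit_crypttab /etc/crypttab as root once the key file has been created.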
Note: To remove a LUKS file system, go to the page dealing with LUKS usage.
In addition, a Red Hat video about disk encryption (9min) is available.
Your install package seems to be incorrect – the only cryptsetup in the repos is just ‘cryptsetup’.
Great doc though, very useful! 🙂
Thank you.
You are perfectly right. Although all the commands are the same between RHEL6 and RHEL7 for this tutorial, the name of the package has changed!
In RHEL6, it was called cryptsetup-luks; in RHEL7, it’s cryptsetup. I congratulate you for detecting this mistake!