RHCSA – Encrypted Filesystems

Overview

By the end of this article you should be able to answer the following questions:

In Linux it is possible to encrypt a filesystem so that you get a prompt to enter a password when you try to cd into it’s corresponding mountpoint. Hence this is an extra layer of security on top of ugo+rwx and SELinux system. The way it works is that there is an extra step to perform just before installing the actual filesystem. Here’s the process to creating an encrypted partition (using /dev/sdb3 as an example):

1. Create the partition – i.e. fdisk /dev/sdb.
2. Run the cryptsetup luksFormat /dev/sdb3 command, note the uppercase “F”. This will prompt you to choose a new password for your encrypted partition.
3. Unlock your encrypted partition using cryptsetup luksOpen /dev/sdb3 decryptedpartition, note the upper case “O”. Here we also specify the name we want for the unencrypted partition which in this example is “decryptedpartition”. This will prompt you to enter the password that you set earlier. After you enter the correct password, a new block device will appear in /dev/mapper/decryptedpartition
4. Format the newly decrypted block device, in the same way as you would do for any other partition, mkfs.xfs /dev/mapper/decryptedpartition
5. mount your decrypted partition: mount /dev/mapper/decryptedpartition /tmp/secret, make sure you create the mountpoint if it doesn’t already exist. You should now be able to start storing files in /tmp/secret and it will gets stored in the encrypted filesystem behind the scense, e.g. touch /tmp/secret/testfile.txt

Now let’s see all this in action:

1. create a partition using fdisk, or choose an existing partition
In my case I will use the following existing partition:

$ ls -l /dev/sdb3
brw-rw----. 1 root disk 8, 19 May 21 09:14 /dev/sdb3

2. Apply cryptsetup’s luksFormat

Linux Unified Key Setup (LUKS): This is the name for Linux’s partition encryption system, and works by applying a special kind of encrypted file-system container. LUKS is ideal if you want to use it to encrypt contents of usb-pens.

Before we apply the luksFormat, let’s first see if sdb3 currently has a file system installed on it:

$ blkid | grep "^/dev/sdb3"

As expected, it doesn’t.

Now let’s install the luksFormat:

$ cryptsetup luksFormat /dev/sdb3

WARNING!
========
This will overwrite data on /dev/sdb3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

Now let’s check blkid again:

$ blkid | grep "^/dev/sdb3"
/dev/sdb3: UUID="5838a034-cfc2-4301-8cbc-c8c26f63fd75" TYPE="crypto_LUKS"

Now it does have it. This is a special filesystem that essentially acts as a secure container which is designed to hold an ordinary filesystem, such as ext4, which we’ll install further down.

3. Unlock the encrypted partition using cryptsetup’s luksOpen
Before we unlock the encrypted, partitions, let’s first see our list of block devices:

$ lsblk
NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda               8:0    0   20G  0 disk
├─sda1            8:1    0  500M  0 part /boot
└─sda2            8:2    0 19.5G  0 part
  ├─centos-swap 253:0    0    2G  0 lvm  [SWAP]
  └─centos-root 253:1    0 17.5G  0 lvm  /
sdb               8:16   0  2.1G  0 disk
├─sdb1            8:17   0   10M  0 part
├─sdb2            8:18   0   10M  0 part
├─sdb3            8:19   0   10M  0 part
├─sdb4            8:20   0    1K  0 part
├─sdb5            8:21   0   10M  0 part
├─sdb6            8:22   0   10M  0 part
└─sdb7            8:23   0 1001M  0 part
sr0              11:0    1 55.4M  0 rom

Let’s now unlock our encrypted partition:

$ ls -l /dev/mapper/ | grep decryptedpartition

$ cryptsetup luksOpen /dev/sdb3 decryptedpartition
Enter passphrase for /dev/sdb3:

Now let’s view lsblk again:

$ lsblk
NAME                   MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                      8:0    0   20G  0 disk
├─sda1                   8:1    0  500M  0 part  /boot
└─sda2                   8:2    0 19.5G  0 part
  ├─centos-swap        253:0    0    2G  0 lvm   [SWAP]
  └─centos-root        253:1    0 17.5G  0 lvm   /
sdb                      8:16   0  2.1G  0 disk
├─sdb1                   8:17   0   10M  0 part
├─sdb2                   8:18   0   10M  0 part
├─sdb3                   8:19   0   10M  0 part
│ └─decryptedpartition 253:2    0    8M  0 crypt
├─sdb4                   8:20   0    1K  0 part
├─sdb5                   8:21   0   10M  0 part
├─sdb6                   8:22   0   10M  0 part
└─sdb7                   8:23   0 1001M  0 part
sr0                     11:0    1 55.4M  0 rom

As a result, this has created the following block device:

$ ls -l /dev/mapper/ | grep decryptedpartition
lrwxrwxrwx. 1 root root       7 May 21 09:26 decryptedpartition -> ../dm-2

$ ls -l /dev | grep dm-2
brw-rw----. 1 root disk    253,   2 May 21 09:26 dm-2

We can now chech the status of our newly decrypted block device, either via the symbolic link:

$ cryptsetup status /dev/mapper/decryptedpartition
/dev/mapper/decryptedpartition is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb3
  offset:  4096 sectors
  size:    16384 sectors
  mode:    read/write

or directly:

$ cryptsetup status /dev/dm-2
/dev/dm-2 is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb3
  offset:  4096 sectors
  size:    16384 sectors
  mode:    read/write

4. Format the decrypted block device

Now let’s install a file system onto the partition:

$ mkfs.ext4 /dev/mapper/decryptedpartition
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
2048 inodes, 8192 blocks
409 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=8388608
1 block group
8192 blocks per group, 8192 fragments per group
2048 inodes per group

Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

5. Mount your decrypted partition

Let’s first create the mountpoint:

$ mkdir /tmp/xfsmountpoint/

Just before the mounting, let’s check the block device’s status:

cryptsetup status /dev/mapper/decryptedpartition
/dev/mapper/decryptedpartition is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb3
  offset:  4096 sectors
  size:    16384 sectors
  mode:    read/write

Then do the mounting:

$ mount /dev/mapper/decryptedpartition /tmp/xfsmountpoint/

Now let’s check the status again:

 cryptsetup status /dev/mapper/decryptedpartition
/dev/mapper/decryptedpartition is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb3
  offset:  4096 sectors
  size:    16384 sectors
  mode:    read/write

Closing an encrypted partition

After you have finished working on your encrypted partition, you can then close it by taking the following steps:

1. unmount the encrypted file system, umount /dev/mapper/decryptedpartition
2. Then close your decrypted partition, cryptsetup luksClose /dev/mapper/decryptedpartition, note the uppercase “C”, this results in the deletion of the /dev/mapper/decryptedpartition block device.