Overview
The anaconda installer can ask you if you want to encrypt a partition when you are setting up a new system.
What if after the fact you want to add an encrypted disk that is auto-mounted at boot?
This post explains how to prepare a new encrypted partition and configure your system to mount it at boot. This guide is aimed at Fedora-based systems like RHEL and CentOS, and was tested specifically on CentOS 7.3.
Preparing the system and disk
Ensure package cryptsetup is installed.
yum -y install cryptsetup
Prepare a disk and partition that the system can see.
Make a partition of the preferred size and of type Linux filesystem or Linux reserved.
# sudo fdisk /dev/vdb
Command (m for help): p

Disk /dev/vdb: 16.1 GB, 16106127360 bytes, 31457280 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: gpt

#         Start          End    Size  Type            Name
 1         2048     31457246     15G  Linux reserved
The example partition in this post is /dev/vdb1.
Initializing the encrypted partition
Perform the initial setup of the encrypted partition. The trailing dash means cryptsetup will prompt for a passphrase (or accept one from standard input).
cryptsetup luksFormat /dev/vdb1 -
# cryptsetup luksFormat /dev/vdb1 -

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Get the UUID of the partition using the blkid command.
blkid
# blkid
/dev/vdb1: UUID="b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b" TYPE="crypto_LUKS" PARTUUID="6614fac8-8d0c-45dd-a1a7-b799248bc370"
To capture just the UUID in a shell variable (it is the first value blkid prints for the device):
thisblockid=$( blkid /dev/vdb1 -o value | head -n1 )
To open the encrypted partition, use luksOpen.
cryptsetup luksOpen /dev/vdb1 "luks-${thisblockid}"
# cryptsetup luksOpen /dev/vdb1 luks-$( blkid /dev/vdb1 -o value | head -n1 )
Enter passphrase for /dev/vdb1:
# ll /dev/mapper
lrwxrwxrwx. 1 root root 7 Jul  9 16:08 luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -> ../dm-2
Now the /dev/mapper/luks-${thisblockid} path exists.
Make a filesystem of your choice.
mkfs.ext4 /dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b
Now you can mount this wherever you wish.
Mounting the encrypted partition automatically
To mount this encrypted partition at boot, you will need to modify /etc/fstab and /etc/crypttab.
Add to /etc/fstab an entry:
/dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b /mnt/foo ext4 defaults 0 0
Add to /etc/crypttab an entry:
luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b UUID=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -
Now on every boot you will be prompted for the LUKS passphrase before the system can mount the specified mount point (in this case, /mnt/foo). If you do not provide the passphrase the system will not finish booting, even for an unimportant directory like /mnt/foo: it drops into single-user mode instead.
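The following shell helpers are an added example, not code from the original post. They build the /etc/crypttab and /etc/fstab lines in the post's luks-<UUID> naming convention from a UUID and mount point, cross-check that both files agree on the mapper name (a mismatch between the two is the usual reason the volume never mounts), and wrap the whole procedure in one function. The device, mount point and file paths are assumptions supplied by the caller; the optional nofail crypttab option, which lets the boot continue when nobody answers the prompt, is a documented crypttab option but is not something the post itself uses.

```shell
# Added example, not from the original post: helpers that build the
# /etc/crypttab and /etc/fstab lines for a LUKS partition from its UUID and
# cross-check that the two files agree on the mapper name. The UUID, mount
# point and file paths are assumptions supplied by the caller.

# True if the argument looks like the UUID printed by blkid.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Mapper name in the post's convention: luks-<UUID>.
mapper_name() {
    printf 'luks-%s\n' "$1"
}

# crypttab line: <name> UUID=<uuid> <key> [options]. The "-" key field means
# "prompt for the passphrase". Pass "nofail" as $2 to let boot continue when
# the prompt is not answered (an assumed policy choice; the post uses no
# options, so boot waits for the passphrase).
crypttab_entry() {
    uuid=$1; opts=${2:-}
    if [ -n "$opts" ]; then
        printf '%s UUID=%s - %s\n' "$(mapper_name "$uuid")" "$uuid" "$opts"
    else
        printf '%s UUID=%s -\n' "$(mapper_name "$uuid")" "$uuid"
    fi
}

# fstab line for the opened mapper device; filesystem type and mount options
# default to the post's ext4 / defaults.
fstab_entry() {
    uuid=$1; mountpoint=$2; fstype=${3:-ext4}; opts=${4:-defaults}
    printf '/dev/mapper/%s %s %s %s 0 0\n' \
        "$(mapper_name "$uuid")" "$mountpoint" "$fstype" "$opts"
}

# Verify that every mapper name declared in a crypttab file has a matching
# /dev/mapper/<name> line in the fstab file. Returns 0 when all names match,
# otherwise lists the missing ones on stderr and returns 1.
check_tables() {
    crypttab=$1; fstab=$2; rc=0
    while read -r name _rest; do
        case $name in ''|\#*) continue ;; esac   # skip blanks and comments
        if ! grep -Eq "^[[:space:]]*/dev/mapper/${name}[[:space:]]" "$fstab"; then
            echo "crypttab name '$name' has no fstab entry" >&2
            rc=1
        fi
    done < "$crypttab"
    return "$rc"
}

# Run the post's procedure end to end on a partition such as /dev/vdb1 (an
# assumption: the caller picks a partition that may be wiped). This is the
# only function here that touches the system and it is not run by the test.
provision_luks() {
    dev=$1; mountpoint=$2
    cryptsetup luksFormat "$dev" -              # prompts, then wipes $dev
    uuid=$(blkid -s UUID -o value "$dev")       # UUID of the new LUKS header
    is_uuid "$uuid" || { echo "no LUKS UUID found on $dev" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$(mapper_name "$uuid")"
    mkfs.ext4 "/dev/mapper/$(mapper_name "$uuid")"
    mkdir -p "$mountpoint"
    crypttab_entry "$uuid" >> /etc/crypttab
    fstab_entry "$uuid" "$mountpoint" >> /etc/fstab
    check_tables /etc/crypttab /etc/fstab
}
```

Running check_tables /etc/crypttab /etc/fstab after editing the two files by hand is a cheap way to catch a typo in the mapper name before rebooting into a prompt that never mounts anything.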
References
Weblinks
- Guide to placing a keyfile on a USB flash drive https://askubuntu.com/a/90911/533065
- Inspiration for learning this topic http://vsnapshots.blogspot.com/2014/07/well-i-thought-id-have-quiet-year-and.html