Creating an encrypted filesystem

From Crashcourse Wiki


This is the recipe for creating an encrypted filesystem on an LVM-based system with the cryptsetup-luks package. (If you're not running LVM, it's easy enough to translate the logical volume names in the commands to regular partition names.)

First, get the software:

# yum install cryptsetup-luks

For what follows, I'll assume and use the following values:

  • f8: the name of my existing volume group
  • priv: the name of my new logical volume
  • cpriv: the mapper name by which the encrypted filesystem will be accessed
  • mystuff: the label I'll give to the new ext3 filesystem

Start by creating a new logical volume (of size, say, 2G) under the current volume group, and verifying its creation:

# lvcreate --size 2G --name priv f8
# lvdisplay f8/priv
# ls -l /dev/mapper/f8-priv
# ls -l /dev/f8/priv

Now, initialize a LUKS partition corresponding to that new logical volume, during which you'll need to supply a passphrase:

# cryptsetup luksFormat /dev/f8/priv

Now use cryptsetup to "open" that encrypted filesystem, and associate it with a new mapper name by which you'll mount it:

# lvdisplay /dev/f8/priv                       [Note "# open" = 0 at the moment.]
# cryptsetup luksOpen /dev/f8/priv cpriv       [associate with mapper name "cpriv"]
# ls -l /dev/mapper/cpriv                      [Your new mapper file.]
# lvdisplay /dev/f8/priv                       [And note how "# open" = 1.]

Use that new mapper name to create a new ext3 filesystem, after which you can mount the filesystem and start using it (again, all by that new mapper name):

# mke2fs -j -L mystuff /dev/mapper/cpriv
# mount /dev/mapper/cpriv /mnt
# df /mnt
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/cpriv      2063692     35880   1922984   2% /mnt
# ls /mnt
lost+found
# umount /mnt
#

De-activating the filesystem

At this point, while the mapping is open, you can mount and unmount that filesystem repeatedly without supplying the passphrase again. If you actually want to make that filesystem inaccessible, you should unmount it and close it thusly:

# cryptsetup luksClose cpriv
# ls -l /dev/mapper/cpriv              [It's gone.]

To re-mount that filesystem, you'll need to "open" it first, again supplying the passphrase:

# cryptsetup luksOpen /dev/f8/priv cpriv

Automating mounts and unmounts

Add to /etc/crypttab the line:

cpriv /dev/f8/priv none

And add to /etc/fstab something resembling:

/dev/mapper/cpriv <your-mountpoint-here> ext3 defaults 1 2

The "none" in that first file means you'll need to manually supply the passphrase at boot time. If you'd rather not:

$ man crypttab

You can figure it out.
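The whole recipe above, from creating the logical volume through closing the mapping and producing the crypttab and fstab entries, collected into one guarded script. This is an added example, not code from the wiki: it assumes the page's names (volume group f8, logical volume priv, mapper name cpriv, label mystuff) and /mnt as the mountpoint, runs in dry-run mode by default so it only prints the privileged commands, and adds the two checks worth having before luksFormat, namely that the target device is not currently mounted and does not already carry a LUKS header.

```shell
#!/bin/sh
# Added example (not from the wiki): the recipe above as one guarded script.
# Uses the page's names (f8, priv, cpriv, mystuff); override via environment.
# DRY_RUN=1 (the default here) prints each privileged command instead of
# running it, so the sequence can be reviewed before anything touches a disk.

VG="${VG:-f8}"
LV="${LV:-priv}"
MAPPER="${MAPPER:-cpriv}"
LABEL="${LABEL:-mystuff}"
SIZE="${SIZE:-2G}"
MOUNTPOINT="${MOUNTPOINT:-/mnt}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# is_mounted DEV: succeed if DEV appears as a mount source in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts
}

# mapping_open NAME: succeed if /dev/mapper/NAME exists (luksOpen was done).
mapping_open() {
    [ -e "/dev/mapper/$1" ]
}

# crypttab_line NAME VG LV: the /etc/crypttab entry; "none" means the
# passphrase is asked for at boot, as the page describes.
crypttab_line() {
    printf '%s /dev/%s/%s none\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT: the matching /etc/fstab entry.
fstab_line() {
    printf '/dev/mapper/%s %s ext3 defaults 1 2\n' "$1" "$2"
}

# create_encrypted_lv: lvcreate (skipped if the LV already exists, the
# "existing filesystem" case) -> luksFormat -> luksOpen -> mke2fs -> mount.
# Refuses to format a device that is mounted or already LUKS-formatted.
create_encrypted_lv() {
    dev="/dev/$VG/$LV"
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted" >&2; return 1
    fi
    if [ ! -e "$dev" ]; then
        run lvcreate --size "$SIZE" --name "$LV" "$VG" || return 1
    fi
    if [ "$DRY_RUN" != 1 ] && cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing: $dev already carries a LUKS header" >&2; return 1
    fi
    run cryptsetup luksFormat "$dev" || return 1
    run cryptsetup luksOpen "$dev" "$MAPPER" || return 1
    run mke2fs -j -L "$LABEL" "/dev/mapper/$MAPPER" || return 1
    run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# close_encrypted_lv: unmount (if mounted) and luksClose, so the data stays
# inaccessible until the passphrase is supplied again.
close_encrypted_lv() {
    if is_mounted "/dev/mapper/$MAPPER"; then
        run umount "/dev/mapper/$MAPPER" || return 1
    fi
    run cryptsetup luksClose "$MAPPER"
}

# Usage: sh encrypt-lv.sh create | close | lines
case "${1:-}" in
    create) create_encrypted_lv ;;
    close)  close_encrypted_lv ;;
    lines)  crypttab_line "$MAPPER" "$VG" "$LV"; fstab_line "$MAPPER" "$MOUNTPOINT" ;;
esac
```

Run it once with the default DRY_RUN=1 to see exactly which commands will be issued, then with DRY_RUN=0 as root to perform them; the "lines" action prints the two entries to paste into /etc/crypttab and /etc/fstab.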

Encrypting an existing filesystem

Pretty much all of the above, except that you'll have an existing logical volume and filesystem already. Since luksFormat overwrites whatever is on that volume, back up all the data in that existing filesystem first, and take it from there.

Feedback to rpjday@crashcourse.ca.

Return to Fedora_Cookbook.
