Getting started with Linux: disk encryption LUKS

Source: Internet
Author: User

There are many disk devices in Linux, and encrypting them makes them more secure. LUKS (Linux Unified Key Setup) is a standard device encryption format. LUKS can encrypt partitions or volumes. An encrypted volume must first be decrypted before its file system can be mounted.
Let's take an example to see what LUKS is.

1. Preparations

The command that supports LUKS is cryptsetup (installed by default). To see the commands it supports, type the command:

Note these commands; they are used frequently in the following operations:

To do this experiment, we need to create a new device. The steps for creating the device are as follows:


2. New knowledge of LUKS

Cryptsetup actually sets up a device mapping. We use it to map a device to another device and then operate on the new, encrypted device; the original device is never used directly, which is what makes it safe. After a partition is encrypted with cryptsetup, it can no longer be mounted directly. LUKS is an encryption scheme based on the device mapper mechanism: to use the partition, you must map it into the /dev/mapper directory, and only that mapping can be mounted. Creating the mapping requires the decryption password. The procedure is as follows.

(1) Initialize the partition first.
Note: type YES in uppercase, then enter the password for the device.


(2) Map the partition and open LUKS
This step maps the original device to a device under /dev/mapper and assigns it a new name. Enter the password you just set when prompted. After the operation, we can see that a disk exists in the /dev/mapper directory.


(3) We now have a device, but it cannot be used directly; it must be formatted first.


(4) Mount the disk; it mounts successfully.


(5) So far we have not really seen where LUKS adds security; we only gave the original device a new name and used it. Now close the mapping, then try to mount the original device /dev/vda7 and see what it reports:

Obviously it cannot be mounted, because we have mapped it to another device disk, which greatly enhances the security of the device. Then enable LUKS again:



We mounted the mapped device disk just now, but manually. To mount it permanently, we must write it into the configuration file /etc/fstab; however, the password then has to be entered during boot. Obviously, it is unreasonable to make people type the password each time, so we create a new file to store the LUKS opening password and specify that file as the key file. First, we demonstrate the password being entered at boot when these steps have not been performed. If the password is correct, the device is mounted; if it is wrong, the worst case is that the device is not mounted, and the system still starts:
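
The commands for steps (1) to (5) and the key-file setup, collected as an added example that is not part of the original article: it prints each command by default and executes them only when run as root with DRY_RUN=0. The mapping name, mount point, key-file path, the ext4 file system and the /etc/crypttab line are assumptions; only /dev/vda7, /dev/mapper and /etc/fstab come from the page.

```shell
#!/bin/sh
# Added example: the LUKS workflow of steps (1)-(5) plus the key file.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 runs it (as root).
# luksFormat destroys whatever is currently stored on DEVICE.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Steps (1)-(4): initialize, map, format, mount.
luks_provision() {    # usage: luks_provision DEVICE NAME MOUNTPOINT
    case "$2" in ''|*/*) echo "invalid mapping name: $2" >&2; return 1 ;; esac
    run cryptsetup luksFormat "$1" &&      # (1) asks for uppercase YES, then the passphrase
    run cryptsetup luksOpen "$1" "$2" &&   # (2) creates /dev/mapper/NAME
    run mkfs.ext4 "/dev/mapper/$2" &&      # (3) format the mapping, never the raw partition (ext4 assumed)
    run mkdir -p "$3" &&
    run mount "/dev/mapper/$2" "$3"        # (4)
}

# Step (5): unmount and close the mapping; the raw partition then cannot be mounted.
luks_close() {        # usage: luks_close NAME MOUNTPOINT
    run umount "$2" &&
    run cryptsetup luksClose "$1"
}

# Key file for opening at boot without typing the passphrase.
# Anyone who can read KEYFILE can open the volume: keep it root-owned, mode 0600.
luks_add_keyfile() {  # usage: luks_add_keyfile DEVICE KEYFILE
    ( umask 077 && run dd if=/dev/urandom of="$2" bs=512 count=1 ) &&
    run chmod 600 "$2" &&
    run cryptsetup luksAddKey "$1" "$2"    # prompts for an existing passphrase
}

# Lines to add for a permanent mount (crypttab fields: name, device, key file).
luks_boot_entries() { # usage: luks_boot_entries DEVICE NAME MOUNTPOINT KEYFILE
    printf '/etc/crypttab: %s %s %s\n' "$2" "$1" "$4"
    printf '/etc/fstab: /dev/mapper/%s %s ext4 defaults 0 0\n' "$2" "$3"
}

# Usage: sh luks.sh DEVICE NAME MOUNTPOINT   (prints the plan unless DRY_RUN=0)
if [ "$#" -eq 3 ]; then luks_provision "$1" "$2" "$3"; fi
```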
