CentOS 5.3: Encrypted Block Devices

by Mike on April 7, 2009 · 1 comment

in Server Security

CentOS 5.3 now comes with disk encryption. When you install the operating system you have the option to encrypt block devices, partitions that you create.  Block device encryption requires a passphrase or key as authentication in order to access the data on that partition.  The advantage of block encryption is that it will enforce the encryption even if the disk is removed from the operating system.  The application is not only valuable for laptops but provides security for disks on servers that may be moved or thrown away.  Having just recently wiped and “hammered” old server disks to protect the company data, it would be nice to know that there is an additional layer of security for that data.

The encryption is done using dm-crypt/LUKS. LUKS or Linux Unified Key Setup, provides the disk format for the data as well as it provides the passphrase/key management policy.  LUKS uses the dm-crypt module which is a kernel mapper subsystem and manages the encryption and decryption for the block device.  This is the same subsystem that is used by LVM so that it has proven itself to be stable. One of the  advantages of LUKS is that the underlying contents of the block device are arbitrary so that you can encrypt your SWAP space. You can encrypt ext3, LVM physical volumes, and RAID arrays with LUKS. A disadvantage of LUKS is that it is not a good choice for file level encryption.

If you choose to encrypt a block device you must be prepared as an administrator that you will need to provide the passphrase when the system boots for access to the block device.  If you wanted to provide better security for a block device you can fill the block device with random data:

dd if=/dev/urandom of=/dev/sdb3

Be sure to choose the correct location for your disk as it will probably not be /dev/sda3.  And of course anytime you fill a disk with urandom all information on that partition will be lost.

You can create encrypted block devices after installation.  Create a partition.

# fdisk /dev/sdb

Command (m for help): p

Disk /dev/sdb: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         127     1020096   83  Linux
/dev/sdb2             128         254     1020127+  83  Linux

Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
Partition number (1-4): 3
First cylinder (255-783, default 255):
Using default value 255
Last cylinder or +size or +sizeM or +sizeK (255-783, default 783): +500M

Command (m for help): p

Disk /dev/sdb: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         127     1020096   83  Linux
/dev/sdb2             128         254     1020127+  83  Linux
/dev/sdb3             255         316      498015   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.

Run partprobe so the system knows the partition exists.

# partprobe

Format the partition so it is available for the encryption.

# cryptsetup luksFormat /dev/sdb3

This will overwrite data on /dev/sdb3 irrevocably.

Are you sure? (Type uppercase yes):
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.


# cryptsetup isLuks /dev/sdb3 && echo Sucess

Get information about the LUKS partition.

# cryptsetup luksDump /dev/sdb3
LUKS header information for /dev/sdb3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      4b 35 7f 88 90 0a 8c 7c b1 1e 39 58 07 91 a6 dd ce f8 74 1b
MK salt:        85 00 22 c0 b1 ff 20 20 40 0f a8 92 58 d3 92 4a
b5 d2 0b ff 5f c5 75 b9 53 bc 89 ac 51 26 ec a0
MK iterations:  10
UUID:           d77eb752-8a90-4d94-ae9f-2bec0a22c5d3

Key Slot 0: ENABLED
Iterations:             400623
Salt:                   7b e5 a5 d8 a7 b8 60 20 e7 62 1c 5b a9 da c4 99
7d 04 1b 45 50 fa f4 e5 fd d9 29 60 5b 5e eb aa
Key material offset:    8
AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Check the UUID for the partition.

# cryptsetup luksUUID /dev/sdb3

# cryptsetup luksOpen /dev/sdb3 db
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

View information about the mapped device with:

# dmsetup info db
Name:              db
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      253, 1
Number of targets: 1

# mke2fs -j /dev/mapper/db
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
124440 inodes, 497496 blocks
24874 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
61 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

# mkdir /db
# mount /dev/mapper/db /db
# ls /db

Add an Entry in /etc/crypttab

You must add an entry in the /etc/crypttab in order for your partition to mount.  Notice the format is the name which contains the string luks followed by the UUID and then the UUID the second time with UUID.  LUKS provides a UUID (Universal Unique Identifier) for each device, just like having an physical volume in LVM.  The advantage of the UUID is that even if you move the disk or add other partitions it will remain constant.

luks-86470780-c8aa-4e5d-ad75-42616b381998 UUID=86470780-c8aa-4e5d-ad75-42616b381998 none
luks-d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 UUID=d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 none

Edit the /etc/fstab
Here again you will use a /dev/mapper reference to teh UUID for the partition.  Note there are two partitions mounted in this example, one block device that was created at install and another that was creatd manually after installation.

LABEL=/                 /                       ext3    defaults        1 1
LABEL=/home             /home                   ext3    defaults        1 2
/dev/mapper/luks-86470780-c8aa-4e5d-ad75-42616b381998 /data                   ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda2         swap                    swap    defaults        0 0
/dev/mapper/luks-d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 /db ext3  defaults 0 0

When you reboot the server you will need to provide the passphrase for each partition that you have encrypted.

{ 1 comment }

Wolfram R. Jarisch November 10, 2010 at 11:41 am

Excellent decription of the process. Only (minor) suggestion about the sequence – make a note about editing fstab and crypttab prior to the “mount /dev/mapper/db /db” (since, as noted, these edits are needed by mount).

Previous post:

Next post: