Chapter 4, Section 1 - Linux Unified Key Setup-on-disk-format (LUKS)
Introduction to LUKS
Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.
LUKS Implementation in Fedora
Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition.
If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.
Fedora 9's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are:
- AES - Advanced Encryption Standard - FIPS PUB 197
- twofish - Twofish: A 128-Bit Block Cipher
- serpent
- cast5 - RFC 2144
- cast6 - RFC 2612
Manually Encrypting Directories
If you are running a version of Fedora prior to Fedora 9 and want to encrypt a partition or you want to encrypt a partition after the fact in Fedora 9, or later, the following directions are for you. The below example demonstrates encrypting your /home
partition but any partition can be used.
The following procedure will reconfigure and format your /home
. The procedure is for single-user computers or computers that are shared between trusted users.
The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home
(in my case that is /dev/VG00/LV_home
). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.
Step-by-Step Instructions
- enter runlevel 1:
telinit 1
- unmount your existing /home:
umount /home
- if it fails use fuser to find and kill processes hogging /home:
fuser -mvk /home
- verify /home is not mounted any longer:
cat /proc/mounts | grep home
- fill your partition with random data:
shred -v -n1 /dev/VG00/LV_home
(Other packages that perform a similar function are "scrub" and "wipe")
- initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
- open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
- check it's there:
ls -l /dev/mapper | grep home
- create a filesystem:
mkfs.ext3 /dev/mapper/home
- mount it:
mount /dev/mapper/home /home
- check it's visible:
df -h | grep home
- add the following to /etc/crypttab:
home /dev/VG00/LV_home none
- edit your /etc/fstab, removing the old entry for /home and adding
/dev/mapper/home /home ext3 defaults 1 2
- verify your fstab entry:
mount /home
- restore default SELinux security contexts:
/sbin/restorecon -v -R /home
- reboot:
shutdown -r now
- The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
- Log in as root and restore your backup.
What you have just accomplished.
Congratulations, you now have an encrypted partition for all of your data to safely rest while the computer is off.