LUKS / cryptsetup


Hello all,

So I am trying to encrypt a LV. These are the commands that I used to do it.

yum install -y cryptsetup [install]
modprobe dm_crypt [enable]
lsmod | grep dm_crypt [confirm it's running]

umount /filedrop [unmount the LV]

telinit 1 [go to single user]
shred -v --iterations=1 /dev/mapper/rhel_filedropdev1v-filedrop [populate the LV with data - it's a step from the Red Hat manual]

cryptsetup --verbose --verify-passphrase luksFormat /dev/mapper/rhel_filedropdev1v-filedrop [set up luks]

cryptsetup luksOpen dev/mapper/rhel_filedropdev1v-filedrop filedrop [set up a password]

reboot

mkfs.xfs -f /dev/mapper/rhel_filedropdev1v-filedrop [force the xfs - had to use the -f option]

mount /dev/mapper/rhel_filedrop1v-filedrop /filedrop
filedrop /dev/mapper/rhel_filedropdev1v-filedrop /filedrop [entry to the /etc/crypttab]

/dev/mapper/rhel_filedropdev1v-filedrop /filedrop xfs defaults 1 2 [entry to the /etc/fstab]

/sbin/restorecon -v -R /filedrop [restore SELinux]

So that's all well and good and seems to work fine.

So I reboot and get prompted to enter the password for /filedrop, which is good. I enter the correct password and can see data in /filedrop - I had already restored it back.

So I reboot again - enter the incorrect password - again I can see the data. This to me is a red flag - if wrong password, should the LV not mount?

Also the RH manual says to use ext3, not xfs - is that correct, as I ended up having to force it?

Here is a link to the manual: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption

Also, how do I tell whether LUKS / encryption is running?

I tried systemctl start systemd-cryptsetup@filedrop.service and it tells me it is not running. However, it does prompt for a password beforehand - so it sees the /filedrop LV as password protected.

So has anyone any experience with LUKS and how to encrypt a LV?

Thank you.
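
On the question of how to tell whether LUKS is in use: one check is which device actually backs the mount point. A filesystem mounted from a `crypt`-type mapping goes through dm-crypt, while one mounted straight from the `lvm` device does not. The following is an added example, not part of the original post; the `lsblk -P` rows are constructed samples that reuse the post's device names, and `backing_of` and `has_luks_header` are hypothetical helper names.

```shell
# Constructed `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` samples (not real output).
# Case A: the filesystem sits directly on the logical volume.
SAMPLE_DIRECT='NAME="rhel_filedropdev1v-filedrop" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/filedrop"'
# Case B: the LV holds a LUKS header; the filesystem sits on the opened mapping.
SAMPLE_LUKS='NAME="rhel_filedropdev1v-filedrop" TYPE="lvm" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="filedrop" TYPE="crypt" FSTYPE="xfs" MOUNTPOINT="/filedrop"'

# backing_of MOUNTPOINT   (reads lsblk -P output on stdin)
# Prints "encrypted" if the mounted device is a dm-crypt mapping,
# "plaintext" if it is any other block device, "not-mounted" if no row matches.
backing_of() {
    mnt=$1
    result="not-mounted"
    while IFS= read -r line; do
        case $line in
            *" MOUNTPOINT=\"$mnt\""*) ;;   # row for the mount point we care about
            *) continue ;;
        esac
        devtype=${line#* TYPE=\"}          # text after TYPE=" (FSTYPE does not match: no space before T)
        devtype=${devtype%%\"*}            # up to the closing quote
        if [ "$devtype" = "crypt" ]; then
            result="encrypted"
        else
            result="plaintext"
        fi
    done
    printf '%s\n' "$result"
}

# has_luks_header NAME   (reads lsblk -P output on stdin)
# Exit status 0 if the named device is reported with FSTYPE crypto_LUKS.
has_luks_header() {
    grep -F "NAME=\"$1\" " | grep -qF 'FSTYPE="crypto_LUKS"'
}

# On a live system (as root), feed real data instead of the samples:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | backing_of /filedrop
#   cryptsetup isLuks /dev/mapper/rhel_filedropdev1v-filedrop && echo "LUKS header present"
#   cryptsetup status filedrop
```

If `backing_of` reports `plaintext` for a mount that is supposed to be encrypted, compare the device named in /etc/fstab with the mapping name in the first column of /etc/crypttab.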

Responses