Chapter 3. Encryption
3.1. Data at Rest
3.1.1. Full Disk Encryption
3.1.2. File-Based Encryption
3.1.3. LUKS Disk Encryption
Overview of LUKS
- What LUKS does
- LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
- The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting
swapdevices. This can also be useful with certain databases that use specially formatted block devices for data storage.
- LUKS uses the existing device mapper kernel subsystem.
- LUKS provides passphrase strengthening which protects against dictionary attacks.
- LUKS devices contain multiple key slots, allowing users to add backup keys/passphrases.
- What LUKS does not do:
- LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
- LUKS is not well-suited for applications requiring file-level encryption.
220.127.116.11. LUKS Implementation in Red Hat Enterprise Linux
cryptsetup --help) is aes-cbc-essiv:sha256. Note that the installation program, Anaconda, uses by default the AES cipher in XTS mode, aes-xts-plain64. The default key size for LUKS is 256 bits. The default key size for LUKS with Anaconda (XTS mode) is 512 bits.
--key-sizeoptions. The syntax of the command is the following:
--key-size<key-size> luksFormat <device>
- AES — Advanced Encryption Standard, a 128-bit symmetric block cipher using encryption keys with lengths of 128, 192, and 256 bits; for more information, see the FIPS PUB 197.
- Twofish — A 128-bit block cipher operating with encryption keys of the range from 128 bits to 256 bits.
- Serpent — A 128-bit block cipher operating with 128-bit, 192-bit and 256-bit encryption keys.
- cast5 — A 64-bit Feistel cipher supporting encryption keys of the range from 40 to 128 bits; for more information, see the RFC 2144.
- cast6 — A 128-bit Feistel cipher using 128-bit, 160-bit, 192-bit, 224-bit, or 256-bit encryption keys; for more information, see the RFC 2612.
- CBC — Cipher Block Chaining; for more information, see the NIST SP 800-38A.
- XTS — XEX Tweakable Block Cipher with Ciphertext Stealing; for more information, see the IEEE 1619, or NIST SP 800-38E.
- CTR — Counter; for more information, see the NIST SP 800-38A.
- ECB — Electronic Codebook; for more information, see the NIST SP 800-38A.
- CFB — Cipher Feedback; for more information, see the NIST SP 800-38A.
- OFB — Output Feedback; for more information, see the NIST SP 800-38A.
- ESSIV — Encrypted Salt-Sector Initialization Vector - This IV should be used for ciphers in CBC mode. You should use the default hash: sha256.
- plain64 (or plain) — IV sector offset - This IV should be used for ciphers in XTS mode.
18.104.22.168. Manually Encrypting Directories
- Enter runlevel 1 by typing the following at a shell prompt as root:
- Unmount your existing
- If the command in the previous step fails, use
fuserto find processes hogging
/homeand kill them:
fuser -mvk /home
/homeis no longer mounted:
grep home /proc/mounts
- Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_homeThis command proceeds at the sequential write speed of your device and may take some time to complete. It is an important step to ensure no unencrypted data is left on a used device, and to obfuscate the parts of the device that contain encrypted data as opposed to just random data.
- Initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
- Open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
- Make sure the device is present:
ls -l /dev/mapper | grep home
- Create a file system:
- Mount the file system:
mount /dev/mapper/home /home
- Make sure the file system is visible:
df -h | grep home
- Add the following to the
home /dev/VG00/LV_home none
- Edit the
/etc/fstabfile, removing the old entry for
/homeand adding the following line:
/dev/mapper/home /home ext3 defaults 1 2
- Restore default SELinux security contexts:
/sbin/restorecon -v -R /home
- Reboot the machine:
shutdown -r now
- The entry in the
/etc/crypttabmakes your computer ask your
lukspassphrase on boot.
- Log in as root and restore your backup.
22.214.171.124. Adding a New Passphrase to an Existing Device
cryptsetup luksAddKey <device>
126.96.36.199. Removing a Passphrase from an Existing Device
cryptsetup luksRemoveKey <device>
188.8.131.52. Creating Encrypted Block Devices in Anaconda
kickstartfile to set a separate passphrase for each new encrypted block device. Also, kickstart allows you to specify a different type of encryption if the Anaconda default cipher, aes-xts-plain64, does not suit you. In dependencies on a device you want to encrypt, you can specify the
--cipher=<cipher-string>along with the
raiddirectives. This option has to be used together with the
--encryptedoption, otherwise it has no effect. For more information about the <cipher-string> format and possible cipher combinations, see Section 184.108.40.206, “LUKS Implementation in Red Hat Enterprise Linux”. For more information about kickstart configuration, see the Red Hat Enterprise Linux 6 Installation Guide.