Chapter 24. Locking data with LUKS password in the RHEL web console

In the web console’s Storage tab, you can now create, lock, unlock, resize, and otherwise configure encrypted devices using the LUKS (Linux Unified Key Setup) version 2 format.

This new version of LUKS offers:

  • More flexible unlocking policies
  • Stronger cryptography
  • Better compatibility with future changes

Prerequisites

  • The RHEL 9 web console has been installed. For details, see Installing the web console.
  • The cockpit-storaged package is installed on your system.

24.1. LUKS disk encryption

Linux Unified Key Setup-on-disk-format (LUKS) provides a set of tools that simplifies managing the encrypted devices. With LUKS, you can encrypt block devices and enable multiple user keys to decrypt a master key. For bulk encryption of the partition, use this master key.

Red Hat Enterprise Linux uses LUKS to perform block device encryption. By default, the option to encrypt the block device is unchecked during the installation. If you select the option to encrypt your disk, the system prompts you for a passphrase every time you boot the computer. This passphrase unlocks the bulk encryption key that decrypts your partition. If you want to modify the default partition table, you can select the partitions that you want to encrypt. This is set in the partition table settings.

Ciphers

The default cipher used for LUKS is aes-xts-plain64. The default key size for LUKS is 512 bits. The default key size for LUKS with Anaconda XTS mode is 512 bits. The following are the available ciphers:

  • Advanced Encryption Standard (AES)
  • Twofish
  • Serpent

Operations performed by LUKS

  • LUKS encrypts entire block devices and is therefore well-suited for protecting contents of mobile devices such as removable storage media or laptop disk drives.
  • The underlying contents of the encrypted block device are arbitrary, which makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
  • LUKS uses the existing device mapper kernel subsystem.
  • LUKS provides passphrase strengthening, which protects against dictionary attacks.
  • LUKS devices contain multiple key slots, which means you can add backup keys or passphrases.
Important

LUKS is not recommended for the following scenarios:

  • Disk-encryption solutions such as LUKS protect the data only when your system is off. After the system is on and LUKS has decrypted the disk, the files on that disk are available to anyone who have access to them.
  • Scenarios that require multiple users to have distinct access keys to the same device. The LUKS1 format provides eight key slots and LUKS2 provides up to 32 key slots.
  • Applications that require file-level encryption.

Additional resources

24.2. Configuring the LUKS passphrase in the web console

If you want to add encryption to an existing logical volume on your system, you can only do so through formatting the volume.

Prerequisites

  • The web console must be installed and accessible. For details, see Installing the web console.
  • The cockpit-storaged package is installed on your system.
  • Available existing logical volume without encryption.

Procedure

  1. Log in to the RHEL 9 web console.

    For details, see Logging in to the web console.

  2. Click Storage.
  3. Select the storage device you want to format.
  4. Click the menu icon and select Format option.
  5. Select the Encrypt data box to activate encryption on your storage device.
  6. Set and confirm your new passphrase.
  7. [Optional] Modify further encryption options.
  8. Finalize formatting settings.
  9. Click Format.

24.3. Changing the LUKS passphrase in the web console

Change a LUKS passphrase on an encrypted disk or partition in the web console.

Prerequisites

  • The web console must be installed and accessible. For details, see Installing the web console.
  • The cockpit-storaged package is installed on your system.

Procedure

  1. Log in to the web console. For details, see Logging in to the web console.
  2. Click Storage
  3. In the Drives table, select the disk with encrypted data.
  4. In Content, select the encrypted partition.
  5. Click Encryption.
  6. In the Keys table, click the pen icon.

  7. In the Change passphrase dialog window:

    1. Enter your current passphrase.
    2. Enter your new passphrase.
    3. Confirm your new passphrase.
  8. Click Save