LUKS Encrypted Block Storage
In this tutorial, you will learn how to configure a LUKS (Linux Unified Key Setup) encrypted block storage volume on a Linux server, with Ubuntu compatibility. LUKS provides transparent encryption for block devices, securing data stored on the volume by requiring a passphrase or key file during the boot process or when mounting the volume.
The steps outlined here assume you have administrative access (root or sudo privileges) to the server, and that the cloud provider has already allocated a block storage volume for use with the server. This guide will cover the following:
- Preparing the block storage volume.
- Installing necessary utilities.
- Setting up LUKS encryption.
- Creating a filesystem.
- Mounting and managing the encrypted volume.
Prerequisites
- A Linux-based server (preferably Ubuntu or a similar distribution).
- A block storage volume attached to the server.
- A terminal with sudo or root access.
- Basic knowledge of Linux command-line operations.
Step 1: Prepare the Block Storage Volume
- Identify the Block Device: First, list the attached block devices to identify your cloud storage volume.
  lsblk
  Look for a device that corresponds to your cloud storage volume. It will typically appear as /dev/sdX (e.g., /dev/sdb).
- Check Existing Partitions: If the disk has any existing partitions, you should either remove them or create a new partition.
  sudo fdisk /dev/sdX
  In fdisk, type d to delete any existing partitions, then type w to write the changes.
- Create a New Partition (Optional): If you need to create a new partition, type n to add a partition. Afterward, type w to write the changes.
- Verify the Partition: Once the partition is created, verify it by listing the devices again.
  lsblk
  If you created a partition, it will be listed as /dev/sdX1 (or something similar).
Step 2: Install Necessary Packages
To work with LUKS encryption, you need the cryptsetup package. Install it with your distribution's package manager:
Debian/Ubuntu:
sudo apt update
sudo apt install cryptsetup
Arch Linux:
sudo pacman -S cryptsetup
Fedora/Rocky Linux:
sudo dnf install -y cryptsetup
This package provides the utilities required for creating and managing LUKS encrypted volumes.
Step 3: Set Up LUKS Encryption
- Encrypt the Partition: Use the cryptsetup utility to encrypt the partition. Replace /dev/sdX1 with the partition you wish to encrypt.
  sudo cryptsetup luksFormat /dev/sdX1
  You will be prompted with a warning. Type YES in uppercase to confirm the action. Then, create a passphrase for the encryption.
- Open the LUKS Volume: Once the volume is encrypted, you need to "open" it, which creates a virtual device that you can interact with.
  sudo cryptsetup luksOpen /dev/sdX1 encrypted_volume
  This command opens the encrypted partition and maps it to a virtual device named encrypted_volume. You will be prompted for the passphrase created earlier.
- Verify the LUKS Volume: To check if the volume is open and available, list the devices again:
  lsblk
  You should see encrypted_volume listed as a mapped device under /dev/mapper/.
Step 4: Create a Filesystem
Now that the encrypted volume is open, you can format it with a filesystem. This step is necessary to store data on the encrypted volume.
- Choose a Filesystem Type: For general use, the ext4 filesystem is a good choice. To create an ext4 filesystem on encrypted_volume, run:
  sudo mkfs.ext4 /dev/mapper/encrypted_volume
  If you prefer another filesystem, such as xfs or btrfs, you can replace ext4 with your desired filesystem.
- Label the Filesystem (Optional): You may want to label the filesystem for easier identification. For example, to label it "securedata":
  sudo e2label /dev/mapper/encrypted_volume securedata
  This step is optional but can help you identify the volume more easily.
Step 5: Mount the Encrypted Volume
After formatting the partition, you can mount it and begin using it to store data.
- Create a Mount Point: Create a directory to mount the encrypted volume to, for example /mnt/securedata:
  sudo mkdir /mnt/securedata
- Mount the Volume: Mount the volume to the newly created directory:
  sudo mount /dev/mapper/encrypted_volume /mnt/securedata
- Verify the Mount: To ensure the volume is mounted, use the df command or lsblk:
  df -h
  You should see /mnt/securedata listed with the correct disk space.
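The five steps above, combined into one guarded script. This is an added example, not part of the original tutorial: the function names are made up for it, and the defaults (/dev/sdX1, encrypted_volume, /mnt/securedata) are the placeholders the tutorial uses. It goes beyond the tutorial in two ways: it refuses to format a device that is mounted or already carries a filesystem or LUKS signature (the luksFormat "YES" prompt is otherwise the only thing between a mistyped device name and a wiped live disk), and it validates the mapper name before it becomes part of a /dev/mapper path.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): Steps 1-5 as one guarded script.
# Assumed/hypothetical: all function names below; --type luks2 is an explicit choice
# where the tutorial relies on cryptsetup's default.
set -eu

# Mapper names become /dev/mapper/<name> and the first field of /etc/crypttab,
# so reject empty names and anything outside [A-Za-z0-9_.-] (slashes, whitespace).
validate_mapper_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Refuse to format a device that is mounted or already has a filesystem/LUKS
# signature; wiping must be a deliberate separate step, never a side effect.
device_is_safe_to_format() {
    dev="$1"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if findmnt -n --source "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev is currently mounted" >&2
        return 1
    fi
    sig="$(blkid -o value -s TYPE "$dev" 2>/dev/null || true)"
    if [ -n "$sig" ]; then
        echo "refusing: $dev already carries a '$sig' signature (wipe it deliberately first)" >&2
        return 1
    fi
    return 0
}

# setup_luks_volume DEVICE MAPPER_NAME MOUNTPOINT [FSTYPE]   (run as root)
setup_luks_volume() {
    dev="$1"; name="$2"; mnt="$3"; fstype="${4:-ext4}"

    validate_mapper_name "$name" || { echo "bad mapper name: $name" >&2; return 1; }
    device_is_safe_to_format "$dev" || return 1

    # Step 3: format (interactive passphrase prompt) and open the volume.
    cryptsetup luksFormat --type luks2 "$dev"
    cryptsetup open "$dev" "$name"        # modern spelling of luksOpen

    # Step 4: filesystem on the mapped device, never on the raw partition.
    mkfs."$fstype" "/dev/mapper/$name"

    # Step 5: mount point and mount, then show the result.
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    findmnt -n "$mnt"
}

# Nothing runs unless explicitly requested, so the file can be sourced and its
# checks exercised without touching any device:
#   LUKS_SETUP_RUN=1 sudo ./luks-setup.sh /dev/sdX1 encrypted_volume /mnt/securedata
if [ "${LUKS_SETUP_RUN:-0}" = 1 ]; then
    setup_luks_volume "$@"
fi
```

The signature check uses blkid's TYPE field, which reports crypto_LUKS for an existing LUKS header as well as ordinary filesystem types, so re-running the script against an already-initialised volume stops before luksFormat instead of destroying the header and the data behind it.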
Step 6: Automate Mounting on Boot (Optional)
To automatically mount the encrypted volume after a server reboot, you need to make changes to the /etc/fstab and /etc/crypttab files.
- Edit /etc/crypttab: This file tells the system how to unlock the encrypted volume at boot time.
  sudo nano /etc/crypttab
  Add the following line:
  encrypted_volume /dev/sdX1 none luks
  This tells the system to unlock the encrypted volume /dev/sdX1 using LUKS encryption during boot.
- Edit /etc/fstab: This file tells the system where to mount the decrypted volume after unlocking it.
  sudo nano /etc/fstab
  Add the following line:
  /dev/mapper/encrypted_volume /mnt/securedata ext4 defaults 0 2
  This specifies that the decrypted volume should be mounted at /mnt/securedata.
- Test the Configuration: After making these changes, reboot the system to verify the encryption setup works correctly:
  sudo reboot
  Upon reboot, the system should prompt you for the passphrase, unlock the volume, and mount it automatically.
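A helper for the crypttab/fstab step, added here as an example and not taken from the tutorial; the function names and the sample file contents are constructed. It builds the two entries from the partition's UUID rather than /dev/sdX1 (device letters can change when another volume is attached, and crypttab accepts UUID= in its device field), and it audits an existing crypttab/fstab pair before you reboot: an fstab entry for a /dev/mapper name that crypttab does not know about, a crypttab device given by /dev/sdX name, or a key file (the third crypttab field, the usual alternative to a console passphrase prompt on a headless cloud server) that is missing or readable by other users are each reported as a finding.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands). Hypothetical function names;
# stable-device forms accepted by the audit are UUID= and /dev/disk/by-*.
set -eu

# crypttab_line NAME UUID [KEYFILE]  ->  "NAME UUID=... none luks"
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "${3:-none}"
}

# fstab_line NAME MOUNTPOINT [FSTYPE]  ->  "/dev/mapper/NAME MOUNTPOINT ext4 defaults 0 2"
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "${3:-ext4}"
}

# entries_for_device /dev/sdX1 NAME MOUNTPOINT [FSTYPE]: read the partition's
# UUID with blkid (needs root) and print both lines ready to append.
entries_for_device() {
    uuid="$(blkid -o value -s UUID "$1")"
    crypttab_line "$2" "$uuid"
    fstab_line "$2" "$3" "${4:-ext4}"
}

# audit_crypt_config CRYPTTAB FSTAB: print one finding per line, return 1 if any.
audit_crypt_config() {
    crypttab="$1"; fstab="$2"
    findings="$(
        # 1. Every /dev/mapper/NAME mounted by fstab needs a crypttab entry,
        #    otherwise boot waits for a device that will never appear.
        #    (NAME is used as a regex; names from the tutorial contain no metacharacters.)
        grep -Eo '^/dev/mapper/[^[:space:]]+' "$fstab" | sed 's|^/dev/mapper/||' |
        while read -r name; do
            grep -Eq "^[[:space:]]*$name[[:space:]]" "$crypttab" ||
                echo "fstab mounts /dev/mapper/$name but crypttab has no '$name' entry"
        done
        # 2. Each crypttab entry: stable device reference, sane key file.
        grep -Ev '^[[:space:]]*(#|$)' "$crypttab" |
        while read -r name dev key opts; do
            case "$dev" in
                UUID=*|/dev/disk/by-*) ;;
                *) echo "crypttab entry '$name' uses '$dev'; prefer UUID= (device names can change)" ;;
            esac
            if [ "$key" != none ] && [ "$key" != - ]; then
                if [ ! -f "$key" ]; then
                    echo "crypttab entry '$name' names key file '$key' which does not exist"
                else
                    perm="$(stat -c '%a' "$key")"            # GNU stat, e.g. 600
                    groupother="${perm#"${perm%??}"}"        # last two octal digits
                    [ "$groupother" = 00 ] ||
                        echo "key file '$key' has mode $perm; group/other must have no access"
                fi
            fi
        done
    )"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# demo: audit a constructed bad pair (no real devices or system files touched).
demo_audit() {
    d="$(mktemp -d)"
    printf 'encrypted_volume /dev/sdb1 none luks\n' > "$d/crypttab"
    fstab_line encrypted_volume /mnt/securedata > "$d/fstab"
    fstab_line orphan /mnt/other >> "$d/fstab"
    audit_crypt_config "$d/crypttab" "$d/fstab" || true
    rm -rf "$d"
}
```

Run the audit as sudo ./check.sh with audit_crypt_config /etc/crypttab /etc/fstab before the reboot in the step above; a clean result means the mapper names, device references and key-file permissions are consistent, which is the part of this step that otherwise only shows up as a hung boot.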
Step 7: Additional Management
- Unmounting the Encrypted Volume: When you're finished using the volume, unmount it:
  sudo umount /mnt/securedata
  If the volume is still open, you can close it using:
  sudo cryptsetup luksClose encrypted_volume
- Checking the Status of LUKS: You can view information about the LUKS encrypted volume using:
  sudo cryptsetup luksDump /dev/sdX1
- Changing the LUKS Passphrase: If you wish to change the encryption passphrase:
  sudo cryptsetup luksChangeKey /dev/sdX1
  Follow the prompts to enter the current passphrase and then set a new one.
Conclusion
You have now successfully set up LUKS encryption on a block storage volume in a Linux cloud server, ensuring that your data is encrypted and secure. By following this guide, you can maintain a secure environment for your data, with automated mounting on boot if required.
Notes
- Always back up any critical data before performing encryption operations.
- Use strong passphrases and key management practices to ensure the security of your encrypted volumes.