This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.
Abstract
Goal: Encrypt data on storage devices with LUKS, and use NBDE to manage automatic decryption when servers are booted.
Objectives:
Sections:
Lab:
Protecting Data with LUKS and NBDE
After completing this section, students should be able to create encrypted storage devices with LUKS, and manually open and mount storage on LUKS-encrypted devices.
Physical compromise of a system puts the sensitive data on its storage devices at risk. This is particularly true for mobile systems such as laptops and for removable media, but servers may also have security requirements that the data they store is protected at rest. Encrypting this data helps mitigate the risk of its exposure if the system is lost or stolen.
Red Hat Enterprise Linux supports block device encryption with Linux Unified Key Setup (LUKS) technology. Encrypting a block device (such as a disk partition or LVM physical volume) is easiest at installation time, but LUKS can also be configured after installation. However, setting up LUKS encryption requires that the file systems on the device be reformatted.
When performing an interactive installation, select the Encrypt check box during partition creation to encrypt the partition. The system prompts for a passphrase to use in decrypting the partition when this option is selected. The passphrase must be manually entered every time the system boots. If you are creating a custom partition table, you can select which partitions you want to encrypt.
When performing automated installations, Kickstart can create encrypted block devices. If you only want to use automated partitioning, you can specify that encryption should be used with the following directive:
autopart --type=lvm --encrypted --passphrase=PASSPHRASE
If you are configuring specific disk partitions, you must specify the --encrypted and --passphrase options for each partition to be encrypted.
For example, the following line in a Kickstart profile encrypts the existing /dev/vda2 partition using the specified passphrase for decryption, formats it with an ext4 file system, and mounts it on /home:
part /home --fstype=ext4 --size=10000 --onpart=vda2 --encrypted --passphrase=PASSPHRASE
Similar syntax works for encrypting an LVM physical volume:
part pv.01 --size=10000 --encrypted --passphrase=PASSPHRASE
Note that the passphrase, PASSPHRASE, is stored in the Kickstart profile in plain text, and so the Kickstart profile must be secured.
If you omit the --passphrase option then the installer prompts for the passphrase during installation.
You can use the cryptsetup command to encrypt existing devices after installation.
The cryptsetup package, which contains this command, is installed as part of the default Red Hat Enterprise Linux installation.
You can use the cryptsetup luksFormat partition_name command to encrypt a partition.
The following example encrypts the /dev/vdb1 device:
[root@demo ~]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: demopass
Verify passphrase: demopass
The cryptsetup luksFormat command reformats the targeted block device, and destroys any data that is currently stored on that device.
You can use the cryptsetup luksDump command to verify the encryption information for an encrypted device. This command displays information such as the LUKS header information, and the key slots (each of which may contain a valid passphrase) in use by the LUKS-encrypted device. Note that it also reports on the cipher used to encrypt the device (by default, aes-xts-plain64).
[root@demo ~]# cryptsetup luksDump /dev/vdb1
LUKS header information for /dev/vdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      bb 77 e1 77 f9 f9 37 69 56 00 9d cb c2 59 b0 e6 d6 52 d5 b8
MK salt:        11 99 36 16 76 89 a3 70 49 d7 43 bc 31 5c 66 12
                ff 7b a4 bc 73 c3 96 82 dd 90 00 81 5c 07 32 3a
MK iterations:  63000
UUID:           f831968f-cbc6-4130-b1a0-3475882e9f8b

Key Slot 0: ENABLED
        Iterations:             496123
        Salt:                   9a 98 b3 67 09 c9 96 ea 25 28 66 1e 0b f0 dd ef
                                ca 01 38 2e 39 55 be a4 f1 aa 9a 1e d7 5f 8f 82
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             485767
        Salt:                   64 a7 59 0f c4 85 2f c6 9d 96 59 11 fe dc 5b 2b
                                21 cd 26 30 bf 61 21 60 41 0a 48 7c 4b 4c e6 d4
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
If you are creating a LUKS-encrypted file system after installation, be aware that some mount points have specific SELinux context assignments (/home and /tmp for example).
You might need to use the restorecon command on the file system once you have it mounted into its permanent location.
Opening and Mounting Encrypted Devices
To manually open a LUKS-encrypted partition so that you may access its data, you can use the cryptsetup luksOpen command.
This command maps the partition to a decrypted, logical device-mapper block device, under the /dev/mapper directory.
Then, if the decrypted device contains a normal file system, you can provide the name of this logical device as an input to the mount command in order to access it.
The following example decrypts the /dev/vdb1 device and maps it to the example logical device-mapper device. To decrypt the partition, the cryptsetup luksOpen command prompts for the passphrase used to encrypt it.
[root@demo ~]# cryptsetup luksOpen /dev/vdb1 example
Enter passphrase for /dev/vdb1: demopass
You can also configure LUKS-encrypted devices so that they are decrypted and mounted automatically at boot time. This may require entry of a password on the system's console at boot time, or you can use NBDE to automatically decrypt the device if certain conditions are met. This topic is covered in a later chapter.
Unmounting and Closing Encrypted Devices
Before manually closing a LUKS-encrypted device, you should make sure that you have unmounted its file systems and are not using that device for active logical volumes.
The cryptsetup luksClose command unmaps the LUKS-encrypted partition from the logical device-mapper device.
The following example unmaps the /dev/vdb1 device from the example logical device-mapper device.
[root@demo ~]# cryptsetup luksClose example
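The whole luksFormat, luksDump, luksOpen, mount, umount and luksClose cycle from the sections above, as an added example that is not part of the course: it runs against a loop-backed scratch file instead of a real partition so nothing on the host is overwritten, and it keys the device from a key file rather than an interactive passphrase. The demo function assumes root and that cryptsetup, losetup and mkfs.ext4 are installed; the two audit helpers that read a luksDump report only need grep and awk.

```shell
#!/bin/bash
# Added example, not from the course text. Runs the luksFormat -> luksDump
# -> luksOpen -> mount -> umount -> luksClose cycle on a loop-backed file
# (assumes root, cryptsetup, losetup, mkfs.ext4), keyed from a key file.
set -euo pipefail

# Constructed luksDump excerpt in the format the text shows (two slots in use).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/vdb1
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
EOF
}

# Count key slots reported as ENABLED: every enabled slot is a passphrase
# (or key file) that can open the device, so audit for ones you did not add.
luks_enabled_slots() { grep -c '^Key Slot [0-9]*: ENABLED' "$1"; }

# Report the cipher as name-mode, e.g. aes-xts-plain64 (the default).
luks_cipher() {
    awk -F': *' '/^Cipher name:/{n=$2} /^Cipher mode:/{m=$2} END{print n "-" m}' "$1"
}

luks_lifecycle_demo() {
    local img key loop mnt dump
    img=$(mktemp) key=$(mktemp) dump=$(mktemp) mnt=$(mktemp -d)
    head -c 32 /dev/urandom >"$key"; chmod 0600 "$key"   # 256-bit key file
    truncate -s 64M "$img"
    loop=$(losetup --find --show "$img")
    # luksFormat destroys anything already on the device; --batch-mode is the
    # non-interactive "YES" to its warning.
    cryptsetup luksFormat --batch-mode --key-file "$key" "$loop"
    cryptsetup luksDump "$loop" >"$dump"
    echo "cipher $(luks_cipher "$dump"), enabled slots $(luks_enabled_slots "$dump")"
    cryptsetup luksOpen --key-file "$key" "$loop" demo   # -> /dev/mapper/demo
    mkfs.ext4 -q /dev/mapper/demo
    mount /dev/mapper/demo "$mnt"
    restorecon -R "$mnt" 2>/dev/null || true   # fix SELinux context if needed
    df -h "$mnt"
    umount "$mnt"                                # unmount before luksClose
    cryptsetup luksClose demo
    losetup -d "$loop"; rm -f "$img" "$key" "$dump"; rmdir "$mnt"
}

# Usage: sudo ./luks-demo.sh demo   (the audit helpers work without root)
if [ "${1:-}" = demo ] && [ "$(id -u)" -eq 0 ]; then luks_lifecycle_demo; fi
```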
References
cryptsetup(8) man page
For more information, refer to the Hardening Your System with Tools and Services chapter in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-Hardening_Your_System_with_Tools_and_Services