Abstract

Goal: Encrypt data on storage devices with Linux Unified Key Setup (LUKS), and use Network-bound Disk Encryption (NBDE) to manage automatic decryption when servers are booted.
Create encrypted storage devices with LUKS, and manually open and mount storage on LUKS-encrypted devices.
The threat of a system's physical compromise puts sensitive data in its storage devices at risk. Although this risk applies particularly to mobile systems such as laptops or removable media, servers might also have security requirements to protect the data that they store. Encrypting this data helps mitigate the risk of its exposure if the system is lost.
Red Hat Enterprise Linux supports block device encryption with LUKS technology. Encrypting a block device (such as a disk partition or LVM physical volume) can be completed during installation, but LUKS can also be configured after installation. However, to set up LUKS encryption after installation, you must reformat the file systems on the device.
In Red Hat Enterprise Linux, the default format for LUKS encryption is LUKS2. The earlier LUKS1 format remains fully supported and is provided for compatibility with earlier Red Hat Enterprise Linux releases. Compared to LUKS1 re-encryption, LUKS2 re-encryption is more robust and safer to use.
The LUKS2 format enables future updates of various parts without needing to modify binary structures. Internally, the LUKS2 format uses the JSON text format for metadata, provides redundancy of metadata, detects metadata corruption, and automatically repairs from a metadata copy.
LUKS is not recommended in the following scenarios:
Solutions that require disk encryption to protect the data only when your system is off. After the system is on and LUKS has decrypted the disk, the files on that disk are available to anyone who has access to them.
Scenarios that require multiple users to have distinct access keys to the same device. The LUKS1 format provides eight key slots and LUKS2 provides up to 32 key slots.
Applications that require file-level encryption.
The LUKS2 format supports re-encrypting encrypted devices when the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:
Change the volume key
Change the encryption algorithm
When encrypting a non-encrypted device, you must still unmount the file system. You can remount the file system after a short initialization of the encryption.
The LUKS1 format does not support online re-encryption.
LUKS performs the following operations for encrypting block devices:
LUKS encrypts entire block devices and is therefore well suited for protecting content on mobile devices such as removable storage media or laptop disk drives.
Because LUKS encrypts the underlying contents of a block device regardless of their format, it can also encrypt swap devices. This encryption can also be useful with certain databases that use specially formatted block devices for data storage.
LUKS uses the existing device mapper in the kernel subsystem.
LUKS provides passphrase strengthening, which protects against dictionary attacks.
LUKS devices contain multiple key slots, so users can add backup keys or passphrases.
When installing interactively, select the option to encrypt the partition during partition creation. When this option is selected, the system prompts for a passphrase to decrypt the partition. You must manually enter the passphrase every time that the system boots. If you are creating a custom partition table, then you can select which partitions to encrypt.
With automated installations, Kickstart can create encrypted block devices. If you prefer automated partitioning, then you can specify the use of encryption with the following directive:
autopart --type=lvm --encrypted --passphrase=PASSPHRASE
If you are configuring specific disk partitions, then you must specify the --encrypted and --passphrase options for each partition to be encrypted.
For example, the following line in a Kickstart profile encrypts the existing /dev/vda2 partition by using the specified passphrase for decryption, formats it with an ext4 file system, and mounts it on /home:
part /home --fstype=ext4 --size=10000 --onpart=vda2 --encrypted --passphrase=PASSPHRASE
You can use similar syntax to encrypt an LVM physical volume:
part pv.01 --size=10000 --encrypted --passphrase=PASSPHRASE
The passphrase, PASSPHRASE, is stored in the Kickstart profile in plain text, so the Kickstart profile must be secured.
If you omit the --passphrase option, then the installer prompts for the passphrase during installation.
You can use the cryptsetup command to encrypt existing devices after installation.
The cryptsetup package that contains this command is available in the default Red Hat Enterprise Linux installation.
You can use the cryptsetup luksFormat command to encrypt a partition.
The following example encrypts the /dev/vdb1 device:
[root@host ~]# cryptsetup luksFormat /dev/vdb1

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/vdb1: PASSPHRASE
Verify passphrase: PASSPHRASE
The cryptsetup luksFormat command reformats the targeted block device, and deletes any data that is currently stored on that device.
You can use the cryptsetup luksDump command to verify the encryption information for an encrypted device.
This command displays information such as the LUKS header information, and the key slots (each of which might contain a valid passphrase) that the LUKS-encrypted device uses.
The output also reports the cipher that encrypts the device (by default, aes-xts-plain64).
[root@host ~]# cryptsetup luksDump /dev/vdb1
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           3f386240-06a3-4336-881f-7a1f96a2cd01
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     748531
        Threads:    2
        Salt:       cb 4e 45 73 e4 dd 35 ac 12 41 0f 4d d6 52 0d 28
                    d9 1c 41 33 44 d8 61 9a bf 31 d7 e1 79 9b ec 00
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 94296
        Salt:       bb c5 e2 aa 9d 9c e1 f2 9b 8a 17 f4 3c ac f4 af
                    3b b3 06 50 45 cf 50 0f 7c 23 b3 3c ee 77 49 64
        Digest:     df f4 af 04 03 a5 1b e5 24 69 6b 0d dc d5 28 40
                    90 c6 d8 86 5f ff db 73 53 77 cf db 32 b9 9b 9c
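The structure that luksDump is reading can be inspected directly. The following Python script is an added example; it is not part of the course material and not code from the cryptsetup project. It builds a constructed two-copy LUKS2 header whose JSON metadata is modelled on the dump above (dummy salts, a constructed volume key), validates each copy's checksum, falls back to the secondary copy when the primary is corrupt (the metadata redundancy and repair described earlier), and recomputes the pbkdf2 digest to check a candidate volume key. The binary field layout follows the LUKS2 on-disk format specification, and the header sizes scanned for the secondary copy (16 KiB to 4 MiB) are the sizes that format allows. It reads no keyslots and decrypts nothing.

```python
"""Parse and check LUKS2 on-disk headers against a constructed image (added example)."""
import base64
import hashlib
import hmac
import json
import struct

# Binary header layout (4096 bytes, big-endian) from the LUKS2 on-disk format: magic(6) version(2)
# hdr_size(8) seqid(8) label(48) csum_alg(32) salt(64) uuid(40) subsystem(48) hdr_offset(8) pad(184)
# csum(64) pad(3584); the JSON area follows and runs up to hdr_size.
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
HDR_LEN = struct.calcsize(HDR_FMT)                  # 4096
CSUM_OFF, CSUM_LEN = 448, 64                        # where the checksum sits in the binary part
MAGIC = {0: b"LUKS\xba\xbe", 1: b"SKUL\xba\xbe"}    # primary copy, secondary copy
HDR_SIZES = [16384 << i for i in range(9)]          # header sizes LUKS2 allows: 16 KiB .. 4 MiB

SAMPLE_KEY = hashlib.sha512(b"constructed volume key, demo only").digest()   # 64 bytes = 512-bit key
DIGEST_SALT = bytes(range(32))                                               # constructed, not random
SAMPLE_UUID = "3f386240-06a3-4336-881f-7a1f96a2cd01"
b64 = lambda raw: base64.b64encode(raw).decode()

# Constructed JSON metadata modelled on the luksDump output: one AES-XTS segment, one argon2id
# keyslot (dummy salt) and one pbkdf2 digest that binds the keyslot to the segment.
SAMPLE_META = {
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "encryption": "aes-xts-plain64", "sector_size": 512}},
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "kdf": {"type": "argon2id", "time": 4, "memory": 748531, "cpus": 2,
                               "salt": b64(b"\0" * 32)},
                       "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                       "area": {"type": "raw", "offset": "32768", "size": "258048",
                                "encryption": "aes-xts-plain64", "key_size": 64}}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"], "hash": "sha256",
                      "iterations": 94296, "salt": b64(DIGEST_SALT),
                      "digest": b64(hashlib.pbkdf2_hmac("sha256", SAMPLE_KEY, DIGEST_SALT, 94296, 32))}},
}

def build_header(copy, hdr_size, seqid, meta, label="", dev_uuid=SAMPLE_UUID):
    """Serialise one header copy (binary part + NUL-padded JSON area) and fill in its checksum."""
    json_area = json.dumps(meta, separators=(",", ":")).encode().ljust(hdr_size - HDR_LEN, b"\0")
    salt = hashlib.sha256(b"constructed header salt %d" % copy).digest() * 2   # 64 dummy bytes
    fields = [MAGIC[copy], 2, hdr_size, seqid, label.encode(), b"sha256", salt,
              dev_uuid.encode(), b"", copy * hdr_size, b"", b"\0" * CSUM_LEN, b""]
    raw = struct.pack(HDR_FMT, *fields) + json_area          # checksum is computed with its own field zeroed
    fields[11] = hashlib.sha256(raw).digest().ljust(CSUM_LEN, b"\0")
    return struct.pack(HDR_FMT, *fields) + json_area

def build_image(hdr_size=16384, seqid=3, meta=SAMPLE_META):
    """Primary and secondary copies back to back, as cryptsetup lays them out (no keyslot or data area)."""
    return build_header(0, hdr_size, seqid, meta) + build_header(1, hdr_size, seqid, meta)

def parse_header(blob, offset):
    """Validate the header copy at `offset` (magic, version, self-offset, checksum) and decode its JSON."""
    fields = struct.unpack(HDR_FMT, blob[offset:offset + HDR_LEN])
    magic, version, hdr_size, seqid, label, csum_alg, _, dev_uuid, _, hdr_offset, _, csum, _ = fields
    if magic not in MAGIC.values() or version != 2 or hdr_offset != offset:
        raise ValueError("no LUKS2 header at offset %d" % offset)
    full = blob[offset:offset + hdr_size]
    zeroed = full[:CSUM_OFF] + b"\0" * CSUM_LEN + full[CSUM_OFF + CSUM_LEN:]
    expected = hashlib.new(csum_alg.rstrip(b"\0").decode(), zeroed).digest()
    if not hmac.compare_digest(csum[:len(expected)], expected):
        raise ValueError("checksum mismatch in header copy at offset %d" % offset)
    return {"version": version, "seqid": seqid, "uuid": dev_uuid.rstrip(b"\0").decode(),
            "label": label.rstrip(b"\0").decode() or "(no label)",
            "json": json.loads(full[HDR_LEN:].rstrip(b"\0"))}

def read_metadata(blob):
    """Use the primary copy; if it fails validation, look for the secondary copy at each allowed size."""
    try:
        return parse_header(blob, 0), "primary"
    except ValueError:
        pass
    for size in HDR_SIZES:
        try:
            return parse_header(blob, size), "secondary"
        except (ValueError, struct.error):
            continue
    raise ValueError("no valid LUKS2 header copy found")

def summarize(meta):
    """The fields luksDump reports first: version, UUID, label, cipher, key size, keyslot PBKDF, data offset."""
    seg, slot = meta["json"]["segments"]["0"], meta["json"]["keyslots"]["0"]
    return {"version": meta["version"], "uuid": meta["uuid"], "label": meta["label"],
            "cipher": seg["encryption"], "key_bits": slot["key_size"] * 8,
            "pbkdf": slot["kdf"]["type"], "data_offset": int(seg["offset"])}

def verify_volume_key(meta, key):
    """Recompute the pbkdf2 digest from a candidate volume key, as cryptsetup does after unwrapping a keyslot."""
    dig = meta["json"]["digests"]["0"]
    want = base64.b64decode(dig["digest"])
    got = hashlib.pbkdf2_hmac(dig["hash"], key, base64.b64decode(dig["salt"]), dig["iterations"], len(want))
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    image = build_image()
    meta, source = read_metadata(image)
    print(source, summarize(meta), verify_volume_key(meta, SAMPLE_KEY))
    damaged = bytearray(image)
    damaged[HDR_LEN + 10] ^= 0xFF            # flip one byte inside the primary copy's JSON area
    print(read_metadata(bytes(damaged))[1])  # the secondary copy is used instead
```

The checksum covers the whole header copy, binary part and JSON area, with the checksum field itself zeroed, which is why a single flipped byte in the JSON text is caught. cryptsetup additionally prefers the copy with the higher sequence number when both validate; that tie-break is left out here.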
If you are creating a LUKS-encrypted file system after installation, be aware that some mount points have specific SELinux context assignments (the /home and /tmp directories, for example).
You might need to use the restorecon command on the file system after it is mounted to its permanent location.
You can use the cryptsetup open command to manually open a LUKS-encrypted partition and access its data.
This command maps the partition to a decrypted, logical device-mapper block device, in the /dev/mapper directory.
Then, if the decrypted device contains a file system, you can provide the name of this logical device as an input to the mount command to access it.
The following example decrypts the /dev/vdb1 device and maps it to the vdb1_encrypted logical device-mapper device.
To decrypt the partition, the cryptsetup open command prompts for the passphrase that was used to encrypt it.
[root@host ~]# cryptsetup open /dev/vdb1 vdb1_encrypted
Enter passphrase for /dev/vdb1: PASSPHRASE
The following example shows the status of the encrypted block device:
[root@host ~]# cryptsetup status vdb1_encrypted
/dev/mapper/vdb1_encrypted is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/vdb1
  sector size:  512
  offset:  32768 sectors
  size:    2015232 sectors
  mode:    read/write
You can also configure LUKS-encrypted devices so that they are decrypted and mounted automatically at boot time. This configuration might require entering a password on the system's console at boot time, or you can use Network-Bound Disk Encryption (NBDE) to automatically decrypt the device if certain conditions are met. This topic is covered in a later section.
Before manually closing a LUKS-encrypted device, ensure that you have unmounted its file systems and that no active logical volumes are using the device.
In the following example, the cryptsetup close command unmaps the LUKS-encrypted /dev/vdb1 partition device from the vdb1_encrypted logical device-mapper device.
[root@host ~]# cryptsetup close vdb1_encrypted
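A scripted form of the open, mount and close sequence above, as an added example that is not part of the course material: it builds the command lists that correspond to the manual steps and, before cryptsetup close, parses /proc/mounts so that nested mount points are unmounted deepest first and refuses to continue while device-mapper holders (for example LVM volumes, as listed under /sys/block/dm-N/holders) still exist. The device, mapping and mount-point names are the text's examples, the --key-file option is an assumption about how the volume is unlocked, and the sample /proc/mounts content is constructed. Running the commands needs root and a real LUKS device, so executed directly the script only prints the plan.

```python
"""Plan the open/mount/close sequence for a LUKS mapping with safety checks (added example)."""
import subprocess

MAPPER_DIR = "/dev/mapper/"


def mount_points_of(mapper_name, proc_mounts):
    """Mount points backed by /dev/mapper/<name>, parsed from the text of /proc/mounts."""
    dev = MAPPER_DIR + mapper_name
    points = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == dev:
            points.append(parts[1].replace("\\040", " "))   # /proc/mounts escapes spaces as \040
    return points


def open_commands(device, mapper_name, mount_point, key_file=None):
    """Commands mirroring the manual procedure: cryptsetup open, then mount the mapped device."""
    open_cmd = ["cryptsetup", "open", device, mapper_name]
    if key_file:
        open_cmd += ["--key-file", key_file]             # otherwise cryptsetup prompts for the passphrase
    return [open_cmd, ["mount", MAPPER_DIR + mapper_name, mount_point]]


def close_commands(mapper_name, proc_mounts, holders=()):
    """Commands that close the mapping safely: unmount deepest mount points first, then cryptsetup close.

    `holders` are device-mapper holders of the mapping (for example active LVM volumes, read from
    /sys/block/dm-N/holders); the close is refused while any exist instead of being forced.
    """
    if holders:
        raise RuntimeError("%s is still in use by: %s" % (mapper_name, ", ".join(holders)))
    points = sorted(mount_points_of(mapper_name, proc_mounts), key=len, reverse=True)
    return [["umount", mp] for mp in points] + [["cryptsetup", "close", mapper_name]]


def run(commands):
    """Execute a plan, stopping at the first failing command."""
    for cmd in commands:
        subprocess.run(cmd, check=True)


# Constructed /proc/mounts content: two mounts from the mapping (one nested, one with a space), one unrelated.
SAMPLE_PROC_MOUNTS = (
    "/dev/mapper/vdb1_encrypted /mnt/secret xfs rw,relatime 0 0\n"
    "/dev/mapper/vdb1_encrypted /mnt/secret/nested\\040dir ext4 rw,relatime 0 0\n"
    "/dev/vda1 /boot xfs rw,relatime 0 0\n"
)

if __name__ == "__main__":
    # Only prints the plan: executing it needs root and a real LUKS device (see run()).
    for cmd in open_commands("/dev/vdb1", "vdb1_encrypted", "/mnt/secret"):
        print(" ".join(cmd))
    for cmd in close_commands("vdb1_encrypted", SAMPLE_PROC_MOUNTS):
        print(" ".join(cmd))
```

Ordering by path length puts a mount nested under another one first, which is what makes the subsequent umount of the parent and the cryptsetup close succeed; a mapping that an LVM volume group still holds is reported rather than torn down.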
cryptsetup(8) man page
For more information, refer to the Encrypting Block Devices Using LUKS chapter in the Security Hardening guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/encrypting-block-devices-using-luks_security-hardening