Guided Exercise: Managing Storage Device Encryption with LUKS

In this exercise, you create an encrypted partition with LUKS, open it, format it with an XFS file system, and confirm that you can mount it. Finally, you unmount the file system and close the partition.

Outcomes

  • Encrypt a partition by using LUKS.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start luks-manage

Instructions

  1. Verify that the /dev/vdb additional disk is available on the servera machine. In this exercise, you use this disk to create an encrypted partition.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Verify that the /dev/vdb disk is available, and has no partition.

      [root@servera ~]# parted -l
      Error: /dev/vdb: unrecognised disk label
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: unknown
      Disk Flags:
      
      ...output omitted...
  2. Create a partition on the /dev/vdb disk on the servera machine.

    1. Use the parted command to create a partition on the /dev/vdb disk on the servera machine.

      [root@servera ~]# parted /dev/vdb mklabel msdos mkpart primary xfs 1M 1G
      Information: You may need to update /etc/fstab.
    2. Verify that the partition is available.

      [root@servera ~]# parted /dev/vdb print
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: msdos
      Disk Flags:
      
      Number  Start   End     Size    File system  Name  Flags
       1      1049kB  1073MB  1072MB               xfs
  3. Encrypt the /dev/vdb1 partition with LUKS. Use the redhatRHT passphrase.

    [root@servera ~]# cryptsetup luksFormat /dev/vdb1
    
    WARNING!
    ========
    This will overwrite data on /dev/vdb1 irrevocably.
    
    Are you sure? (Type 'yes' in capital letters): YES
    Enter passphrase for /dev/vdb1: redhatRHT
    Verify passphrase: redhatRHT
  4. Map the encrypted partition to the encryptedvdb1 logical device.

    1. Use the cryptsetup open command to map the encrypted partition to the encryptedvdb1 logical device.

      [root@servera ~]# cryptsetup open /dev/vdb1 encryptedvdb1
      Enter passphrase for /dev/vdb1: redhatRHT
    2. Verify that the partition is now mapped to the /dev/mapper/encryptedvdb1 logical device.

      [root@servera ~]# ls /dev/mapper/encryptedvdb1
      /dev/mapper/encryptedvdb1
  5. Create an XFS file system on the encrypted partition, and mount this file system on the /encrypted directory. Then, create a file in the /encrypted directory.

    1. Create an XFS file system on the /dev/mapper/encryptedvdb1 device.

      [root@servera ~]# mkfs.xfs /dev/mapper/encryptedvdb1
      meta-data=/dev/mapper/encryptedvdb1 isize=512    agcount=4, agsize=64384 blks
               =                       sectsz=512   attr=2, projid32bit=1
               =                       crc=1        finobt=1, sparse=1, rmapbt=0
               =                       reflink=1    bigtime=1 inobtcount=1
      data     =                       bsize=4096   blocks=257536, imaxpct=25
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
      log      =internal log           bsize=4096   blocks=1566, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=1
      realtime =none                   extsz=4096   blocks=0, rtextents=0
    2. Create the /encrypted directory.

      [root@servera ~]# mkdir /encrypted
    3. Mount the /dev/mapper/encryptedvdb1 device on the /encrypted directory.

      [root@servera ~]# mount -t xfs /dev/mapper/encryptedvdb1 /encrypted
    4. Verify that the /dev/mapper/encryptedvdb1 device is correctly mounted.

      [root@servera ~]# mount | grep encryptedvdb1
      /dev/mapper/encryptedvdb1 on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
    5. Create a file called testfile in the /encrypted directory by using the touch command.

      [root@servera ~]# touch /encrypted/testfile
  6. Unmount the file system and unmap the encrypted partition.

    1. Unmount the file system from the /encrypted directory.

      [root@servera ~]# umount /encrypted
    2. Unmap the encrypted partition.

      [root@servera ~]# cryptsetup close encryptedvdb1
  7. Return to the workstation machine as the student user.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    Connection to servera closed.
    [student@workstation ~]$

    Important

    The encrypted /dev/vdb1 device that is created in this exercise is required to complete the section called “Guided Exercise: Automating Storage Device Decryption with NBDE”. If you choose to skip that guided exercise, then run the lab finish luks-nbde command after running the lab finish luks-manage command at the end of this guided exercise.
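A check that is not part of this exercise: after step 6 the plaintext file system is no longer reachable, but the raw /dev/vdb1 partition still carries a LUKS header, which is what the NBDE exercise relies on. The following added shell script (example code, not from the Red Hat course) reads that header directly with od and dd and reports the LUKS version, label and UUID; the `backup-vol` label and the UUID in the sample image are constructed values, and the offsets are those of the LUKS1/LUKS2 on-disk header.

```shell
#!/bin/bash
# Added example (not part of the Red Hat exercise): read the raw LUKS header
# of a partition or image with od and dd only, so you can confirm that a
# device is a LUKS container even when cryptsetup is not installed.
# Layout shared by LUKS1 and LUKS2: 6-byte magic "LUKS" 0xba 0xbe at offset 0,
# big-endian uint16 version at 6, 40-byte UUID at 168. LUKS1 stores the cipher
# name at 8 and mode at 40; LUKS2 stores a 48-byte label at 24.

# luks_hex FILE OFFSET LENGTH -> hex digits of LENGTH bytes at OFFSET
luks_hex() { od -A n -t x1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# luks_str FILE OFFSET LENGTH -> NUL-padded ASCII field as a string
luks_str() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# luks_header_info FILE
#   prints "LUKS1 cipher=<name>-<mode> uuid=<uuid>" or
#          "LUKS2 label=<label> uuid=<uuid>"; "not-luks" with status 1 otherwise
luks_header_info() {
    local dev=$1 version
    if [ "$(luks_hex "$dev" 0 6)" != "4c554b53babe" ]; then
        echo "not-luks"
        return 1
    fi
    version=$((0x$(luks_hex "$dev" 6 2)))
    case $version in
        1) echo "LUKS1 cipher=$(luks_str "$dev" 8 32)-$(luks_str "$dev" 40 32) uuid=$(luks_str "$dev" 168 40)" ;;
        2) echo "LUKS2 label=$(luks_str "$dev" 24 48) uuid=$(luks_str "$dev" 168 40)" ;;
        *) echo "unknown-luks-version-$version"; return 1 ;;
    esac
}

# Constructed sample: the LUKS2 fixed fields at their real offsets and nothing
# else (no checksum, keyslots or JSON area), enough to exercise the parser.
make_sample_luks2_image() {
    local img=$1
    { printf 'LUKS\272\276\000\002'                     # magic, version 2
      dd if=/dev/zero bs=1 count=16 2>/dev/null         # hdr_size, seqid
      printf 'backup-vol'; dd if=/dev/zero bs=1 count=38 2>/dev/null   # label[48]
      dd if=/dev/zero bs=1 count=96 2>/dev/null         # csum_alg, salt
      printf '0f3c2a1b-0000-4000-8000-00000000abcd'     # uuid[40] at offset 168
      dd if=/dev/zero bs=1 count=4 2>/dev/null
    } > "$img"
}

# On the lab machine, after 'cryptsetup close': luks_header_info /dev/vdb1
```

Run it as root against /dev/vdb1 to see the LUKS2 line with the UUID that `cryptsetup luksFormat` assigned; running it against /dev/mapper/encryptedvdb1 while the mapping is open reports `not-luks`, because that device exposes the decrypted XFS payload, not the header.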

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish luks-manage

Revision: rh415-9.2-a821299