In enterprises such as small businesses and government offices users may have to secure their systems in order to protect their private data, which includes customers details, important files, contact details, and so on. To do so, Linux provides good number of cryptographic techniques, which can be used to protect data on physical devices such as hard disks or a removable media. One such cryptographic technique uses the Linux Unified Key Setup-on-disk-format (LUKS). This technique allows for the encryption of Linux partitions.
LUKS has the following functionality:
An entire block device can be encrypted using LUKS. It's well suited to protecting data on removable storage media or laptop disk drives.
Once encrypted, the contents of the encrypted block devices are random, thus making it useful for the encryption of swap devices.
LUKS uses an existing device mapper kernel subsystem.
It also provides a passphrase strengthener, which helps in protecting against dictionary attacks.
For the following process to work, it is necessary that /home is created on a separate partition while installing Linux.
For manually encrypting directories follow these steps:
Move to Run level 1. Type the following command in the shell prompt or terminal:
telinit 1Now, unmount the current /home partition using this command:
umount /homeThe previous command might fail if there is any process controlling
/home. Find and kill any such process using thefusercommand:fuser -mvk /homeCheck to confirm that the
/homepartition is not mounted now:grep home /proc/mountsNow, put some random data into the partition:
shred -v --iterations=1 /dev/MYDisk/homeThe previous command might take some time to complete, so be patient. The time taken depends on the write speed of your device.
Once the previous command completes, initialize the partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/MYDisk/homeOpen the newly created encrypted device:
cryptsetup luksOpen /dev/MYDisk/homeCheck to confirm that the device is present:
ls -l /dev/mapper | grep homeNow create a filesystem:
mkfs.ext3 /dev/mapper/homeThen, mount the new filesytem:
mount /dev/mapper/home /homeConfirm that the filesystem is still visible:
df -h | grep homeEnter the following line in the
/etc/crypttabfile:home /dev/MYDisk/home noneMake changes in the
/etc/fstabfile to delete the entry for/homeand add the following line:/dev/mapper/home /home ext3 defaults 1 2Once completed, run this command to restore the default SELinux security settings:
/sbin/restorecon -v -R /homeReboot the machine:
shutdown -r nowAfter rebooting, the system will prompt us for the LUKS passphrase on boot. You can log in as the root now and restore your backup.
Congratulations! You have successfully created an encrypted partition. Now you can keep all your data safe even when your computer is off.
We first move into running level 1 and unmounting the /home partition. Once unmounted, we fill some random data in the /home partition. Then, we initialize the partition, using the cryptsetup command to encrypt it.
Once the encryption is done, we mount the filesystem back again, and then make an entry of the partition in the /etc/crypttab file. Also, the /etc/fstab file is edited to add an entry for the preceding encrypted partition.
After completing all the steps, we have restored the default settings of SELinux.
Doing this, the system will always ask for the LUKS passphrase on boot.