RHEL – How to Encrypt a Partition using Cryptsetup and LUKS

Cryptsetup uses dm-crypt to encrypt a disk at the partition level. In RHEL, cryptsetup is used with Linux Unified Key Setup (LUKS), a disk encryption specification. Mounting a LUKS-encrypted partition requires a passphrase, which can be supplied either from a key file or on the command line. Read more about dm-crypt here.

To use cryptsetup, you first need a free partition on a disk. In this instance I am using /dev/sdc1, a FreeAgent external USB drive.

First, initialize the LUKS partition. My target is /dev/sdc1. Note that luksFormat destroys any data already on the partition.

#cryptsetup luksFormat /dev/sdc1

Then open the LUKS partition to set up the device-mapper device. The command below creates /dev/mapper/freeagent.

#cryptsetup luksOpen /dev/sdc1 freeagent

Create a key file if you want the device to mount automatically at boot. Anyone who can read this file can unlock the disk, so it must be readable only by root.

#touch /root/freeagent_passkey && chmod 600 /root/freeagent_passkey

Write the key into the file, then make cryptsetup aware of it. The file must already contain the key when luksAddKey reads it; luksAddKey prompts for an existing passphrase before it adds the new key.

#echo "mypasskey" > /root/freeagent_passkey

#cryptsetup luksAddKey /dev/sdc1 /root/freeagent_passkey

Don't forget to make a filesystem on the mapped device.

#mkfs -t ext4 /dev/mapper/freeagent

Then add the following to /etc/fstab…

/dev/mapper/freeagent   /freeagent              ext4    _netdev         1 1

And add the following to /etc/crypttab. Note that the first entry is the name of the /dev/mapper device

freeagent       /dev/sdc1       /freeagent

To get the status of a device and see the mapping between /dev/mapper and /dev/sdc1, pass the mapper name:

#cryptsetup status freeagent

/dev/mapper//dev/mapper/freeagent is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdc1
  offset:  1032 sectors
  size:    2930270970 sectors
  mode:    read/write

Make sure you keep track of when to use /dev/mapper/freeagent vs /dev/sdc1 in the commands above.
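As an added example that is not part of the original post, the following POSIX shell helpers cover the key-file, /etc/crypttab and /etc/fstab steps of the procedure above: a random key file with verified 0600 permissions in place of an echoed word, generators for the two configuration lines in the correct field order (crypttab: mapper name, backing partition, key file, options), and a pre-reboot check that rejects a crypttab key field that points at a directory such as a mount point or at a missing file. The device name /dev/sdc1, the mapper name freeagent and the path /root/freeagent_passkey come from the post; the function names, the random-key choice and the fstab dump/pass values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the key-file,
# /etc/crypttab and /etc/fstab steps of the LUKS procedure. The names
# "freeagent", /dev/sdc1 and /root/freeagent_passkey come from the post; the
# function names and the random-key choice are this example's assumptions.

# make_keyfile PATH [BYTES]
# Create a random binary key file (default 64 bytes) that only root can read.
# A random key is stronger than an echoed word, and the file itself is the
# secret that unlocks the disk, so its size and permissions are verified.
make_keyfile() {
    path=$1
    bytes=${2:-64}
    # umask in a subshell so the file is 0600 from the moment it exists
    ( umask 077; head -c "$bytes" /dev/urandom > "$path" ) || return 1
    chmod 600 "$path" || return 1
    # confirm: exactly 'bytes' bytes, owner read/write only
    [ "$(wc -c < "$path" | tr -d ' ')" -eq "$bytes" ] || return 1
    [ "$(ls -ld "$path" | cut -c1-10)" = "-rw-------" ]
}

# crypttab_entry NAME DEVICE KEYFILE [OPTIONS]
# Emit one /etc/crypttab line. Field order is: mapper name, backing partition,
# key file (or "none" to be prompted at boot), options.
crypttab_entry() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-luks}"
}

# fstab_entry NAME MOUNTPOINT FSTYPE [OPTIONS]
# Emit the matching /etc/fstab line. The first field is the *mapped* device
# /dev/mapper/NAME, never the raw partition, so the mount waits for the unlock.
# Dump flag 1 and fsck pass 2 (non-root filesystem) are this example's choice.
fstab_entry() {
    printf '/dev/mapper/%s\t%s\t%s\t%s\t1 2\n' "$1" "$2" "$3" "${4:-defaults}"
}

# check_crypttab_line LINE
# Sanity-check one crypttab line before rebooting. The third field is the key
# file; a directory there (for example a mount point) or a missing file means
# the unlock fails at boot. Prints the reason and returns 1 on a problem.
check_crypttab_line() {
    set -- $1                       # split the line into its fields
    name=$1; dev=$2; key=$3
    if [ -z "$name" ] || [ -z "$dev" ]; then
        echo "crypttab: need at least a mapper name and a device"; return 1
    fi
    case $dev in
        /dev/*|UUID=*) ;;
        *) echo "crypttab: device '$dev' is neither /dev/... nor UUID=..."; return 1 ;;
    esac
    if [ -n "$key" ] && [ "$key" != none ]; then
        if [ -d "$key" ]; then
            echo "crypttab: '$key' is a directory (a mount point?), not a key file"; return 1
        fi
        [ -f "$key" ] || { echo "crypttab: key file '$key' does not exist"; return 1; }
    fi
    return 0
}

# Usage (as root, after the luksFormat, luksOpen and mkfs steps):
#   make_keyfile /root/freeagent_passkey
#   cryptsetup luksAddKey /dev/sdc1 /root/freeagent_passkey
#   crypttab_entry freeagent /dev/sdc1 /root/freeagent_passkey >> /etc/crypttab
#   fstab_entry freeagent /freeagent ext4 >> /etc/fstab
#   check_crypttab_line "$(tail -n 1 /etc/crypttab)"
```

The checker only inspects the line's shape and the key file's presence; it does not touch the block device, so it is safe to run on a live system before the reboot that would otherwise reveal a bad crypttab entry.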

3 thoughts on “RHEL – How to Encrypt a Partition using Cryptsetup and LUKS”

  1. Dear Eng.
    I tried the procedure you gave, but after finishing it, it did not work. I tried to mount the file system and it did not work; also, when I restarted the machine, it did start and said that the file system created on the encrypted partition is invalid.


  2. Thank you for the writeup! I also had problems with the restart of the machine, and getting a failure. I made two corrections.
    1) in the line with _netdev, I changed _netdev to defaults
    2) Inside of /etc/crypttab, remove the /freeagent
    Now my server is mounting properly.

