RHEL6 – More on Cryptsetup and Luks — Removing Encryption

Way back in the day — back in March of two thousand-naught-eleven, I added a blog post on how to encrypt a partition using cryptsetup and LUKS on RHEL. Its title, ironically enough, was RHEL, How to Encrypt a Partition Using Cryptsetup and Luks.

Today we are going to talk about how to revert an encrypted partition back to its unencrypted state so that I can use my USB drive normally again.

# cryptsetup status freeagent
/dev/mapper/freeagent is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdd1
  offset:  4096 sectors
  size:    2930267906 sectors
  mode:    read/write

First take note of the device name and the name the dev mapper has given the device. The former is /dev/sdd1 and the latter is /dev/mapper/freeagent.

So first, let's remove the key file mapping, that is, delete the key from the LUKS header on /dev/sdd1. You will be prompted for your LUKS passphrase.

# cryptsetup luksRemoveKey /dev/sdd1
Enter LUKS passphrase to be deleted:

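Then let's remove the /dev/mapper mapping for /dev/sdd1. Once complete, we are free to create a new filesystem on the disk as needed. Note that this does not decrypt the existing data in place; whatever was on the encrypted volume is discarded when the new filesystem is created.

# cryptsetup remove /dev/mapper/freeagent /dev/sdd1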



RHEL – How to Encrypt a Partition using Cryptsetup and LUKS

Cryptsetup uses dm-crypt to encrypt a disk at the partition level. In RHEL, cryptsetup is used with Linux Unified Key Setup (LUKS), a disk encryption specification. Mounting a LUKS encrypted partition requires a passphrase, which can either be passed in a file or via the command line.

Anyway, to use cryptsetup, you first must have a free partition on a disk. In this instance I am using /dev/sdc1, which is a freeagent external USB drive.

First initialize the LUKS partition. My target is /dev/sdc1

# cryptsetup luksFormat /dev/sdc1

Then open the LUKS partition to set up the device-mapper device. The command below creates /dev/mapper/freeagent

# cryptsetup luksOpen /dev/sdc1 freeagent

Create a passkey file if you want the device to be able to automount at boot. Write the passkey into the file before registering it, because luksAddKey reads the file's contents at the moment it runs.

# touch /root/freeagent_passkey && chmod 600 /root/freeagent_passkey

# echo "mypasskey" > /root/freeagent_passkey

Make cryptsetup aware of the key

# cryptsetup luksAddKey /dev/sdc1 /root/freeagent_passkey

Don't forget to make a filesystem

# mkfs -t ext4 /dev/mapper/freeagent

Then add the following to /etc/fstab…

/dev/mapper/freeagent   /freeagent              ext4    _netdev         1 1

And add the following to /etc/crypttab. Note that the first entry is the name of the /dev/mapper device, the second is the underlying partition, and the third is the key file created above.

freeagent       /dev/sdc1       /root/freeagent_passkey

To get a status on a device and to see the mappings between /dev/mapper and /dev/sdc1:

# cryptsetup status /dev/mapper/freeagent

/dev/mapper//dev/mapper/freeagent is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 128 bits
  device:  /dev/sdc1
  offset:  1032 sectors
  size:    2930270970 sectors
  mode:    read/write

Make sure you keep track of when to use /dev/mapper/freeagent vs /dev/sdc1 in the commands above.
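
A quick lint for the crypttab and fstab entries described above, as an added example that is not part of the original post: it flags a crypttab key field that is not a regular file, a key file that is not mode 600, and an fstab line that mounts the raw LUKS partition instead of the /dev/mapper name. The function name check_luks_config is hypothetical, GNU stat is assumed, and the sample files are constructed.

```shell
# Added example (not from the original post). File paths are passed in so the
# check can be run on copies; all sample data below is constructed.
# check_luks_config CRYPTTAB FSTAB: print one line per finding, return 1 if any.
check_luks_config() {
    ct_file=$1; fs_file=$2; ct_bad=0
    while read -r ct_name ct_dev ct_key ct_opts; do
        case $ct_name in ''|'#'*) continue ;; esac
        # Field 3 is the key file; "none" or empty means prompt for a passphrase.
        case $ct_key in
            ''|none) ;;
            *)  if [ ! -f "$ct_key" ]; then
                    echo "$ct_name: key field '$ct_key' is not a regular file"
                    ct_bad=1
                else
                    ct_mode=$(stat -c %a "$ct_key")   # GNU stat, as on RHEL
                    case $ct_mode in
                        600|400) ;;
                        *) echo "$ct_name: key file mode is $ct_mode, expected 600"
                           ct_bad=1 ;;
                    esac
                fi ;;
        esac
        # fstab must mount /dev/mapper/<name>, never the raw LUKS partition.
        if awk -v d="$ct_dev" '$1 == d { hit = 1 } END { exit !hit }' "$fs_file"; then
            echo "$ct_name: fstab mounts raw device $ct_dev, use /dev/mapper/$ct_name"
            ct_bad=1
        fi
    done < "$ct_file"
    return "$ct_bad"
}

# Demo on constructed files: a directory in the key field and a raw device in fstab.
demo=$(mktemp -d)
printf 'freeagent /dev/sdc1 %s\n' "$demo" > "$demo/crypttab"
printf '/dev/sdc1 /freeagent ext4 _netdev 1 1\n' > "$demo/fstab"
check_luks_config "$demo/crypttab" "$demo/fstab" || echo "findings reported"
rm -rf "$demo"
```

On a real system, run it as root against /etc/crypttab and /etc/fstab so the key file can be inspected.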