CentOS 5.3: Encrypted Block Devices

CentOS 5.3 now ships with disk encryption. When you install the operating system you have the option to encrypt the block devices (partitions) that you create. Block device encryption requires a passphrase or key for authentication before the data on that partition can be accessed. The advantage of block encryption is that the protection holds even if the disk is removed from the operating system it was installed under. This is valuable not only for laptops but also for disks in servers that may be moved or thrown away. Having recently wiped and "hammered" old server disks to protect the company's data, I would find it reassuring to know that an additional layer of security covers that data.

The encryption is done using dm-crypt/LUKS. LUKS (Linux Unified Key Setup) defines the on-disk format for the encrypted data and also provides the passphrase and key management policy. LUKS sits on top of dm-crypt, a target of the kernel's device-mapper subsystem, which performs the actual encryption and decryption of the block device. Device-mapper is the same subsystem that LVM is built on, so it has already proven itself stable. One of the advantages of LUKS is that it does not care what the block device holds, so you can encrypt your swap space as well as ext3 filesystems, LVM physical volumes and RAID arrays. A disadvantage of LUKS is that it is not a good choice for file-level encryption.

If you choose to encrypt a block device, be prepared as an administrator to provide the passphrase when the system boots so that the block device can be opened. For better security you can first fill the block device with random data, so that the encrypted payload cannot be distinguished from unused space:

dd if=/dev/urandom of=/dev/sdb3

Be sure to choose the correct device, as on your system it will probably not be /dev/sdb3. And of course, any time you fill a partition from urandom, all information on that partition is lost.

You can also create encrypted block devices after installation. Start by creating a partition:

# fdisk /dev/sdb

Command (m for help): p

Disk /dev/sdb: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         127     1020096   83  Linux
/dev/sdb2             128         254    1020127+   83  Linux

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (255-783, default 255):
Using default value 255
Last cylinder or +size or +sizeM or +sizeK (255-783, default 783): +500M

Command (m for help): p

Disk /dev/sdb: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         127     1020096   83  Linux
/dev/sdb2             128         254    1020127+   83  Linux
/dev/sdb3             255         316      498015   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.

Run partprobe so the kernel picks up the new partition without a reboot:

# partprobe

Initialise the partition as a LUKS volume and set its passphrase. This destroys whatever the partition held before:

# cryptsetup luksFormat /dev/sdb3

WARNING!
========
This will overwrite data on /dev/sdb3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Verify that the device now carries a LUKS header:

# cryptsetup isLuks /dev/sdb3 && echo Success
Success

Get information about the LUKS partition:

# cryptsetup luksDump /dev/sdb3
LUKS header information for /dev/sdb3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      4b 35 7f 88 90 0a 8c 7c b1 1e 39 58 07 91 a6 dd ce f8 74 1b
MK salt:        85 00 22 c0 b1 ff 20 20 40 0f a8 92 58 d3 92 4a
                b5 d2 0b ff 5f c5 75 b9 53 bc 89 ac 51 26 ec a0
MK iterations:  10
UUID:           d77eb752-8a90-4d94-ae9f-2bec0a22c5d3

Key Slot 0: ENABLED
        Iterations:             400623
        Salt:                   7b e5 a5 d8 a7 b8 60 20 e7 62 1c 5b a9 da c4 99
                                7d 04 1b 45 50 fa f4 e5 fd d9 29 60 5b 5e eb aa
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Check the UUID for the partition; you will need it for /etc/crypttab and /etc/fstab later:

# cryptsetup luksUUID /dev/sdb3
d77eb752-8a90-4d94-ae9f-2bec0a22c5d3

Open the volume, giving the decrypted mapping a name (db here). This creates the device /dev/mapper/db:

# cryptsetup luksOpen /dev/sdb3 db
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

View information about the mapped device with:

# dmsetup info db
Name:              db
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      253, 1
Number of targets: 1

Create an ext3 filesystem on the mapped device (not on /dev/sdb3 itself), make a mount point, and mount it:

# mke2fs -j /dev/mapper/db
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
124440 inodes, 497496 blocks
24874 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
61 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

# mkdir /db
# mount /dev/mapper/db /db
# ls /db
lost+found

Add an Entry in /etc/crypttab

You must add an entry to /etc/crypttab for each encrypted partition so that it is opened at boot and can then be mounted. Each line has three fields: the name of the mapping (here the string luks- followed by the UUID), the underlying device identified as UUID=<uuid>, and the key file, where none means you are prompted for the passphrase at boot. LUKS assigns a UUID (Universally Unique Identifier) to each device, just as LVM does for a physical volume. The advantage of the UUID is that it remains constant even if you move the disk or add other partitions.

luks-86470780-c8aa-4e5d-ad75-42616b381998 UUID=86470780-c8aa-4e5d-ad75-42616b381998 none
luks-d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 UUID=d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 none

Edit the /etc/fstab

Here again the fstab refers to the partition through the /dev/mapper/luks-<UUID> device that crypttab creates, not through the raw partition. Note that two encrypted partitions are mounted in this example: one block device that was created at install time and another that was created manually after installation.

LABEL=/                                                 /           ext3    defaults        1 1
LABEL=/home                                             /home       ext3    defaults        1 2
/dev/mapper/luks-86470780-c8aa-4e5d-ad75-42616b381998   /data       ext3    defaults        1 2
LABEL=/boot                                             /boot       ext3    defaults        1 2
tmpfs                                                   /dev/shm    tmpfs   defaults        0 0
devpts                                                  /dev/pts    devpts  gid=5,mode=620  0 0
sysfs                                                   /sys        sysfs   defaults        0 0
proc                                                    /proc       proc    defaults        0 0
LABEL=SWAP-sda2                                         swap        swap    defaults        0 0
/dev/mapper/luks-d77eb752-8a90-4d94-ae9f-2bec0a22c5d3   /db         ext3    defaults        0 0

When you reboot the server you will need to provide the passphrase for each partition that you have encrypted.
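As an added example (not from the original article), the following POSIX shell script builds crypttab and fstab lines in the luks-<UUID> convention used above from a LUKS UUID, and audits a crypttab/fstab pair for /dev/mapper/luks-* mounts that have no matching crypttab entry, a mismatch that leaves the mount failing at boot. The sample file contents are constructed from the entries shown above, with the second crypttab line deliberately left out.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Builds crypttab/fstab lines in the luks-<UUID> convention and audits a
# crypttab/fstab pair for mapper devices that fstab mounts but crypttab
# never defines (such a mount fails at boot: /dev/mapper/<name> is absent).

# crypttab_entry UUID -> "luks-<uuid> UUID=<uuid> none" (none = prompt at boot)
crypttab_entry() {
    printf 'luks-%s UUID=%s none\n' "$1" "$1"
}

# fstab_entry UUID MOUNTPOINT [FSCK_PASS] -> ext3 mount of the mapped device
fstab_entry() {
    printf '/dev/mapper/luks-%s %s ext3 defaults 0 %s\n' "$1" "$2" "${3:-0}"
}

# audit_mappings CRYPTTAB_TEXT FSTAB_TEXT
# Prints "<mapper name> (<mount point>)" for every /dev/mapper/luks-* device
# in fstab that has no crypttab line beginning with that mapping name.
audit_mappings() {
    crypt=$1
    printf '%s\n' "$2" | while read -r dev mnt _rest; do
        case "$dev" in
            /dev/mapper/luks-*) ;;   # only LUKS mappings are of interest
            *) continue ;;           # labels, pseudo-filesystems, comments
        esac
        name=${dev#/dev/mapper/}
        if ! printf '%s\n' "$crypt" | grep -q "^$name[[:space:]]"; then
            printf '%s (%s)\n' "$name" "$mnt"
        fi
    done
}

# Constructed sample files: crypttab is missing the /db volume on purpose.
SAMPLE_CRYPTTAB='luks-86470780-c8aa-4e5d-ad75-42616b381998 UUID=86470780-c8aa-4e5d-ad75-42616b381998 none'

SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
/dev/mapper/luks-86470780-c8aa-4e5d-ad75-42616b381998 /data ext3 defaults 1 2
LABEL=SWAP-sda2 swap swap defaults 0 0
/dev/mapper/luks-d77eb752-8a90-4d94-ae9f-2bec0a22c5d3 /db ext3 defaults 0 0'

# Stand-alone run: report each gap and print the crypttab line that closes it.
audit_mappings "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" | while read -r name mnt; do
    echo "missing crypttab entry for $name, mounted at $mnt; add:"
    crypttab_entry "${name#luks-}"
done
```

Run it against the real files with `audit_mappings "$(cat /etc/crypttab)" "$(cat /etc/fstab)"` before rebooting, so a forgotten crypttab line is caught while the system is still up.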