Chapter 4. Hardening Your System with Tools and Services
4.10. Encryption
4.10.1. Using LUKS Disk Encryption
Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key, which is used for the bulk encryption of the partition.
Overview of LUKS
What LUKS does:
LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage. LUKS uses the existing device mapper kernel subsystem.
LUKS provides passphrase strengthening which protects against dictionary attacks.
LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
What LUKS does not do:
LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
LUKS is not well-suited for applications requiring file-level encryption.
4.10.1.1. LUKS Implementation in Red Hat Enterprise Linux
Red Hat Enterprise Linux 7 utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt your hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.
The default cipher used for LUKS (see cryptsetup --help) is aes-cbc-essiv:sha256 (ESSIV - Encrypted Salt-Sector Initialization Vector). Note that the installation program, Anaconda, uses by default XTS mode (aes-xts-plain64). The default key size for LUKS is 256 bits. The default key size for LUKS with Anaconda (XTS mode) is 512 bits. Ciphers that are available are:
AES - Advanced Encryption Standard - FIPS PUB 197
Twofish (A 128-bit Block Cipher)
Serpent
cast5 - RFC 2144
cast6 - RFC 2612
4.10.1.2. Manually Encrypting Directories
Warning
Following this procedure will remove all data on the partition that you are encrypting.
You WILL lose all your information! Make sure you back up your data to an external source before beginning this procedure!
1. Enter runlevel 1 by typing the following at a shell prompt as root:
telinit 1
2. Unmount your existing /home:
umount /home
3. If the command in the previous step fails, use fuser to find the processes hogging /home and kill them:
fuser -mvk /home
4. Verify /home is no longer mounted:
grep home /proc/mounts
5. Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_home
This command proceeds at the sequential write speed of your device and may take some time to complete. It is an important step to ensure no unencrypted data is left on a used device, and to obfuscate the parts of the device that contain encrypted data as opposed to just random data.
6. Initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
7. Open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
8. Make sure the device is present:
ls -l /dev/mapper | grep home
9. Create a file system:
mkfs.ext3 /dev/mapper/home
10. Mount the file system:
mount /dev/mapper/home /home
11. Make sure the file system is visible:
df -h | grep home
12. Add the following to the /etc/crypttab file:
home /dev/VG00/LV_home none
13. Edit the /etc/fstab file, removing the old entry for /home and adding the following line:
/dev/mapper/home /home ext3 defaults 1 2
14. Restore default SELinux security contexts:
/sbin/restorecon -v -R /home
15. Reboot the machine:
shutdown -r now
16. The entry in /etc/crypttab makes your computer ask for your LUKS passphrase on boot.
17. Log in as root and restore your backup.
You now have an encrypted partition for all of your data to safely rest while the computer is off.
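Steps 12 and 13 are the ones most often got wrong: if the old /home line is left in /etc/fstab, boot mounts the raw logical volume (which now holds only ciphertext) instead of the mapped device. The following POSIX sh check, an added example that is not part of the Red Hat guide, cross-checks a crypttab file against an fstab file: every crypttab mapping must have an fstab entry for /dev/mapper/<name>, and no fstab entry may still mount the raw device that crypttab wraps. Both file paths are parameters, and the sample files it builds are constructed copies, so it runs without touching the live /etc files.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Cross-check crypttab and fstab
# after steps 12-13 of the manual encryption procedure.
#
# check_crypttab_fstab CRYPTTAB FSTAB
#   prints one line per problem found and returns 1 if there were any,
#   returns 0 (printing nothing) when the two files agree.
check_crypttab_fstab() {
    crypttab="$1"
    fstab="$2"
    # crypttab fields: name  underlying-device  keyfile  options
    problems=$(
        grep -v '^[[:space:]]*#' "$crypttab" | grep -v '^[[:space:]]*$' |
        while read -r name device keyfile options; do
            # 1. fstab must mount the decrypted mapping, /dev/mapper/<name>
            if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
                echo "missing: no fstab entry for /dev/mapper/$name"
            fi
            # 2. the raw device must no longer be mounted directly (old entry not removed)
            if grep -q "^$device[[:space:]]" "$fstab"; then
                echo "stale: fstab still mounts raw device $device (mapped as $name)"
            fi
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# make_samples: write constructed crypttab/fstab files into a temp directory
# and print the directory name. The entries mirror steps 12 and 13 above.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# constructed sample crypttab
home /dev/VG00/LV_home none
EOF
    cat > "$dir/fstab.good" <<'EOF'
# constructed sample fstab, old /home entry replaced as in step 13
/dev/mapper/home /home ext3 defaults 1 2
EOF
    cat > "$dir/fstab.bad" <<'EOF'
# constructed sample fstab, old /home entry left in place (step 13 skipped)
/dev/VG00/LV_home /home ext3 defaults 1 2
EOF
    echo "$dir"
}

# Usage against the constructed samples; point the function at /etc/crypttab
# and /etc/fstab to check a real system before rebooting in step 15.
samples=$(make_samples)
check_crypttab_fstab "$samples/crypttab" "$samples/fstab.good" && echo "good fstab: OK"
check_crypttab_fstab "$samples/crypttab" "$samples/fstab.bad" || echo "bad fstab: problems found"
```

The check is deliberately conservative: it matches device names literally at the start of an fstab line, so an fstab that uses UUID= or LABEL= for the mapped file system will be reported as missing and should be reviewed by hand.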
4.10.1.3. Add a New Passphrase to an Existing Device
Use the following command to add a new passphrase to an existing device:
cryptsetup luksAddKey device
After being prompted for any one of the existing passphrases for authentication, you will be prompted to enter the new passphrase.
4.10.1.4. Remove a Passphrase from an Existing Device
Use the following command to remove a passphrase from an existing device:
cryptsetup luksRemoveKey device
You will be prompted for the passphrase you wish to remove and then for any one of the remaining passphrases for authentication.
4.10.1.5. Creating Encrypted Block Devices in Anaconda
You can create encrypted devices during system installation. This allows you to easily configure a system with encrypted partitions.
To enable block device encryption, check the Encrypt System check box when selecting automatic partitioning or the Encrypt check box when creating an individual partition, software RAID array, or logical volume. After you finish partitioning, you will be prompted for an encryption passphrase. This passphrase will be required to access the encrypted devices. If you have pre-existing LUKS devices and provided correct passphrases for them earlier in the install process, the passphrase entry dialog will also contain a check box. Checking this check box indicates that you would like the new passphrase to be added to an available slot in each of the pre-existing encrypted block devices.
Note
Checking the Encrypt System check box on the Automatic Partitioning screen and then choosing Create custom layout does not cause any block devices to be encrypted automatically.
Note
You can use kickstart to set a separate passphrase for each new encrypted block device.
4.10.1.6. Additional Resources
For additional information on LUKS or encrypting hard drives under Red Hat Enterprise Linux 7 visit one of the following links:
LUKS home page
LUKS/cryptsetup FAQ
LUKS - Linux Unified Key Setup Wikipedia article
HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive and pvmove
4.10.2. Creating GPG Keys
GPG is used to identify yourself and authenticate your communications, including those with people you do not know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows someone to be reasonably certain that communications signed by you actually are from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering the message.
4.10.2.1. Creating GPG Keys in GNOME
To create a GPG Key in GNOME, follow these steps: