Sometimes data may need to be secured. For a server environment, you can lock the data down with permissions that only allow specific people to get to the data.
The problem arises when a business may have employees that are using portable devices, such as laptops. If someone steals the laptop or it’s lost, this could pose a security risk if someone recovers the data.
We can assume that some people need immediate access to a client list or other important data that must be kept from anyone outside the company.
We can handle this by creating an encrypted volume that stores the data and keeps it safe.
Encryption Service
We will use the Linux Unified Key Setup (LUKS) to manage the encryption of the data.
To start, we need the ‘dm_crypt’ kernel module, which is not loaded by default.
To check that the kernel was built with it, we can use the command:
Code:
grep -i DM_CRYPT /boot/config-$(uname -r)
NOTE: You will need to use ‘sudo’ for these commands or use ‘sudo su’ to switch to elevated privileges.
The result should show ‘CONFIG_DM_CRYPT=m’, meaning it is built as a loadable module. We can see whether the system has loaded the module with:
Code:
lsmod | grep dm_crypt
You should not see the module name in the list, since the module has not been loaded yet.
So, to have the module load at boot time, we need to create a new file in the folder that lists modules to be loaded at boot.
Run the following command to see which file names are already taken:
Code:
ls /etc/modules-load.d
You should not have a file named ‘load.conf’, so this is the one we will use. If you do have a file named ‘load.conf’, choose another valid name.
Edit the file with the name you have chosen in the ‘/etc/modules-load.d’ folder. Add one line to it:
Code:
dm_crypt
Save and exit the file. If you reboot your system now, the module is loaded when the system starts back up. Just check:
Code:
lsmod | grep dm_crypt
Now you are ready to set up an encrypted space.
Volume or Partition
Whether you use a partition or volume is up to you. I will show it both ways. For my CentOS system, I will use a volume, and on Ubuntu I will use a partition.
So, in my CentOS system, I will create a volume named ‘data’. By using the command ‘vgs’ I can get a list of my volume groups and see that my ‘vgroup’ has 456MB free. So, we will create a new volume:
Code:
lvcreate -L 400m -n data vgroup
Now the logical volume exists named ‘data’.
For Ubuntu, I have 5.75 GB of unused storage on ‘/dev/sdb’, where I will create a partition using GParted and leave it unformatted. It will be ‘/dev/sdb16’.
Be sure to have the ‘dm_crypt’ module loaded.
Encryption Format
For this next section, you will need to verify the installation of the ‘cryptsetup’ utility.
CentOS:
Code:
sudo yum install cryptsetup
Ubuntu:
Code:
sudo apt install cryptsetup-bin
You can verify these by just running ‘cryptsetup’ in a terminal. You should get the help information for the program.
For CentOS, we need to get the volume ready, so run:
Code:
cryptsetup -y luksFormat /dev/vgroup/data
The system will prompt you to type ‘YES’ in uppercase to continue. The ‘-y’ parameter makes cryptsetup prompt for the passphrase twice, to verify it.
The passphrase must pass a dictionary test, so use a passphrase that is not a dictionary word, with upper- and lowercase letters, numbers and punctuation characters as needed. Formatting may take some time.
For the Ubuntu system, the command is:
Code:
cryptsetup -y luksFormat /dev/sdb16
The same prompts appear as on CentOS. Just make sure you give the correct partition name. In GParted, the partition's File System is now listed as ‘Encrypted’.
The partition and volume are both set as encrypted. Now, we only need to open and format the volume and partition for storing files.
For CentOS, use:
Code:
cryptsetup luksOpen /dev/vgroup/data data
mkfs.xfs /dev/mapper/data
This opens the ‘data’ volume under the mapping name ‘data’, which appears as ‘/dev/mapper/data’; ‘/dev/mapper/’ is where device-mapper places logical volumes and opened LUKS mappings alike. The system prompts you for the passphrase before the mapping is created.
The ‘mkfs.xfs’ line formats the opened mapping as XFS.
For Ubuntu, we can use the following two commands:
Code:
cryptsetup luksOpen /dev/sdb16 data
mkfs.ext4 /dev/mapper/data
For Ubuntu, we formatted the partition as ext4, whereas for CentOS we used XFS. These are the two filesystems used here for the encrypted space.
NOTE: As you see, ‘luksOpen’ opens (unlocks) the storage; ‘luksClose’ closes it again. Just pass the name you used when opening it, after unmounting the filesystem.
Mounting the Encrypted Space
The best way is to have the volume or partition mounted through the ‘/etc/fstab’ file. You cannot put the encrypted device into ‘fstab’ directly; it must first be unlocked through ‘/etc/crypttab’, and ‘fstab’ then mounts the opened mapping.
To mount the volume at boot, we need a place to put the mounted storage and the UUID for the ‘fstab’ file.
So, to make the mount point, let’s place it at ‘/data’. We need a folder here, so use:
Code:
mkdir /data
Perform this command on either system. You can use a different folder if you wish.
Now, we need the UUID of the storage. To get the UUID, use:
Code:
blkid | grep /dev/mapper/data
From the output, select and copy the UUID, including ‘UUID=’ and everything up to the closing double-quote after the alphanumeric code.
This UUID belongs to the filesystem inside the opened mapping, so it is the one for ‘/etc/fstab’. ‘/etc/crypttab’ needs its own line that names the mapping (‘data’, as used with ‘luksOpen’) and gives the UUID of the LUKS container itself, which you get from ‘blkid /dev/vgroup/data’ on CentOS or ‘blkid /dev/sdb16’ on Ubuntu; that line unlocks the container at boot so that ‘/dev/mapper/data’ exists before ‘fstab’ is processed. Open or create ‘/etc/crypttab’ and add, for example:
Code:
data UUID=<LUKS container UUID> none luks
Then open ‘/etc/fstab’ and add the mount line, using the UUID you copied above:
Code:
UUID="eb7dd309-8879-4371-86e1-dffd561e330e" /data xfs defaults 0 0
If you used a different folder than ‘/data’, change it as needed. If you used ext4 instead of XFS, then replace that as well. The rest should be the same.
Save and exit the file and if you want, reboot to test the setup.
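Before rebooting, it is worth checking that the two files agree with each other, because a mistake here leaves the system unable to mount ‘/data’ at boot. The following shell check is an added example and not part of the original tutorial: it confirms that ‘/etc/crypttab’ has an entry unlocking the LUKS container and that ‘/etc/fstab’ mounts the resulting ‘/dev/mapper/’ device, and it rejects the common mistake of putting the fstab-style line into crypttab. The mapping name ‘data’, the container UUID and the demo file paths are assumptions; the filesystem UUID is the one from the example above.

```shell
#!/bin/sh
# Pre-reboot sanity check for the crypttab/fstab pair. Added example, not from the
# original tutorial. Assumes the mapping name used with luksOpen ("data" below), the LUKS
# container UUID (from 'blkid /dev/vgroup/data' or 'blkid /dev/sdb16', not /dev/mapper/data)
# and the filesystem UUID that blkid printed for /dev/mapper/data.

# Print the crypttab mapping name whose source device is the given LUKS container UUID.
# Args: crypttab-file container-uuid. Returns 1 if nothing unlocks that container at boot.
crypttab_mapping() {
  awk -v uuid="$2" '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    NF >= 2 { src = $2; gsub(/"/, "", src)         # tolerate UUID="..." as copied from blkid
              if (src == "UUID=" uuid) { print $1; found = 1; exit } }
    END { exit !found }' "$1"
}

# Print the mount point at which fstab mounts the opened mapping, located either by its
# /dev/mapper path or by the filesystem UUID. Args: fstab-file mapping-name fs-uuid.
fstab_mount_point() {
  awk -v name="$2" -v uuid="$3" '
    /^[ \t]*(#|$)/ { next }
    NF >= 2 { src = $1; gsub(/"/, "", src)
              if (src == "/dev/mapper/" name || src == "UUID=" uuid) { print $2; found = 1; exit } }
    END { exit !found }' "$1"
}

# Both checks together: prints "<mapping> <mountpoint>" on success, returns 1 otherwise.
# Args: crypttab-file fstab-file container-uuid fs-uuid
check_boot_config() {
  name=$(crypttab_mapping "$1" "$3") || { echo "no crypttab entry unlocks container $3" >&2; return 1; }
  mnt=$(fstab_mount_point "$2" "$name" "$4") || { echo "fstab never mounts /dev/mapper/$name" >&2; return 1; }
  echo "$name $mnt"
}

# Demo on constructed files (container UUID is made up; the filesystem UUID is the tutorial's):
# a broken pair that puts the fstab-style line into crypttab, and a correct pair.
demo_dir=$(mktemp -d)
CONTAINER_UUID=11111111-2222-3333-4444-555555555555
FS_UUID=eb7dd309-8879-4371-86e1-dffd561e330e
printf 'UUID="%s" /data xfs defaults 0 0\n' "$FS_UUID" > "$demo_dir/crypttab.broken"
printf '# unlock the LUKS container; fstab then mounts /dev/mapper/data\ndata UUID=%s none luks\n' \
  "$CONTAINER_UUID" > "$demo_dir/crypttab.fixed"
printf 'UUID="%s" /data xfs defaults 0 0\n' "$FS_UUID" > "$demo_dir/fstab"
check_boot_config "$demo_dir/crypttab.broken" "$demo_dir/fstab" "$CONTAINER_UUID" "$FS_UUID" \
  || echo "broken pair rejected, as expected"
check_boot_config "$demo_dir/crypttab.fixed" "$demo_dir/fstab" "$CONTAINER_UUID" "$FS_UUID"
rm -rf "$demo_dir"
```

For a real system, run the check as `check_boot_config /etc/crypttab /etc/fstab <container UUID> <filesystem UUID>`; it prints the mapping name and mount point only when both files line up.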
Once rebooted, open a terminal and issue the command:
Code:
sudo chown <user> /data
Replace ‘<user>’ with your username so you can access the encrypted folder.
You now have an encrypted storage device, whether it is a logical volume or a partition.
Conclusion
We have covered how you can create an encrypted storage unit. This can definitely be handy for any data that you do not want anyone to access but you.
For mobile Linux systems, this can definitely help with security for files and folders.