How To Encrypt A Filesystem On Redhat 6.4/Centos 6.4 Linux (FIPS or NO FIPS)

Quick tutorial on how to encrypt a filesystem (at the block-device level) on Red Hat Enterprise Linux 6.4 or its rebuilds, CentOS 6.4 and Oracle Linux 6.4. It is a three-step process: 1) enable FIPS mode (if required), 2) encrypt the device with LUKS, and 3) unlock and mount it automatically at boot, if desired.

I put this guide together because at first it was a bit roundabout to verify the FIPS part with the LUKS part. Eventually I pulled from a few different resources to come up with this procedure.

Here we go!

What I won’t cover

I *WILL NOT* cover what filesystem encryption is

You came here to figure out how to encrypt a filesystem. So I won’t cover what it is exactly or why you’d want to do it.

I *WILL NOT* cover booting off of encrypted filesystems

I will only encrypt a non-OS filesystem, such as /home, or something arbitrary like /data, because that was the goal of the project this guide came out of.


What I will cover

I *WILL* cover enabling FIPS
I will cover enabling FIPS 140-2 mode, since if you have a corporate or security requirement for filesystem encryption it will usually mandate FIPS.

I *WILL* cover how to open/unencrypt and mount on boot/reboot

That has obvious security implications (the key has to live somewhere the system can read without a human typing it), but I'm sure it will be of interest to many of you.

Part 1: Enabling FIPS (optional) on your CentOS 6.4

You can skip this part if you do not want to follow FIPS encryption standard. The steps for encrypting a filesystem are the same whether you adhere to FIPS or not.

1. Have your install DVD handy

The first reason is to install dracut-fips.

The second reason is in case you need to boot into rescue mode. Part of the process is editing your grub.conf. One syntactical error and you’re toast and will have to boot rescue mode.

2. Check if FIPS is enabled

Because heck, if it's already enabled you can skip to the next part!

[root@centos64]# cat /proc/sys/crypto/fips_enabled
0
[root@centos64]#

0 = disabled
1 = enabled

3. Disable future prelinking

Prelinking rewrites shared libraries and executables on disk, which breaks the integrity checks FIPS mode performs on the crypto libraries, so it has to be turned off here and undone in the next step.

[root@centos64]# vi /etc/sysconfig/prelink

Change
PRELINKING=yes
to
PRELINKING=no

4. Undo all current prelinking now

[root@centos64]# prelink -ua

5. Install dracut-fips

From the install DVD or from a yum repository:

[root@centos64]# yum install dracut-fips

6. Rebuild your initramfs

dracut-fips adds the FIPS integrity check of the kernel image (against /boot/.vmlinuz-<version>.hmac) to the initramfs, so it has to be regenerated for the running kernel:

[root@centos64]# dracut -f

7. Backup your grub.conf file

First, where is grub.conf? It will be in one of these two locations
/boot/grub/grub.conf
/boot/efi/EFI/redhat/grub.conf

In my example, it is in /boot/grub/grub.conf

[root@centos64]# cp -p /boot/grub/grub.conf /boot/grub/grub.conf.pre-fips

8. Find out which device the /boot filesystem is on

[root@vacprhel64-test redhat]# df -h
Filesystem                            1K-blocks     Used Available Use% Mounted on
/dev/mapper/vg_vacprhel64tes-lv_root  137819200  8383172 122435148   7% /
tmpfs                                  26753972      460  26753512   1% /dev/shm
/dev/sda2                                495844    41664    428580   9% /boot
/dev/sda1                                204580      260    204320   1% /boot/efi
[root@vacprhel64-test redhat]#

9. Add "fips=1" and "boot=<device>" to the "kernel" line in grub.conf

fips=1 turns FIPS mode on in the kernel. boot= tells the dracut-fips code in the initramfs where /boot is, so it can find the kernel's .hmac file and verify the kernel image before continuing; it is only needed when /boot is a separate filesystem. For me, /boot is on /dev/sda2. The UUID form (boot=UUID=<uuid of the /boot filesystem>) is also accepted and survives the disk being renumbered.

[root@centos64]# vi /boot/grub/grub.conf

Append "fips=1 boot=/dev/sda2" to the end of the kernel command line of every entry you intend to boot.

So this is my edited grub.conf file


[root@centos64]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/mapper/vg_centos6464bittempl-lv_root
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-358.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_centos6464bittempl-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_LVM_LV=vg_centos6464bittempl/lv_swap rd_LVM_LV=vg_centos6464bittempl/lv_root rd_NO_MD crashkernel=auto SYSFONT=latarcyrheb-sun16 rd_NO_DM rhgb quiet fips=1 boot=/dev/sda2
initrd /initramfs-2.6.32-358.el6.x86_64.img
[root@centos64]#

10. REBOOT!

Have your install DVD handy. If you messed up the syntax of your grub.conf file, it will not boot and you will need to boot into rescue mode. From here, you will either edit the grub.conf file and fix the syntax OR you can copy your backup back to the original and let it boot fully and then try the steps again.

[root@centos64]# reboot

11. Check if FIPS is enabled

[root@centos64]# cat /proc/sys/crypto/fips_enabled
1
[root@centos64]#

0 = disabled
1 = enabled

12. DONE enabling FIPS
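The grub.conf edit in step 9 is the one place where a typo costs you a rescue boot, so here is Part 1 as a script. It is an added example, not part of the original post: add_fips_to_grub appends fips=1 and boot=UUID=<uuid> to every kernel line that does not already carry fips=1 (so it can be re-run), keeps a .pre-fips backup as in step 7, and the live path (FIPS_APPLY=1) runs the prelink, dracut-fips and dracut steps first. Without FIPS_APPLY it only exercises the editor on a constructed grub.conf fragment. The boot= value is the UUID of the /boot filesystem rather than /dev/sda2; both forms are accepted by dracut-fips. The function names and the FIPS_APPLY variable are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: Part 1 (FIPS mode) as a script.
# The live path needs root on a RHEL/CentOS 6 box; the default path only runs
# the grub.conf editor on a constructed fragment so it can be tried anywhere.
set -eu

# UUID of the filesystem holding /boot (or of / when /boot is not separate).
# Uses df -P because findmnt is not in RHEL 6's util-linux.
boot_uuid() {
    local dev
    dev=$(df -P /boot | awk 'NR == 2 { print $1 }')
    blkid -s UUID -o value "$dev"
}

# Append "fips=1 boot=UUID=$2" to every "kernel" line of grub.conf $1 that does
# not already have fips=1, keeping a .pre-fips backup of the untouched file.
# Re-running it is a no-op; the file is rewritten in place.
add_fips_to_grub() {
    local conf=$1 uuid=$2 tmp
    [ -e "$conf.pre-fips" ] || cp -p "$conf" "$conf.pre-fips"
    tmp=$(mktemp)
    awk -v uuid="$uuid" '
        /^[[:space:]]*kernel[[:space:]]/ && $0 !~ /[[:space:]]fips=1([[:space:]]|$)/ {
            $0 = $0 " fips=1 boot=UUID=" uuid
        }
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Number of "kernel" lines in $1 that carry fips=1; the post-edit check.
count_fips_kernels() {
    grep -cE '^[[:space:]]*kernel[[:space:]].*[[:space:]]fips=1([[:space:]]|$)' "$1" || true
}

# Steps 3-9 of Part 1 on the live system (the reboot and step 11 are yours).
apply_live() {
    local conf=/boot/grub/grub.conf
    [ -f "$conf" ] || conf=/boot/efi/EFI/redhat/grub.conf
    sed -i 's/^PRELINKING=yes/PRELINKING=no/' /etc/sysconfig/prelink
    prelink -ua
    yum -y install dracut-fips
    dracut -f
    add_fips_to_grub "$conf" "$(boot_uuid)"
    echo "kernel entries with fips=1 in $conf: $(count_fips_kernels "$conf")"
}

# Dry run on a constructed grub.conf fragment (not a real system file).
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
default=0
timeout=5
title CentOS (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg-lv_root rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img
EOF
    add_fips_to_grub "$tmp" 11111111-2222-3333-4444-555555555555
    add_fips_to_grub "$tmp" 11111111-2222-3333-4444-555555555555   # no-op second run
    cat "$tmp"
    rm -f "$tmp" "$tmp.pre-fips"
}

if [ "${FIPS_APPLY:-0}" = 1 ]; then apply_live; else demo; fi
```

Run it once without FIPS_APPLY to see the edited fragment, then with FIPS_APPLY=1 as root. After the reboot, step 11's cat of /proc/sys/crypto/fips_enabled is still the only thing that proves the kernel actually came up in FIPS mode.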

Part 2: Encrypting A Filesystem on your CentOS 6.4 Using LUKS

The target can be a whole disk, a partition, an LVM logical volume, etc. Encryption is done at the block-device level, so we are looking for something under "/dev/".

If FIPS mode is enabled (previous section), cryptsetup and the kernel's dm-crypt use only the FIPS-validated implementations (the kernel refuses non-approved algorithms), and cryptsetup confirms it with "Running in FIPS mode." during luksFormat. The cipher itself is the same either way: cryptsetup on RHEL 6 defaults to aes-cbc-essiv:sha256 with a 256-bit key, and "cryptsetup luksDump <device>" shows what a container was actually formatted with. You can find out more about LUKS here: RedHat LUKS Disk Encryption

Note: encrypting a device will DESTROY whatever is on there. If you need the data, back it up elsewhere, encrypt the device, then copy it back.

1. Designate which device will be encrypted

Whether you have to allocate a new disk, a new logical volume (LV), etc… first we need to know which one. In my example, I have a LV /dev/vgtest/testlv.

2. If this is an existing volume, "shred" it

In other words, destroy the data that's already on there. The device must not be mounted while you do this (shred fails on a mounted device).

[root@centos64]# shred -v --iterations=1 /dev/vgtest/testlv

3. Encrypt the device. During this step you create and verify the passphrase that opens it

[root@centos64]# cryptsetup --verbose --verify-passphrase luksFormat /dev/vgtest/testlv

Here is my sample session


[root@centos64]# cryptsetup --verbose --verify-passphrase luksFormat /dev/vgtest/testlv

WARNING!
========
This will overwrite data on /dev/vgtest/testlv irrevocably.

Are you sure? (Type uppercase yes): YES <-- type in "YES"
Enter LUKS passphrase:
Verify passphrase:
Running in FIPS mode. <-- will not appear if FIPS not enabled
Command successful.
[root@centos64]#

4. Open the device and alias it to "somename" of your choice

[root@centos64]# cryptsetup luksOpen /dev/vgtest/testlv somename
Enter passphrase for /dev/vgtest/testlv: <--- Enter encryption password here
[root@centos64]#

5. Verify mapper has the path

[root@centos64]# ls /dev/mapper/somename

At this point, treat /dev/mapper/somename as you would any ordinary block device: it is the decrypted view of /dev/vgtest/testlv, and everything written through it lands on the LV encrypted.

6. Create filesystem as you normally would

[root@centos64]# mkfs -t ext3 /dev/mapper/somename

7. Mount it and verify it

[root@centos64]# mount /dev/mapper/somename /mnt

Use “df” to check it’s mounted. Create files, etc.

8. Closing your filesystem

At any time if you want to take it offline, unmount it first and then close the mapping with:
[root@centos64]# cryptsetup luksClose somename

9. Adding more passphrases

LUKS keeps up to eight key slots, and any one of them opens the volume. If you want to add another passphrase, use this command:
[root@centos64]# cryptsetup luksAddKey /dev/vgtest/testlv

It will ask you for an existing passphrase first. Then it will ask you to type in the new passphrase to be added and to verify it.


[root@centos64]# cryptsetup luksAddKey /dev/vgtest/testlv
Enter any passphrase: <--- Enter encryption password here
Enter new passphrase for key slot: <--- Enter additional/new encryption password here
Verify passphrase: <--- Verify additional/new encryption password here
[root@centos64]#

10. DONE encrypting your filesystem
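Steps 2 to 7 of this part as one function, together with a check a practitioner wants afterwards: a parser for "cryptsetup luksDump" output that reports what a container was really formatted with (cipher, hash, key size, how many key slots are in use), which is how you tell what an inherited volume uses instead of assuming the defaults. This is an added example, not code from the original post. The provisioning function is only run when LUKS_DEV is set (it needs root and a real device); otherwise the script runs the parser over a constructed luksDump sample in the cryptsetup 1.2 layout used on RHEL 6. The function names, the environment variables and the sample are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: the Part 2 steps as one function,
# plus a parser for "cryptsetup luksDump" output that reports what a container
# was actually formatted with (cipher, hash, key size, key slots in use).
set -eu

# Steps 2-7 of Part 2 in order. Refuses to run on a device that is mounted
# (shred would fail anyway) or that already carries a LUKS header, so a typo
# in the device name cannot reformat the wrong volume. Live: needs root.
luks_provision() {
    local dev=$1 name=$2 mnt=$3 fstype=${4:-ext3} real mdev
    real=$(readlink -f "$dev")
    while read -r mdev _; do
        if [ "$(readlink -f "$mdev" 2>/dev/null)" = "$real" ]; then
            echo "$dev is mounted; umount it first" >&2
            return 1
        fi
    done < /proc/mounts
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already has a LUKS header; refusing to reformat it" >&2
        return 1
    fi
    shred -v --iterations=1 "$dev"
    cryptsetup --verbose --verify-passphrase luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs -t "$fstype" "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    cryptsetup luksDump "$dev" | luks_summary
}

# Summarise "cryptsetup luksDump" output (stdin) as one key=value line.
# Run it after luksFormat, or on an inherited box, to see what the container
# really uses rather than assuming the defaults.
luks_summary() {
    awk '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        /^Cipher name:/ { cipher = val($0) }
        /^Cipher mode:/ { mode = val($0) }
        /^Hash spec:/   { hash = val($0) }
        /^MK bits:/     { bits = val($0) }
        /^UUID:/        { uuid = val($0) }
        /^Key Slot [0-9]+: ENABLED/ { slots++ }
        END {
            printf "uuid=%s cipher=%s-%s hash=%s keybits=%s enabled_slots=%d\n",
                   uuid, cipher, mode, hash, bits, slots + 0
        }
    '
}

# Constructed luksDump output in the cryptsetup 1.2 (RHEL 6) layout, with the
# passphrase from step 3 and the extra one from step 9 enrolled. Not real data.
SAMPLE_DUMP='LUKS header information for /dev/vgtest/testlv

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      ...
MK salt:        ...
MK iterations:  21250
UUID:           4f643337-fa7d-4f0f-8de6-2b295146ba14

Key Slot 0: ENABLED
        Iterations:             85130
        Salt:                   ...
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             84922
        Salt:                   ...
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

if [ -n "${LUKS_DEV:-}" ]; then
    luks_provision "$LUKS_DEV" "${LUKS_NAME:-somename}" "${LUKS_MNT:-/mnt}"
else
    printf '%s\n' "$SAMPLE_DUMP" | luks_summary
fi
```

The enabled_slots count is worth watching over time: every luksAddKey (passphrase or keyfile) takes a slot, and a slot you do not recognise is a way into the volume you did not intend.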

Part 3: Opening and Mounting your LUKS encrypted filesystem at bootup

At this point you have your encrypted filesystem. After a reboot you will again need to open it with "cryptsetup luksOpen [device] [alias]" and type in the passphrase, and at any time you can close it again with "cryptsetup luksClose [alias]".

What if you want it opened and mounted automatically on boot/reboot? That's this section:

SECURITY CONCERN: unattended unlocking means the key has to sit on the unencrypted root filesystem. Anyone who can read that filesystem (root on the box, or whoever gets hold of the disk or a backup image of it) has the key and can open the volume with it. So the keyfile must be readable by root only, and what you are really protecting against is the encrypted LV or its disk being taken on its own. Keep a passphrase in another key slot so you can still open the volume if the keyfile is lost.

1. Find the UUID of the LUKS device

[root@centos64]# blkid
/dev/sda1: UUID="9a9af13d-33b7-4422-80f8-44f77d69a36e" TYPE="ext4"
/dev/sda2: UUID="96v0c6-eC4Y-tLhU-05DF-W4bU-cy49-K9XTB6" TYPE="LVM2_member"
/dev/mapper/vgtest-testlv: UUID="4f643337-fa7d-4f0f-8de6-2b295146ba14" TYPE="crypto_LUKS"
/dev/mapper/vg_centos6464bittempl-lv_root: UUID="12fec655-beeb-4f0a-b416-4e187e40890f" TYPE="ext4"
/dev/mapper/vg_centos6464bittempl-lv_swap: UUID="80333948-fc29-4426-95f7-4a7c5676aa4d" TYPE="swap"
[root@centos64]#

LVM creates the device-mapper name "/dev/mapper/vgtest-testlv" for the same device as "/dev/vgtest/testlv", so either path may appear. The one you want is the entry with TYPE="crypto_LUKS": its UUID, 4f643337-fa7d-4f0f-8de6-2b295146ba14, is the LUKS header's UUID (the filesystem inside the container has its own), and that is what /etc/crypttab needs.

2. Add a keyfile as a password

Similar to the above section where you can add more passphrases, you can also add a file as a key. Its contents are used as the passphrase, so it must be random and readable by root only.

In my example, I'll create a file: /root/keyfile

[root@centos64]# dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
[root@centos64]# chmod 0400 /root/keyfile

(Running the dd under "umask 077" avoids the brief window in which the file exists world-readable before the chmod.)

Now add it using this command:

[root@centos64]# cryptsetup luksAddKey /dev/vgtest/testlv /root/keyfile

As above, it will ask for an existing passphrase before it adds the key.

Now you can open it with:

[root@centos64]# cryptsetup luksOpen --key-file=/root/keyfile /dev/vgtest/testlv somename

You can use this file any time to open it.

If you want the volume opened during boot with nobody at the console, this keyfile is what /etc/crypttab will use; an entry with no keyfile ("none") instead stops the boot and prompts for the passphrase on the console.

3. Add to /etc/crypttab

[root@centos64]# vi /etc/crypttab

Each line is: mapper-name  source-device  keyfile [options]. Add the entry:

somename UUID="4f643337-fa7d-4f0f-8de6-2b295146ba14" /root/keyfile

4. REBOOT

[root@centos64]# reboot

5. Upon reboot, verify the mapper name is there

[root@centos64]# ls -1 /dev/mapper/somename

6. Now you can add the /etc/fstab entry for /dev/mapper/somename (create the mount point first, e.g. mkdir /somename)

[root@centos64]# vi /etc/fstab

The line would be something like this:

/dev/mapper/somename /somename ext3 defaults 1 2

7. REBOOT again!

[root@centos64]# reboot

8. Verify mounted using “df -h” command

[root@centos64]# df -h

9. DONE mounting encrypted filesystem at boot/reboot
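Part 3 as functions, plus the audit I would run before trusting a reboot to it: the keyfile is created under umask 077 (so it is never readable by anyone but root, not even between dd finishing and chmod running), the crypttab and fstab lines are generated from the LUKS header UUID, and audit_crypttab cross-checks the two files, flagging a keyfile that is missing, not mode 0400, not owned by root, or a mapping with no matching /dev/mapper/<name> line in fstab. This is an added example, not code from the original post. The live path runs only when CRYPT_DEV is set; otherwise the audit is demonstrated on constructed copies of the files, which needs no root. The function names and the CRYPT_* variables are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: Part 3 as functions (keyfile,
# crypttab and fstab entries) plus an audit of the result that can be run
# against copies of the files, so it works without root.
set -eu

# 4 KiB random keyfile created under umask 077, so it is never readable by
# anyone but the owner, not even between dd finishing and chmod running.
make_keyfile() {
    local path=$1
    ( umask 077 && dd if=/dev/urandom of="$path" bs=1024 count=4 2>/dev/null )
    chmod 0400 "$path"
}

# Steps 2, 3 and 6: enrol the keyfile (prompts for an existing passphrase),
# then append the crypttab and fstab lines, addressing the LUKS container by
# its header UUID so the entry does not depend on the device name. Live: root.
enrol_keyfile() {
    local dev=$1 name=$2 keyfile=$3 mnt=$4 fstype=${5:-ext3} uuid
    cryptsetup luksAddKey "$dev" "$keyfile"
    uuid=$(blkid -s UUID -o value "$dev")
    printf '%s UUID=%s %s\n' "$name" "$uuid" "$keyfile" >> /etc/crypttab
    mkdir -p "$mnt"
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$name" "$mnt" "$fstype" >> /etc/fstab
    # Prove the keyfile and the fstab line work before relying on a reboot.
    cryptsetup status "$name" >/dev/null 2>&1 \
        || cryptsetup luksOpen --key-file="$keyfile" "$dev" "$name"
    mount "$mnt"
}

# Audit crypttab $1 against fstab $2: every mapping with a keyfile must have
# a keyfile that exists, is mode 0400 and owned by $3 (default root), and every
# mapping needs a /dev/mapper/<name> line in fstab. Prints each finding and
# returns non-zero if there were any.
audit_crypttab() {
    local crypttab=$1 fstab=$2 want_owner=${3:-root} rc=0 name src key mode owner
    while read -r name src key _; do
        case "$name" in ''|\#*) continue ;; esac
        if [ -z "$key" ] || [ "$key" = none ]; then
            echo "$name: no keyfile, boot will stop for a passphrase on the console"
        elif [ ! -f "$key" ]; then
            echo "$name: keyfile $key does not exist"; rc=1
        else
            mode=$(stat -c %a "$key"); owner=$(stat -c %U "$key")
            [ "$mode" = 400 ] || { echo "$name: $key is mode $mode, want 400"; rc=1; }
            [ "$owner" = "$want_owner" ] \
                || { echo "$name: $key owned by $owner, want $want_owner"; rc=1; }
        fi
        grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab" \
            || { echo "$name: no /dev/mapper/$name entry in $fstab"; rc=1; }
    done < "$crypttab"
    return "$rc"
}

# Demo on constructed copies (no root, no real devices): a correct pair of
# files passes, then the keyfile is made world-readable and the audit fails.
demo() {
    local d
    d=$(mktemp -d)
    make_keyfile "$d/keyfile"
    printf 'somename UUID=4f643337-fa7d-4f0f-8de6-2b295146ba14 %s\n' "$d/keyfile" > "$d/crypttab"
    printf '/dev/mapper/somename /somename ext3 defaults 1 2\n' > "$d/fstab"
    audit_crypttab "$d/crypttab" "$d/fstab" "$(id -un)" && echo "audit: ok"
    chmod 0644 "$d/keyfile"
    audit_crypttab "$d/crypttab" "$d/fstab" "$(id -un)" || echo "audit: findings above"
    rm -rf "$d"
}

case "${CRYPT_DEV:-}" in
    '') demo ;;
    *)  make_keyfile /root/keyfile
        enrol_keyfile "$CRYPT_DEV" "${CRYPT_NAME:-somename}" /root/keyfile "${CRYPT_MNT:-/somename}"
        audit_crypttab /etc/crypttab /etc/fstab ;;
esac
```

Because rc.sysinit on RHEL 6 opens the crypttab devices before it mounts fstab, one reboot is enough once both entries are in place; the audit is the thing to run before that reboot, and again after any change to either file.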

THE END!


4 thoughts on "How To Encrypt A Filesystem On Redhat 6.4/Centos 6.4 Linux (FIPS or NO FIPS)"

  1. Many thanks for the instructions. One remark please:

    Part 2, Step 2: you need to umount the partition first or you’ll get the following error message
    shred: /dev/sda2: error writing at offset 12288: Invalid argument

  2. Nice write up. Is there a way to confirm/verify whether a system was encrypted in FIPS mode? In EL7, you can set fips=1 at time of installation, and in theory the system will be encrypted with FIPS. It would be nice to confirm I have FIPS encrypted data.

    • That's a good question, I didn't find much of an answer, I only did preliminary research. The only thing I could find is using the "cat" command I mentioned in the above article. This also means any filesystems encrypted AFTER the fips is enabled. If it is encrypted before, then you will have to I believe destroy/reencrypt/reformat. I'll be honest I have not done anything beyond this article when I had to build it so this is just my guess. Apologies for not having a better answer for you

      [root@centos64]# cat /proc/sys/crypto/fips_enabled
      1
      [root@centos64]#
