Creating an Encrypted File System on IDrive Compute Volumes
Overview
This guide will help you create a file system in a disk encrypted with LUKS (Linux Unified Key Setup) on your IDrive Compute block storage volume.
When you attach an encrypted volume to an instance, the operating system of your instance needs to decrypt it to read any data.
Install Cryptsetup
Cryptsetup is the utility used to manage LUKS volumes and other encrypted formats.
Follow the steps given below to install Cryptsetup on your distribution:
- Debian / Ubuntu
sudo apt install cryptsetup
- CentOS/Fedora
sudo yum install cryptsetup-luks
- openSUSE
sudo zypper install cryptsetup
Note: In case of CentOS 8, a minimum memory of 2GB is required on the instance to perform the below-mentioned steps.
Create an encrypted disk
Create an encrypted disk on your volume using Cryptsetup.
Follow the steps given below to initialize an encrypted disk on your volume:
- Run the following command on your instance:
sudo cryptsetup -y -v luksFormat /dev/vdb
Note: Make sure to replace /dev/vdb with the path of your volume. -y verifies the passphrase by asking for it twice and -v shows more detailed error messages.
Next, you will be asked to confirm overwriting the data on the volume. Type YES in uppercase and press ENTER.
You will receive this output warning:
This will overwrite data on /dev/vdb irrevocably.
Are you sure? (Type YES in uppercase): YES
You will be prompted to create a passphrase for the encrypted disk. Create a strong passphrase and confirm it by typing it a second time.
Note: The passphrase cannot be recovered, so make sure to store it safely.
You will receive an output similar to this:
Enter passphrase:
Verify passphrase:
Command successful.
The passphrase can be changed with the cryptsetup luksChangeKey command. Moreover, you can add up to 8 additional passphrases per device with cryptsetup luksAddKey.
- Your disk is now created and encrypted. Next, open (decrypt) it and map it to a name for ease of reference.
sudo cryptsetup luksOpen /dev/vdb volume-encrypted
Note: You can replace volume-encrypted in the above sample with any name of your choice.
- Verify and confirm the details of the encrypted disk.
cryptsetup status volume-encrypted
You will receive an output similar to this:
/dev/mapper/volume-encrypted is active.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/sdb
offset: 4096 sectors
size: 209711104 sectors
mode: read/write
An encrypted disk with passphrase protection has now been created.
- Next, you will need to create a file system on the disk so that the operating system can use it to store files and mount it.
Use the mkfs.xfs, mkfs.ext4 or mkfs.ext2 utility to create a file system on the volume.
sudo mkfs.xfs /dev/mapper/volume-encrypted
- Create a mount point where the file system will be attached. Since an empty directory in the /mnt directory is recommended, you can use /mnt/encrypted:
sudo mkdir /mnt/encrypted
sudo mount /dev/mapper/volume-encrypted /mnt/encrypted
Run $ df -h to check the available disk space of your instance.
On successful creation, you will see /dev/mapper/volume-encrypted in the list.
You will receive an output similar to this:
Filesystem                    Size  Used Avail Use% Mounted on
devtmpfs                      472M  8.0K  472M   1% /dev
tmpfs                         490M     0  490M   0% /dev/shm
tmpfs                         490M  7.0M  483M   2% /run
tmpfs                         490M     0   36G   0% /sys/fs/cgroup
/dev/vda1                      40G  1.7G  490M   5% /
tmpfs                          98M     0   36G   0% /run/user/0
/dev/mapper/volume-encrypted 1019M   34M  986M   4% /mnt/encrypted
You can unmount the file system and lock the encrypted disk when you do not need to access the data on the volume.
sudo umount /mnt/encrypted
sudo cryptsetup luksClose volume-encrypted
Run $ df -h to verify that the file system is no longer available.
To make the data on the volume accessible again, follow the steps given above for opening the disk (cryptsetup luksOpen ...), creating a mount point, and mounting the file system.
Automatically mount the file system on boot
- Create a key file and add it as a passphrase. You can add up to 8 passphrases.
The key will be used to decrypt and mount the volume while the instance is booting.
Create a key file at /root/.secure-key:
sudo dd if=/dev/urandom of=/root/.secure-key bs=1024 count=4
A 4 KB file with random contents will be created.
- Modify the permissions of this key file so that it is readable only by the root user.
sudo chmod 0400 /root/.secure-key
- Add the key as a passphrase for the encrypted disk.
sudo cryptsetup luksAddKey /dev/vdb /root/.secure-key
You will be prompted for an existing passphrase. Enter the passphrase that you set while creating and encrypting the disk.
- Open /etc/crypttab, the configuration file that defines the encrypted disks to set up when the system starts, with vi or the text editor of your choice.
sudo vi /etc/crypttab
Add the following line to the bottom of the file to map the volume at boot:
...
volume-encrypted /dev/vdb /root/.secure-key luks
Note: The format of the lines in /etc/crypttab is device_name device_path key_path options.
- Save and close the file.
- Open /etc/fstab, the configuration file that automates mounting, for editing.
sudo vi /etc/fstab
Add the following line to the bottom of the file to automatically mount the disk at boot.
...
/dev/mapper/volume-encrypted /mnt/encrypted xfs defaults,nofail 0 0
Note: The first three fields of a line in /etc/fstab are always device_path mount_point file_system_type.
The other fields are described in fstab's man page (man fstab).
- Save and close the file.
The encrypted file system will now automatically mount when the instance boots.
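Before rebooting, it is worth checking that the crypttab and fstab lines agree with each other and that the key file really is restricted to root, since a typo here can leave the instance without its volume. The script below is an added example, not part of the IDrive guide; it assumes Linux with GNU coreutils (stat -c) and takes the two configuration lines as arguments.

```shell
#!/usr/bin/env bash
# Added example, not part of the IDrive guide: sanity-check the crypttab and fstab
# entries before rebooting, so a typo or a world-readable key file is caught early.
# Assumes Linux with GNU coreutils (stat -c).
set -u

# Return 0 if the key file exists, is a regular file and has mode 0400 exactly.
keyfile_mode_ok() {
  [ -f "$1" ] || return 1
  [ "$(stat -c '%a' "$1")" = "400" ]
}

# Validate one crypttab line (name device key options): four fields, an option
# containing "luks", and a key path that exists unless it is "none".
# Prints the mapper name on success.
crypttab_entry_ok() {
  set -- $1
  [ "$#" -eq 4 ] || return 1
  case "$4" in *luks*) ;; *) return 1 ;; esac
  [ "$3" = "none" ] || [ -f "$3" ] || return 1
  printf '%s\n' "$1"
}

# Validate one fstab line (device mountpoint fstype options dump pass): six
# fields, a /dev/mapper device, and "nofail" so a missing volume does not
# block boot. Prints the mapper name on success.
fstab_entry_ok() {
  set -- $1
  [ "$#" -eq 6 ] || return 1
  case "$1" in /dev/mapper/*) ;; *) return 1 ;; esac
  case ",$4," in *,nofail,*) ;; *) return 1 ;; esac
  printf '%s\n' "${1#/dev/mapper/}"
}

# Cross-check a crypttab line against an fstab line: the mapper names must
# match and the key file must be mode 0400. Returns 0 when the pair is sane.
boot_config_ok() {
  name=$(crypttab_entry_ok "$1") || return 1
  mapper=$(fstab_entry_ok "$2") || return 1
  [ "$name" = "$mapper" ] || return 1
  set -- $1
  [ "$3" = "none" ] || keyfile_mode_ok "$3"
}

# Usage on a real instance (root is needed to stat the key file):
#   boot_config_ok "$(grep '^volume-encrypted ' /etc/crypttab)" \
#                  "$(grep ' /mnt/encrypted ' /etc/fstab)" && echo "boot config OK"
```

Keep in mind that the key file lives unencrypted on the instance's root disk, so this setup only protects the volume's data as far as access to that root disk is itself controlled.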