Encrypting disks in linux environments

A comprehensive guide containing automatic decryption at boot and live extension.
By Kostas Koutsogiannopoulos

In an age where data security is paramount, encrypting your disk on a Linux system is an essential step to ensure that your sensitive information remains protected. Disk encryption provides a robust layer of security, making it significantly more challenging for unauthorized users to access your data, even if they gain physical access to your device. This article explores the process of encrypting a disk in a Linux environment, the benefits of doing so, and potential complications to be aware of.

Understanding disk encryption

Disk encryption is a method of converting data into a format that is unreadable without the appropriate decryption key. In a Linux environment, this is typically accomplished using tools like LUKS (Linux Unified Key Setup), dm-crypt, or eCryptfs. These tools provide encryption at the block device level, ensuring that all data written to the disk is automatically encrypted.

Benefits of disk encryption

Data security: The primary benefit of disk encryption is the protection of your data from unauthorized access. If your laptop or server is stolen, the data on the disk remains inaccessible without the decryption key, making it virtually impossible for the thief to extract usable information.
Compliance: For organizations, encrypting disks can help meet various regulatory requirements, such as GDPR, HIPAA, or PCI-DSS, which mandate the protection of sensitive information.
Protection against data breaches: In the event of a security breach, encrypted data is far less likely to be exploited, as attackers would need to decrypt the data before they can make any use of it.
Prevention of data leakage: Encryption ensures that even if someone gains unauthorized access to your hardware, they cannot easily extract or view the data, thereby reducing the risk of data leakage.

Potential complications

While disk encryption offers significant security advantages, it can also introduce certain challenges:

Performance overhead: Encryption and decryption processes consume system resources, potentially leading to a noticeable performance overhead, especially on systems with limited hardware resources.
Data loss: If you forget the encryption passphrase or lose the key, the encrypted data becomes permanently inaccessible. It’s crucial to have a secure backup of the key or passphrase.
Complexity of management or recovery processes: In the event of a system failure, recovering data from an encrypted disk can be more complex than from an unencrypted one, requiring the correct passphrase and sometimes additional tools or procedures. Also if you need to live extend your volume, will need some some extra steps. We will include an example in the guide bellow.
Compatibility issues: Some older systems or certain hardware configurations may not fully support disk encryption, leading to boot issues or the need for additional troubleshooting steps.
"At rest" vs "in transit" data encryption: While disk encryption protects data at rest (this is the term that is often used), it does not secure data in transit. You must implement additional security measures (like TLS) to protect data being transmitted over network.
Key management: Managing encryption keys securely is critical. If keys are stored insecurely or mishandled, the benefits of encryption can be negated.

Steps to encrypt a disk on linux

The following guide is tested on Almalinux 9 so it can be used "as is" on any Enterprise Linux distribution (Rocky Linux, CentOS, RHEL, Oracle Linux) or any other distribution with minimal adjustments.

1. Installing necessary tools: Before you begin, ensure that you have the necessary tools installed. For instance, you might need to install cryptsetup:

sudo dnf install cryptsetup

2. Preparing the disk: If you are encrypting an existing disk, back up all data. Encryption will erase all data on the disk. Lets say that our disk is /dev/sdb with 2GB of storage:

sudo dd if=/dev/zero of=/dev/sdb bs=1M

3. Create the logical volume: We will create a logical volume on /dev/sdb. if required later we will extend the volume on another device:

sudo pvcreate /dev/sdb
sudo vgcreate ENCRVG /dev/sdb
sudo lvcreate -l +100%FREE -n ENCRLV ENCRVG
sudo lvdisplay

4. Setting up LUKS encryption: To set up LUKS encryption on a logical volume (e.g. /dev/ENCRVG/ENCRLV, use the following command:

sudo cryptsetup -y -v --type luks2 luksFormat /dev/ENCRVG/ENCRLV

WARNING!
========
This will overwrite data on /dev/ENCRVG/ENCRLV irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/ENCRVG/ENCRLV:
Verify passphrase:
Key slot 0 created.
Command successful.

As you can see, you will be prompted to create a passphrase which will be required to unlock the disk or create new keys that can also decrypt the device. Needless to say that if we miss the passphrase we will lose the ability to manage the encrypted device.

5. Open and map the Encrypted Disk: After setting up LUKS, open the encrypted disk. This will also map the decrypted volume under /dev/mapper/ directory with the given name "encrypted_volume":

sudo cryptsetup luksOpen /dev/ENCRVG/ENCRLV encrypted_volume
Enter passphrase for /dev/ENCRVG/ENCRLV:

6. Creating a Filesystem: Once the volume is unlocked(open) and mapped, create a filesystem on it:

sudo mkfs.xfs /dev/mapper/encrypted_volumesudo mkfs.ext4 /dev/mapper/encrypted_partition

7. Mounting the Encrypted Disk: Finally, mount the encrypted partition under any directory e.g. /mnt/encr_fs

sudo mkdir /mnt/encr_fs
sudo mount /dev/mapper/encrypted_volume /mnt/encr_fs/

Your encrypted disk is now ready for use:

df /mnt/encr_fs/
Filesystem                   1K-blocks  Used Available Use% Mounted on
/dev/mapper/encrypted_volume   2011136 47064   1964072   3% /mnt/encr_fs

8. Automating Decryption at Boot (Optional): If you want the disk to be decrypted at boot time without asking you for the passphrase, you can configure /etc/crypttab and /etc/fstab accordingly. This step requires careful consideration, as it involves storing the decryption key securely.

8a. Create a random encryption key of size 4K:

sudo dd if=/dev/urandom of=/root/encryption.key bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.000111472 s, 36.7 MB/s

8b. Register the above key to the encrypted device:

sudo cryptsetup luksAddKey /dev/ENCRVG/ENCRLV /root/encryption.key
Enter any existing passphrase:

8c. Add the following entry in /etc/crypttab configuration file:

encrypted_volume /dev/ENCRVG/ENCRLV /root/encryption.key

Format: <name to map the device> <storage device> <encryption key registered to the device>

8d. Add the following entry in /etc/fstab configuration file:

/dev/mapper/encrypted_volume /mnt/encr_fs xfs defaults 0 0

Your encrypted filesystem will be ready to use after reboot.

Live extension of the encrypted volume

Following this procedure we can add more space to our encrypted device without affecting any application that may be using it. Lets add a new physical volume to our LVM (/dev/sdc with another 2GB of storage):

sudo pvcreate /dev/sdc
Physical volume "/dev/sdc" successfully created.

sudo vgextend ENCRVG /dev/sdc
Volume group "ENCRVG" successfully extended

sudo lvextend -l +100%FREE ENCRVG
Size of logical volume ENCRVG/ENCRLV changed from <2.00 GiB (511 extents) to 3.99 GiB (1022 extents).
Logical volume ENCRVG/ENCRLV successfully resized.

sudo cryptsetup resize /dev/mapper/encrypted_volume

sudo xfs_growfs /mnt/encr_fs/
meta-data=/dev/mapper/encrypted_volume isize=512    agcount=4, agsize=129792 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1    bigtime=1 inobtcount=1 nrext64=0
data     =                       bsize=4096   blocks=519168, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=16384, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

And this is the new state of our block devices:

lsblk
NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                    8:0    0   20G  0 disk
├─sda1                 8:1    0    1G  0 part  /boot
└─sda2                 8:2    0   19G  0 part
  ├─almalinux-root   253:0    0   17G  0 lvm   /
  └─almalinux-swap   253:1    0    2G  0 lvm   [SWAP]
sdb                    8:16   0    2G  0 disk
└─ENCRVG-ENCRLV      253:2    0    4G  0 lvm
  └─encrypted_volume 253:3    0    4G  0 crypt /mnt/encr_fs
sdc                    8:32   0    2G  0 disk
└─ENCRVG-ENCRLV      253:2    0    4G  0 lvm
  └─encrypted_volume 253:3    0    4G  0 crypt /mnt/encr_fs
sr0                   11:0    1  1.4G  0 rom

And our encrypted, extended filesystem:

df -h /mnt/encr_fs/
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/encrypted_volume  4.0G   61M  3.9G   2% /mnt/encr_fs

Conclusion

Encrypting your disk in a Linux environment is a powerful way to enhance your data security, providing peace of mind against unauthorized access. However, it requires careful consideration of the associated complications, such as performance impacts, data loss risks, and the complexity of system recovery. By understanding both the benefits and potential challenges, you can make an informed decision about whether disk encryption is the right choice for your needs.

Always ensure that you have a secure backup strategy and understand the implications of encryption before proceeding. With the right preparation, disk encryption can be a cornerstone of your Linux system’s security architecture.

Posted by Kostas Koutsogiannopoulos · Aug. 26, 2024 · linux

Authors

Kostas Koutsogiannopoulos (49)

Dimitris Dimitropoulos (5)

Michael Cossenas (2)