Encryption with dm-crypt and LUKS


Install the necessary tools

If you did a ‘minimal’ CentOS 6.x install, you’ll need these:

yum install cryptsetup device-mapper util-linux  
modprobe dm_crypt  
lsmod | grep dm_crypt

Prepare the Device

I used LVM. This section could’ve been about making a software RAID. If you’ve prepared your device or have a standard disk (e.g. /dev/sdb1), you can skip to the next section.

pvcreate /dev/vda2  
vgcreate volgroups /dev/vda2  
lvcreate -l 100%FREE -n secure volgroups

You now have a block storage device at /dev/mapper/volgroups-secure. You’ll create an encrypted device using it.

Creating the Encrypted Device

cryptsetup luksFormat /dev/mapper/volgroups-secure  
cryptsetup luksOpen   /dev/mapper/volgroups-secure secure

This creates the device /dev/mapper/secure. The cipher used is AES-256-CBC. Fill it with junk; will take time, but this will prevent people from knowing the size of data on your device.

dd if=/dev/urandom of=/dev/mapper/secure

Now create a filesystem

mkfs -t ext4 /dev/mapper/secure

Mount it!

mount -t ext4 /dev/mapper/secure /mnt/secure

Close it when done:

crypsetup luksClose secure

Mounting at boot

LVM Resizing

For the example above,

lvextend -L+2048G /dev/mapper/volgroups-secure  
resize2fs /dev/mapper/secure