Disk encryption using cryptsetup
Configure virtual machine disk encryption using cryptsetup for Linux.
Follow the preparatory steps to create a test Linux VM running CentOS 7.9, as well as an additional disk that will be encrypted.
-
Create the Linux VM from CentOS 7.9 image.
-
Output a list of disks and find the name of the desired disk (for example,
/dev/vdb):sudo fdisk -l -
If there is no file system on the disk, format it.
-
Check that there is no file system on the disk:
lsblk -f -
Format the disk:
sudo mkfs.ext4 /dev/vdb -
Check the formatting result:
lsblk -f
-
-
Configure disk mounting.
-
Create a directory to mount the disk
/volumes/disk1:sudo mkdir /volumessudo mkdir /volumes/disk1 -
Add a line with the disk mount parameters to the
/etc/fstabfile:sudo sed -i '$a /dev/vdb /volumes/disk1 auto defaults 0 0' /etc/fstab -
Print the contents of the file and make sure that the line is added:
cat /etc/fstab
-
-
Restart the VM:
sudo reboot -
Make sure that the disk is mounted in the specified directory:
lsblk
Run the command to install:
sudo yum install -y cryptsetup cryptsetup-reencrypt
-
Make the disk non-bootable.
-
Stop all processes using the disk:
sudo lsof /volumes/disk1sudo systemctl stop volumes-disk1.mount -
See the size of the current file system:
sudo e2fsck -f /dev/vdbExample of the result of executing the command:
e2fsck 1.42.9 (28-Dec-2013)Pass 1: Checking inodes, blocks, and sizesPass 2: Checking directory structurePass 3: Checking directory connectivityPass 4: Checking reference countsPass 5: Checking group summary information/dev/vdb: 88/655360 files (3.4% non-contiguous), 60910/2621440 blocks -
Change the file system size to the minimum possible:
sudo resize2fs -M /dev/vdbExample of the result of executing the command:
resize2fs 1.42.9 (28-Dec-2013)Resizing the filesystem on /dev/vdb to 24971 (4k) blocks.The filesystem on /dev/vdb is now 24971 blocks long. -
Start disk encryption:
sudo cryptsetup-reencrypt /dev/vdb --new --reduce-device-size 4096S -
Enter and confirm the keyword:
Enter new passphrase:Verify passphrase: -
Wait for the encryption process to complete:
Finished, time 00:23.401, 3875 MiB written, speed 165.6 MiB/s -
Check the work with the encrypted disk:
-
Run the command:
sudo cryptsetup open /dev/vdb vdb_crypt -
Enter the passphrase and press Enter.
-
-
Expand the file system to disk size:
sudo resize2fs /dev/mapper/vdb_crypt -
Change the name of the device to mount:
sudo sed 's#/dev/vdb#/dev/mapper/vdb_crypt#' -i /etc/fstab
-
Output the contents of the
fstabfile and make sure that the entry has been changed:cat /etc/fstab -
Mount the disk:
sudo mount /volumes/disk1 -
Add information about the encrypted partition to
/etc/crypttab:-
Get
rootaccess:sudo -s -
Run the command:
UUID=$(blkid -s UUID -o value /dev/vdb)echo "vdb_crypt UUID=${UUID} none luks,discard" >> /etc/crypttabexit
-
Configure the bootloader so that the passphrase for decrypting the disk is requested when the system boots. To enter a passphrase, use the VNC console of the VM.
-
Change the settings of the
grubloader. Remove theconsole=ttyS0,115200setting in the bootloader parameters:sudo sed 's#console=ttyS0,115200 ##' -i /etc/default/grub -
Review the
grubfile and make sure that the setting is removed:cat /etc/default/grub -
Configure the bootloader:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg -
Restart the VM.
-
Go to the VNC Console virtual machine. In the console output, when the operating system boots, you will be prompted to enter a keyword:
Please enter passphrase for disk vdb_crypt on /volumes/disk1: -
Enter the passphrase and press Enter.
The passphrase for decrypting the disk will be requested every time the OS boots. After entering the passphrase, the disk will be mounted and you can work with the file system as before encryption.