29.4. Creating Encrypted Block Devices on the Installed System After Installation


Encrypted block devices can be created and configured after installation.

29.4.1. Create the block devices

Create the block devices you want to encrypt by using parted, pvcreate, lvcreate and mdadm.

29.4.2. Optional: Fill the device with random data

Filling <device> (eg: /dev/sda3) with random data before encrypting it does not make the cipher itself any stronger; it makes the whole device look like ciphertext, so an attacker holding the raw disk cannot tell which blocks hold encrypted data and which are still unused or contain leftover plaintext. The downside is that it can take a very long time on a large device.

Warning

The commands below will destroy any existing data on the device.
  • The best way, which provides high quality random data but takes a long time (throughput of /dev/urandom depends on the kernel version and CPU; on older systems it can be several minutes per gigabyte):
    dd if=/dev/urandom of=<device>
    dd ends with a "No space left on device" error once the device is full; that is expected.
  • Fastest way, which provides lower quality random data:
    badblocks -c 10240 -s -w -t random -v <device>

29.4.3. Format the device as a dm-crypt/LUKS encrypted device

Warning

The command below will destroy any existing data on the device.
cryptsetup luksFormat <device>

Note

For more information, read the cryptsetup(8) man page.
luksFormat first asks you to confirm (type YES in uppercase), then asks for the passphrase twice; after that the device is formatted for use. To verify that the device now carries a LUKS header, use the following command:
cryptsetup isLuks <device> && echo Success
To see a summary of the encryption information for the device (cipher, key size, hash, and which key slots are in use), use the following command:
cryptsetup luksDump <device>

29.4.4. Create a mapping to allow access to the device's decrypted contents

To access the device's decrypted contents, a mapping must be established using the kernel device-mapper.
It is useful to choose a meaningful name for this mapping. LUKS provides a UUID (Universally Unique Identifier) for each device. This, unlike the device name (eg: /dev/sda3), is guaranteed to remain constant as long as the LUKS header remains intact. To find a LUKS device's UUID, run the following command:
cryptsetup luksUUID <device>
An example of a reliable, informative and unique mapping name would be luks-<uuid>, where <uuid> is replaced with the device's LUKS UUID (eg: luks-50ec957a-5b5a-47ee-85e6-f8085bbc97a8). This naming convention might seem unwieldy, but it is not necessary to type it often.
cryptsetup luksOpen <device> <name>
There should now be a device node, /dev/mapper/<name>, which represents the decrypted device. This block device can be read from and written to like any other unencrypted block device.
To see some information about the mapped device, use the following command:
dmsetup info <name>

Note

For more information, read the dmsetup(8) man page.

29.4.5. Create filesystems on the mapped device

Use the mapped device node (/dev/mapper/<name>) as any other block device. To create an ext2 filesystem on the mapped device, use the following command:
mke2fs /dev/mapper/<name>
To mount this filesystem on /mnt/test, use the following command:

Important

The directory /mnt/test must exist before executing this command.
mount /dev/mapper/<name> /mnt/test

29.4.6. Add the mapping information to /etc/crypttab

In order for the system to set up a mapping for the device at boot, an entry must be present in the /etc/crypttab file. If the file doesn't exist, create it, change the owner and group to root (root:root) and change the mode to 0644 so that only root can write it (the file is only ever read, so no execute bit is needed). Add a line to the file with the following format:
<name>  <device>  none
The third field names a key file; none means the system prompts for the passphrase at boot. The <device> field should be given in the form "UUID=<luks_uuid>", where <luks_uuid> is the LUKS uuid as given by the command cryptsetup luksUUID <device>. This ensures the correct device will be identified and used even if the device node (eg: /dev/sda5) changes.

Note

For details on the format of the /etc/crypttab file, read the crypttab(5) man page.

29.4.7. Add an entry to /etc/fstab

Add an entry to /etc/fstab. This is only necessary if you want to establish a persistent association between the device and a mountpoint. Use the decrypted device, /dev/mapper/<name>, in the /etc/fstab file, with the same <name> you used in /etc/crypttab; the mapping is established early in boot, before /etc/fstab is processed.
In many cases it is desirable to list devices in /etc/fstab by UUID or by a filesystem label. The main purpose of this is to provide a constant identifier in the event that the device name (eg: /dev/sda4) changes. LUKS device names in the form of /dev/mapper/luks-<luks_uuid> are based only on the device's LUKS UUID, and are therefore guaranteed to remain constant. This fact makes them suitable for use in /etc/fstab.

Note

For details on the format of the /etc/fstab file, read the fstab(5) man page.
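The steps 29.4.2 through 29.4.7 run end to end, as an added example that is not code from the Red Hat guide. It stands up a loop device over a scratch file instead of a real partition, so nothing on the installed system is destroyed. It assumes cryptsetup, losetup, mke2fs and dmsetup are installed; the privileged part (demo) only runs as root when LUKS_DEMO_RUN=1 is set. The scratch image path, the passphrase, and the /mnt/luks-demo mount point are placeholders chosen for the demo, and the helper names (is_uuid, crypttab_line, fstab_line) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: runs 29.4.2 to 29.4.7 against a
# loop device backed by a scratch file so no real disk is touched.
# Assumes cryptsetup, losetup, mke2fs and dmsetup; demo() needs root and only
# runs when LUKS_DEMO_RUN=1. Paths and the passphrase below are placeholders.

# Accept only a well-formed UUID before it is written into a config file.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# /etc/crypttab entry: <name> <device> <keyfile>; "none" prompts for the passphrase.
crypttab_line() {
    printf 'luks-%s  UUID=%s  none\n' "$1" "$1"
}

# /etc/fstab entry for the mapped device; the name must match the crypttab entry.
fstab_line() {
    printf '/dev/mapper/luks-%s  %s  ext2  defaults  0 2\n' "$1" "$2"
}

demo() {
    img=/var/tmp/luks-demo.img          # scratch file standing in for /dev/sda3
    size_mb=64
    pass='demo-passphrase-change-me'    # real deployments prompt or use a key file
    mnt=/mnt/luks-demo

    dd if=/dev/zero of="$img" bs=1M count="$size_mb" status=none
    dev=$(losetup --find --show "$img")

    # 29.4.2: fill with random data. A fixed count avoids ending on the
    # "No space left on device" error that a bare dd produces.
    dd if=/dev/urandom of="$dev" bs=1M count="$size_mb" status=none

    # 29.4.3: format as LUKS. --key-file=- reads the passphrase bytes from stdin
    # (no trailing newline, so an interactive unlock typing the same text works);
    # -q skips the "Are you sure?" prompt. luksOpen is fed the same way.
    printf '%s' "$pass" | cryptsetup -q luksFormat --key-file=- "$dev"
    cryptsetup isLuks "$dev" || { echo "no LUKS header on $dev" >&2; return 1; }

    # 29.4.4: name the mapping after the LUKS UUID, not the device node.
    uuid=$(cryptsetup luksUUID "$dev")
    is_uuid "$uuid" || { echo "unexpected UUID: $uuid" >&2; return 1; }
    name="luks-$uuid"
    printf '%s' "$pass" | cryptsetup luksOpen --key-file=- "$dev" "$name"
    dmsetup info "$name" >/dev/null

    # 29.4.5: filesystem on the mapped device, mounted and written once.
    mke2fs -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    echo "hello" > "$mnt/probe"
    umount "$mnt"

    # 29.4.6 / 29.4.7: the lines that would go into the two config files.
    echo "crypttab: $(crypttab_line "$uuid")"
    echo "fstab:    $(fstab_line "$uuid" "$mnt")"

    # Tear down; the scratch file now holds only ciphertext and random bytes.
    cryptsetup luksClose "$name"
    losetup -d "$dev"
    rm -f "$img"
}

if [ "${LUKS_DEMO_RUN:-0}" = "1" ]; then
    demo
fi
```

Run it as root with LUKS_DEMO_RUN=1 sh luks-demo.sh; without that variable the file only defines the helpers. The UUID check matters because the UUID is interpolated into /etc/crypttab and /etc/fstab, and a stray error message in its place would silently produce an entry that never matches a device.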
© 2025 Red Hat