主页
产品
Red Hat Enterprise Linux
10
Managing storage devices
17.5. Encrypting existing data on a block device using LUKS2 with a detached header

17.5. Encrypting existing data on a block device using LUKS2 with a detached header

You can encrypt existing data on a block device without creating free space for storing a LUKS header. The header is stored in a detached location, which also serves as an additional layer of security. The procedure uses the LUKS2 encryption format.

Prerequisites

The block device has a file system.
Your data is backed up.
警告
You might lose your data during the encryption process due to a hardware, kernel, or human failure. Ensure that you have a reliable backup before you start encrypting the data.

Procedure

Unmount all file systems on the device, for example:
```
# umount /dev/<nvme0n1p1>
```
Replace <nvme0n1p1> with the device identifier corresponding to the partition you want to unmount.

Initialize the encryption:

# cryptsetup reencrypt --encrypt --init-only --header </home/header> /dev/<nvme0n1p1> <nvme_encrypted>

WARNING!
========
Header file does not exist, do you want to create it?

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for </home/header>:
Verify passphrase:
/dev/mapper/<nvme_encrypted> is now active and ready for online encryption.

Replace:

</home/header> with a path to the file with a detached LUKS header. The detached LUKS header has to be accessible to unlock the encrypted device later.
<nvme_encrypted> with the name of the device mapper that is created after encryption.

Mount the device:

# mount /dev/mapper/<nvme_encrypted> /mnt/<nvme_encrypted>

Add an entry for a persistent mapping to the /etc/crypttab file:
```
# <nvme_encrypted> /dev/disk/by-id/<nvme-partition-id> none header=</home/header>
```
Replace <nvme-partition-id> with the identifier of the NVMe partition.
Regenerate initramfs with dracut:
```
# dracut -f --regenerate-all -v
```
Add an entry for a persistent mounting to the /etc/fstab file:
1. Find the file system’s UUID of the active LUKS block device:
  $ blkid -p /dev/mapper/<nvme_encrypted> /dev/mapper/<nvme_encrypted>: UUID="37bc2492-d8fa-4969-9d9b-bb64d3685aa9" BLOCK_SIZE="4096" TYPE="xfs" USAGE="filesystem"
2. Open /etc/fstab in a text editor and add a device in this file, for example:
  $ vi /etc/fstab UUID=<file_system_UUID> /home auto rw,user,auto 0
  Replace <file_system_UUID> with your file system’s UUID.

Resume the online encryption:

# cryptsetup reencrypt --resume-only --header </home/header> /dev/<nvme0n1p1>

Enter passphrase for /dev/<nvme0n1p1>:
Auto-detected active dm device '<nvme_encrypted>' for data device /dev/<nvme0n1p1>.
Finished, time 00m51s,   10 GiB written, speed 198.2 MiB/s

Verification

Verify if the existing data on a block device using LUKS2 with a detached header is encrypted:

# cryptsetup luksDump </home/header>

LUKS header information
Version:       	2
Epoch:         	88
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	c4f5d274-f4c0-41e3-ac36-22a917ab0386
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 0 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]
[...]

View the status of the encrypted blank block device:

# cryptsetup status <nvme_encrypted> --header </home/header>

/dev/mapper/<nvme_encrypted> is active and is in use.
  type: LUKS2
  cipher: aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device: /dev/<nvme0n1p1>
  sector size: 512
  offset: 0 sectors
  size: 10485760 sectors
  mode: read/write

17.5. Encrypting existing data on a block device using LUKS2 with a detached header

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links