How to Encrypt a Block Storage volume with LUKS on Ubuntu 18.04

Encrypting your Block Storage volume adds an extra layer of security to your most sensitive data and can help protect it even in the event of server or account level compromise. We’ll be using the standard LUKS (Linux Unified Key Setup) encryption specification in this article.

Install cryptsetup

Cryptsetup is the tool we will use to set up LUKS encryption. The package should already be installed, but if it is missing, this command will install it.

$ sudo apt install cryptsetup

Prepare your volume

This will destroy any data on the volume, so make sure you are using a fresh one or have backups you can restore from.

Find the volume name

$ lsblk
NAME     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda     202:0    0   20G  0 disk
├─xvda1  202:1    0 19.9G  0 part /
├─xvda14 202:14   0    4M  0 part
└─xvda15 202:15   0  106M  0 part
xvdb     202:16   0   75G  0 disk 

My Block Storage volume was assigned the name xvdb, which I’ll be using throughout this article. Make sure you use the correct name to avoid formatting the wrong volume.

Create a new GPT partition table

We are using gdisk to partition the volume. This can seem intimidating, but it is actually a very easy utility to use. Just use the help command “?” if you aren’t sure what to do next.

$ sudo gdisk /dev/xvdb
GPT fdisk (gdisk) version 1.0.3

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y

Create a new partition

Still in gdisk, we are creating a single partition that encompasses the entire volume.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-157286366, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-157286366, default = 157286366) or {+-}size{KMGTP}:
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300):
Changed type of partition to 'Linux filesystem'

Command (? for help): p
Disk /dev/xvdb: 157286400 sectors, 75.0 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): DBE6F693-6761-4356-BD24-0F0ACE48768E
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 157286366
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048       157286366   75.0 GiB    8300  Linux filesystem

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/xvdb.
The operation has completed successfully.

Verify the partition was created

Use the lsblk command to confirm that your new partition was created. Here we can see that partition xvdb1 was successfully created on volume xvdb, that the partition is the full size of the disk, and that it isn’t mounted yet:

$ lsblk
NAME     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda     202:0    0   20G  0 disk
├─xvda1  202:1    0 19.9G  0 part /
├─xvda14 202:14   0    4M  0 part
└─xvda15 202:15   0  106M  0 part
xvdb     202:16   0   75G  0 disk
└─xvdb1  202:17   0   75G  0 part 

Encrypt the partition

Perform the disk encryption using luksFormat, and enter a passphrase when prompted. Remember that recovering a lost passphrase is virtually impossible, so losing it is effectively the same as losing the data on the volume; store it carefully.

$ sudo cryptsetup luksFormat /dev/xvdb1

WARNING!
========
This will overwrite data on /dev/xvdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/xvdb1:
Verify passphrase: 

Open the encrypted device

Now that the disk is encrypted, use luksOpen to access the volume using the passphrase:

$ sudo cryptsetup luksOpen /dev/xvdb1 secure
Enter passphrase for /dev/xvdb1: 

List devices

The device should now be accessible and listed as available.

$ lsblk
NAME       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
xvda       202:0    0   20G  0 disk
├─xvda1    202:1    0 19.9G  0 part  /
├─xvda14   202:14   0    4M  0 part
└─xvda15   202:15   0  106M  0 part
xvdb       202:16   0   75G  0 disk
└─xvdb1    202:17   0   75G  0 part
  └─secure 253:0    0   75G  0 crypt

Create and mount a filesystem

With partitioning done and the encrypted volume created, you still need to create a filesystem on it so that Linux can use the space, and then mount the result so it appears as part of the server’s file system.

Create an ext4 filesystem

$ sudo mkfs.ext4 /dev/mapper/secure
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 19660027 4k blocks and 4915200 inodes
Filesystem UUID: 471ca710-4206-4834-98f7-d7795ee89981
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done   

Create the mount point

$ sudo mkdir /data

Mount the newly created filesystem

$ sudo mount /dev/mapper/secure /data

Verify the device now has a mount point

$ lsblk
NAME       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
xvda       202:0    0   20G  0 disk
├─xvda1    202:1    0 19.9G  0 part  /
├─xvda14   202:14   0    4M  0 part
└─xvda15   202:15   0  106M  0 part
xvdb       202:16   0   75G  0 disk
└─xvdb1    202:17   0   75G  0 part
  └─secure 253:0    0   75G  0 crypt /data

All set! You can now read and write the device just as you would a normal filesystem.

Close the device

Once you’re done, unmount and close the device so that the encryption actually protects it. You’ll need to reopen it with your passphrase before it can be used again.

Unmount the volume

Unmount the volume from the server with the following command:

$ sudo umount /dev/mapper/secure

Close the encrypted partition

Finally, use the luksClose command to effectively “re-lock” the encrypted drive, preventing access until such time as it is opened again using the passphrase:

$ sudo cryptsetup luksClose secure
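The whole procedure above, as an added example that is not part of the original article: a small POSIX shell script whose preflight_ok function reads lsblk output and refuses to touch a device that is not a whole, unmounted, unmapped disk (the "formatting the wrong volume" risk noted earlier), followed by the article's steps gated by that check. It assumes it runs as root, that sgdisk (from the gdisk package) is available as the non-interactive equivalent of the gdisk session, and it uses the article's xvdb / secure / /data names; the function names and sample lsblk tables are constructed here.

```sh
#!/bin/sh
# Added example, not from the original article. preflight_ok parses
#   lsblk -rno NAME,PKNAME,TYPE,MOUNTPOINT
# (raw mode: one space per column, empty columns empty) and refuses a target
# that is missing, not a whole disk, mounted anywhere in its tree, or carrying
# an open crypt/LVM mapping. encrypt_volume runs the article's steps behind
# that guard (as root; sgdisk comes with the gdisk package). Function names
# and the sample lsblk tables are constructed here.
preflight_ok() {              # preflight_ok NAME "<lsblk output>"; 0 = safe
    printf '%s\n' "$2" | awk -F'[ ]' -v d="$1" '
        { parent[$1] = $2; type[$1] = $3; mnt[$1] = $4 }
        END {
            if (!(d in type))      { print d ": no such device" > "/dev/stderr"; exit 1 }
            if (type[d] != "disk") { print d ": not a whole disk" > "/dev/stderr"; exit 1 }
            for (n in type) {
                p = n                            # follow PKNAME links upward
                while (p != d && parent[p] != "") p = parent[p]
                if (p != d) continue             # n is not under the target
                if (mnt[n] != "") { print n ": mounted at " mnt[n] > "/dev/stderr"; exit 1 }
                if (type[n] != "disk" && type[n] != "part")
                    { print n ": " type[n] " mapping still open" > "/dev/stderr"; exit 1 }
            }
        }'
}
encrypt_volume() {            # encrypt_volume xvdb secure /data
    dev=$1 name=$2 mountpoint=$3
    preflight_ok "$dev" "$(lsblk -rno NAME,PKNAME,TYPE,MOUNTPOINT)" || return 1
    sgdisk --zap-all "/dev/$dev"                         # gdisk: o
    sgdisk --new=1:0:0 --typecode=1:8300 "/dev/$dev"     # gdisk: n, w
    udevadm settle                                       # wait for /dev/xvdb1
    cryptsetup luksFormat --type luks2 "/dev/${dev}1"    # prompts for passphrase
    cryptsetup open "/dev/${dev}1" "$name"               # same as luksOpen
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mountpoint" && mount "/dev/mapper/$name" "$mountpoint"
}
close_volume() {              # close_volume secure
    umount "/dev/mapper/$1" && cryptsetup close "$1"     # same as luksClose
}
# Constructed lsblk snapshots matching the article's listings: a fresh
# volume, and the state after luksOpen mapped xvdb1 as "secure".
TABLE_FRESH='xvda  disk
xvda1 xvda part /
xvda14 xvda part
xvda15 xvda part
xvdb  disk'
TABLE_OPENED="$TABLE_FRESH
xvdb1 xvdb part
secure xvdb1 crypt"
```

Run `encrypt_volume xvdb secure /data` to perform the setup and `close_volume secure` to lock it again; preflight_ok can also be called on its own against live lsblk output before any manual gdisk session.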
