Skip to main content

Encryption with LUKS

· 5 min read
Cristian Dobra

In today's digital age, the security of data has become paramount. As we increasingly rely on digital devices for storing sensitive information—ranging from personal documents to financial records—protecting this data from unauthorized access is crucial. This is where LUKS encryption comes into play.

What is LUKS Encryption?

LUKS, which stands for Linux Unified Key Setup, is a standard for disk encryption. It is widely used on Linux systems to protect data at rest, meaning the data stored on a physical medium (like a hard drive or SSD). LUKS provides a robust and transparent way to encrypt entire block devices, ensuring that all data written to the disk is automatically encrypted.

Why Use LUKS Encryption?

Data Confidentiality: LUKS encryption ensures that the data on your disk is unreadable without the proper decryption key. This is particularly important for protecting sensitive information from unauthorized access, whether due to theft, loss, or unauthorized users attempting to access the data.

Physical Security:

In the event that a physical device is stolen, the data remains protected. Without the correct passphrase or key, the encrypted data appears as random, unreadable bytes, rendering it useless to anyone who doesn't have access.

Compliance with Regulations:

Many industries and organizations are required to adhere to strict data protection regulations, such as GDPR, HIPAA, or PCI-DSS. Implementing LUKS encryption helps ensure compliance with these regulations by safeguarding sensitive information and maintaining data privacy standards.

Protection Against Data Breaches:

Data breaches can have severe consequences, including financial loss, reputational damage, and legal repercussions. By encrypting data at rest, LUKS provides an additional layer of security that helps prevent unauthorized data access, even if a breach occurs.

Ease of Use:

Despite its powerful capabilities, LUKS is relatively easy to use. With tools like cryptsetup, setting up and managing LUKS encryption can be straightforward, making it accessible for both novice and experienced Linux users.

The Purpose of LUKS Encryption

The primary purpose of LUKS encryption is to protect data integrity and confidentiality. By encrypting the entire disk or specific partitions, LUKS ensures that:

  • Only authorized users can access the data: Decryption requires the correct passphrase or key, making unauthorized access significantly more difficult.
  • Data remains secure in various scenarios: Whether the device is lost, stolen, or improperly accessed, the encrypted data remains protected.
  • Users maintain control over their data: Encryption keys are managed by the user, ensuring that only they have the ability to decrypt and access the data.

In essence, LUKS encryption serves as a vital tool in the arsenal of data security practices. It provides a comprehensive, reliable, and efficient means of protecting sensitive information, ensuring that your data remains confidential and secure in an increasingly interconnected world.

Conclusion

Implementing LUKS encryption on your Linux systems is not just a technical decision; it's a crucial step towards safeguarding your data against a myriad of potential threats. Whether you're a business looking to protect client information or an individual concerned about personal privacy, LUKS encryption offers a robust solution for securing your digital assets.

By providing this context, you set the stage for your readers to understand why LUKS encryption is important before diving into the technical details of how to implement it using cryptsetup and other tools. This approach helps ensure that your audience appreciates the significance of the commands and procedures you describe later in your blog.

Example of how to use LUKS encryption

In below example we will guide you on how to encrypt a mounted disk on Rocky linux and how to release the unused space.

Assuming the virtual machine VM is created

On HOST server:

Add SCSI disk to VM. The disk must be qcow2 format

Create disk image:

qemu-img create -f qcow2 /VM/disks/fstrim.qcow2 2G

Check if format is qcow2

[root@myserver ]# qemu-img info fstrim.qcow2
image: fstrim.qcow2
file format: qcow2
virtual size: 2 GiB (21474836480 bytes)

Edit and add disk on virtual machine

virsh edit VM

Add below lines, after disk

<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' discard='unmap'/>
<source file='/VM/disks/fstrim.qcow2'/>
<target dev='vdb' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='2'/>
</disk>

On Virtual Machine

Install cryptsetup

yum -y install crytpsetup

Encrypt the disk with LUKS (it will format the disk and lose all the data):

cryptsetup luksFormat /dev/sdx

Open the disk to set up a filesystem

cryptsetup luksOpen --allow-discards  /dev/sdx mydisk

Format new encrypted disk

mkfs.xfs /dev/mapper/mydisk

Mount encrypted disk

mount /dev/mapper/mydisk /mnt/

Create files to test. Both on VM and HOST SERVER the space will increase with 1G.

dd if=/dev/random of=/mnt/1.img bs=1M count=1024

After deleting the 1G file in VM /mnt, the space on HOST will not decrease. To decrese it in VM must be run below command:

rm 1.img
fstrim -v /mnt

ON HOST SERVER - check the disk space:

BEFORE TRIM

[root@myserver ]# du -sh fstrim.qcow2
1.1G fstrim.qcow2

AFTER TRIM

[root@myserver ]# du -sh fstrim.qcow2
85M fstrim.qcow2

The trim can be done manually as discribed above with command 'fstrim -v /mnt' and automatically once per week: Enable / start the service fstrim.timer.

systemctl enable fstrim.timer
systemctl start fstrim.timer

After reboot, the file system will be mounted manually, because the password must be entered again for the encrypted disk.

cryptsetup luksOpen --allow-discards  /dev/sdx mydisk
mount /dev/mapper/mydisk /mnt/