Creating an Encrypted File System on IDrive Compute Volumes

Overview

This guide will help you create a file system in a disk encrypted with LUKS (Linux Unified Key Setup) on your IDrive Compute block storage volume.

When you attach an encrypted volume to an instance, the operating system of the instance must unlock (decrypt) it before any data on it can be read.

Install Cryptsetup

Cryptsetup is the utility used to manage LUKS volumes as well as other encrypted formats.

Follow the steps given below to install Cryptsetup on your distribution:

  1. Debian / Ubuntu
    sudo apt install cryptsetup
  2. CentOS/Fedora
    sudo yum install cryptsetup-luks
  3. openSUSE
    sudo zypper install cryptsetup

Note: On CentOS 8, the instance needs at least 2GB of memory to perform the steps below.

Create an encrypted disk

Create an encrypted disk on your volume using Cryptsetup.

Follow the steps given below to initialize an encrypted disk on your volume:

  1. Run the following commands on your instance:
    sudo cryptsetup -y -v luksFormat /dev/vdb

    Note: Make sure to replace /dev/vdb with the path of your volume. The -y option verifies the passphrase by asking for it twice, and -v prints more detailed messages.

    Next, you will be asked to confirm that the data on the volume will be overwritten. You will receive this warning:

    This will overwrite data on /dev/vdb irrevocably.
    Are you sure? (Type YES in uppercase): YES

    Type YES in uppercase and press ENTER.

    You will be prompted to create a passphrase for the encrypted disk. Create a strong passphrase and confirm it by typing it a second time.

    Note: The passphrase cannot be recovered, so make sure to store it safely.

    You will receive an output similar to this:

    Enter passphrase:
    Verify passphrase:
    Command successful.

    The passphrase can be changed with the cryptsetup luksChangeKey command. You can also add up to 8 additional passphrases per device with cryptsetup luksAddKey.

  2. Your disk is now created and encrypted. Next, open (decrypt) it and map it to a name for ease of reference.
    sudo cryptsetup luksOpen /dev/vdb volume-encrypted

    Note: You can replace volume-encrypted in the above sample with any name of your choice.

  3. Verify the details of the encrypted disk:
    sudo cryptsetup status volume-encrypted
    You will receive an output similar to this:

    /dev/mapper/volume-encrypted is active.
    type: LUKS1
    cipher: aes-xts-plain64
    keysize: 256 bits
    device: /dev/sdb
    offset: 4096 sectors
    size: 209711104 sectors
    mode: read/write

    An encrypted disk with passphrase protection has now been created.

  4. Next, create a file system on the disk so that the operating system can mount it and store files on it.

    Use the mkfs.xfs, mkfs.ext4 or mkfs.ext2 utility to create a file system on the mapped device:

    sudo mkfs.xfs /dev/mapper/volume-encrypted
  5. Create a mount point where the file system will be attached. An empty directory under /mnt is recommended, so you can use /mnt/encrypted:
    sudo mkdir /mnt/encrypted
    sudo mount /dev/mapper/volume-encrypted /mnt/encrypted

    Run df -h to check the available disk space on your instance. On successful creation, /dev/mapper/volume-encrypted appears in the list.

    You will receive an output similar to this:

    Filesystem Size Used Avail Use% Mounted on
    devtmpfs 472M 8.0K 472M 1% /dev
    tmpfs 490M 0 490M 0% /dev/shm
    tmpfs 490M 7.0M 483M 2% /run
    tmpfs 490M 0 36G 0% /sys/fs/cgroup
    /dev/vda1 40G 1.7G 490M 5% /
    tmpfs 98M 0 36G 0% /run/user/0
    /dev/mapper/volume-encrypted 1019M 34M 986M 4% /mnt/encrypted

    You can unmount the file system and lock the encrypted disk when you do not need to access the data on the volume:

    sudo umount /mnt/encrypted
    sudo cryptsetup luksClose volume-encrypted

    Run df -h to verify that the file system is no longer available.

    To make the data on the volume accessible again, follow the steps given above for opening the disk (cryptsetup luksOpen ...), creating a mount point, and mounting the file system.

Automatically mount the file system on boot

  1. Create a key file and add it as a passphrase. You can add up to 8 passphrases.

    The key is used to unlock the volume and mount it while the instance is booting.

    Create a key file at /root/.secure-key:

    sudo dd if=/dev/urandom of=/root/.secure-key bs=1024 count=4

    A 4 KB file with random contents will be created.

  2. Modify the permissions of the key file so that it is readable only by the root user.
    sudo chmod 0400 /root/.secure-key
  3. Add the key file as a passphrase for the encrypted disk.
    sudo cryptsetup luksAddKey /dev/vdb /root/.secure-key

    You will be prompted for an existing passphrase. Enter the passphrase that you set when you created and encrypted the disk.

  4. Open /etc/crypttab, the configuration file that defines the encrypted disks to set up when the system starts, with vi or the text editor of your choice.
    sudo vi /etc/crypttab

    Add the following line to the bottom of the file to map the volume at boot:

    ...
    volume-encrypted /dev/vdb /root/.secure-key luks

    Note: Each line in /etc/crypttab has the format device_name device_path key_path options.

  5. Save and close the file.
  6. Open /etc/fstab, the configuration file that defines the file systems to mount at boot, for editing.
    sudo vi /etc/fstab

    Add the following line to the bottom of the file to automatically mount the disk at boot.

    ...
    /dev/mapper/volume-encrypted /mnt/encrypted xfs defaults,nofail 0 0

    Note: The first three fields of a line in /etc/fstab are always device_path mount_point file_system_type. The nofail option ensures that the instance still boots if the volume or key is unavailable.

    See the fstab man page (man fstab) for a description of the other fields.

  7. Save and close the file.

    The encrypted file system will now automatically mount when the instance boots.
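As an added check that is not part of the original guide, the following POSIX sh functions verify that the boot-time configuration produced by the steps above is consistent: the key file has root-only permissions, /etc/crypttab maps the volume with that key, and /etc/fstab mounts the mapper device with nofail. The device, mapping name, mount point and key path are the ones used in this guide; pass other file paths to check copies instead of the live files.

```shell
#!/bin/sh
# Consistency checks for the crypttab/fstab/key-file setup described above.

# check_keyfile FILE: the key must be a regular file with no group or
# other permission bits (0400 as set in step 2; 0600 is also accepted).
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "keyfile $f missing"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keyfile $f has mode $mode, expected 0400"; return 1 ;;
    esac
}

# check_crypttab FILE NAME DEVICE KEYFILE: exactly one non-comment line
# must read "NAME DEVICE KEYFILE luks[,other-options]".
check_crypttab() {
    file=$1 name=$2 dev=$3 key=$4
    n=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null |
        awk -v n="$name" -v d="$dev" -v k="$key" \
            '$1==n && $2==d && $3==k && $4 ~ /(^|,)luks(,|$)/ {c++} END{print c+0}')
    [ "$n" -eq 1 ] || { echo "crypttab: expected 1 entry for $name, found $n"; return 1; }
}

# check_fstab FILE NAME MOUNTPOINT: the mapper device must be mounted at
# MOUNTPOINT with nofail, so a missing volume does not block booting.
check_fstab() {
    file=$1 name=$2 mnt=$3
    n=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null |
        awk -v d="/dev/mapper/$name" -v m="$mnt" \
            '$1==d && $2==m && $4 ~ /(^|,)nofail(,|$)/ {c++} END{print c+0}')
    [ "$n" -eq 1 ] || { echo "fstab: expected 1 nofail entry for $name at $mnt, found $n"; return 1; }
}

# check_boot_config [CRYPTTAB] [FSTAB] [KEYFILE]: run all three checks
# against the real files by default.
check_boot_config() {
    ct=${1:-/etc/crypttab} ft=${2:-/etc/fstab} key=${3:-/root/.secure-key}
    rc=0
    check_keyfile "$key" || rc=1
    check_crypttab "$ct" volume-encrypted /dev/vdb "$key" || rc=1
    check_fstab "$ft" volume-encrypted /mnt/encrypted || rc=1
    return $rc
}
```

Run `sudo sh -c '. ./check-luks-boot.sh && check_boot_config'` after step 7; a non-zero exit status with a message names the part that does not match.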