Creating an Encrypted File System on IDrive Compute Volumes


This guide will help you create a file system in a disk encrypted with LUKS (Linux Unified Key Setup) on your IDrive Compute block storage volume.

When you attach an encrypted volume to an instance, the operating system of your instance needs to decrypt it to read any data.

Install Cryptsetup

Cryptsetup is a utility which is used to manage LUKS volumes along with other encrypted formats.

Follow the steps given below to install Cryptsetup in the required distribution:

  1. Debian / Ubuntu
    sudo apt install cryptsetup
  2. CentOS/Fedora
    sudo yum install cryptsetup-luks
  3. openSUSE
    sudo zypper install cryptsetup

Note: In case of CentOS 8, a minimum memory of 2GB is required on the instance to perform the below-mentioned steps.

Create an encrypted disk

Create an encrypted disk on your volume using Cryptsetup.

Follow the steps given below to initialize an encrypted disk on your volume:

  1. Run the following commands on your instance:
    sudo cryptsetup -y -v luksFormat /dev/vdb

    Note: Make sure to replace /dev/vdb with the path of your volume. -y verifies the passphrase by asking for it twice and -v shows more detailed error messages.

    Next, you will be asked to confirm overwriting the data on the volume. Type YES in uppercase and press ENTER.

    You will receive this output warning:

    This will overwrite data on /dev/vdb irrevocably.
    Are you sure? (Type YES in uppercase): YES

    You will be prompted to create a passphrase for the encrypted disk. Create a strong passphrase and confirm by typing it a second time.

    Note: The passphrase cannot be recovered. So make sure to safely store it with you.

    You will receive an output similar to this:

    Enter passphrase:
    Verify passphrase:
    Command successful.

    The passphrase can be changed with the cryptsetup luksChangeKey command. Moreover, you are able to add up to 8 additional passphrases per device with cryptsetup luksAddKey.

  2. Now your disk is created and encrypted. You need to decrypt it and map to a label for ease of reference.
    sudo cryptsetup luksOpen /dev/vdb volume-encrypted

    Note: You can replace volume-encrypted in the above sample with any name of your choice.

  3. Verify and confirm the details of the encrypted disk.
    cryptsetup status volume-encrypted
    You will receive an output similar to this:

    /dev/mapper/volume-encrypted is active.
    type: LUKS1
    cipher: aes-xts-plain64
    keysize: 256 bits
    device: /dev/sdb
    offset: 4096 sectors
    size: 209711104 sectors
    mode: read/write

    An encrypted disk with passphrase protection will be created.

  4. Next, you will need to create a file system on the disk so that the operating system can use it to store files and mount it.

    Use mkfs.xfs, mkfs.ext4 or mkfs.ext2 utility to create a file system on the volume.

    sudo mkfs.xfs /dev/mapper/volume-encrypted
  5. Create a mount point where the file system will be attached. Since an empty directory in the /mnt directory is recommended, you can use /mnt/encrypted:
    	                				sudo mkdir /mnt/encrypted
    sudo mount /dev/mapper/volume-encrypted /mnt/encrypted

    Run $ df -h to check the available disk space of your instance.

    On successful creation, you will see /dev/mapper/volume-encrypted in the list.

    You will receive an output similar to this:

    Filesystem Size Used Avail Use% Mounted on
    devtmpfs 472M 8.0K 472M 1% /dev
    tmpfs 490M 0 490M 0% /dev/shm
    tmpfs 490M 7.0M 483M 2% /run
    tmpfs 490M 0 36G 0% /sys/fs/cgroup
    /dev/vda1 40G 1.7G 490M 5% /
    tmpfs 98M 0 36G 0% /run/user/0
    /dev/mapper/volume-encrypted 1019M 34M 986M 4% /mnt/encrypted

    You can unmount the file system and lock the encrypted disk when you do not need to access the data on the volume.

     sudo umount /mnt/encrypted
    sudo cryptsetup luksClose volume-encrypted

    Run $ df -h to verify that the file system is no longer available.

    To make the data on the volume accessible again, follow the steps given above for opening the disk (cryptsetup luksopen ...), creating a mount point, and mounting the file system.

Automatically mount the file system on boot

  1. Create a key and add it as a passphrase. You can add up to 8 passphrases.

    Use the key to configure the volume to be decrypted and mounted while the instance is booting.

    Create a key file at /root/.secure_key.

    sudo dd if=/dev/urandom of=/root/.secure-key  bs=1024 count=4

    A 4 KB file with random contents will be created.

  2. Modify the permissions of this key file to make it readable only by the root user.
    sudo chmod 0400 /root/.secure-key
  3. Add the key as a passphrase for the encrypted disk.
    cryptsetup luksAddKey /dev/vdb /root/.secure-key

    You will be prompted for a passphrase. You may enter the passphrase that you set while creating and encrypting the disk.

  4. Open /etc/crypttab, a configuration file that defines encrypted disks to set up when the system starts, with vi or a text editor that you use.
    sudo vi /etc/crypttab

    Add the following line to the bottom of the file to map the volume at boot:

    volume-encrypted /dev/vdb /root/.secure-key luks

    Note: The format of the lines in /etc/crypttab is device_name device_path key_path options.

  5. Save and close the file.
  6. Open /etc/fstab, a configuration file to automate mounting for editing.
    sudo vi /etc/fstab

    Add the following line to the bottom of the file to automatically mount the disk at boot.

    /dev/mapper/volume-encrypted /mnt/encrypted xfs defaults,nofail 0 0

    Note: The first three arguments of the lines in /etc/fstab will always be device_path mount_point file_system_type.

    Know about the other fields in fstab's man page (man fstab).

  7. Save and close the file.

    The encrypted file system will now automatically mount when the instance boots.