
Encrypting volumes with LUKS

Last updated on 28 September 2022

For sensitive data storage in the cloud, I will usually provision a separate volume, encrypt it, and then mount the decrypted filesystem so it can be bind-mounted into containerised services as their data volume.

Creating and attaching a volume

I use Linode to host the vast majority of my services. In Linode, new volumes can be easily created and attached to an instance.

After a short while, the instance recognises the new device and exposes it through the OS.

Encrypting the volume

This note assumes your attached volume appears as /dev/sdc on your system. You can check this with lsblk.

This note also assumes you have cryptsetup installed. On Alpine Linux, you can install it with apk add cryptsetup.

Step 1: Format the whole device as a LUKS container (this wipes whatever is on it):

cryptsetup luksFormat /dev/sdc

Confirm and enter a passphrase when prompted.

Step 2: Open the container with your passphrase, naming the device-mapper target (here mydata):

cryptsetup luksOpen /dev/sdc mydata

Step 3: Now, create a new filesystem. E.g. for ext4:

mkfs.ext4 /dev/mapper/mydata

Step 4: Mount the new filesystem:

mkdir /data
mount /dev/mapper/mydata /data

Step 5: Create a key file and make it readable by root only:

echo "complex string" > /root/data-key
chmod 0400 /root/data-key

Step 6: Add the key to the LUKS setup:

cryptsetup luksAddKey /dev/sdc /root/data-key

Step 7: Get the UUIDs by running lsblk -f. It lists two: one for the LUKS container on /dev/sdc and one for the ext4 filesystem on /dev/mapper/mydata. You'll need both for the next steps.

Step 8: Set up the crypttab by editing /etc/crypttab and adding:

mydata    UUID=<LUKS UUID>    /root/data-key    luks

(where <LUKS UUID> is the UUID of the LUKS container from above).

This unlocks the volume at boot using the key file.

Step 9: Finally, add an entry for the decrypted filesystem in /etc/fstab:

UUID=<ext4 UUID>    /data    ext4    defaults    0    0

This auto-mounts the decrypted filesystem at /data on boot. For <ext4 UUID> use the UUID of the filesystem itself (the one shown under /dev/mapper/mydata), not the LUKS container's UUID.

Auto-decrypting on Alpine Linux

Alpine doesn't use a crypttab to manage decryption at boot time, so Step 8 does not apply there. Instead, add the following to /etc/conf.d/dmcrypt:

target=mydata
source='/dev/sdc'
key='/root/data-key'

And then enable the service at boot:

rc-update add dmcrypt boot
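Steps 5 to 9 and the Alpine variant above, as an added example (not code from the original note): a small set of POSIX sh helpers that generate a random key file which is never world-readable, validate the UUIDs copied from lsblk -f, and render the /etc/crypttab, /etc/fstab and /etc/conf.d/dmcrypt entries. The mapper name, device and the UUIDs in the demo are constructed placeholders; live_uuids assumes blkid from util-linux is installed.

```shell
#!/bin/sh
# Added example, not from the original note. Helpers for the LUKS setup above:
# generate a random key file that is never world-readable, validate the UUIDs
# copied from `lsblk -f`, and render the /etc/crypttab, /etc/fstab and Alpine
# /etc/conf.d/dmcrypt entries. Device names, mapper name and the UUIDs in the
# demo at the bottom are constructed placeholders.

# Create a 64-byte key from /dev/urandom. umask 077 applies before the file
# exists, so there is no window in which another user could read it. Refuses
# to overwrite an existing key (the old key may be the only one enrolled).
make_key_file() {
    path="$1"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key $path" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$path" bs=64 count=1 2>/dev/null ) || return 1
    chmod 0400 "$path"
}

# Permission string of a file as shown by ls -l, e.g. "-r--------".
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# True if the argument looks like the UUIDs blkid/lsblk print.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab entry: mapper name, UUID of the LUKS container, key file path.
crypttab_line() {
    is_uuid "$2" || { echo "bad LUKS UUID: $2" >&2; return 1; }
    printf '%s\tUUID=%s\t%s\tluks\n' "$1" "$2" "$3"
}

# fstab entry: UUID of the filesystem *inside* the mapper, mount point, fs type.
fstab_line() {
    is_uuid "$1" || { echo "bad filesystem UUID: $1" >&2; return 1; }
    printf 'UUID=%s\t%s\t%s\tdefaults\t0\t0\n' "$1" "$2" "$3"
}

# Alpine /etc/conf.d/dmcrypt stanza: mapper name, source device, key file path.
dmcrypt_conf() {
    printf "target=%s\nsource='%s'\nkey='%s'\n" "$1" "$2" "$3"
}

# Render all three configs. The common mistake is putting the LUKS container's
# UUID into fstab; the two UUIDs always differ, so refuse if they are the same.
# Arguments: name, source device, LUKS UUID, filesystem UUID, key file,
#            mount point, fs type.
render_boot_config() {
    if [ "$3" = "$4" ]; then
        echo "LUKS UUID and filesystem UUID are identical; fstab needs the UUID of /dev/mapper/$1" >&2
        return 1
    fi
    echo "# /etc/crypttab"
    crypttab_line "$1" "$3" "$5" || return 1
    echo "# /etc/fstab"
    fstab_line "$4" "$6" "$7" || return 1
    echo "# /etc/conf.d/dmcrypt (Alpine)"
    dmcrypt_conf "$1" "$2" "$5"
}

# Read both UUIDs from a live system (requires blkid from util-linux and an
# already opened mapper). Prints "<LUKS UUID> <filesystem UUID>".
live_uuids() {
    luks=$(blkid -s UUID -o value "$1") || return 1
    fs=$(blkid -s UUID -o value "/dev/mapper/$2") || return 1
    printf '%s %s\n' "$luks" "$fs"
}

# Demo with constructed UUIDs: run as `sh luks-config.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    render_boot_config mydata /dev/sdc \
        0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 \
        9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d \
        /root/data-key /data ext4
fi
```

On a real host, pipe the output of render_boot_config into the respective files only after checking it; the key file is written with umask 077 before it exists rather than chmod'ed afterwards, which closes the brief window that `echo ... > file; chmod 0400 file` leaves open under the default umask.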

Viewing properties

Run cryptsetup luksDump /dev/sdc to view the encryption properties. E.g.:

	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
