Achieving full disk encryption with LUKS in RHEL

You can encrypt partitions on your RHEL server with Linux® Unified Key Setup-on-disk-format (LUKS), which is especially important for mobile computers and removable media. LUKS allows multiple user keys to decrypt a main key that is used for the bulk encryption of the partition. The following instructions apply to RHEL 6 or newer.

These steps assume that the server can access a new, unencrypted IBM Cloud® Block Storage for Classic volume that was not formatted or mounted. For more information about connecting Block Storage for Classic to a Linux® host, see Connecting to storage on Linux®.

All new Block Storage for Classic is automatically provisioned with provider-managed encryption-at-rest. For more information, see Securing Your Data - Provider-managed Encryption-At-Rest.

What LUKS does

  • LUKS encrypts entire block devices and is therefore suited for protecting the contents of mobile devices such as removable storage media or notebook disk drives.
  • The underlying contents of the encrypted block device are arbitrary, which makes LUKS useful for encrypting swap devices. It can also be useful with certain databases that use specially formatted block devices for data storage.
  • LUKS uses the existing device mapper kernel subsystem.
  • LUKS provides passphrase strengthening, which protects against dictionary attacks.
  • LUKS contains multiple key slots, so users can add backup keys or passphrases.

What LUKS doesn't do

  • LUKS does not allow applications that require many (more than eight) users to have distinct access keys to the same devices.
  • LUKS does not work with applications that require file-level encryption. For more information, see RHEL Security Guide.

Setting up a LUKS-encrypted volume with Endurance Block Storage for Classic

Data encryption adds CPU load on the host, which can affect performance.

  1. Type the following command at a shell prompt as root to install the required package:

    yum install cryptsetup-luks
    
  2. Get the disk ID:

    fdisk -l | grep /dev/mapper
    
  3. Locate your volume in the listing.

  4. Encrypt the block device.

    1. This command initializes the volume, and you can set a passphrase.

      cryptsetup -y -v luksFormat /dev/mapper/3600a0980383034685624466470446564
      
    2. Respond with YES (all uppercase letters).

    3. The device now appears as an encrypted volume:

      $ blkid | grep LUKS
      /dev/mapper/3600a0980383034685624466470446564: UUID="46301dd4-035a-4649-9d56-ec970ceebe01" TYPE="crypto_LUKS"
      
  5. Open the volume, and create a mapping.

    cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
    
  6. Enter the passphrase.

  7. Verify the mapping, and view the status of the encrypted volume.

    $ cryptsetup -v status cryptData
    /dev/mapper/cryptData is active.
      type:  LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/mapper/3600a0980383034685624466470446564
      offset:  4096 sectors
      size:    41938944 sectors
      mode:    read/write
      Command successful
    
  8. Write random data through the mapping to /dev/mapper/cryptData. Because the data passes through the cipher, the underlying device is filled with what looks like random data, which protects against disclosure of usage patterns. This step can take a while.

    shred -v -n1 /dev/mapper/cryptData
    
  9. Format the volume.

    mkfs.ext4 /dev/mapper/cryptData
    
  10. Mount the volume.

    mkdir /cryptData
    mount /dev/mapper/cryptData /cryptData
    df -H /cryptData

Unmounting and closing the encrypted volume securely

umount /cryptData
cryptsetup luksClose cryptData

Reopening and mounting an existing LUKS-encrypted partition

$ cryptsetup luksOpen /dev/mapper/3600a0980383034685624466470446564 cryptData
   Enter the passphrase that you set when you formatted the volume.
$ mount /dev/mapper/cryptData /cryptData
$ df -H /cryptData
$ lsblk
NAME                                       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
xvdb                                       202:16   0    2G  0 disk
└─xvdb1                                    202:17   0    2G  0 part  [SWAP]
xvda                                       202:0    0   25G  0 disk
├─xvda1                                    202:1    0  256M  0 part  /boot
└─xvda2                                    202:2    0 24.8G  0 part  /
sda                                          8:0    0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0) 253:0    0   20G  0 mpath
  └─cryptData (dm-1)                       253:1    0   20G  0 crypt /cryptData
sdb                                          8:16   0   20G  0 disk
└─3600a0980383034685624466470446564 (dm-0) 253:0    0   20G  0 mpath
  └─cryptData (dm-1)                       253:1    0   20G  0 crypt /cryptData
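The following script is an added example, not part of the IBM Cloud page: it wraps the open/mount and unmount/close steps above so that a mistyped device path is never mounted raw, and it checks the `cryptsetup status` output before mounting. The device path, mapping name `cryptData` and mount point `/cryptData` are assumptions taken from the page's example; the embedded status text is a constructed sample copied from the output shown earlier.

```shell
# Added example; not from the IBM Cloud page. Assumes the page's device path,
# the mapping name cryptData and the mount point /cryptData.
set -eu

# Read `cryptsetup status <name>` output on stdin and succeed only when the
# mapping is active, is LUKS1 or LUKS2, and uses a key of at least 256 bits.
luks_status_ok() {
  active=0; type=""; keysize=0
  while read -r key val rest; do
    case "$key" in
      /dev/mapper/*) case "$rest" in active*) active=1 ;; esac ;;
      type:)         type=$val ;;
      keysize:)      keysize=$val ;;
    esac
  done
  [ "$active" -eq 1 ] || return 1
  case "$type" in LUKS1|LUKS2) ;; *) return 1 ;; esac
  [ "$keysize" -ge 256 ]
}

# Open the LUKS device (prompting for the passphrase) unless it is already
# mapped, verify the mapping, then mount it. Refuses any device whose header
# is not crypto_LUKS, so a wrong path cannot be mounted or formatted by mistake.
# Usage (as root): open_and_mount /dev/mapper/<wwid> cryptData /cryptData
open_and_mount() {
  dev=$1; name=$2; mnt=$3
  [ "$(blkid -s TYPE -o value "$dev")" = "crypto_LUKS" ] ||
    { echo "$dev does not carry a LUKS header" >&2; return 1; }
  cryptsetup status "$name" >/dev/null 2>&1 || cryptsetup luksOpen "$dev" "$name"
  cryptsetup status "$name" | luks_status_ok ||
    { echo "mapping $name is not a healthy LUKS mapping" >&2; return 1; }
  mkdir -p "$mnt"
  mountpoint -q "$mnt" || mount "/dev/mapper/$name" "$mnt"
}

# Unmount and close, mirroring the "Unmounting and closing" section above.
close_volume() {
  name=$1; mnt=$2
  ! mountpoint -q "$mnt" || umount "$mnt"
  cryptsetup luksClose "$name"
}

# Constructed sample: the status output shown earlier on this page, used to
# exercise luks_status_ok without a real block device.
SAMPLE_STATUS='/dev/mapper/cryptData is active.
  type:  LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/3600a0980383034685624466470446564
  mode:    read/write'
```

`luks_status_ok` can be tried offline with `printf '%s\n' "$SAMPLE_STATUS" | luks_status_ok`; the other two functions need root and a real LUKS volume.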