This note describes the steps to implement storage-level encryption on an application VM with LUKS, as documented in this note.
#1 Install the required packages on the VM
yum -y install cryptsetup
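#2 Encrypt the partition, here /u01 on /dev/sdb1. luksFormat overwrites the partition and destroys any data already on it, so back up anything you need and make sure /u01 is not mounted first.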
cryptsetup -y -v luksFormat /dev/sdb1
#3 Use lsblk to confirm the device and partition names
#4 Open the encrypted volume, specify a partition name
cryptsetup -v luksOpen /dev/sdb1 sdb1-encrypt
#5 Format the partition
sudo mkfs.xfs /dev/mapper/sdb1-encrypt
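#6 Update /etc/fstab to mount the encrypted partition. The mapper name must be the same one given to luksOpen and used in /etc/crypttab; this note shows both sdb1 and vdb1 in its examples, so substitute your actual device name consistently.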
/dev/mapper/vdb1-encrypt /u01 xfs defaults 1 2
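#6 Create a key file to store the key. Restrict it to root (for example chmod 700 /etc/luks-keys and chmod 400 /etc/luks-keys/osckey). If the system disk holding the key file is not itself encrypted, anyone who can read that disk can unlock the volume, so this setup mainly protects the data disk when it is separated from the system disk.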
mkdir -p /etc/luks-keys
dd if=/dev/urandom of=/etc/luks-keys/osckey bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.000188002 s, 21.8 MB/s
#7 Add the key file to a LUKS key slot on the encrypted partition
cryptsetup -v luksAddKey /dev/vdb1 /etc/luks-keys/osckey
Enter any existing passphrase:
Key slot 0 unlocked.
Key slot 0 unlocked.
Command successful.
#8 Create the file /etc/crypttab with the following content. The UUID is that of the underlying LUKS partition (not of the /dev/mapper device) and can be found with the blkid command.
vdb1-encrypt UUID=602ace62-660c-4ee4-b31d-6c50e987018a /etc/luks-keys/osckey luks
#9 Reboot