ODA/KVM VM Encryption

This note describes the steps to set up storage-level encryption with LUKS on an application VM's data disk.

#1 Install the required packages on the VM

yum -y install cryptsetup

#2 Encrypt the partition, here /u01 on /dev/sdb1

cryptsetup -y -v luksFormat /dev/sdb1

#3 Check the result with lsblk

lsblk

#4 Open the encrypted volume, specify a partition name

cryptsetup -v luksOpen /dev/sdb1 sdb1-encrypt

#5 Format the partition

sudo mkfs.xfs /dev/mapper/sdb1-encrypt

#6 Update /etc/fstab to mount the new encrypted partition (the mapper name must be the one used in luksOpen)

/dev/mapper/sdb1-encrypt /u01 xfs defaults 1 2

#7 Create a key file to hold the key

mkdir -p /etc/luks-keys
dd if=/dev/urandom of=/etc/luks-keys/osckey bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.000188002 s, 21.8 MB/s

#8 Add the key file to the LUKS header as an additional key slot

cryptsetup -v luksAddKey /dev/sdb1 /etc/luks-keys/osckey
Enter any existing passphrase:
Key slot 0 unlocked.
Key slot 0 unlocked.
Command successful.

#9 Create the file /etc/crypttab with the following content; the UUID of the LUKS partition is shown by the blkid command

sdb1-encrypt UUID=602ace62-660c-4ee4-b31d-6c50e987018a /etc/luks-keys/osckey luks

#10 Reboot
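A consistency check for the crypttab, fstab and key file written in steps #6 to #9, added here as an example and not part of the original note: it confirms that every mapping in crypttab is mounted from the same /dev/mapper/ name in fstab (a mismatched name leaves /u01 unmounted after the reboot) and that the referenced key file exists with mode 0400. The file paths are parameters so the functions can be run against copies; the guarded call at the end reads the live /etc/crypttab and /etc/fstab on the VM.

```shell
#!/bin/sh
# Added example (not from the original note): verify that the crypttab and
# fstab entries created above agree with each other and that the LUKS key file
# is protected. The mapper name in column 1 of crypttab must be the same name
# that fstab mounts from /dev/mapper/, otherwise the mount fails at boot.

# Print the mapper names (column 1) of a crypttab file, ignoring comments.
crypttab_names() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Return 0 when every crypttab mapping is mounted from /dev/mapper/<name> in fstab.
check_mappings() {
    crypttab="$1"; fstab="$2"; rc=0
    for name in $(crypttab_names "$crypttab"); do
        if ! awk -v dev="/dev/mapper/$name" \
            '!/^[ \t]*(#|$)/ && $1 == dev { found = 1 } END { exit !found }' "$fstab"; then
            echo "crypttab mapping '$name' has no /dev/mapper/$name line in fstab" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when each key file named in crypttab (column 3, unless none or -) exists
# and is readable by its owner only (mode 0400); assumes GNU/busybox stat (Linux).
check_keyfile() {
    crypttab="$1"; rc=0
    for key in $(awk '!/^[ \t]*(#|$)/ && $3 != "none" && $3 != "-" { print $3 }' "$crypttab"); do
        if [ ! -f "$key" ]; then
            echo "key file $key is missing" >&2; rc=1; continue
        fi
        mode=$(stat -c %a "$key")
        if [ "$mode" != "400" ]; then
            echo "key file $key has mode $mode, expected 400" >&2; rc=1
        fi
    done
    return $rc
}

# When run on the VM itself (as root, so the key file is readable), check the live files.
if [ -r /etc/crypttab ] && [ -r /etc/fstab ]; then
    check_mappings /etc/crypttab /etc/fstab && check_keyfile /etc/crypttab \
        && echo "crypttab, fstab and key file are consistent"
fi
```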