Encrypt LVM Volumes with LUKS


Encrypting logical volumes is one of the best ways to secure data at rest. There are many methods of data encryption, but LUKS is the most efficient because it performs encryption while running at the kernel level. LUKS, or Linux Unified Key Setup, is the standard method for encrypting hard disks on Linux.

Generally, different partitions are created on a hard drive, and each partition must be encrypted using different keys. This way, you have to manage multiple keys for different partitions. LVM volumes encrypted with LUKS solve the problem of multiple-key management. First, the whole hard disk is encrypted with LUKS, and then this hard drive can be used as a physical volume. This guide demonstrates the encryption process with LUKS through the following steps:

  1. Installing the cryptsetup package
  2. Hard drive encryption with LUKS
  3. Creating encrypted logical volumes
  4. Changing the encryption passphrase

Installing cryptsetup Package

In order to encrypt the LVM volumes with LUKS, install the required packages as follows:

Now, load the kernel modules used to handle encryption.

Encrypt Hard Drive with LUKS

The first step in encrypting the volumes with LUKS is to identify the hard drive on which LVM is going to be created. Display all the hard disks on the system using the lsblk command.

Currently, there are three hard drives attached to the system: /dev/sda, /dev/sdb and /dev/sdc. For this tutorial, we will use the /dev/sdc hard drive to encrypt with LUKS. First, create a LUKS partition using the following command.

$ sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdc

It will ask for confirmation and a passphrase to create the LUKS partition. For now, you can enter a passphrase that is not very secure, as it will be used only for random data generation.

NOTE: Before applying the above command, make sure that there is no important data on the hard drive, as it will wipe the drive with no chance of data recovery.

After encrypting the hard drive, open and map it as crypt_sdc using the following command:

It will ask for the passphrase to open the encrypted hard drive. Use the passphrase set when encrypting the hard drive in the previous step:

List all the attached devices on the system using the lsblk command. The type of the mapped encrypted partition will appear as crypt instead of part.

After opening the LUKS partition, fill the mapped device with 0s using the following command:

This command will fill the entire hard drive with 0s. Use the hexdump command to read the hard drive:

Close and destroy the mapping of crypt_sdc using the following command:

Overwrite the hard drive header with random data using the dd command.

$ sudo dd if=/dev/urandom of=/dev/sdc bs=512 count=20480 status=progress

Now our hard drive is full of random data and is ready to be encrypted. Again, create a LUKS partition using the luksFormat method of the cryptsetup tool.

$ sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdc

This time, use a secure passphrase, as it will be used to unlock the hard drive.

Again, map the encrypted hard drive as crypt_sdc:

Creating Encrypted Logical Volumes

So far, we have encrypted the hard drive and mapped it as crypt_sdc on the system. Now, we will create logical volumes on the encrypted hard drive. First of all, use the encrypted hard drive as a physical volume.

While creating the physical volume, the target drive must be the mapped hard drive, i.e. /dev/mapper/crypt_sdc in this case.

List all the available physical volumes using the pvs command.

The newly created physical volume from the encrypted hard drive is named /dev/mapper/crypt_sdc:

Now, create the volume group vge01, which will span the physical volume created in the previous step.

List all the available volume groups on the system using the vgs command.

The volume group vge01 spans one physical volume, and the total size of the volume group is 30GB.

After creating the volume group vge01, create as many logical volumes as you want. Generally, four logical volumes are created for root, swap, home and data partitions. This tutorial only creates one logical volume for demonstration.

List all the existing logical volumes using the lvs command.

There is only one logical volume, lv00_main, which was created in the previous step with a size of 5GB.

Changing Encryption Passphrase

Rotating the passphrase of the encrypted hard drive is one of the best practices for securing the data. The passphrase of the encrypted hard drive can be changed using the luksChangeKey method of the cryptsetup tool.

While changing the passphrase of the encrypted hard drive, the target drive is the actual hard drive instead of the mapper drive. Before changing the passphrase, it will ask for the old passphrase.
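
The whole procedure above, collected into one script as an added example (not code from the original page). It is dry-run by default: it prints each command and executes them only when APPLY=1 is set and it is run as root. Assumptions not taken from the page: the cryptsetup and lvm2 packages are already installed, the kernel module is dm-crypt, the zero-fill uses bs=1M, and the luksOpen, luksClose, pvcreate, vgcreate and lvcreate invocations are the standard forms of those tools; the device, mapping, volume group and logical volume names follow the article.

```shell
#!/bin/sh
# Added example: dry-run by default; APPLY=1 (as root) executes the commands.
# DEV, MAP, VG, LV and LV_SIZE follow the article's names; verify DEV with lsblk.
DEV=${DEV:-/dev/sdc}; MAP=${MAP:-crypt_sdc}
VG=${VG:-vge01}; LV=${LV:-lv00_main}; LV_SIZE=${LV_SIZE:-5G}
FMT_OPTS="--hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase"

# Print the command; execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# luksFormat destroys existing data: stop if anything on the disk is mounted.
assert_unmounted() {
  if lsblk -nro MOUNTPOINT "$1" | grep -q .; then
    echo "refusing: $1 has mounted filesystems" >&2
    return 1
  fi
}

luks_lvm_setup() {
  if [ "${APPLY:-0}" = 1 ]; then assert_unmounted "$DEV" || return 1; fi
  run modprobe dm-crypt
  # Pass 1: throwaway passphrase; zeros written through the mapping reach
  # the disk as ciphertext, so free space looks like random data.
  run cryptsetup luksFormat $FMT_OPTS "$DEV"
  run cryptsetup luksOpen "$DEV" "$MAP"
  # dd ends with "No space left on device" once the mapping is full.
  run dd if=/dev/zero of="/dev/mapper/$MAP" bs=1M status=progress
  run cryptsetup luksClose "$MAP"
  # Overwrite the start of the raw disk (10 MiB, as in the article).
  run dd if=/dev/urandom of="$DEV" bs=512 count=20480 status=progress
  # Pass 2: the real container, with the strong passphrase.
  run cryptsetup luksFormat $FMT_OPTS "$DEV"
  run cryptsetup luksOpen "$DEV" "$MAP"
  # LVM goes on the mapped device, never on the raw disk.
  run pvcreate "/dev/mapper/$MAP"
  run vgcreate "$VG" "/dev/mapper/$MAP"
  run lvcreate -n "$LV" -L "$LV_SIZE" "$VG"
}

# Passphrase rotation targets the raw LUKS device, not the mapper.
rotate_passphrase() { run cryptsetup luksChangeKey "$DEV"; }

luks_lvm_setup
```

Review the printed plan first, then rerun with APPLY=1; pvs, vgs and lvs confirm the result afterwards.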


Data at rest can be secured by encrypting the logical volumes. Logical volumes provide the flexibility to extend the size of the volume without any downtime, and encrypting the logical volumes secures the stored data. This blog explains all the steps required to encrypt the hard drive with LUKS. Logical volumes can then be created on the hard drive and are automatically encrypted.
