How To Install LUKS on LVM
LUKS stands for Linux Unified Key Setup. It is the standard on-disk format for encrypted block devices on Linux. The encryption itself is done in the kernel by the dm-crypt device-mapper target; LUKS adds a header in front of the encrypted data which holds the cipher parameters and the key slots, and the userspace tool cryptsetup manages that header and sets up the dm-crypt mapping.
LUKS provides transparent disk and volume encryption. Once the device has been unlocked and mounted, files on it are read and written exactly as on an unencrypted disk; encryption and decryption happen in the kernel on every read and write.
It can be applied to a whole disk or partition, or to a file which serves as a container and which can then be attached and mounted on the system just like a disk drive.
It can also be used together with the disk management system LVM or Logical Volume Manager. LVM provides an easy way to add, remove and resize disk drive partitions without having to lose data. One of the biggest advantages of LVM is that you can carry out these operations without having to reboot.
LVM operates by creating a layer of abstraction between the operating system and the disks or existing disk partitions. You assign your drives to LVM, creating “volume groups” (VGs) and then create LVM partitions known as “logical volumes” (LVs) according to your requirements.
Another advantage of LVM is that the logical volumes you create can span more than one disk, something which isn’t possible with conventional hardware drive level partitioning.
LVM presents these logical volumes to the operating system in just the same way as conventional hard drives. It also gives you the option to create snapshots of your logical volumes without having to first unmount the disk.
LVM is included in many distributions as standard.
LUKS can be deployed with LVM in two different ways.
The first way is to encrypt the whole disk (or partition) with LUKS and then set up LVM inside the opened LUKS device. This is known as “LVM on LUKS”: one passphrase unlocks everything, and the LVM metadata is itself encrypted.
The second way, known as “LUKS on LVM”, is to set up LVM on the disk first and then put LUKS on selected logical volumes, leaving the others unencrypted.
This page describes the second method, ie LUKS on LVM.
We assume that LVM is already installed and configured and that the logical volume you wish to encrypt with LUKS is available for use.
For detailed instructions on installing and configuring disks with LVM and creating logical volumes, see the article “How To Install LVM”.
Installing LUKS on LVM
LUKS devices are managed with cryptsetup, which drives the kernel’s dm-crypt module. The cryptsetup package needs to be installed on your system if it is not already present.
On Debian/Ubuntu systems it can be installed with:
apt-get install cryptsetup
Next, format the logical volume as a LUKS container.
First, make sure the volume is unmounted and that nothing on it is still needed: luksFormat writes the LUKS header over the start of the device, and any data that was on it becomes unreadable.
cryptsetup luksFormat /dev/lvmvolgroup/PRIMARY_BACKUP
You will be prompted to confirm (the word YES in upper case) and then to set a passphrase for the volume encryption. Make sure you remember this passphrase: without it, or if the LUKS header at the start of the volume is damaged, the data cannot be recovered. It is worth taking a copy of the header straight away with cryptsetup luksHeaderBackup and keeping it somewhere safe; treat that copy like the passphrase, because it contains the key slots.
The paths /dev/lvmvolgroup/PRIMARY_BACKUP and /dev/mapper/lvmvolgroup-PRIMARY_BACKUP refer to the same logical volume; the transcript below uses the second form.
root@len:/media/kevin# cryptsetup luksFormat /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
WARNING: Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP already contains a 'ext4' superblock signature.
This will overwrite data on /dev/mapper/lvmvolgroup-PRIMARY_BACKUP irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/mapper/lvmvolgroup-PRIMARY_BACKUP:
How to Unlock LUKS Partition
Having formatted the logical volume as a LUKS container, let us unlock it. The last argument is the name you choose for the cleartext mapping, which then appears as /dev/mapper/PRIMARY_BACKUP:
root@len:/media/kevin# cryptsetup open /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:
Next you need to create a file system on the encrypted volume. This is done on the cleartext mapping /dev/mapper/PRIMARY_BACKUP which cryptsetup open has just created, not on the logical volume itself: running mkfs on /dev/mapper/lvmvolgroup-PRIMARY_BACKUP would overwrite the LUKS header you have just written. Here we are creating an ext4 file system.
root@yoga:/home/kevin# mkfs.ext4 /dev/mapper/PRIMARY_BACKUP
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 1302528 4k blocks and 325760 inodes
Filesystem UUID: 2ff2e594-86d2-4fa5-ab93-afa51ef3975e
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Then you can mount the volume:
mount -t ext4 /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP
After mounting, lsblk should show the layering like this (lsblk truncates the FSTYPE column, so LVM2_member appears as LVM2_mem and crypto_LUKS as crypto_L):
root@len:/home/kevin# lsblk -f /dev/sdb
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
└─sdb1 LVM2_mem bQlzkd-il4L-aZBq-wcOD-NTCA-Zwod-mwhm1J
├─lvmvolgroup-PRIMARY_MEDIA ext4 136f78a6-0aaf-47fc-9509-db182db94c41
├─lvmvolgroup-PRIMARY_ARCHIVE ext4 3ce12992-7189-4e6e-8088-b41201b88efc
└─lvmvolgroup-PRIMARY_BACKUP crypto_L efe57d86-a9a9-4279-8c21-33e5d11eb42d
└─PRIMARY_BACKUP ext4 413c3e6b-3cc1-4ed5-be6c-0d4518f740fb 139.1G 0% /home/kevi
Note that the PRIMARY_BACKUP device is ext4, whilst lvmvolgroup-PRIMARY_BACKUP is crypto_LUKS. That is the correct layering: the logical volume holds the LUKS container, and the opened mapping on top of it holds the file system.
Important: you have to open the container with cryptsetup BEFORE you can run mkfs.ext4, because the file system is created on the cleartext device /dev/mapper/PRIMARY_BACKUP, and that device only exists while the container is open. Nothing is mounted at that point; the mapping is known only to device-mapper, which cryptsetup set up for it.
luksOpen is the older name for the open command and does the same thing:
root@len:/home/kevin# cryptsetup luksOpen /dev/lvmvolgroup/PRIMARY_BACKUP PRIMARY_BACKUP
Enter passphrase for /dev/lvmvolgroup/PRIMARY_BACKUP:
mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP
(Mounting /dev/lvmvolgroup/PRIMARY_BACKUP itself would fail, since the logical volume contains a LUKS container rather than a file system.)
You can use cryptsetup -v status PRIMARY_BACKUP to see the status of the mapping: whether it is active, the cipher and key size in use, and the underlying device it sits on.
To take the volume out of use, unmount it with umount and then close the mapping this way:
cryptsetup luksClose PRIMARY_BACKUP
If you try to close before unmounting, you get this:
root@yoga:~# cryptsetup luksClose PRIMARY_BACKUP
Device PRIMARY_BACKUP is still in use.
So, first unmount, then close LUKS!
Checking the logical volume with blkid confirms that it holds a LUKS container:
root@len:/dev/mapper# blkid | grep PRIMARY_BACKUP
/dev/mapper/lvmvolgroup-PRIMARY_BACKUP: UUID="efe57d86-a9a9-4279-8c21-33e5d11eb42d" TYPE="crypto_LUKS"
How To Mount and Unmount LUKS Volumes
Note the order of operations. To mount, you open the container with cryptsetup and then mount the resulting mapping. To unmount, you do the reverse: umount first, then close the mapping with cryptsetup.
NOTE also that cryptsetup and mount are given different paths:
cryptsetup open is given the logical volume, /dev/mapper/lvmvolgroup-PRIMARY_BACKUP, which holds the LUKS container,
whereas the mount command uses /dev/mapper/PRIMARY_BACKUP, the cleartext mapping, i.e. NOT the logical volume designation. cryptsetup close takes only the mapping name.
cryptsetup open /dev/mapper/lvmvolgroup-PRIMARY_BACKUP PRIMARY_BACKUP
mount /dev/mapper/PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP
umount /media/kevin/PRIMARY_BACKUP
cryptsetup close PRIMARY_BACKUP
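The whole lifecycle above (format, header backup, open, mkfs on the mapping, mount, and the reverse order on the way out) collected into one small shell script. This is an added example and not part of the original page: the script name luks-lv.sh, the function names and the header backup file argument are assumptions, and the setup, mount and umount steps need root and a real logical volume. The one part that runs anywhere is the name derivation, which also covers a case the page does not show: LVM doubles every hyphen in a VG or LV name when it builds the /dev/mapper node, so the name cannot simply be pasted together.

```shell
#!/bin/sh
# luks-lv.sh: helper for the LUKS-on-LVM lifecycle described on this page.
# Added example, not part of the original page. Assumes cryptsetup, lvm2,
# e2fsprogs and util-linux are installed and that setup/mount/umount run as root.
set -eu

# LVM escapes every '-' in a VG or LV name as '--' when it names the
# /dev/mapper/<vg>-<lv> node (VG "vg-data", LV "backup" -> vg--data-backup).
# /dev/<vg>/<lv> is a symlink to the same device.
lv_mapper_path() {                  # lv_mapper_path VG LV
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# The cleartext device that "cryptsetup open" creates is named after the
# mapping, not after the logical volume: mkfs and mount must use this path.
opened_path() {                     # opened_path NAME
    printf '/dev/mapper/%s\n' "$1"
}

# One-time setup: LUKS container on the LV, header backup, file system inside.
luks_setup() {                      # luks_setup VG LV NAME HEADER_BACKUP_FILE
    dev=$(lv_mapper_path "$1" "$2"); name=$3; backup=$4
    if findmnt -n -S "$dev" >/dev/null; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    cryptsetup luksFormat --type luks2 "$dev"      # asks for YES and a passphrase
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    cryptsetup open "$dev" "$name"                 # asks for the passphrase
    mkfs.ext4 "$(opened_path "$name")"             # on the mapping, never on $dev
}

# Mount: open the container (creating /dev/mapper/NAME), then mount that mapping.
luks_mount() {                      # luks_mount VG LV NAME MOUNTPOINT
    dev=$(lv_mapper_path "$1" "$2"); name=$3; mnt=$4
    [ -e "$(opened_path "$name")" ] || cryptsetup open "$dev" "$name"
    mkdir -p "$mnt"
    mount -t ext4 "$(opened_path "$name")" "$mnt"
}

# Unmount: the reverse order. With "set -e" a failed umount stops the script,
# so the mapping is left open rather than hitting "Device NAME is still in use".
luks_umount() {                     # luks_umount NAME
    name=$1
    if findmnt -n -S "$(opened_path "$name")" >/dev/null; then
        umount "$(opened_path "$name")"
    fi
    cryptsetup close "$name"
}

usage() { echo "usage: $0 setup VG LV NAME BACKUPFILE | mount VG LV NAME DIR | umount NAME" >&2; exit 2; }

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        setup)  [ "$#" -eq 5 ] || usage; luks_setup "$2" "$3" "$4" "$5" ;;
        mount)  [ "$#" -eq 5 ] || usage; luks_mount "$2" "$3" "$4" "$5" ;;
        umount) [ "$#" -eq 2 ] || usage; luks_umount "$2" ;;
        *) usage ;;
    esac
fi
```

For the volume on this page the calls would be `luks-lv.sh setup lvmvolgroup PRIMARY_BACKUP PRIMARY_BACKUP /root/PRIMARY_BACKUP.luks-header`, then `luks-lv.sh mount lvmvolgroup PRIMARY_BACKUP PRIMARY_BACKUP /media/kevin/PRIMARY_BACKUP` and `luks-lv.sh umount PRIMARY_BACKUP`. The header backup file is as sensitive as the passphrase, since it contains the key slots.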
dmsetup lists every device-mapper device, the LVM logical volumes and the crypt mapping alike. The Open column is the number of holders of each device: a 1 means something still has it open, either a mounted file system or another mapping stacked on top. lvmvolgroup-PRIMARY_BACKUP shows 1 because the crypt mapping PRIMARY_BACKUP sits on it, while PRIMARY_BACKUP shows 0 because it is open but not yet mounted:
root@len:/home/kevin# dmsetup info -C
Name Maj Min Stat Open Targ Event UUID
lvmvolgroup-PRIMARY_BACKUP 253 2 L–w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAI1KzVECV1YHxyc2QlJMUnW1MMq12rBx7T
PRIMARY_BACKUP 253 3 L–w 0 1 0 CRYPT-LUKS2-6fbfecd4fa2c480bbf5ecd108c418680-PRIMARY_BACKUP
lvmvolgroup-PRIMARY_MEDIA 253 0 L–w 0 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAINq13O1AixaoG1l5VzuHpVFVmjZ11XkIF
lvmvolgroup-PRIMARY_ARCHIVE 253 1 L–w 1 1 0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAIgkipEkwcdtML6GLmeLXYjEhjlf36BjMZ
The same mappings appear as symlinks in /dev/mapper, pointing at the dm-N nodes with the minor numbers dmsetup listed above:
root@len:/home/kevin# ll /dev/mapper
drwxr-xr-x 2 root root 140 Aug 6 22:25 ./
drwxr-xr-x 23 root root 4920 Aug 6 22:25 ../
crw------- 1 root root 10, 236 Aug 6 2020 control
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_ARCHIVE -> ../dm-1
lrwxrwxrwx 1 root root 7 Aug 6 22:25 lvmvolgroup-PRIMARY_BACKUP -> ../dm-2
lrwxrwxrwx 1 root root 7 Aug 6 2020 lvmvolgroup-PRIMARY_MEDIA -> ../dm-0
lrwxrwxrwx 1 root root 7 Aug 6 22:25 PRIMARY_BACKUP -> ../dm-3
root@len:/home/kevin# cryptsetup close /dev/mapper/lvmvolgroup-PRIMARY_BACKUP
Device /dev/mapper/lvmvolgroup-PRIMARY_BACKUP is still in use.
This fails because cryptsetup close was given the logical volume instead of the name of the crypt mapping. The logical volume is held open by the crypt mapping stacked on it (Open 1 in the dmsetup listing), so device-mapper refuses to remove it. The correct command, after unmounting, is cryptsetup close PRIMARY_BACKUP.
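The Open column above is exactly the information needed to avoid the “still in use” error, so here is a small shell helper that reads a dmsetup info -C listing and refuses to close a mapping which something still holds. This is an added example, not from the original page: the function names are assumptions, safe_close needs root and live devices, and the embedded listing is a constructed sample copied from the dmsetup output above so that the check can be exercised without any LUKS device present.

```shell
#!/bin/sh
# Added example, not from the original page: decide from the device-mapper Open
# count whether a crypt mapping can be closed. The checks read "dmsetup info -C"
# output on stdin, so they work on a captured listing as well as on a live system.
set -eu

# Open count of one device-mapper device; prints it, fails if the name is absent.
# Columns in "dmsetup info -C": Name Maj Min Stat Open Targ Event UUID
dm_open_count() {                   # dmsetup info -C | dm_open_count NAME
    awk -v n="$1" '$1 == n { print $5; found = 1 } END { exit !found }'
}

# Succeeds only if the mapping exists and nothing holds it open (Open == 0).
# A mounted file system holds a crypt mapping open; a crypt mapping holds the LV
# beneath it open, which is why "cryptsetup close" on the LV path reports
# "still in use" even when nothing is mounted.
check_closable() {                  # dmsetup info -C | check_closable NAME
    count=$(dm_open_count "$1") || { echo "$1: no such device-mapper device" >&2; return 1; }
    if [ "$count" -ne 0 ]; then
        echo "$1: still in use (open count $count); unmount it first" >&2
        return 1
    fi
}

# Live use (root): refuse to close unless the mapping is idle.
safe_close() {                      # safe_close NAME
    dmsetup info -C | check_closable "$1" && cryptsetup close "$1"
}

# Constructed sample, copied from the dmsetup listing above: the crypt mapping
# PRIMARY_BACKUP is open but not mounted, and the LV beneath it is held by it.
SAMPLE_DMSETUP='Name                        Maj Min Stat Open Targ Event  UUID
lvmvolgroup-PRIMARY_BACKUP  253   2 L--w    1    1      0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAI1KzVECV1YHxyc2QlJMUnW1MMq12rBx7T
PRIMARY_BACKUP              253   3 L--w    0    1      0 CRYPT-LUKS2-6fbfecd4fa2c480bbf5ecd108c418680-PRIMARY_BACKUP
lvmvolgroup-PRIMARY_MEDIA   253   0 L--w    0    1      0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAINq13O1AixaoG1l5VzuHpVFVmjZ11XkIF
lvmvolgroup-PRIMARY_ARCHIVE 253   1 L--w    1    1      0 LVM-K2t1AvpcbTMrrsVLj8FywZHQPB5WQKAIgkipEkwcdtML6GLmeLXYjEhjlf36BjMZ'

# Run the check against the sample for a given name; exit status is the verdict.
demo_check() {                      # demo_check NAME
    printf '%s\n' "$SAMPLE_DMSETUP" | check_closable "$1"
}
```

Against the sample, `demo_check PRIMARY_BACKUP` succeeds (it may be closed), while `demo_check lvmvolgroup-PRIMARY_BACKUP` fails with an open count of 1, which is the situation in the transcript just above. On a live system, `safe_close PRIMARY_BACKUP` performs the same check on the real listing before calling cryptsetup close.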