• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

RHEL6 volume encryption using LUKS



Few days ago I was trying the LUKS (Linux Unified Key Setup) volume encryption on RHEL. It worked pretty well, until I [re]boot the system (to mount the encrypted volume automatically from /etc/fstab) and I was presented with the famous Give root password for maintenance (or type Control-D to continue): screen. I figured it out sorta hard way, so it's mainly for the future reference and for those who experience[d] the same problem.

I tried on a virtualized system but the same thing can be done with any file-system - sda/vda/LVM etc. So, if the target file-system is /dev/vda6, this is should be done to prepare and map the file-syatem:

cryptsetup luksFormat /dev/vda6
cryptsetup luksOpen /dev/vda6 cryptVL

at this point, "/dev/mapper/cryptVL" will be created. The next step is:

mkfs.ext4 /dev/mapper/cryptVL
mount /dev/mapper/cryptVL /mntVL

to format and mount the file-system. Just to mention that /cryptVL is the directory, where I mounted the newly built encrypted file-system and that should created beforehand (the normal "mount" thing).

Up to this point, it will work just fine but if you put an entry like this:

/dev/mapper/cryptVL /mntVL ext4 defaults 1 2

in the "/etc/fstab" to mount this on boot, you are finished. Because /dev/mapper/cryptVL is not a permanent mapping, hence it doesn't survive a reboot.

To make it happen: After adding the "/etc/fstab" entry (and of course before [re]booting), you need to put a line in the "/etc/crypttab" following this format:

< name _of_the_block_device > < path/to/the/actual/device > < password | none > [ list of options ]

So, if "/dev/mapper/cryptVL" is the name of the resulting encrypted block device and "/dev/vda6" is the path to the actual device, the entry should be:
cryptVL /dev/vda6 none

If the third field is "none" the system will ask for the LUKS password during boot. For the password less booting, you need to put the password in a file like this:

dd if=/dev/random of=/root/luks.key bs=32 count=1
cryptsetup luksAddKey /dev/sdb1 /root/luks.key
echo "cryptVL /dev/vda6 /root/luks.key" > /etc/crypttab

(The path and the name of the key file could be anything of your choice but should be matched in every entry)

After that, if everything goes well, you should be booting into your encrypted device.

The worst case scenario

If you happen to manage to paralyzed your system already, you will see the after entering the "root password", you still won't be able to modify "/etc/fstab", even though root has rw permission. the only way to fix this is to boot into "single user" mode. To that: press any key in the grub-menu screen > press "a" to append > add "single" at the end of the line > predss "b" to boot.

But that's not enough. After booting into the system, you have to issue this:
mount -w -o remount /
to actually remount the root file-system in read-write mode. Now you will be able to comment out/delete the line from the /etc/fstab and the system will boot normally.

Hope it helps. cheers!!!

Members online