Volume encryption with cryptsetup plain mode

Setting up volume encryption using cryptsetup plain mode entails generating secure keys and creating logical volumes.

Before you begin

Make sure that the software prerequisites are met as described in Software prerequisites. Note that the plain mode also works with cryptsetup versions prior to 2.0.3.

Based on the sample system environment as shown in Figure 1, the procedure documented here uses the first partition on a multipath SCSI disk /dev/mapper/disk1.

About this task

It is of advantage to store the secure keys in the secure key repository as shown in this procedure. This enables you to also open archived volumes (for example, provided you have re-enciphered these keys with each master key change). For more information, refer to Managing a secure key repository.

Procedure

  1. Use the zkey utility to generate a secure AES DATA key in a secure key repository.
    Issue the following command using the XTS cipher mode:
    # zkey generate --name secure_xtskey1 --key-type CCA-AESDATA --keybits 256 --xts \
    --volumes /dev/mapper/disk1:enc-disk1 --volume-type PLAIN \
    --apqns 03.0039,04.0039 

    In the example, the generated secure key is of type AES DATA (--key-type CCA-AESDATA) and is stored in the secure key repository. Secure keys of types AES CIPHER and EP11 AES are also supported in plain mode.

    The key to be wrapped is generated by random inside the cryptographic coprocessor and is thus never exposed in clear.

    The --key-type

    You can have a secure key per volume or share a secure key among volumes. In the previous example, the secure key named secure_xtskey1 is associated with volume /dev/mapper/disk1 in plain mode and uses the device mapper name enc-disk1.

    Do not encrypt multiple volumes with the same key. If you nevertheless need to do this, specify the --volumes parameter with several volume:name pairs, as shown in this example:
    --volumes /dev/mapper/disk1:enc-disk1,/dev/mapper/disk2:enc-disk2,...  
    This associates all listed volumes with the same secure key.
    Note: You can also specify the --sector-size parameter with the plainOpen command. However, automatic opening of plain mode volumes during system startup might not work, depending on the systemd version in use. Ensure that systemd supports the sector size option in /etc/crypttab before you create plain-mode encrypted volumes with a sector size different from the default (512 bytes).
  2. Use zkey cryptsetup to generate the command for creating an encrypted logical volume in plain format.
    # zkey cryptsetup --volumes /dev/mapper/disk1
    cryptsetup plainOpen --key-file '/etc/zkey/repository/secure_xtskey1.skey' 
    --key-size 1024 --cipher paes-xts-plain64 /dev/mapper/disk1 enc-disk1
    In the generated cryptsetup command, plainOpen is used to open the volume and to assign a logical volume name to the opened volume. The new logical volume is created in /dev/mapper.
    The generated plainOpen command specifies:
    • The location and name of the secure key file.
    • The key size (in bits). For cipher mode XTS, the size of an AES DATA key is 128*8=1024.
    • The PAES cipher and its operation mode (in the example, XTS).
    • The name of the volume.
    • A name of your choice for the logical volume.
  3. Run the generated command.
    Either copy and paste the generated command into the command line, or use the --run option to execute it directly:
    # zkey cryptsetup --volumes /dev/mapper/disk1 --run
    Executing: cryptsetup plainOpen --key-file '/etc/zkey/repository/secure_xtskey1.skey' 
    --key-size 1024 --cipher paes-xts-plain64 /dev/mapper/disk1 enc-disk1

    You can check the result of this step with the command ls /dev/mapper/. Any I/O operation to or from /dev/mapper/enc-disk1 is then transparently encrypted or decrypted on its way to or from the underlying /dev/mapper/disk1 volume. From now on, do not write to /dev/mapper/disk1 directly; always use the opened volume /dev/mapper/enc-disk1.

  4. Open the volume during the system startup.
    Use the zkey crypttab command to generate an entry in /etc/crypttab to persistently configure an opening during system startup.
    # zkey crypttab --volumes /dev/mapper/disk1
    enc-disk1  /dev/mapper/disk1  /etc/zkey/repository/secure_xtskey1.skey  
                                  plain,cipher=paes-xts-plain64,size=1024,hash=plain 
    Copy the generated crypttab entry into file /etc/crypttab to configure unlocking during system startup. The generated output must be in one line. Each line describes an encrypted volume and assigns the secure key to be used for encryption and decryption of the volume:
    # /etc/crypttab
    #
    # See crypttab(5) for more information.
    #
    #
    # Target  Source device     Key file                                 Options
    enc-disk1 /dev/mapper/disk1 /etc/zkey/repository/secure_xtskey1.skey plain,cipher=paes-xts-plain64,
                                                                         size=1024,hash=plain
    The format of the /etc/crypttab file depends on your Linux™ distribution. See the crypttab man page for more details.
    Note: The /etc/crypttab file must not be located on an encrypted volume, because it is read before the volumes it describes are opened.
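    The following POSIX shell script is an added example and not part of the original page or of the zkey tooling. It shows the check a practitioner would want before copying the zkey crypttab output into /etc/crypttab: the entry printed in step 4 is wrapped over two lines for display but must be a single line in the file, so the script joins it, verifies that it has the four crypttab fields with the plain-mode PAES options, and appends it to a crypttab file given as a parameter (pass /etc/crypttab on a real system) only if that target is not already listed. The sample zkey output embedded in the script is a constructed copy of the entry shown in the procedure.

```shell
#!/bin/sh
# Added example (not from the original page): normalize a crypttab entry
# that "zkey crypttab" printed wrapped over two lines into the single line
# /etc/crypttab requires, and sanity-check its fields before it is appended.

# Constructed sample of the zkey crypttab output shown in step 4, including
# the line wrap and the trailing blanks as printed there.
SAMPLE_ZKEY_OUTPUT='enc-disk1  /dev/mapper/disk1  /etc/zkey/repository/secure_xtskey1.skey  
                                  plain,cipher=paes-xts-plain64,size=1024,hash=plain '

# join_crypttab_entry ENTRY: collapse line breaks, tabs and runs of blanks
# into single spaces so the entry becomes one line of four fields.
join_crypttab_entry() {
    joined=$(printf '%s\n' "$1" | tr '\n\t' '  ' | tr -s ' ' | sed 's/^ //; s/ $//')
    printf '%s\n' "$joined"
}

# check_crypttab_entry ENTRY: return 0 if the one-line entry has the shape
# expected for a zkey-generated plain-mode volume, 1 otherwise (reason on stderr).
check_crypttab_entry() {
    entry=$1
    set -- $entry
    if [ $# -ne 4 ]; then
        echo "expected 4 fields (target, source, key file, options), got $#" >&2
        return 1
    fi
    src=$2; keyfile=$3; options=$4
    case $src in
        /dev/*) ;;
        *) echo "source device '$src' is not a /dev path" >&2; return 1 ;;
    esac
    case $keyfile in
        *.skey) ;;
        *) echo "key file '$keyfile' is not a .skey secure key file" >&2; return 1 ;;
    esac
    # A plain-mode PAES entry must carry the plain type, a paes cipher,
    # an explicit key size and hash=plain, as generated by zkey crypttab.
    for want in plain cipher=paes- size= hash=plain; do
        case ",$options," in
            *",$want"*) ;;
            *) echo "options '$options' lack '$want'" >&2; return 1 ;;
        esac
    done
    return 0
}

# add_crypttab_entry FILE ENTRY: join and check ENTRY, then append it to FILE
# unless FILE already lists the same target name.
add_crypttab_entry() {
    file=$1
    entry=$(join_crypttab_entry "$2")
    check_crypttab_entry "$entry" || return 1
    target=${entry%% *}
    if [ -f "$file" ] && grep -q "^$target[[:space:]]" "$file"; then
        echo "target '$target' is already present in $file" >&2
        return 1
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Usage on a real system, after reviewing the output of zkey crypttab:
#   add_crypttab_entry /etc/crypttab "$(zkey crypttab --volumes /dev/mapper/disk1)"
```

    The check deliberately rejects entries whose key file does not end in .skey or whose options lack a paes cipher, because such an entry would make systemd try to open the volume with a clear key instead of the protected key from the repository.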

What to do next

Once you have opened an encrypted logical volume either with the cryptsetup command (step 2), or implicitly during system startup (step 4), you can use the opened volume /dev/mapper/enc-disk1 like any other block device. Typical next steps are:
  • If you want to manage your encrypted volumes using LVM, create LVM physical volumes and add them to an LVM volume group.
  • Create a file system on the encrypted logical volume.
  • Create a mount point and update /etc/fstab to later mount the file system on the encrypted logical volume or LVM logical volume.