Creating a volume for pervasive encryption
With cryptsetup, you can conveniently set up volume encryption. It formats the volume and performs the necessary device mapper setup tasks.
Before you begin
As a prerequisite, you require free disk devices or partitions on disk devices that are configured to be persistently available to your Linux® instance.
About this task
Also, you must define a passphrase for each volume that you want to encrypt. This passphrase encrypts the LUKS volume encryption key (LVEK) and you can use it for all interactive setup actions on the encrypted volume. In the infrastructure for protected volume encryption, the LVEK is a secure key. Because secure keys are already encrypted by a master key, these passphrases are of limited relevance to security.
For automated opening of the encrypted volume during system startup, you can use a key file containing some random data that fulfills the same purpose as a passphrase.
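As an added example (not part of the IBM page), the following POSIX shell script creates a key file of random data with restrictive permissions, as described above for automated opening at startup, and, only when run as root with `cryptsetup` installed, adds that key file as an additional key slot of an already formatted LUKS volume. The device path `/dev/disk/by-id/EXAMPLE-DEVICE`, the mapping name `crypted_lv1` and the key-file path `/etc/luks-keys/lv1.key` are placeholders, and the `make_keyfile`, `keyfile_mode` and `add_keyfile_slot` function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Creates a random key file for
# automated opening of a LUKS volume and optionally registers it as a key slot.

# Write 64 random bytes to the given path with mode 0600 so that only root
# can read the key material. Returns non-zero if the file is not 64 bytes.
make_keyfile() {
  kf="$1"
  ( umask 077 && head -c 64 /dev/urandom > "$kf" ) || return 1
  chmod 600 "$kf" || return 1
  [ "$(wc -c < "$kf" | tr -d ' ')" -eq 64 ] || return 1
  return 0
}

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
keyfile_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Add the key file as an extra key slot. cryptsetup prompts for an existing
# passphrase of the volume. Only meaningful as root on a real LUKS device;
# returns 2 when cryptsetup is unavailable or the device does not exist.
add_keyfile_slot() {
  dev="$1"
  kf="$2"
  command -v cryptsetup >/dev/null 2>&1 || return 2
  [ -b "$dev" ] || return 2
  cryptsetup luksAddKey "$dev" "$kf"
}

# Stand-alone usage with placeholder paths (constructed, not from the page).
if [ "${1:-}" = "run" ]; then
  KEYFILE=/etc/luks-keys/lv1.key          # placeholder path
  DEVICE=/dev/disk/by-id/EXAMPLE-DEVICE   # placeholder device
  mkdir -p "$(dirname "$KEYFILE")" && chmod 700 "$(dirname "$KEYFILE")"
  make_keyfile "$KEYFILE" && echo "key file created: $KEYFILE (mode $(keyfile_mode "$KEYFILE"))"
  add_keyfile_slot "$DEVICE" "$KEYFILE" || echo "skipped luksAddKey (not root, no cryptsetup, or no device)"
  # For opening at boot, a matching /etc/crypttab line would be (placeholder values):
  #   crypted_lv1  /dev/disk/by-id/EXAMPLE-DEVICE  /etc/luks-keys/lv1.key  luks
fi
```

Because the key file is stored on the root file system in clear text, its value lies only in the mode 0600 permissions and in the fact that, for protected volume encryption, it merely wraps an LVEK that is itself a secure key; the check in `make_keyfile` fails if the file is not exactly 64 bytes, which catches a truncated read before the file is ever handed to `cryptsetup`.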
Procedure
Results
The result of this task is illustrated in Figure 1.
What to do next
- Create permissions for users to access data on the mounted file system.
- Now a user can start to read and write data on the mounted file system, which is transparently encrypted or decrypted.
For example, issue:
$ echo 'what is secret' > /crypted_lv1/mysecret
$ ls /crypted_lv1
$ cat /crypted_lv1/mysecret