Creating and accessing an encrypted partition

Setting up disk encryption entails generating secure keys and creating logical volumes.

Before you begin

You require free disk partitions that are configured to be persistently available to your Linux instance. Make sure that the pkey and paes_s390 modules are loaded into the kernel.

Based on the sample system environment as shown in Figure 1, the procedure documented here uses the first partition on a multipath SCSI disk: /dev/mapper/mpathb-part1

Procedure

  1. Use the zkey utility to generate a secure key in a file. For example, issue the following command for the recommended XTS cipher mode:
    # zkey generate /etc/secure_keys/xts-secure-key.sk --xts

    In the example, the generated secure key file is stored in the /etc/secure_keys/ directory.

    You can have a secure key per volume or share a secure key among volumes.

  2. Use the cryptsetup utility to create an encrypted logical volume. Use the plainOpen function to open (unlock) the partition and assign a logical volume name. This function creates a logical volume in /dev/mapper.
    When you access a partition, you need to specify:
    • The location and name of the secure key file.
    • The key size (in bits). For XTS, the key size is 1024.
    • The paes cipher and its operation mode (in the example, XTS).
    • The name of the partition.
    • A name of your choice for the logical volume.

    For example, if the name of the partition is mpathb-part1, and the assigned logical volume name is enc-data1, then you invoke the cryptsetup utility as follows:

    # cryptsetup plainOpen --key-file /etc/secure_keys/xts-secure-key.sk --key-size 1024 \
                           --cipher paes-xts-plain64 /dev/mapper/mpathb-part1 enc-data1

    You can check the result of this step with the command ls /dev/mapper/. Any I/O to /dev/mapper/enc-data1 is then transparently encrypted on the way to, and decrypted on the way from, the underlying /dev/mapper/mpathb-part1 partition. From this point on, do not write to the underlying partition directly.

  3. Unlock the volume during the boot process. Create an entry in /etc/crypttab to persistently configure unlocking at boot time. Each line describes one encrypted volume and assigns the secure key to be used for encrypting and decrypting that partition:
    # /etc/crypttab
    #
    # See crypttab(5) for more information.
    #
    # Target    Source device              Key file                            Options
    enc-data1   /dev/mapper/mpathb-part1   /etc/secure_keys/xts-secure-key.sk  cipher=paes-xts-plain64,size=1024,hash=plain
    The format of the /etc/crypttab file depends on your Linux distribution. See the crypttab man page for more details.
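    The plainOpen command in step 2 and the crypttab entry in step 3 must carry the same key file, cipher and key size, and cryptsetup reads exactly key-size/8 bytes from the key file. The following POSIX shell helper is an added example, not part of the IBM documentation or the zkey/cryptsetup tools: it derives both the command and the crypttab line from one set of parameters and checks the key file's size and permissions first. It assumes GNU stat (Linux) and that the key file is readable only by root.

```shell
#!/bin/sh
# Added example: keep cryptsetup plainOpen and /etc/crypttab consistent.

# check_key_file KEYFILE KEY_SIZE_BITS
# Succeeds only if the file exists, is owner-readable only (mode 600 or 400)
# and holds exactly KEY_SIZE_BITS/8 bytes, which is what cryptsetup reads.
check_key_file() {
  keyfile=$1; bits=$2
  [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
  mode=$(stat -c %a "$keyfile")          # assumption: GNU stat on Linux
  case "$mode" in
    600|400) ;;
    *) echo "key file $keyfile has mode $mode, expected 600" >&2; return 1 ;;
  esac
  size=$(stat -c %s "$keyfile")
  [ "$((size * 8))" -eq "$bits" ] || {
    echo "key file holds $size bytes, but --key-size $bits needs $((bits / 8))" >&2
    return 1
  }
  return 0
}

# crypttab_line NAME DEVICE KEYFILE CIPHER KEY_SIZE_BITS
# Prints the /etc/crypttab entry for a plain-mode paes volume.
crypttab_line() {
  printf '%s %s %s cipher=%s,size=%s,hash=plain\n' "$1" "$2" "$3" "$4" "$5"
}

# plain_open_cmd NAME DEVICE KEYFILE CIPHER KEY_SIZE_BITS
# Prints the matching cryptsetup plainOpen command (does not run it).
plain_open_cmd() {
  printf 'cryptsetup plainOpen --key-file %s --key-size %s --cipher %s %s %s\n' \
    "$3" "$5" "$4" "$2" "$1"
}

# open_volume NAME DEVICE KEYFILE CIPHER KEY_SIZE_BITS
# Validates the key file, then opens the volume (needs root and the paes modules).
open_volume() {
  check_key_file "$3" "$5" || return 1
  cryptsetup plainOpen --key-file "$3" --key-size "$5" --cipher "$4" "$2" "$1"
}
```

Usage: open_volume enc-data1 /dev/mapper/mpathb-part1 /etc/secure_keys/xts-secure-key.sk paes-xts-plain64 1024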

What to do next

Once you have opened an encrypted logical volume either with the cryptsetup utility (step 2), or implicitly during the boot process (step 3), you can use this volume like any other block device. Typical next steps are:
  • If you want to manage your encrypted disks using LVM, create LVM physical volumes and add them to an LVM volume group.
  • Create a file system on the encrypted logical volume.
  • Create a mount point and update /etc/fstab to later mount the file system on the encrypted logical volume or LVM logical volume.