Setting up disk encryption entails generating secure keys and creating logical volumes.
Before you begin
You require free disk partitions that are configured to be persistently available to your Linux instance. Make sure that the pkey and paes_s390 modules are loaded into the kernel.
Based on the sample system environment as shown in Figure 1, the procedure documented here uses the first partition on a multipath SCSI disk: /dev/mapper/mpathb-part1
Procedure
1. Use the zkey utility to generate a secure key in a file. For example, issue the following command for the recommended XTS cipher mode:
# zkey generate /etc/secure_keys/xts-secure-key.sk --xts
In the example, the generated secure key file is stored in the /etc/secure_keys/ directory. You can have a secure key per volume or share a secure key among volumes.
2. Use the cryptsetup utility to create an encrypted logical volume. Use the plainOpen function to open (unlock) the partition and assign a logical volume name. This function creates a logical volume in /dev/mapper.
When you open a partition, you need to specify:
- The location and name of the secure key file.
- The key size (in bits). For XTS, the key size is 1024.
- The paes cipher and its operation mode (in the example, XTS).
- The name of the partition.
- A name of your choice for the logical volume.
For example, if the name of the partition is mpathb-part1, and the assigned logical volume name is enc-data1, then you invoke the cryptsetup utility as follows:
# cryptsetup plainOpen --key-file /etc/secure_keys/xts-secure-key.sk --key-size 1024 \
--cipher paes-xts-plain64 /dev/mapper/mpathb-part1 enc-data1
You can check the result of this step with the command ls /dev/mapper/. Any I/O operation to or from /dev/mapper/enc-data1 is then transparently encrypted or decrypted onto the /dev/mapper/mpathb-part1 partition. From now on, do not write to the /dev/mapper/mpathb-part1 partition directly; access the data only through /dev/mapper/enc-data1.
3. Unlock the volume during the boot process. Create an entry in /etc/crypttab to persistently configure unlocking at boot time. Each line describes an encrypted volume and assigns the secure key to be used for encryption and decryption of the partition:
# /etc/crypttab
#
# See crypttab(5) for more information.
#
# Target    Source device             Key file                                Options
enc-data1 /dev/mapper/mpathb-part1 /etc/secure_keys/xts-secure-key.sk cipher=paes-xts-plain64,size=1024,hash=plain
The format of the /etc/crypttab file depends on your Linux distribution. See the crypttab man page for more details.
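A consistency check for crypttab entries of this kind, added here as an example and not part of the documented procedure: it parses an entry in the four-field layout shown above and rejects a key size that does not match the paes mode, or a non-paes cipher paired with a secure key file (which would feed the opaque secure-key blob to dm-crypt as a clear key). The rule that non-XTS paes modes need size=512 is an assumption; the XTS rule (size=1024) is the one the page states.

```shell
#!/bin/sh
# Check that a /etc/crypttab entry for a paes (protected-key) volume is
# self-consistent before relying on it at boot. Fields follow crypttab(5):
#   target  source-device  key-file  options   (options comma separated)
# Assumption: paes-xts-* needs size=1024 (two secure keys, as the page
# states); any other paes mode is assumed to need size=512 (one secure key).
check_crypttab_entry() {
    set -- $1                       # split the entry on whitespace
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    target=$1 source=$2 keyfile=$3 options=$4
    case $source in
        /dev/*) ;;
        *) echo "$target: source must be a device path, got $source" >&2; return 1 ;;
    esac
    case $keyfile in
        /*) ;;
        *) echo "$target: key file must be an absolute path, got $keyfile" >&2; return 1 ;;
    esac
    cipher="" size="" hash=""
    oldifs=$IFS; IFS=,
    for opt in $options; do
        case $opt in
            cipher=*) cipher=${opt#cipher=} ;;
            size=*)   size=${opt#size=} ;;
            hash=*)   hash=${opt#hash=} ;;
        esac
    done
    IFS=$oldifs
    # A secure key is only meaningful with a paes cipher; a plain aes-* cipher
    # would use the secure-key blob itself as the clear key.
    case $cipher in
        paes-xts-*) want=1024 ;;
        paes-*)     want=512 ;;     # assumption: single secure key for non-XTS
        *) echo "$target: cipher must be a paes mode, got '$cipher'" >&2; return 1 ;;
    esac
    [ "$size" = "$want" ] || { echo "$target: $cipher needs size=$want, got size='$size'" >&2; return 1; }
    # hash=plain means "use the key file bytes as-is", as in the page's example.
    [ "$hash" = "plain" ] || { echo "$target: expected hash=plain, got hash='$hash'" >&2; return 1; }
    echo "ok: $target -> $source ($cipher, $size-bit secure key $keyfile)"
}

# Constructed sample entries: the page's own entry plus two mistakes.
GOOD_ENTRY="enc-data1 /dev/mapper/mpathb-part1 /etc/secure_keys/xts-secure-key.sk cipher=paes-xts-plain64,size=1024,hash=plain"
BAD_SIZE_ENTRY="enc-data2 /dev/mapper/mpathb-part2 /etc/secure_keys/xts-secure-key.sk cipher=paes-xts-plain64,size=512,hash=plain"
BAD_CIPHER_ENTRY="enc-data3 /dev/mapper/mpathb-part3 /etc/secure_keys/xts-secure-key.sk cipher=aes-xts-plain64,size=1024,hash=plain"

for entry in "$GOOD_ENTRY" "$BAD_SIZE_ENTRY" "$BAD_CIPHER_ENTRY"; do
    check_crypttab_entry "$entry" || echo "rejected: ${entry%% *}"
done
```

Run it against the real file with `while read -r e; do check_crypttab_entry "$e"; done < /etc/crypttab` after filtering out comment lines.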
What to do next
Once you have opened an encrypted logical volume either with the cryptsetup utility (step 2), or implicitly during the boot process (step 3), you can use this volume like any other block device. Typical next steps are:
- If you want to manage your encrypted disks using LVM, create LVM physical volumes and add them to an LVM volume group.
- Create a file system on the encrypted logical volume.
- Create a mount point and update /etc/fstab to later mount the file system on the encrypted logical volume or LVM logical volume.