Encrypting volumes for sensitive data
To protect sensitive commercial or client data stored on your Instances, encryption is paramount. The repercussions of such data falling into unauthorized hands can be detrimental to your business. Encrypting the entire volume is the optimal strategy, alleviating concerns about individual folders. By using this method, all sensitive information can reside on an encrypted volume, fortified by an extra layer of security. This tutorial will walk you through the process of encrypting an additional volume using Cryptsetup with LUKS, a universally recognized on-disk format employed in various encryption tools.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- An Instance
- A Block Storage volume connected to the Instance
- sudo privileges or access to the root user
Installing Cryptsetup
- Connect to your Instance via SSH.
- Update the apt sources and the software already installed on the Instance:
    apt update && apt upgrade -y
- Install Cryptsetup on the Instance:
    apt install cryptsetup-bin
- Enter the command lsblk. This lists your volumes to help you determine which is the additional volume to encrypt:
    root@encrypted-disk:~# lsblk
    NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    vda     252:0    0 46.6G  0 disk
    |-vda1  252:1    0 46.5G  0 part /
    `-vda15 252:15   0  100M  0 part /boot/efi
    vdb     252:16   0 46.6G  0 disk
  In this example, vdb is not mounted and represents the additional volume of the Instance.
Encrypting the volume
- Encrypt the volume vdb with Cryptsetup:
    cryptsetup luksFormat /dev/vdb
  A warning appears, reminding you that all data on the volume will be lost:
    WARNING!
    ========
    This will overwrite data on /dev/vdb irrevocably.

    Are you sure? (Type uppercase yes):
- Type YES and press the Enter key to confirm you want to overwrite the data. A message appears, asking you to configure a passphrase. The passphrase is the key used to decrypt the data on the volume.
- Type your passphrase and press Enter. For increased security, your passphrase should be a long, random phrase. If required, you may use a passphrase generator. A message appears, asking you to verify your passphrase.
- Type your passphrase again to confirm it, then press Enter to encrypt the disk.
Your volume is now encrypted.
Mapping the encrypted volume
- Type the following command to create a mapping (crypthome) of the volume:
    cryptsetup luksOpen /dev/vdb crypthome
- Enter your passphrase when requested, and press the Enter key:
    Enter passphrase for /dev/vdb:
- Run the following command to verify the status of the encrypted volume:
    cryptsetup -v status crypthome
  An output similar to the following appears:
    /dev/mapper/crypthome is active.
      type:    LUKS1
      cipher:  aes-xts-plain64
      keysize: 256 bits
      key location: dm-crypt
      device:  /dev/vdb
      sector size:  512
      offset:  4096 sectors
      size:    97652154 sectors
      mode:    read/write
    Command successful.
Formatting the encrypted volume
Start by writing zeros to the encrypted volume. Because the zeros pass through the dm-crypt mapping, what lands on the underlying disk is ciphertext, so the whole volume appears as random data. This protects against disclosure of usage patterns, since an observer cannot tell which blocks hold data:
- Install pv (if not already installed) by running the following command:
    apt install pv
- Launch the following command to run dd:
    pv -tpreb /dev/zero | dd of=/dev/mapper/crypthome bs=128M
  Once finished, a message similar to the following displays. The "No space left on device" error is expected: it only means dd has filled the entire volume.
    dd: error writing '/dev/mapper/crypthome': No space left on device
    46.6GiB 0:05:29 [ 144MiB/s] [    <=>    ]
    56+64649 records in
    56+64648 records out
    49997902848 bytes (50 GB, 47 GiB) copied, 331.56 s, 151 MB/s
- Create a file system on the encrypted volume by running the following command:
    mkfs.ext4 /dev/mapper/crypthome
  An output similar to the following displays once the file system is created:
    mke2fs 1.44.1 (24-Mar-2018)
    Creating filesystem with 12206519 4k blocks and 3055616 inodes
    Filesystem UUID: 80b43994-affd-4687-b7d2-8cfa91303694
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
            4096000, 7962624, 11239424

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (65536 blocks): done
    Writing superblocks and filesystem accounting information: done
Mounting the encrypted volume
- Create a folder to mount the volume:
    mkdir /mnt/crypthome
- Mount the encrypted volume with the following command:
    mount /dev/mapper/crypthome /mnt/crypthome/
- Verify with lsblk that the volume is mounted:
    NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    vda         252:0    0 46.6G  0 disk
    |-vda1      252:1    0 46.5G  0 part  /
    `-vda15     252:15   0  100M  0 part  /boot/efi
    vdb         252:16   0 46.6G  0 disk
    `-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome
The encrypted volume is now mounted at /mnt/crypthome and you can transfer your sensitive data to the volume.
Unmounting the encrypted volume
- Unmount the volume from your Instance:
    umount /mnt/crypthome
- Close the LUKS session with Cryptsetup:
    cryptsetup luksClose crypthome
- Verify that the volume has been unmounted with lsblk:
    NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    vda     252:0    0 46.6G  0 disk
    |-vda1  252:1    0 46.5G  0 part /
    `-vda15 252:15   0  100M  0 part /boot/efi
    vdb     252:16   0 46.6G  0 disk
  As you can see, the crypt mapping line below vdb has disappeared, and vdb is listed as a plain disk again:
    `-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome
Remounting the encrypted volume
- Use Cryptsetup to open the LUKS session and enter the passphrase when prompted:
    cryptsetup luksOpen /dev/vdb crypthome
- Mount the volume in the Instance:
    mount /dev/mapper/crypthome /mnt/crypthome
- Verify that the volume appears with lsblk:
    NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    vda         252:0    0 46.6G  0 disk
    |-vda1      252:1    0 46.5G  0 part  /
    `-vda15     252:15   0  100M  0 part  /boot/efi
    vdb         252:16   0 46.6G  0 disk
    `-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome
  As you can see, the crypt mapping line has reappeared below vdb. This means your encrypted volume is mounted again and you can use it to store or access your sensitive data:
    `-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome
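The three lsblk checks above (mounted, unmounted, remounted) all come down to the same question: does a crypt line for crypthome appear below vdb, and does it carry a mount point? The shell script below is an added example, not part of the Scaleway tutorial. It turns that visual check into a function a script can call, and uses the answer to run only the luksOpen and mount steps that are still missing. The device, mapping name and mount point are the tutorial's; the sample lsblk outputs are constructed from the tables shown above.

```shell
#!/bin/sh
# Added example (not part of the Scaleway tutorial): work out whether a LUKS
# mapping is closed, open or mounted from the text output of lsblk, as shown
# in the tutorial, so that scripts can take only the steps still needed.
# Usage: lsblk | crypt_volume_state crypthome   -> prints closed|open|mounted

crypt_volume_state() {
    mapping="$1"
    awk -v name="$mapping" '
        # Default lsblk columns: NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT.
        # Tree prefixes ("|-", "`-") are glued to NAME, so match on the suffix
        # and require a non-name character (or line start) just before it.
        $6 == "crypt" && $1 ~ ("(^|[^A-Za-z0-9_.])" name "$") {
            found = 1
            if (NF >= 7 && $7 != "") mounted = 1
        }
        END {
            if (!found)       print "closed"
            else if (mounted) print "mounted"
            else              print "open"
        }'
}

# Open and/or mount only what is missing (needs root and a real volume; uses
# the device, mapping name and mount point from the tutorial). Not run below.
ensure_mounted() {
    case "$(lsblk | crypt_volume_state crypthome)" in
        closed)  cryptsetup luksOpen /dev/vdb crypthome &&
                 mount /dev/mapper/crypthome /mnt/crypthome ;;
        open)    mount /dev/mapper/crypthome /mnt/crypthome ;;
        mounted) echo "crypthome is already mounted" ;;
    esac
}

# Constructed lsblk outputs, modelled on the three states shown in the tutorial.
SAMPLE_CLOSED='NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda     252:0    0 46.6G  0 disk
|-vda1  252:1    0 46.5G  0 part /
`-vda15 252:15   0  100M  0 part /boot/efi
vdb     252:16   0 46.6G  0 disk'

SAMPLE_OPEN="$SAMPLE_CLOSED
\`-crypthome 253:0    0 46.6G  0 crypt"

SAMPLE_MOUNTED="$SAMPLE_CLOSED
\`-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome"

for sample in "$SAMPLE_CLOSED" "$SAMPLE_OPEN" "$SAMPLE_MOUNTED"; do
    printf '%s\n' "$sample" | crypt_volume_state crypthome
done
```

Feeding the three constructed tables through the function prints closed, open and mounted in turn; on a real Instance, ensure_mounted can be called from a boot or maintenance script without failing when the mapping is already open.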
Changing the LUKS passphrase
LUKS1, the format used in this tutorial, supports up to 8 passphrases (key slots 0 to 7) for each encrypted volume. You may wish to change the passphrase of your encrypted volume, which you can do as follows:
- Check if there is still space available by retrieving the LUKS headers:
    cryptsetup luksDump /dev/vdb
  The list of key slots displays:
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
  As you can see, 7 slots are available for the volume.
- Type the following command and enter any current passphrase:
    cryptsetup luksAddKey /dev/vdb
  When prompted, enter the new passphrase and its confirmation:
    Enter new passphrase for key slot:
    Verify passphrase:
- Verify that the new passphrase has been taken into account by retrieving the LUKS headers:
    cryptsetup luksDump /dev/vdb
  Scroll down to the list of key slots; the output should be similar to the following:
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
  As you can see, only 6 slots are available now, meaning that the new key has been configured.
- Remove the old passphrase with the following command:
    cryptsetup luksRemoveKey /dev/vdb
  Enter the passphrase to delete and confirm by pressing Enter. Before doing so, make sure the new passphrase actually unlocks the volume (for example by closing and reopening the mapping with it): a removed passphrase cannot be recovered, and a volume whose last working passphrase has been removed cannot be opened again.
- Verify that the key has been removed by retrieving the LUKS headers:
    cryptsetup luksDump /dev/vdb
  In the list of key slots, 7 slots are available again.
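A check worth running before the luksRemoveKey step: count how many key slots are actually in use and refuse the removal when only one is left, since that would leave the volume with no working passphrase. The shell script below is an added example, not part of the Scaleway tutorial. It parses the LUKS1 luksDump layout shown above; the LUKS2 branch and all sample dumps are constructed and assumed, not taken from the tutorial.

```shell
#!/bin/sh
# Added example (not part of the Scaleway tutorial): count the key slots in use
# from `cryptsetup luksDump` output and refuse a passphrase removal that would
# leave the volume with no working passphrase at all.
# Usage: cryptsetup luksDump /dev/vdb | count_enabled_slots

count_enabled_slots() {
    awk '
        # LUKS1 layout, as in the tutorial: one "Key Slot N: ENABLED|DISABLED"
        # line per slot.
        /^Key Slot [0-9]+: ENABLED/ { n++ }
        # LUKS2 layout (assumed default luksDump format, not shown in the
        # tutorial): a "Keyslots:" section listing only slots in use as
        # "  N: luks2", terminated by the next unindented section header.
        /^Keyslots:/                      { in_keyslots = 1; next }
        /^[A-Za-z]/                       { in_keyslots = 0 }
        in_keyslots && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }'
}

# Succeeds (exit 0) only if at least two slots are in use, i.e. removing one
# passphrase still leaves one that unlocks the volume. Reads luksDump on stdin.
removal_is_safe() {
    n=$(count_enabled_slots)
    [ "$n" -ge 2 ]
}

# Constructed LUKS1 dump excerpt modelled on the tutorial (slot 0 holds the
# original passphrase; real dumps carry more header fields and per-slot data).
SAMPLE_ONE_KEY='LUKS header information for /dev/vdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Same header after luksAddKey has filled slot 1 (constructed).
SAMPLE_TWO_KEYS=$(printf '%s\n' "$SAMPLE_ONE_KEY" | sed 's/^Key Slot 1: DISABLED/Key Slot 1: ENABLED/')

# Constructed LUKS2 dump excerpt (assumed layout) with two slots in use.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

printf '%s\n' "$SAMPLE_ONE_KEY" | count_enabled_slots   # 1
if printf '%s\n' "$SAMPLE_ONE_KEY" | removal_is_safe; then
    echo "safe to run cryptsetup luksRemoveKey"
else
    echo "refusing: only one passphrase is configured, add a new one first"
fi
```

On a real Instance the guard is used as `cryptsetup luksDump /dev/vdb | removal_is_safe && cryptsetup luksRemoveKey /dev/vdb`; with a single enabled slot it stops before the prompt, and after the luksAddKey step above it lets the removal proceed.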