Hometutorials
encrypt volumes
Jump toUpdate content

Encrypting volumes for sensitive data

Reviewed on 14 March 2023Published on 04 February 2019
  • compute
  • encrypting
  • volumes
  • sensible-data

Encrypted volumes overview

To ensure the safety of sensitive commercial or client information stored on your Instances, it’s crucial to encrypt the data. The consequences of this information falling into the wrong hands could severely harm your business. The best approach is to encrypt the entire volume, eliminating the need to worry about individual folders. This way, you can store all your sensitive information on the encrypted volume, ensuring it’s protected by a layer of encryption. This tutorial will guide you on how to use Cryptsetup to encrypt an additional volume with LUKS, a platform-independent standard on-disk format used in various tools.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

Installing Cryptsetup

  1. Connect to your Instance via SSH
  2. Update the apt sources and the software already installed on the Instance:
    apt update && apt upgrade -y
  3. Install Cryptsetup on the Instance:
    apt install cryptsetup-bin
  4. Enter the command lsblk. This lists your volumes to help you to determine which is the additional volume to encrypt:
    root@encrypted-disk:~# lsblk
    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda 252:0 0 46.6G 0 disk
    |-vda1 252:1 0 46.5G 0 part /
    `-vda15 252:15 0 100M 0 part /boot/efi
    vdb 252:16 0 46.6G 0 disk

In this example the space of vdb is not mounted and represents the additional volume of the Instance.

Note:

The name of your additional volume may be different, eg sda or other, depending on the Instance type and OS. Replace with the name corresponding to your volume where necessary.

Encrypting the volume

  1. Encrypt the volume vdb with Cryptsetup:

    cryptsetup luksFormat /dev/vdb
    Tip:

    On low memory Instances your may run into out of memory (OOM) errors when running cryptsetup luks{Format,Open} commands on large volumes. To avoid them, add --pbkdf pbkdf2 to your command:

    cryptsetup luksFormat --pbkdf pbkdf2 /dev/vdb

    A warning appears, reminding you that all data on the volume will be lost.

    WARNING!
    ========
    This will overwrite data on /dev/vdb irrevocably.
    Are you sure? (Type uppercase yes):
  2. Type YES and press the Enter key, to confirm you want to overwrite the data.

    Important:

    Make sure you have a backup of your data on this volume before you launch Cryptsetup. Your data will be irrevocably overwritten and lost.

    A message appears, asking you to configure a passphrase. A passphrase is the key to decrypt the data on the volume.

  3. Type your passphrase and press Enter. For increased security, your passphrase should be a secure and random phrase. If required, you may use a Passphrase generator.

    A message appears, asking you to verify your passphrase.

  4. Type your passphrase again to confirm it, then press Enter on your keyboard to encrypt the disk.

    Important:

    If you forget your passphrase, you will not be able to recover your data. Make sure that you store your password securely.

Your volume is now encrypted.

Mapping the encrypted volume

  1. Type the following command to create a mapping (crypthome) of the volume:

    cryptsetup luksOpen /dev/vdb crypthome
  2. Enter your passphrase when requested, and press the Enter key on your keyboard:

    Enter passphrase for /dev/vdb:
  3. Run the following command to verify the status of the encrypted volume:

    cryptsetup -v status crypthome

    An output similar to the following appears:

    /dev/mapper/crypthome is active.
    type: LUKS1
    cipher: aes-xts-plain64
    keysize: 256 bits
    key location: dm-crypt
    device: /dev/vdb
    sector size: 512
    offset: 4096 sectors
    size: 97652154 sectors
    mode: read/write
    Command successful.

Formatting the encrypted volume

Start by writing zeros to the encrypted volume. This allocates zeros to block data, to ensure that it appears as random data. This provides protection against disclosure of usage patterns:

  1. Install pv (if not already installed) by running the following command:

    apt install pv
  2. Launch the following command to run dd:

    pv -tpreb /dev/zero | dd of=/dev/mapper/crypthome bs=128M
    Important:

    Depending on the size of your volume this may take some hours to finish.

    Once finished, a message similar to the following displays:

    dd: error writing '/dev/mapper/crypthome': No space left on device <=> ]
    46.6GiB 0:05:29 [ 144MiB/s] [ <=> ]
    56+64649 records in
    56+64648 records out
    49997902848 bytes (50 GB, 47 GiB) copied, 331.56 s, 151 MB/s
  3. Create a filesystem on the encrypted volume by running the following command:

    mkfs.ext4 /dev/mapper/crypthome

    An output similar to the following displays once the filesystem is created:

    mke2fs 1.44.1 (24-Mar-2018)
    Creating filesystem with 12206519 4k blocks and 3055616 inodes
    Filesystem UUID: 80b43994-affd-4687-b7d2-8cfa91303694
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (65536 blocks): done
    Writing superblocks and filesystem accounting information: done

Mounting the encrypted volume

  1. Create a folder to mount the volume:

    mkdir /mnt/crypthome
  2. Mount the encrypted volume with the following command:

    mount /dev/mapper/crypthome /mnt/crypthome/
  3. Verify with lsblk that the volume is mounted:

    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda 252:0 0 46.6G 0 disk
    |-vda1 252:1 0 46.5G 0 part /
    `-vda15 252:15 0 100M 0 part /boot/efi
    vdb 252:16 0 46.6G 0 disk
    `-crypthome 253:0 0 46.6G 0 crypt /mnt/crypthome

    The encrypted volume is now mounted at /mnt/crypthome and you can transfer your sensitive data to the volume.

Unmounting the encrypted volume

  1. Unmount the volume from your Instance:

    umount /mnt/crypthome
  2. Close the LUKS session with Cryptsetup:

    cryptsetup luksClose crypthome
  3. Verify that the volume has been unmounted with lsblk:

    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda 252:0 0 46.6G 0 disk
    |-vda1 252:1 0 46.5G 0 part /
    `-vda15 252:15 0 100M 0 part /boot/efi
    vdb 252:16 0 46.6G 0 disk

    As you can see, the following lines have disappeared:

    vdb 252:16 0 46.6G 0 disk
    `-crypthome 253:0 0 46.6G 0 crypt /mnt/crypthome

Remounting the encrypted volume

  1. Use Cryptsetup to open the LUKS session and enter the passphrase when prompted:

    cryptsetup luksOpen /dev/vdb crypthome
  2. Mount the volume in the Instance:

    mount /dev/mapper/crypthome /mnt/crypthome
  3. Verify that the volume appears with lsblk :

    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda 252:0 0 46.6G 0 disk
    |-vda1 252:1 0 46.5G 0 part /
    `-vda15 252:15 0 100M 0 part /boot/efi
    vdb 252:16 0 46.6G 0 disk
    `-crypthome 253:0 0 46.6G 0 crypt /mnt/crypthome

    As you can see, the following lines have reappeared. This means your encrypted volume is mounted again and you can use it to store or access your sensitive data:

    vdb 252:16 0 46.6G 0 disk
    `-crypthome 253:0 0 46.6G 0 crypt /mnt/crypthome

Changing the LUKS passphrase

LUKS supports up to 8 passphrases for each encrypted volume. You may wish to change the passphrase of your encrypted volume, which you can do as follows:

  1. Check if there is still space available by retrieving the LUKS headers:

    cryptsetup luksDump /dev/vdb

    The list of available key slots displays:

    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

    As you can see 7 slots are available for the volume.

  2. Type the following command and enter any current passphrase:

    cryptsetup luksAddKey /dev/vdb

    When prompted, enter the new passphrase and its confirmation:

    Enter new passphrase for key slot:
    Verify passphrase:
  3. Verify that the new passphrase has been taken into account by retrieving the LUKS headers:

    cryptsetup luksDump /dev/vdb

    Scroll down to the list of available keys, the output should be similar to the following:

    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

    As you can see only 6 slots are available now, meaning that the new key has been configured.

  4. Remove the old passphrase with the following command:

    cryptsetup luksRemoveKey /dev/vdb

    Enter the passphrase to delete and confirm by pressing Enter.

  5. Verify that the key has been removed by retrieving the LUKS headers:

    cryptsetup luksDump /dev/vdb

    In the list of available key slots, 7 slots are available again.