Encrypting Volumes for Sensitive Data

Reviewed on 10 May 2021 • Published on 04 February 2019

compute

Encrypted Volumes Overview

When storing data on your instances you may notice that some of the data might be in the form of sensitive company or client information. These data falling in the wrong hands may cause serious damage to your business. Therefore it is recommended to encrypt sensitive data stored on a volume of your instance. Encrypting the whole volume has the advantage that you do not have to worry if some folder is encrypted or not. You simply store all sensible information on the encrypted volume and you know that the data is safe under a layer of encryption. This tutorial explains how to configure Cryptsetup to encrypt an additional volume with LUKS, a platform-independent standard on-disk format for use in various tools.

Requirements:

You have an account and are logged into the Scaleway Console
You have configured your SSH Key
You have created an Instance
You have a second volume connected to the Instance
You have sudo privileges or access to the root user.

Installing Cryptsetup

Before encrypting the additional volume of the instance, update the apt sources and the software already installed on the instance:
```
apt update && apt upgrade -y
```
Install Cryptsetup on the instance:
```
apt install cryptsetup-bin
```

Use lsblk to dertermine which volume to encrypt:

root@encrypted-disk:~# lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda     252:0    0 46.6G  0 disk
|-vda1  252:1    0 46.5G  0 part /
`-vda15 252:15   0  100M  0 part /boot/efi
vdb     252:16   0 46.6G  0 disk

In this example the space of vdb is not mounted and represents the additional volume of the instance.

Note:

The name of your additional volume may be different depending on the instance type and the OS running on your instance. Replace is with the name corresponding to your volume if needed.

Encrypting the Volume

Encrypt the volume vdb with Cryptsetup:
```
cryptsetup luksFormat /dev/vdb
```
Tip:
On low memory Instances your may run into out of memory (OOM) errors when runnig cryptsetup luks{Format,Open} commands on large volumes. To avoid them, add --pbkdf pbkdf2 to your command:
```
cryptsetup luksFormat --pbkdf pbkdf2 /dev/vdb
```
A warning will appear on your screen, reminding you that all data on the volume will be lost. Confirm it by typing YES on your keyboard, followed by pressing the Enter key:
```
WARNING!
========
This will overwrite data on /dev/vdb irrevocably.

Are you sure? (Type uppercase yes):
```
Important:
Make sure to have a backup of your data on this volume before you launch Cryptsetup. Your data will be irrevocably overwritten and lost.
When asked configure a passphrase. A passphrase is the key to decrypt the data on the volume. Choose a secure and random phrase for increased security. If required, you may use a Passphrase generator. Confirm by pressing Enter on your keyboard.
Repeat the passphrase to confirm it, then press Enter on your keyboard to encrypt the disk.
Important:
If you forget your passphrase, you will not be able to recover your data. Make sure to keep it in a secure environment.

Your volume is now encrypted.

Mapping the Encrypted Volume

Type the following command to create a mapping (crypthome) of the volume:
```
cryptsetup luksOpen /dev/vdb crypthome
```
Enter your passphrase when requested, followed by pressing the Enter key on your keyboard:
```
Enter passphrase for /dev/vdb:
```

Run the following command to verify the status of the encrypted volume:

cryptsetup -v status crypthome

An output like the following should appear:

/dev/mapper/crypthome is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/vdb
  sector size:  512
  offset:  4096 sectors
  size:    97652154 sectors
  mode:    read/write
Command successful.

Formatting the Encrypted Volume

Start by writing zeros to your encrypted volume. This will allocate block data with zeros to ensure that this will be seen as random data. It provides protection against disclosure of usage patterns.
If pv is not installed on your instance, install it via apt by running the following command:
```
apt install pv
```
Then launch the following command to run dd:
```
pv -tpreb /dev/zero | dd of=/dev/mapper/crypthome bs=128M
```
Important:
Depending on the size of your volume this may take some hours to finish.
Once finished you will see a message like the following in your terminal:
```
dd: error writing '/dev/mapper/crypthome': No space left on device                        <=>                                                 ]
46.6GiB 0:05:29 [ 144MiB/s] [                                                               <=>                                               ]
56+64649 records in
56+64648 records out
49997902848 bytes (50 GB, 47 GiB) copied, 331.56 s, 151 MB/s
```

Now create a filesystem on the encrypted volume by running the following command:

mkfs.ext4 /dev/mapper/crypthome

You will see an output like the following once the filesystem is created:

mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 12206519 4k blocks and 3055616 inodes
Filesystem UUID: 80b43994-affd-4687-b7d2-8cfa91303694
Superblock backups stored on blocks:
  32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
  4096000, 7962624, 11239424

Allocating group tables: done
Writing inode tables: done
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done

Mounting the Encrypted Volume

Create a folder to mount the volume:
```
mkdir /mnt/crypthome
```
Mount the encrypted volume with the following command:
```
mount /dev/mapper/crypthome /mnt/crypthome/
```

Verify with lsblk if the volume is mounted:

NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
vda         252:0    0 46.6G  0 disk
|-vda1      252:1    0 46.5G  0 part  /
`-vda15     252:15   0  100M  0 part  /boot/efi
vdb         252:16   0 46.6G  0 disk
`-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome

The encrypted volume is now mounted at /mnt/crypthome and you can transfer your sensitive data to the volume.

Unmounting the Encrypted Volume

Unmount the volume from your instance:
```
umount /mnt/crypthome
```
Close the LUKS session with Cryptsetup:
```
cryptsetup luksClose crypthome
```

Verify that the volume has been unmounted with lsblk:

NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda     252:0    0 46.6G  0 disk
|-vda1  252:1    0 46.5G  0 part /
`-vda15 252:15   0  100M  0 part /boot/efi
vdb     252:16   0 46.6G  0 disk

As you can see, the following lines are disappeared:

vdb         252:16   0 46.6G  0 disk
`-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome

Remounting the Encrypted Volume

Use Cryptsetup to open the LUKS session and enter the passphrase when prompted:
```
cryptsetup luksOpen /dev/vdb crypthome
```

Mount the volume in the instance:

mount /dev/mapper/crypthome /mnt/crypthome

Verify with lsblk if the volume appears:

NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
vda         252:0    0 46.6G  0 disk
|-vda1      252:1    0 46.5G  0 part  /
`-vda15     252:15   0  100M  0 part  /boot/efi
vdb         252:16   0 46.6G  0 disk
`-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome

As you can see, the following lines appear again. This means your encrypted volume is mounted again and you can use it to store or access your sensitive data:

vdb         252:16   0 46.6G  0 disk
`-crypthome 253:0    0 46.6G  0 crypt /mnt/crypthome

Changing the LUKS Passphrase

LUKS supports up to 8 passphrases for each encrypted volume. In case you want to change the passphrase of your encrypted volume, start by checking if there is still space available by retrieving the LUKS headers:
```
cryptsetup luksDump /dev/vdb
```
The list of available key slots is displayed:
```
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```
As you can see 7 slots are available for the volume.
Type the following command and enter any current passphrase:
```
cryptsetup luksAddKey /dev/vdb
```
When prompted, enter the new passphrase and its confirmation:
```
Enter new passphrase for key slot:
Verify passphrase:
```
Verify that the new passphrase has been taken into account by retrieving the LUKS headers:
```
cryptsetup luksDump /dev/vdb
```
Scroll down to the list of available keys, the output should be similar to the following:
```
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```
As you can see only 6 slots are available now, meaning that the new key has been configured.
You can now remove the old passphrase by typing:
```
cryptsetup luksRemoveKey /dev/vdb
```
Enter the passphrase to delete and confirm by pressing on Enter.
Verify that the key has been removed by retrieving the LUKS headers:
```
cryptsetup luksDump /dev/vdb
```
In the list of available key slots you will notice that 7 slots are available again.