Learn how to Encrypt Drives using LUKS on Oracle Linux

In this post, we look at the Linux Unified Key Setup (LUKS), the block-device encryption specification originally created by Clemens Fruhwirth in 2004. Because LUKS works at the block-device layer, it can protect any filesystem placed on top of it, swap partitions included. We walk through how to use LUKS to harden Oracle Linux, which Oracle has distributed since late 2006, covering the key benefits and the steps for encrypting your drives.

Encryption is a crucial aspect of modern data security. It helps protect sensitive information from unauthorized access and breaches. One effective method for encrypting drives on Oracle Linux is to use the Linux Unified Key Setup (LUKS) specification. LUKS allows you to encrypt entire block devices, ensuring that data remains confidential even if the device falls into the wrong hands.

Recent data breaches, such as the “Mother of all Breaches,” which exposed 26 billion records from various websites, highlight the importance of data security. Encrypting drives with LUKS would have made it extremely difficult for attackers to access and misuse this data.

Additionally, ransomware attacks pose a significant threat to organizations worldwide. Encrypting drives can act as a preventive measure, making it harder for ransomware to compromise and encrypt critical files.

The first step formats the device /dev/sdb99 as a LUKS volume; this overwrites whatever is currently on the device. cryptsetup asks you to confirm by typing ‘YES’ in capital letters and then to enter (and, because of -y, re-enter) a passphrase, which must have at least 8 characters, including 1 digit, 1 uppercase letter and 1 special character, and must not be based on a dictionary word.


~]$ sudo cryptsetup -y -v luksFormat /dev/sdb99

WARNING!
========
This will overwrite data on /dev/sdb99 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb99: 
Verify passphrase: 
Key slot 0 created.
Command successful.

The next step is to open the encrypted volume, which requires a name for the device-mapper target. I will use ‘techdatabasket’ as shown below:


~]$ sudo cryptsetup -v luksOpen /dev/sdb99 techdatabasket
Enter passphrase for /dev/sdb99: 
Key slot 0 unlocked.
Command successful.

The device /dev/sdb99 now shows ‘crypto_LUKS’ as its file system type, with the mapped volume ‘techdatabasket’ listed beneath it:


~]$ lsblk -f
NAME               FSTYPE      LABEL UUID                                   MOUNTPOINT
…
sdb                                                                         
└─sdb99             crypto_LUKS       xxxxxxxxxxxxxxxxxxx 
  └─techdatabasket                                                              

The next step is to create a file system on the mapped device before adding any data to it. There are many file systems to choose from, so the choice is yours. Once the file system exists, create a mount point and mount the volume:

~]$ sudo mkdir -p /u01/techdatabase_storage
~]$ sudo mount -v /dev/mapper/techdatabasket /u01/techdatabase_storage
mount: /u01/techdatabase_storage does not contain SELinux labels.
       You just mounted an file system that supports labels which does not
       contain labels, onto an SELinux box. It is likely that confined
       applications will generate AVC messages and not be allowed access to
       this file system.  For more details see restorecon(8) and mount(8).
mount: /dev/mapper/techdatabasket mounted on /u01/techdatabase_storage.

As the output shows, mount printed an SELinux warning: the freshly created file system carries no SELinux labels, so confined processes would be denied access to it. To fix this, run ‘sudo restorecon -vvRF /u01/techdatabase_storage’ to apply the default labels, then remount the volume.

~]$ sudo restorecon -vvRF /u01/techdatabase_storage
Relabeled /u01/techdatabase_storage from system_u:object_r:unlabeled_t:s0 to system_u:object_r:default_t:s0
~]$ sudo mount -v -o remount /u01/techdatabase_storage
mount: /dev/mapper/techdatabasket mounted on /u01/techdatabase_storage
~]$ lsblk
NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
…
sdb                  8:16   0   50G  0 disk  
└─sdb99               8:17   0    2G  0 part  
  └─techdatabasket      252:2    0    2G  0 crypt /u01/techdatabase_storage
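The whole sequence above (luksFormat, open, file system, mount point, mount, restorecon, remount) as one script with pre-flight checks. This is an added example and not code from the original post. It assumes LUKS2 with aes-xts-plain64 and a 512-bit key (the parameters the post's luksDump output shows), argon2id as the PBKDF and XFS as the file system; the post leaves the PBKDF and the file system to the reader. The passphrase policy check implements the four rules the post states; the "not a dictionary word" rule is left to the system's pam_pwquality/cracklib configuration.

```shell
#!/bin/sh
# Added example, not from the original post: the post's luksFormat -> open ->
# mkfs -> mount -> restorecon sequence as a script with pre-flight checks.
# Assumptions: LUKS2, aes-xts-plain64 with a 512-bit key, argon2id PBKDF,
# XFS file system. Run as root:
#   sudo sh luks-setup.sh run /dev/sdb99 techdatabasket /u01/techdatabase_storage
set -eu

# Passphrase policy from the post: at least 8 characters with one digit,
# one upper-case letter and one special character. The "not a dictionary
# word" rule is left to pam_pwquality/cracklib and is not checked here.
check_passphrase() {
    [ "${#1}" -ge 8 ] || return 1
    printf '%s' "$1" | grep -q '[[:digit:]]'  || return 1
    printf '%s' "$1" | grep -q '[[:upper:]]'  || return 1
    printf '%s' "$1" | grep -q '[^[:alnum:]]' || return 1
}

# Refuse to format anything that is mounted or already carries a file-system
# or LUKS signature, so a mistyped device name cannot overwrite the wrong
# disk. wipefs -n only reports signatures; it never writes.
device_is_safe_to_format() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if findmnt -rn --source "$1" >/dev/null; then
        echo "refusing: $1 is mounted" >&2; return 1
    fi
    if [ -n "$(wipefs -n "$1")" ]; then
        echo "refusing: $1 already carries a signature (see wipefs -n)" >&2; return 1
    fi
}

# Read the passphrase twice without echo and enforce the policy before the
# disk is touched; cryptsetup then receives it on stdin via --key-file -.
read_passphrase() {
    stty -echo
    printf 'Enter passphrase for %s: ' "$1" >&2; read -r p1; echo >&2
    printf 'Verify passphrase: ' >&2;            read -r p2; echo >&2
    stty echo
    [ "$p1" = "$p2" ]      || { echo "passphrases do not match" >&2; return 1; }
    check_passphrase "$p1" || { echo "passphrase does not meet the policy" >&2; return 1; }
    PASSPHRASE=$p1
}

encrypt_and_mount() {
    dev=$1; name=$2; mnt=$3
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    device_is_safe_to_format "$dev"
    read_passphrase "$dev"
    # -q (batch mode) replaces the interactive YES prompt; the double entry and
    # the policy check above replace -y. "open" is the modern name for luksOpen.
    printf '%s' "$PASSPHRASE" | cryptsetup -q luksFormat --type luks2 \
        --cipher aes-xts-plain64 --key-size 512 --pbkdf argon2id --key-file - "$dev"
    printf '%s' "$PASSPHRASE" | cryptsetup open --key-file - "$dev" "$name"
    mkfs.xfs -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount -v "/dev/mapper/$name" "$mnt"
    # A fresh file system has no SELinux labels (the warning shown in the post);
    # restorecon applies the policy defaults, then remount as the post does.
    restorecon -vvRF "$mnt"
    mount -v -o remount "$mnt"
    cryptsetup luksDump "$dev"
}

# Nothing runs unless explicitly asked, so the file can be sourced for its checks.
if [ "${1:-}" = "run" ]; then
    [ "$#" -eq 4 ] || { echo "usage: $0 run <device> <mapper-name> <mount-point>" >&2; exit 2; }
    encrypt_and_mount "$2" "$3" "$4"
fi
```

The passphrase is written to cryptsetup without a trailing newline (printf '%s'), which is what makes it match the same passphrase typed later at an interactive luksOpen prompt, where the terminal newline is stripped. The device check runs before any prompt, so a wrong device name is caught before the passphrase is even asked for.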

The LUKS header details, including the cipher, key size and PBKDF settings of each keyslot, can be displayed with luksDump:

~]$ sudo cryptsetup luksDump /dev/sdb99
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	xxxxxxxxxxxxxxxx
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  11
	Memory:     1048576
	Threads:    4
	Salt:       xxxxxxxxxxxxxx
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 254015
	Salt:       xxxxxxxxxxxxxxxxx
	Digest:     e4 74 dc 99 f0 04 98 dd 60 6f 06 2a fa c4 5b 8b 
	            17 17 39 a9 f7 63 6e 61 6a 03 03 ac 34 9a d3 7f
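The luksDump output above is what you audit after the fact: which cipher and key size protect the data, which PBKDF protects the passphrase, how many keyslots exist. Below is an added example (not code from the original post) that parses a luksDump of a LUKS2 device and flags headers that fall below a baseline. The baseline values (aes-xts-plain64, 512-bit key, Argon2 with at least 65536 KiB of memory) are my assumptions; the sample headers are constructed, modelled on the post's output with the redacted fields omitted. Note that the Digests section legitimately reports pbkdf2, so the check must only look at the Keyslots section.

```shell
#!/bin/sh
# Added example, not from the original post: audit a LUKS2 luksDump against a
# baseline. Thresholds are assumptions; adjust to your own policy.
set -eu

# Reads luksDump output on stdin; prints findings; exits 0 if clean, 1 otherwise.
# Optional argument: minimum Argon2 memory cost in KiB (default 65536).
audit_luks_dump() {
    awk -v minmem="${1:-65536}" '
    function fail(msg) { printf "FAIL: %s\n", msg; bad = 1 }
    BEGIN { bad = 0; slots = 0 }
    /^Version:/ && $2 != "2"       { fail("LUKS version " $2 ", expected 2") }
    /^[A-Za-z][A-Za-z ]*:[ \t]*$/  { section = $1; next }   # "Keyslots:", "Digests:", ...
    section == "Data" && $1 == "cipher:" && $2 != "aes-xts-plain64" { fail("data segment cipher " $2) }
    section == "Keyslots:" {
        if ($1 ~ /^[0-9]+:$/)                           { slot = $1; sub(":", "", slot); slots++ }
        if ($1 == "Cipher:" && $2 != "aes-xts-plain64") fail("keyslot " slot ": cipher " $2)
        if ($1 == "Key:" && $2 + 0 < 512)               fail("keyslot " slot ": " $2 "-bit key, expected 512 for XTS")
        if ($1 == "PBKDF:" && $2 !~ /^argon2id?$/)      fail("keyslot " slot ": PBKDF " $2 " is not Argon2")
        if ($1 == "Memory:" && $2 + 0 < minmem)         fail("keyslot " slot ": Argon2 memory " $2 " KiB below " minmem)
    }
    END {
        if (slots == 0) fail("no keyslots found: is this a luksDump of a LUKS2 device?")
        else printf "keyslots in use: %d\n", slots
        exit bad
    }'
}

# Constructed sample modelled on the post's luksDump (UUID, salts and digest omitted).
GOOD_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  11
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 254015
EOF
)

# Constructed weakened header: CBC mode, 256-bit key, PBKDF2 in the keyslot.
WEAK_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-cbc-essiv:sha256
Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-cbc-essiv:sha256
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 100000
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

# Usage: sudo sh luks-audit.sh /dev/sdb99   (no argument: self-check on the samples)
if [ "$#" -eq 1 ]; then
    cryptsetup luksDump "$1" | audit_luks_dump
    exit
fi
if printf '%s\n' "$GOOD_DUMP" | audit_luks_dump; then echo "sample header: OK"; fi
if ! printf '%s\n' "$WEAK_DUMP" | audit_luks_dump; then echo "weakened header: rejected"; fi
```

The keyslot count is printed deliberately: an extra keyslot you did not add is a finding in itself, since anyone holding that passphrase can unlock the volume.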

Overall, encrypting data with Linux Unified Key Setup (LUKS) helps prevent data breaches by keeping data confidential, protecting it from unauthorized access and securing sensitive files. It also aids compliance with data protection regulations and adds a layer of defense against ransomware attacks. Oracle offers numerous technologies and features to enhance system security. Don’t wait any longer; keep your system safe with the best tools available in the market.

References:

  1. Winder, D. (2024, January 23). Massive 26 Billion Record Leak: Dropbox, LinkedIn, Twitter, and More Named. Forbes. https://www.forbes.com/sites/daveywinder/2024/01/23/massive-26-billion-record-leak-dropbox-linkedin-twitterx-all-named/?sh=d6e60e5ab58e
  2. Oracle Corporation. (n.d.). Oracle Linux Learning Library: Linux Unified Key Setup (LUKS) – Introduction.  https://docs.oracle.com/en/learn/ol-luks/#introduction
  3. Oracle Corporation. (n.d.). Using Encrypted Block Devices. Oracle Linux 8 Documentation. https://docs.oracle.com/en/operating-systems/oracle-linux/8/stordev/stordev-UsingEncryptedBlockDevices.html#about-blk-dev
