Creating and Mounting an Encrypted Filesystem

30 minutes
  • 5 Learning Objectives

About this Hands-on Lab

Understanding the steps needed to create and mount an encrypted filesystem is valuable for keeping data secure. In this hands-on lab, we will work with filesystem utilities to create a partition, encrypt it, and format it so that it can be mounted as an encrypted filesystem. At the conclusion, we will verify that the encrypted filesystem is ready for daily use by decrypting it, mounting it, using it, unmounting it, and then encrypting it again.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install cryptsetup Software Package

Use yum to install the cryptsetup package:

sudo -i
yum -y install cryptsetup

Create a Partition Using All Space on the /dev/nvme1n1 Device

Use fdisk to create a new default partition:

fdisk /dev/nvme1n1

Press n and use all the defaults to create a new partition:

Command (m for help): n
Partition Type: p
Partition number (1-4, default 1): Press Enter to accept the default
First sector: Press Enter to accept the default
Last sector: Press Enter to accept the default

Press w to write the changes to the partition table and exit:

Command (m for help): w

Use cryptsetup luksFormat to Format the Partition to be Encrypted

Format the /dev/nvme1n1p1 partition to be encrypted with the passphrase TALK3nkrpTED:

cryptsetup -y luksFormat /dev/nvme1n1p1

Open the Encrypted Device, Create an ext4 Filesystem, Close the Encrypted Device, and then Create the /mnt/keys Directory

Use cryptsetup luksOpen to decrypt the device and view its symlink in the /dev/mapper directory with the ls command. Use mkfs to create an ext4 filesystem, and mkdir to create the /mnt/keys directory:

cryptsetup luksOpen /dev/nvme1n1p1 cryptvol

Use the passphrase TALK3nkrpTED, then:

ls -l /dev/mapper
mkfs -t ext4 /dev/mapper/cryptvol
cryptsetup luksClose cryptvol
mkdir /mnt/keys/

Demonstrate the Daily Use of the Encrypted Partition by Opening, Mounting, Accessing, Unmounting, and Closing It

For daily use, run cryptsetup luksOpen to unlock the partition, which exposes its decrypted contents at /dev/mapper/cryptvol, and cryptsetup luksClose to lock it again. While the partition is open it can be mounted, and it should be unmounted before it is closed. Use touch to create an /mnt/keys/access file, and ls to display it:

cryptsetup luksOpen /dev/nvme1n1p1 cryptvol

Use the passphrase TALK3nkrpTED, then:

mount /dev/mapper/cryptvol /mnt/keys
touch /mnt/keys/access
ls -l /mnt/keys/
umount /mnt/keys
cryptsetup luksClose cryptvol

Additional Resources

One of the developers in our organization is going to be working on a server with sensitive data that is covered by various compliance regulations. Our corporate security policy states that user information must be on encrypted partitions.

We will be creating a new partition from an additional disk provisioned to this system, 5 GB in size. Once we create the partition, we will need to take steps to secure the contents that will be placed on it. Using the appropriate encryption steps, we will format the filesystem and provide the necessary configuration to make it available with the right cryptsetup encryption/decryption commands using the passphrase TALK3nkrpTED.

We cannot configure this partition to be mounted on boot. It will need to remain a manual mount/unmount process. The developer has asked for the mount point to be a directory called /mnt/keys. Once we verify that encryption and decryption work, and protect the filesystem, we can turn it back over to the development team.

NOTE: The lab block device has changed to /dev/nvme1n1. In the lab, the /dev/nvme1n1p1 partition is created on the block device /dev/nvme1n1.
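
The daily open/mount/unmount/close cycle and the requirement that the volume never be mounted at boot can both be enforced with a few guard functions. The script below is an added example, not part of the lab: the function names are hypothetical, and the device, mapping name and mount point are the lab's values.

```bash
#!/bin/sh
# Added example. DEV, NAME and MNT are the lab's values; the optional file
# arguments (assumptions for testing) default to the real system files.
DEV=/dev/nvme1n1p1 NAME=cryptvol MNT=/mnt/keys

# Succeeds if /dev/mapper/$NAME is a mount source in a /proc/mounts-style file.
is_mounted() {  # is_mounted [mounts_file]
    awk -v src="/dev/mapper/$NAME" '$1 == src { found = 1 } END { exit !found }' \
        "${1:-/proc/mounts}"
}

# Prints fstab/crypttab lines that reference the volume and fails if any exist,
# since the lab requires the volume to stay a manual mount.
boot_refs() {  # boot_refs [fstab] [crypttab]
    hits=$(for f in "${1:-/etc/fstab}" "${2:-/etc/crypttab}"; do
        if [ -r "$f" ]; then
            awk -v name="$NAME" -v mnt="$MNT" -v dev="$DEV" '
                $1 ~ /^#/ { next }
                $1 == name || $1 == "/dev/mapper/" name || $2 == mnt || $2 == dev {
                    print FILENAME ": " $0 }' "$f"
        fi
    done)
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

open_and_mount() {
    cryptsetup isLuks "$DEV" || { echo "$DEV is not a LUKS device" >&2; return 1; }
    [ -e "/dev/mapper/$NAME" ] || cryptsetup luksOpen "$DEV" "$NAME" || return 1
    is_mounted || mount "/dev/mapper/$NAME" "$MNT"
}

unmount_and_close() {
    if is_mounted; then umount "$MNT" || return 1; fi
    # Never remove the mapping while the filesystem is still mounted.
    if is_mounted; then echo "$MNT is still mounted" >&2; return 1; fi
    cryptsetup luksClose "$NAME"
}

# Constructed sample line, piped in place of /proc/mounts:
printf '/dev/mapper/cryptvol /mnt/keys ext4 rw,relatime 0 0\n' | is_mounted - \
    && echo "mounted: unmount before luksClose"
```

boot_refs matches by mapping name, mapper path, mount point and partition path only; an entry that refers to the partition by UUID would need a separate check.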
