Note: This is to create a new partition that is encrypted. Do not do this on an existing partion, because you will lose all the data on the partition.<\/p>\n
Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc.<\/p>\n
Add the disk to the system and identify it. I used the following:
\nSee if it is there already:<\/p>\n
# fdisk -l<\/p><\/blockquote>\n
If not, scan for it on all your buses:<\/p>\n
# echo “- – -” > \/sys\/class\/scsi_host\/host0\/scan
\n# echo “- – -” > \/sys\/class\/scsi_host\/host1\/scan
\n# echo “- – -” > \/sys\/class\/scsi_host\/host2\/scan <\/p><\/blockquote>\nCheck again:<\/p>\n
# fdisk -l<\/p><\/blockquote>\n
Create a volume:
\nAdd the physical disk:<\/p>\n# pvcreate \/dev\/sdb<\/p><\/blockquote>\n
Create a volume group;<\/p>\n
# vgcreate centos_test \/dev\/sdb<\/p><\/blockquote>\n
Activate the volume group:<\/p>\n
# vgchange -a y centos_test <\/p><\/blockquote>\n
Create the volume:<\/p>\n
# lvcreate -l 100%FREE -n test centos_test<\/p><\/blockquote>\n
Write random data to the partition. This is important when reusing a volume.<\/p>\n
# shred -v –iterations=1 \/dev\/centos_test\/test<\/p><\/blockquote>\n
Install cryptsetup:<\/p>\n
# yum install cryptsetup<\/p><\/blockquote>\n
Initialize the volume and set the passphrase:<\/p>\n
# cryptsetup –verbose –verify-passphrase luksFormat \/dev\/centos_test\/test<\/p><\/blockquote>\n
Open the volume and setup the mapping:<\/p>\n
# cryptsetup luksOpen \/dev\/centos_test test <\/p><\/blockquote>\n
Create the filesystem:<\/p>\n
# mkfs.ext3 \/dev\/mapper\/centos_test-test <\/p><\/blockquote>\n
Mount it:<\/p>\n
# mount \/dev\/mapper\/centos_test-test \/mnt <\/p><\/blockquote>\n
Add the volume to be mounted at boot to the crypttab file:
\n# vi \/etc\/crypttab
\n…
\ncentos_test-test \/dev\/centos_test\/test none
\n…<\/p>\nAdd the mount to the fstab:<\/p>\n
# vi \/etc\/fstab
\n…
\n\/dev\/mapper\/centos_test-test \/mnt ext3 defaults 1 2
\n…<\/p><\/blockquote>\nRestore selinux context:<\/p>\n
# \/sbin\/restorecon -v -R \/mnt <\/p><\/blockquote>\n
I was not getting prompted for the passphrase at boot. So, I had to boot into single user mode. When I did, I was prompted for the passphrase and the partition mounted fine. I needed to do remove the rhgb parameter from the boot parameters to be prompted when booting into multi-user mode:<\/p>\n
# cd \/etc\/default<\/p><\/blockquote>\n
Remove the rhgb parameter from kernel parameters.<\/p>\n
# vi grub <\/p><\/blockquote>\n
I removed the rhgb parameter from this line:<\/p>\n
GRUB_CMDLINE_LINUX=”rd.lvm.lv=centos\/swap vconsole.font=latarcyrheb-sun16 crashkernel=auto vconsole.keymap=us rd.lvm.lv=centos\/root quiet”<\/p><\/blockquote>\n
Update grub with the new settings:<\/p>\n
# grub2-mkconfig -o \/boot\/grub2\/grub.cfg <\/p><\/blockquote>\n
When you reboot, you will be prompted for the passphrase you set when prompted in the cryptsetup.<\/p>\n
# shutdown -r now<\/p><\/blockquote>\n
Here is a short summary. Pay particular attention to the luksOpen and mount command and the format of the crypttab and fstab files. Hopefully, these names will make it easier to keep straight.:<\/p>\n
# fdisk -l
\n# fdisk \/dev\/sdb
\n# shred -v –iterations=1 \/dev\/sdb
\n# pvcreate \/dev\/sdb
\n# vgcreate vgtest \/dev\/sdb
\n# vgchange -a y vgtest
\n# lvcreate -l 100%FREE -n lvtest vgtest
\n# shred -v –iterations=1 \/dev\/vgtest\/lvtest
\n# cryptsetup –verbose –verify-passphrase luksFormat \/dev\/vgtest\/lvtest
\n# cryptsetup luksOpen \/dev\/mapper\/vgtest-lvtest<\/strong> lvtest
\n# mkfs -t ext4 \/dev\/mapper\/lvtest
\n# mount \/dev\/mapper\/lvtest<\/strong> \/mnt<\/p>\n# vi \/etc\/crypttab
\n…
\nlvtest\t\/dev\/mapper\/vgtest-lvtest<\/strong>\tnone
\n…<\/p>\n# vi \/etc\/fstab
\n…
\n\/dev\/mapper\/lvtest<\/strong>\t\/mnt\text4\tdefaults\t1 2
\n…\n<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"Note: This is to create a new partition that is encrypted. Do not do this on an existing partion, because you will lose all the data on the partition. Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc. Add the disk to [&hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1349","post","type-post","status-publish","format-standard","hentry","category-documentation"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1349"}],"version-history":[{"count":7,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1349\/revisions"}],"predecessor-version":[{"id":1363,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1349\/revisions\/1363"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}