
RH413 Unit 3 Create

py3study
Published 2020-01-15 12:25:02

There are two major reasons for allocating file systems separately: containment and mounting with more restrictive mount options. Containment reduces the impact a file system has on the rest of the system if it fills up. For example, if a program has an error and creates several large temporary files in /tmp, it should not prevent system logging or keep users from saving files in their home directories.

Encryption at installation:

kickstart configuration:

part /home --fstype=ext4 --size=10000 --onpart=vda2 --encrypted --passphrase=PASSPHRASE

Encryption Post-installation:
  • Create an LVM logical volume:

pvcreate /dev/sdb1
vgcreate storage /dev/sdb1
  Volume group "storage" successfully created
lvcreate -l 100%FREE -n luks-test storage

Tip: there is no need to create a file system at this stage.

  • Encrypt the block device and assign it a password:

cryptsetup luksFormat /dev/storage/luks-test
WARNING!
This will overwrite data on /dev/storage/luks-test irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

  • Unlock the encrypted volume and assign it a logical name:

cryptsetup luksOpen /dev/storage/luks-test luks
Enter passphrase for /dev/storage/luks-test:

Here luks is the logical name.

  • Create a filesystem in the decrypted volume:

mkfs.ext4 /dev/mapper/luks
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65152 inodes, 260608 blocks
13030 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8144 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

  • Mount it:

mkdir /mnt/luks
mount /dev/mapper/luks /mnt/luks/

  • When finished, unmount the filesystem, then lock the encrypted volume:

cryptsetup luksClose luks

Persistently Mount Encrypted Partitions
  • Locate or generate a key file. This is typically created with random data on the server and kept on a separate storage device. Make sure it is owned by root and the mode is 600.

dd if=/dev/urandom of=/root/luks.passwd bs=4096 count=1
chmod 600 /root/luks.passwd

  • Add the key file for LUKS using the following command:

cryptsetup luksAddKey /dev/storage/luks-test /root/luks.passwd
Enter any existing passphrase:

  • Create an /etc/crypttab entry for the volume. /etc/crypttab contains a list of devices to be unlocked during system boot.

name /dev/vdaN /path/to/password/file

such as:

luks /dev/storage/luks-test /root/luks.passwd

The fields are:
1. name: the name device mapper will use for the device
2. the underlying "locked" device
3. the absolute pathname to the password file used to unlock the device

  • Edit /etc/fstab:

/dev/mapper/name /mnt/xx ext4 defaults 1 2

such as:

/dev/mapper/luks /mnt/luks ext4 defaults 1 2

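
An added example, not from the original article: a shell function that checks every key file named in a crypttab-format file against the rule stated above (absolute path, owned by root, mode 600). The function name audit_crypttab and its optional expected-UID argument are assumptions made for this example, and it relies on GNU stat as shipped with RHEL.

```bash
#!/usr/bin/env bash
# Added example: audit key files referenced by a crypttab-format file.
# audit_crypttab is a hypothetical helper name; assumes GNU stat (RHEL).
#
# Usage: audit_crypttab [CRYPTTAB] [EXPECTED_UID]
# Prints one line per finding; returns 0 if clean, 1 if anything is flagged.
audit_crypttab() {
    local tab="${1:-/etc/crypttab}" want_uid="${2:-0}"
    local name dev key opts mode uid bad=0

    [ -r "$tab" ] || { echo "cannot read $tab"; return 1; }

    # Fields: name, locked device, key file, options (see /etc/crypttab above).
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        # No key file to audit: passphrase prompt, or a device such as
        # /dev/urandom used as a throwaway key.
        case "$key" in ''|none|-|/dev/*) continue ;; esac

        if [ "${key#/}" = "$key" ]; then
            echo "$name: key file path '$key' is not absolute"; bad=1; continue
        fi
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing or not a regular file"; bad=1
            continue
        fi
        mode=$(stat -c '%a' "$key")
        uid=$(stat -c '%u' "$key")
        if [ "$uid" != "$want_uid" ]; then
            echo "$name: $key is owned by uid $uid, expected $want_uid"; bad=1
        fi
        # The page asks for mode 600: flag any group or other permission bit.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: $key has mode $mode, expected 600"; bad=1
        fi
    done < "$tab"
    return "$bad"
}

# Run against the file given on the command line, e.g. ./audit.sh /etc/crypttab
if [ "$#" -gt 0 ]; then audit_crypttab "$@"; fi
```

Run it as root after editing /etc/crypttab; a non-zero exit status means at least one key file needs its path, owner or mode corrected.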
references:

cryptsetup(8) crypttab(5)

Originally published: 2019-06-30
