Created
July 25, 2016 18:12
Enable LUKS disk encryption with a key file
```bash
# Create strong LUKS key (the PEM file is used only as opaque key material)
openssl genrsa -out /root/luks.key 4096
chmod 400 /root/luks.key
# Fill random data to the device
shred -v --iterations=1 /dev/xvdb
# Format device as a LUKS container
echo "YES" | cryptsetup luksFormat /dev/xvdb --key-file /root/luks.key
# Open device
cryptsetup luksOpen /dev/xvdb data1 --key-file /root/luks.key
# Create the filesystem on the mapped device
mkfs.ext4 /dev/mapper/data1
# Mount (create the mount point first if it does not exist)
mkdir -p /data1
mount /dev/mapper/data1 /data1
# Persist at boot
# Add to /etc/crypttab:
#   data1 /dev/xvdb /root/luks.key luks
# Add to /etc/fstab:
#   /dev/mapper/data1 /data1 ext4 defaults 1 2
# Restore default SELinux contexts:
/sbin/restorecon -v -R /data1
# Verify
cryptsetup -v isLuks /dev/xvdb
df -h /data1
```
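One way to check the result of the steps above, as an added example that is not part of the original gist: the function reads a crypttab-format file and flags key files that are missing, carry group/other permission bits, or are not owned by the expected uid. The names `audit_crypttab` and `demo`, the optional uid argument, and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): audit key files named in a crypttab-format file.
# Usage: audit_crypttab FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_crypttab() {
    local tab="$1" want_uid="${2:-0}" name dev key opts rc=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$key" in ''|none|-) continue ;; esac  # passphrase entry, no key file
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1; continue
        fi
        # ls -ldn prints "mode links uid gid ..."; split it into $1..$n
        set -- $(ls -ldn -- "$key")
        case "$1" in
            ????------*) ;;                         # no group/other bits set
            *) echo "$name: $key has group/other permissions ($1)"; rc=1 ;;
        esac
        [ "$3" = "$want_uid" ] ||
            { echo "$name: $key is owned by uid $3, expected $want_uid"; rc=1; }
    done < "$tab"
    return "$rc"
}

# Constructed sample: the page's crypttab line, pointed at a throwaway key file
# in a temp directory so the check can be tried without root or a real device.
demo() {
    local d
    d=$(mktemp -d)
    head -c 64 /dev/urandom > "$d/luks.key"
    chmod 644 "$d/luks.key"                         # deliberately too open
    echo "data1 /dev/xvdb $d/luks.key luks" > "$d/crypttab"
    audit_crypttab "$d/crypttab" "$(id -u)" || echo "-> flagged; tightening to 0400"
    chmod 400 "$d/luks.key"                         # same mode the gist sets
    audit_crypttab "$d/crypttab" "$(id -u)" && echo "-> clean"
    rm -rf "$d"
}
demo
```

On a real host, run it as `audit_crypttab /etc/crypttab` so the owner check defaults to root.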
Thanks for the script.
You can also do:
cryptsetup -q luksFormat /dev/xvdb --key-file /root/luks.key
Just to make it a bit more reliable.