If you are using the Linux operating system, you can secure your data by configuring disk encryption to encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as your NoSQL files.
dm-crypt is the Linux kernel's device mapper crypto target, which provides transparent disk encryption using the kernel crypto API. Cryptsetup is the command-line tool that interfaces with dm-crypt for creating, accessing, and managing encrypted devices. Cryptsetup is most commonly used with the Linux Unified Key Setup (LUKS) extension, which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use.
This topic demonstrates how to convert a normal disk to a dm-crypt enabled disk and vice versa using the command-line interface.
Assume that you have the following disks in your Linux system. The df -h command displays the amount of available disk space for each disk.
$ df -h
/dev/nvme0n1 2.9T 76G 2.7T 3% /ons/nvme0n1
/dev/nvme1n1 2.9T 76G 2.7T 3% /ons/nvme1n1
...
If you nominate disk /dev/nvme0n1 to store databases, then you should encrypt this disk to secure the data within it.
Normal disk to a dm-crypt enabled disk:
Execute the following commands to convert a normal disk to a dm-crypt enabled disk:
-
Unmount the file system on the disk.
sudo umount -l /dev/nvme0n1
-
Generate the key to be used by luksFormat.
sudo dd if=/dev/urandom of=/home/opc/key0.key bs=1 count=4096
-
Initialize a LUKS partition and set the initial key.
sudo /usr/sbin/cryptsetup -q -s 512 luksFormat /dev/nvme0n1 /home/opc/key0.key
-
Open the LUKS partition on disk/device and set up a mapping name.
sudo /usr/sbin/cryptsetup --allow-discards luksOpen -d /home/opc/key0.key /dev/nvme0n1 dm-nvme0n1
-
Create an ext4 file system on the disk.
sudo /sbin/mkfs.ext4 /dev/mapper/dm-nvme0n1
-
Set parameters for the ext4 file system.
sudo /usr/sbin/tune2fs -e remount-ro /dev/mapper/dm-nvme0n1
-
Mount the file system to a specified directory.
sudo mount /dev/mapper/dm-nvme0n1 /ons/nvme0n1
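The key file generated in step 2 is the only secret protecting the volume, and dd creates it under whatever umask is in effect, which commonly leaves it readable by other users. The following is an added example, not part of the original documentation, that creates such a key file with owner-only permissions and audits an existing one. The function names make_keyfile and check_keyfile are hypothetical, and GNU stat and head are assumed.

```bash
#!/usr/bin/env bash
# Added example: create and audit a LUKS key file such as /home/opc/key0.key.
# make_keyfile and check_keyfile are hypothetical helper names.

# Create a key file of SIZE random bytes (default 4096, as in step 2)
# that is never readable by group or other, not even briefly.
make_keyfile() {
    local path=$1 size=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite $path" >&2
        return 1
    fi
    # umask applies only inside the subshell; the file is born 0600.
    ( umask 077 && head -c "$size" /dev/urandom > "$path" ) || return 1
    chmod 400 "$path"
}

# Return 0 only if PATH is a regular file (not a symlink) of SIZE bytes
# that grants no permission bits to group or other.
check_keyfile() {
    local path=$1 size=${2:-4096} mode actual rc=0
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$path")     # octal permissions, e.g. 400
    actual=$(stat -c '%s' "$path")   # size in bytes
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $path mode $mode is accessible to group/other" >&2
        rc=1
    fi
    if [ "$actual" -ne "$size" ]; then
        echo "FAIL: $path is $actual bytes, expected $size" >&2
        rc=1
    fi
    return $rc
}

# Typical use, run as root before luksFormat and luksOpen:
#   make_keyfile /home/opc/key0.key && check_keyfile /home/opc/key0.key
```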
dm-crypt enabled disk to normal disk:
If you want to convert the encrypted disk back to its normal state, execute the following steps:
-
Unmount the file system on the disk.
sudo umount -l /ons/nvme0n1
-
Remove the LUKS mapping.
sudo /usr/sbin/cryptsetup luksClose /dev/mapper/dm-nvme0n1
-
Create an ext4 file system on the disk.
sudo /sbin/mkfs.ext4 /dev/nvme0n1
-
Mount the file system on a specified directory.
sudo mount /dev/nvme0n1 /ons/nvme0n1
Note:
If you convert a normal disk to a dm-crypt enabled disk or convert a dm-crypt enabled disk to a normal disk, you cannot bring the disk back to its previous state without losing its data. This is because the mkfs.ext4 command will format the disk. Therefore, all the data stored in the disk will be lost.