LUKS Encryption

One of the most common security requirements is encryption at rest. It is mandatory not only for cloud infrastructure but for laptops as well.

Regardless of your platform, your data should always be encrypted at rest. All it takes is 10 minutes to set up an LVM logical volume with LUKS encryption.

LVM ready

Be careful here, as the following steps could destroy data. Assuming you have LVM tools and a disk with a partition ready, let’s get started.


# pvcreate /dev/sdb1
# vgcreate plextor /dev/sdb1
# lvcreate -L 30G --name data plextor

Encryption

At this point we need to set up a LUKS volume on top of the logical volume, open it, and create a filesystem on the mapped device.

# cryptsetup luksFormat /dev/plextor/data
# cryptsetup open /dev/plextor/data data_crypt
# mkfs -t ext4 /dev/mapper/data_crypt

Auto-mount

Now it’s possible to mount /dev/mapper/data_crypt. However, you have to run cryptsetup open every time. By adding an /etc/crypttab entry for the underlying encrypted volume and an /etc/fstab entry for the mapped device, the volume is unlocked and mounted automatically at boot.

/etc/crypttab

data_crypt UUID="14bf7ac0-3e74-4b45-9a20-80963e6fadac" none luks

/etc/fstab

/dev/mapper/data_crypt /mnt/data ext4 defaults 0 0

It’s important to note that the UUID used here is that of the encrypted volume, not of the raw device.

$ sudo blkid
/dev/sdb1: UUID="2Qoc6T-WEyT-IMCp-00JX-wWDp-7ibl-AfVRyX" TYPE="LVM2_member" PARTUUID="4a4b8247-01"
/dev/mapper/sessionm_crypt: UUID="14bf7ac0-3e74-4b45-9a20-80963e6fadac" BLOCK_SIZE="4096" TYPE="ext4"

It’s also possible to get the UUID by dumping the LUKS header of the encrypted volume:

$ sudo cryptsetup luksDump /dev/plextor/data

You can test that everything is working properly by running cryptdisks_start data_crypt. The last two tricks are thanks to this great source.
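The whole procedure above (LVM setup, LUKS format, filesystem, and the /etc/crypttab and /etc/fstab entries) as one shell script. This is an added example written for this page, not the original post’s commands. It assumes a Debian/Ubuntu-style system with lvm2, cryptsetup, blkid and cryptdisks_start installed, and takes the partition, volume group, logical volume, size, mapping name and mount point as arguments (the values /dev/sdb1, plextor, data, 30G, data_crypt and /mnt/data in the usage line are the post’s). The blkid output embedded in the script is constructed: the LVM and ext4 lines mirror the post, the crypto_LUKS UUID is made up. Two checks a practitioner wants are built in: the script refuses to touch a partition that already carries a signature, and it takes the crypttab UUID from the LUKS container itself (blkid TYPE="crypto_LUKS", or cryptsetup luksUUID), which is the UUID /etc/crypttab resolves; the ext4 filesystem that shows up on /dev/mapper/data_crypt once it is opened has a different UUID of its own.

```shell
#!/bin/sh
# Added example for this page, not the original post's commands.
# Assumed tools: lvm2, cryptsetup, blkid and Debian/Ubuntu cryptdisks_start.

# Extract the UUID that /etc/crypttab needs: the one blkid reports for the
# LUKS container itself (TYPE="crypto_LUKS"). The ext4 filesystem inside the
# opened mapping carries its own, different UUID and must not be used here.
#   $1 = blkid output (text), $2 = device path of the LUKS container
luks_uuid_from_blkid() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { split($i, a, "\""); print a[2] }
        }'
}

# Accept only canonical lowercase UUIDs so a typo never lands in crypttab.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab line: <mapping name> <LUKS UUID> <key file: none = prompt at boot> <options>
crypttab_entry() {
    is_uuid "$2" || { echo "crypttab_entry: '$2' is not a UUID" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab line for the opened mapping; fsck pass 2 because it is not the root fs.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Destructive part: only runs when invoked as `script --provision ...`.
#   $1 partition  $2 volume group  $3 logical volume  $4 size  $5 mapping  $6 mount point
provision() {
    part=$1 vg=$2 lv=$3 size=$4 name=$5 mnt=$6
    [ "$(id -u)" -eq 0 ] || { echo "provision: must run as root" >&2; return 1; }
    # Refuse to overwrite a partition that already carries any signature.
    if blkid -p "$part" >/dev/null 2>&1; then
        echo "provision: $part already has a signature, refusing" >&2; return 1
    fi
    pvcreate "$part"                       # physical volume first, then the group
    vgcreate "$vg" "$part"
    lvcreate -L "$size" --name "$lv" "$vg"
    cryptsetup luksFormat --type luks2 "/dev/$vg/$lv"
    cryptsetup open "/dev/$vg/$lv" "$name"
    mkfs -t ext4 "/dev/mapper/$name"
    uuid=$(cryptsetup luksUUID "/dev/$vg/$lv")   # header UUID, not the ext4 one
    crypttab_entry "$name" "$uuid" >> /etc/crypttab
    fstab_entry "$name" "$mnt" >> /etc/fstab
    mkdir -p "$mnt"
    cryptsetup close "$name"
    cryptdisks_start "$name" && mount "$mnt"   # exercises the new entries end to end
}

# Constructed blkid output: the LVM and ext4 lines mirror the post, the
# crypto_LUKS UUID is made up for the example.
SAMPLE_BLKID='/dev/sdb1: UUID="2Qoc6T-WEyT-IMCp-00JX-wWDp-7ibl-AfVRyX" TYPE="LVM2_member" PARTUUID="4a4b8247-01"
/dev/mapper/plextor-data: UUID="0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b" TYPE="crypto_LUKS"
/dev/mapper/data_crypt: UUID="14bf7ac0-3e74-4b45-9a20-80963e6fadac" BLOCK_SIZE="4096" TYPE="ext4"'

case "${1:-}" in
    --provision) shift; provision "$@" ;;
    --demo)
        uuid=$(luks_uuid_from_blkid "$SAMPLE_BLKID" /dev/mapper/plextor-data)
        crypttab_entry data_crypt "$uuid"
        fstab_entry data_crypt /mnt/data
        ;;
esac
```

Run `sh luks_lvm.sh --demo` to print the two entries derived from the sample blkid output without touching any device; `sudo sh luks_lvm.sh --provision /dev/sdb1 plextor data 30G data_crypt /mnt/data` performs the real steps, including the refusal when /dev/sdb1 already holds a filesystem or LVM signature.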