@huyanhvn
Created July 25, 2016 18:12
Enable LUKS disk encryption with a key file
# Create strong LUKS key
openssl genrsa -out /root/luks.key 4096
chmod 400 /root/luks.key
# Fill random data to the device
shred -v --iterations=1 /dev/xvdb
# Format device
echo "YES" | cryptsetup luksFormat /dev/xvdb --key-file /root/luks.key
# Open device
cryptsetup luksOpen /dev/xvdb data1 --key-file /root/luks.key
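# Create filesystem
mkfs.ext4 /dev/mapper/data1
# Mount (create the mount point if it does not exist yet)
mkdir -p /data1
mount /dev/mapper/data1 /data1
# Persist at boot: add the mapping to /etc/crypttab and the mount to /etc/fstab
echo "data1 /dev/xvdb /root/luks.key luks" >> /etc/crypttab
echo "/dev/mapper/data1 /data1 ext4 defaults 1 2" >> /etc/fstab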
# Restore default SELinux contexts:
/sbin/restorecon -v -R /data1
# Verify
cryptsetup -v isLuks /dev/xvdb
df -h /data1
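
The steps above leave the volume key in /root/luks.key and reference it from /etc/crypttab, so the encryption is only as strong as that file's permissions. The check below is an added example, not part of the original gist; the function name audit_crypttab and the sample paths are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the gist): audit key files named in a crypttab-format file.
# Prints one finding per line; returns 0 when every key file is private, 1 otherwise.
audit_crypttab() {
    tab=$1; rc=0
    # Fields follow crypttab(5): name, device, key file, options
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case $key in ''|none|-|/dev/*) continue ;; esac  # passphrase prompt or device node
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing or not a regular file"
            rc=1; continue
        fi
        # -L follows symlinks so the mode of the real key file is checked (GNU stat)
        mode=$(stat -L -c '%a' "$key")
        # Any group/other bit lets non-root users read the volume key
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: key file $key has mode $mode, expected 400 or 600"
            rc=1
        fi
    done < "$tab"
    return $rc
}

# Constructed sample input: one private key file, one world-readable, one absent
demo=$(mktemp -d)
printf 'x' > "$demo/luks.key";  chmod 400 "$demo/luks.key"
printf 'x' > "$demo/loose.key"; chmod 644 "$demo/loose.key"
cat > "$demo/crypttab" <<EOF
# name  device     keyfile           options
data1   /dev/xvdb  $demo/luks.key    luks
data2   /dev/xvdc  $demo/loose.key   luks
data3   /dev/xvdd  $demo/absent.key  luks
EOF
audit_crypttab "$demo/crypttab" || echo "audit found problems"
rm -rf "$demo"
```

On a real host, run `audit_crypttab /etc/crypttab` as root once the crypttab entry is in place.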
@atb00ker

Thanks for the script.

echo "YES" | cryptsetup luksFormat /dev/xvdb --key-file /root/luks.key

You can also do:
cryptsetup -q luksFormat /dev/xvdb --key-file /root/luks.key

Just to make it a bit more reliable.
