How to Manage Disk Encryption with LUKS and cryptsetup on RHEL 7

Protecting sensitive data at rest is a fundamental security requirement for any enterprise system. Linux Unified Key Setup (LUKS) is the standard disk encryption specification on Linux, and cryptsetup is the command-line tool used to create and manage LUKS-encrypted volumes on RHEL 7. Whether you are encrypting a secondary data disk, a partition containing a database, or preparing a system for compliance with regulations such as PCI-DSS or HIPAA, LUKS provides a robust, kernel-integrated encryption layer using the AES cipher with configurable key lengths. This tutorial walks you through the full lifecycle of a LUKS-encrypted volume: installation, formatting, mounting at boot, managing passphrases, and performing disaster recovery with header backups.

Prerequisites

  • RHEL 7 system with root or sudo privileges
  • An unformatted block device or partition available for encryption (e.g., /dev/sdb or /dev/sdb1) — all data on it will be destroyed
  • Basic familiarity with Linux partitioning and the fstab file
  • Active RHEL subscription for package installation

Step 1: Install cryptsetup

The cryptsetup package provides all the tools needed to create and manage LUKS volumes. Install it using yum:

sudo yum install -y cryptsetup

Verify the installation and check the version:

cryptsetup --version

You should see output such as cryptsetup 1.7.4 or later. The kernel module dm-crypt is loaded automatically when needed, but you can confirm it is available:

modinfo dm-crypt

Step 2: Format a Partition with LUKS

Before formatting, identify the target block device. Use lsblk to list all available devices and confirm the device name:

lsblk

In this example, /dev/sdb is a clean 20 GB disk with no partitions. You can encrypt the raw disk or a partition. Create a partition first if desired:

sudo fdisk /dev/sdb
# Inside fdisk: n (new), p (primary), 1, default start, default end, w (write)

Now format the partition with LUKS. This command initializes the LUKS header and sets the initial passphrase. All data will be destroyed.

sudo cryptsetup luksFormat /dev/sdb1

You will be prompted to type YES in uppercase, then to enter and confirm a passphrase. For automated environments, you can point luksFormat at a key file instead. The key file must already exist when luksFormat runs, so create it first (see the dd command below):

sudo cryptsetup luksFormat --key-file /root/luks-keyfile /dev/sdb1

To create a key file with strong random bytes:

sudo dd if=/dev/urandom of=/root/luks-keyfile bs=512 count=8
sudo chmod 400 /root/luks-keyfile
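The two commands above create the key file and then tighten its permissions, which leaves a short window in which the file exists with the default umask. The following shell function is an added example, not part of the original tutorial: it creates the key file under a restrictive umask so it is never group- or world-readable, then verifies the size (512 x 8 = 4096 bytes) and mode before the file is trusted. The path is a parameter; the tutorial uses /root/luks-keyfile.

```shell
# Added example (not from the original tutorial): create a LUKS key file that is
# never readable by other users, then verify it before it is used anywhere.

# Usage: make_luks_keyfile /path/to/keyfile   (run as root for /root paths)
make_luks_keyfile() {
    keyfile="$1"
    # umask 077 in a subshell: dd creates the file as 0600 from the start,
    # so there is no moment in which the key bytes are readable by others.
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null ) || return 1
    chmod 400 "$keyfile" || return 1
    verify_luks_keyfile "$keyfile"
}

# Return 0 only when the key file exists, is exactly 4096 bytes and is mode 0400.
verify_luks_keyfile() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "$keyfile: missing"; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 4096 ] || { echo "$keyfile: size is $size, expected 4096"; return 1; }
    # find -perm with a leading 0 and no '-' prefix requires an exact mode match
    [ -n "$(find "$keyfile" -perm 0400 -print)" ] || { echo "$keyfile: mode is not 0400"; return 1; }
    return 0
}
```

Running verify_luks_keyfile on an existing key file is a cheap check to add to a configuration audit: a key file that is readable by other users, or that was truncated by a failed dd, is caught before the next reboot depends on it.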

Step 3: Open and Close a LUKS Volume

To use the encrypted partition you must open (unlock) it, which creates a device mapper entry under /dev/mapper/. The name you supply (mydata here) becomes the mapper device name:

sudo cryptsetup luksOpen /dev/sdb1 mydata

Enter the passphrase when prompted. The unlocked device is now accessible at:

/dev/mapper/mydata

Create a filesystem on the mapped device:

sudo mkfs.xfs /dev/mapper/mydata

Mount the filesystem:

sudo mkdir -p /mnt/securedata
sudo mount /dev/mapper/mydata /mnt/securedata

To close (lock) the volume, unmount first then close:

sudo umount /mnt/securedata
sudo cryptsetup luksClose mydata

Step 4: Automate Unlocking at Boot with /etc/crypttab

To have the system unlock the LUKS volume automatically at boot, add an entry to /etc/crypttab. First obtain the UUID of the LUKS device:

sudo cryptsetup luksUUID /dev/sdb1

Example output: a1b2c3d4-e5f6-7890-abcd-ef1234567890

Edit /etc/crypttab:

sudo vi /etc/crypttab

Add a line in the format: name UUID=<uuid> key-file-or-none options

For password prompt at boot (interactive unlock):

mydata  UUID=a1b2c3d4-e5f6-7890-abcd-ef1234567890  none

For automatic unlock using a key file:

mydata  UUID=a1b2c3d4-e5f6-7890-abcd-ef1234567890  /root/luks-keyfile

The third field is the path to the key file, or none to prompt interactively at boot. Note that a key file stored on an unencrypted root filesystem, as in the second example, is only as well protected as that filesystem: anyone who can read /root/luks-keyfile, including someone with offline access to the disk it sits on, can unlock the volume. Keep it owned by root with mode 0400.

Step 5: Add /etc/fstab Entry for Persistent Mounting

Once /etc/crypttab is configured, add the mapper device to /etc/fstab so the decrypted volume is mounted after unlock:

sudo vi /etc/fstab

Add:

/dev/mapper/mydata  /mnt/securedata  xfs  defaults,x-systemd.requires=dev-mapper-mydata.device  0 0

Verify the configuration without rebooting. daemon-reload makes systemd-cryptsetup-generator regenerate the unlock units from /etc/crypttab; a device unit such as dev-mapper-mydata.device cannot be started by hand (it is only reached through dependencies), so start the generated unlock service, which creates the mapper device, and then mount:

sudo systemctl daemon-reload
sudo systemctl start systemd-cryptsetup@mydata.service
sudo mount /mnt/securedata
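A malformed /etc/crypttab line (a bad UUID, a key file that does not exist, or a key file readable by other users) is typically discovered only at the next boot, when the system waits for a volume that never unlocks. The following shell functions are an added example, not part of the original tutorial: they build a crypttab line in the tutorial's layout and validate lines before a reboot. The field layout and the UUID are the ones used above; the key-file check assumes the file is local to the host running the check.

```shell
# Added example (not from the original tutorial): generate and validate
# /etc/crypttab entries of the form  name  UUID=<uuid>  keyfile-or-none  [options]

UUID_RE='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Print one crypttab line: crypttab_entry NAME UUID KEYFILE-OR-none
crypttab_entry() {
    printf '%s  UUID=%s  %s\n' "$1" "$2" "$3"
}

# Return 0 when a single crypttab line is well-formed; print the reason otherwise.
check_crypttab_line() {
    line="$1"
    set -- $line                         # split the line into fields on whitespace
    [ $# -ge 3 ] && [ $# -le 4 ] || { echo "expected 3 or 4 fields, got $#"; return 1; }
    name="$1"; src="$2"; key="$3"
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad mapper name: $name"; return 1;;
    esac
    printf '%s\n' "$src" | grep -Eq "$UUID_RE" || { echo "device must be UUID=<uuid>, got: $src"; return 1; }
    if [ "$key" != "none" ]; then
        [ -f "$key" ] || { echo "key file missing: $key"; return 1; }
        # columns 5-10 of ls -l are the group/other permission bits; all must be '-'
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { echo "key file readable by group/others: $key"; return 1; }
    fi
    return 0
}

# Check every non-comment line of a crypttab file; the return code is the
# number of bad lines (0 means the file passed).
check_crypttab_file() {
    bad=0
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue;; esac
        check_crypttab_line "$l" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}
```

Running check_crypttab_file /etc/crypttab after every edit, and before the reboot that will exercise it, turns a boot-time hang into an error message at the terminal.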

Step 6: Add and Remove Passphrases with luksAddKey and luksRemoveKey

LUKS supports up to 8 key slots, allowing multiple passphrases or key files to unlock the same volume. This is useful for administrative access or rotation.

Add an additional passphrase (you will be prompted for the existing passphrase first, then the new one):

sudo cryptsetup luksAddKey /dev/sdb1

Add a key file as an additional unlock method:

sudo cryptsetup luksAddKey /dev/sdb1 /root/luks-backup-keyfile

Remove a passphrase (you will be prompted for the passphrase to remove; cryptsetup finds the slot by testing the passphrase against each one). Never remove the last remaining key slot, since the data then becomes unrecoverable; to clear a particular slot by number rather than by passphrase, use the luksKillSlot subcommand instead:

sudo cryptsetup luksRemoveKey /dev/sdb1

View key slot status to see which slots are in use:

sudo cryptsetup luksDump /dev/sdb1 | grep "Key Slot"

Step 7: Inspect Volume Details with luksDump

The luksDump subcommand displays the LUKS header metadata including cipher, key size, UUID, and key slot status:

sudo cryptsetup luksDump /dev/sdb1

Sample output:

LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      ...
UUID:           a1b2c3d4-e5f6-7890-abcd-ef1234567890

Key Slot 0: ENABLED
  Iterations:         105436
  Salt:               ...
  Key material offset:8
  AF stripes:         4000
Key Slot 1: DISABLED
...
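Key slot status is worth auditing, not just viewing: an enabled slot nobody can account for is a sign that a passphrase was added outside the change process, and a header that has drifted from the expected cipher or key size should be noticed too. The following shell functions are an added example, not part of the original tutorial: they parse luksDump text (the constructed sample below is built from the tutorial's sample output) and check it against a simple policy. The policy values (aes, xts-plain64, at least 256 MK bits, an expected slot count) are assumptions to adapt to your own standard.

```shell
# Added example (not from the original tutorial): audit `cryptsetup luksDump`
# output for enabled key slots and header policy. Feed real output with
#   sudo cryptsetup luksDump /dev/sdb1 | audit_luks_header 2

# Constructed sample, derived from the tutorial's luksDump output.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
UUID:           a1b2c3d4-e5f6-7890-abcd-ef1234567890

Key Slot 0: ENABLED
  Iterations:         105436
  Key material offset:8
  AF stripes:         4000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
  Iterations:         98765
  Key material offset:512
  AF stripes:         4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the enabled key slots, one per line, from luksDump text on stdin.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Print the value of one "Field:   value" header line from luksDump text on stdin.
header_field() {
    awk -v f="$1" -F': *' '$1 == f { print $2; exit }'
}

# Check luksDump text on stdin against the policy; print each finding and
# return the number of violations (0 means the header passed).
audit_luks_header() {
    expected_slots="$1"
    dump=$(cat)
    violations=0
    cipher=$(printf '%s\n' "$dump" | header_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | header_field "Cipher mode")
    bits=$(printf '%s\n' "$dump" | header_field "MK bits")
    slots=$(printf '%s\n' "$dump" | enabled_slots | tr '\n' ' ')
    count=$(printf '%s\n' "$dump" | enabled_slots | wc -l | tr -d ' ')
    [ "$cipher" = "aes" ] || { echo "cipher is '$cipher', expected aes"; violations=$((violations + 1)); }
    [ "$mode" = "xts-plain64" ] || { echo "mode is '$mode', expected xts-plain64"; violations=$((violations + 1)); }
    [ "${bits:-0}" -ge 256 ] || { echo "master key is ${bits:-0} bits, expected >= 256"; violations=$((violations + 1)); }
    [ "$count" -eq "$expected_slots" ] || { echo "$count key slots enabled ($slots), expected $expected_slots"; violations=$((violations + 1)); }
    return "$violations"
}
```

Because the check consumes plain text, it can also run over luksDump output collected from many hosts by a configuration-management or inventory job, reporting any volume whose enabled slots differ from the approved set.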

Step 8: Backup and Restore the LUKS Header

The LUKS header contains encryption metadata and key slot information. If the header is corrupted (due to a disk error or accidental overwrite), the encrypted data becomes permanently inaccessible. Always back up the header after formatting or changing keys.

Back up the header to a file:

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/sdb1-luks-header.bak

Store this backup file securely — ideally on a separate system or encrypted storage. The backup contains the key slots, so any passphrase or key file that was valid when it was taken can still unlock a restored header; if you later remove a passphrase, take a fresh backup and destroy the old one, otherwise the removed passphrase lives on in the stale copy. Restore the header from a backup:

sudo cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file /root/sdb1-luks-header.bak

You will be prompted to confirm since this overwrites the current header.
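A header backup is only useful if it really is the header of the volume you think it is, so it pays to check a backup before filing it away and again before restoring it. The following shell functions are an added example, not part of the original tutorial: they read the fixed LUKS1 on-disk header layout (magic bytes at offset 0, version at 6, cipher name at 8, cipher mode at 40, UUID at 168) and refuse a file that is not a LUKS1 header for the expected UUID or that is readable by other users. make_sample_header writes a constructed, minimal header so the checks can be exercised without a real device; it is for demonstration only and is not something cryptsetup produces.

```shell
# Added example (not from the original tutorial): verify a LUKS1 header backup
# file before relying on it.
#   verify_luks_header_backup /root/sdb1-luks-header.bak a1b2c3d4-e5f6-7890-abcd-ef1234567890

# Raw bytes, hex, or NUL-stripped string read from FILE at OFFSET for COUNT bytes.
hdr_bytes() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null; }
hdr_hex()   { hdr_bytes "$1" "$2" "$3" | od -An -tx1 | tr -d ' \n'; }
hdr_str()   { hdr_bytes "$1" "$2" "$3" | tr -d '\000'; }

# Return 0 when FILE is a LUKS1 header for WANT_UUID and is private to its owner.
verify_luks_header_backup() {
    f="$1"; want_uuid="$2"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # LUKS magic is the bytes "LUKS" 0xBA 0xBE
    [ "$(hdr_hex "$f" 0 6)" = "4c554b53babe" ] || { echo "$f: not a LUKS header (bad magic)"; return 1; }
    [ "$(hdr_hex "$f" 6 2)" = "0001" ] || { echo "$f: not a LUKS1 header"; return 1; }
    uuid=$(hdr_str "$f" 168 40)
    [ "$uuid" = "$want_uuid" ] || { echo "$f: UUID $uuid does not match $want_uuid"; return 1; }
    # the backup holds key material: group/other permission bits must all be '-'
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by group/others"; return 1; }
    echo "ok: $(hdr_str "$f" 8 32)-$(hdr_str "$f" 40 32), uuid $uuid"
}

# Write STRING into a NUL-padded field of WIDTH bytes.
field() { printf '%s' "$1"; dd if=/dev/zero bs=1 count=$(( $2 - ${#1} )) 2>/dev/null; }

# Constructed sample: a 592-byte LUKS1 header (aes-xts-plain64, sha256,
# payload offset 4096, 32-byte master key, empty key slots) with the given UUID.
#   make_sample_header /path/to/file <uuid>
make_sample_header() {
    {
        printf 'LUKS\272\276'                       # magic
        printf '\000\001'                           # version 1 (big-endian)
        field aes 32                                # cipher name
        field xts-plain64 32                        # cipher mode
        field sha256 32                             # hash spec
        printf '\000\000\020\000'                   # payload offset 4096 sectors
        printf '\000\000\000\040'                   # master key length: 32 bytes
        dd if=/dev/zero bs=1 count=56 2>/dev/null   # MK digest, salt, iterations (zeroed)
        field "$2" 40                               # UUID
        dd if=/dev/zero bs=1 count=384 2>/dev/null  # eight empty key slot records
    } > "$1"
}
```

Record the UUID from cryptsetup luksUUID alongside the backup, and run verify_luks_header_backup against that UUID as part of the restore runbook: restoring the header of the wrong volume over /dev/sdb1 would be as destructive as the corruption the backup is meant to fix.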

Step 9: Verify Encryption and Check Device Status

Once a volume is open, check its status:

sudo cryptsetup status mydata

Output shows the cipher, key size, device, and offset:

/dev/mapper/mydata is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    41938944 sectors
  mode:    read/write

Confirm that device mapper is using the dm-crypt target:

sudo dmsetup table mydata

Conclusion

LUKS and cryptsetup on RHEL 7 provide a production-grade, standards-compliant solution for encrypting data at rest. You have learned how to install cryptsetup, format a partition with a LUKS container, open and close encrypted volumes, configure automatic unlock via /etc/crypttab, manage multiple passphrases with key slots, and protect against header corruption using header backups. The combination of /etc/crypttab and /etc/fstab integrates seamlessly with systemd to ensure encrypted volumes are unlocked and mounted in the correct boot order. For systems subject to data security regulations, LUKS encryption is an essential layer that complements filesystem permissions, SELinux, and network security controls.