LinuxQuestions.org
Old 10-06-2016, 12:28 AM   #1
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Rep: Reputation: 31
file system encryption


Dear Friends,

After installation of Red Hat Linux 5.4, I want to encrypt one of the file systems, like /dev/sda2.

[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 6.2G 2.6G 3.3G 44% /
/dev/sda2 4.8G 138M 4.4G 4% /disk2
/dev/sda3 4.8G 138M 4.4G 4% /disk3
tmpfs 1006M 0 1006M 0% /dev/shm

But when I give the below command, it shows a "command Fails" error:

[root@localhost ~]# cryptsetup luksFormat --verbose --cipher=aes-xts-plain64 --key-size 512 --hash=sha512 ----verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command failed.

Last edited by shipon_97; 10-06-2016 at 01:31 AM.
 
Old 10-06-2016, 01:23 AM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,128

Rep: Reputation: 4121
A good start would be to read the prompt the command gave you - twice.
 
Old 10-07-2016, 06:24 AM   #3
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,830
Blog Entries: 17

Rep: Reputation: 638
Do the same command with "-v" option to get verbose output, and then post that here.
 
Old 10-20-2016, 03:38 AM   #4
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Original Poster
Rep: Reputation: 31
I got the same error using '-v':


-----------------

[root@localhost ~]# cryptsetup luksFormat --verbose -v --cipher=aes-xts-plain64 --key-size 512 --hash=sha512 --verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command failed.[root@localhost ~]#

--------------------------
 
Old 10-20-2016, 09:02 AM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
(A) You can't run luksFormat on a partition that contains a currently mounted filesystem.

(B) luksFormat will destroy the existing filesystem on the partition. The first 1 or 2 megabytes of the filesystem will be overwritten.

There is a separate tool, cryptsetup-reencrypt, that can, under certain conditions, convert an existing unencrypted filesystem to an encrypted one. Read the manpage. Shrinking the existing filesystem slightly to make room for the LUKS header is a requirement. The process is slow, and will not tolerate hardware or kernel failures (you will lose your data unrecoverably).
 
Old 10-22-2016, 12:30 AM   #6
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Original Poster
Rep: Reputation: 31
Dear rknichols, Thx a lot.

I followed the steps below:

1) First I tried this:

[root@localhost ~]# cryptsetup luksFormat --verbose -v --cipher=aes-xts-plain64 --key-size 512 --hash=sha512 --verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-xts-plain64 cipher spec and verify that /dev/sda2 contains at least 508 sectors.
Failed to write to key storage.
Command failed.

>> But it shows an aes-xts-plain64 cipher error. Can you please tell me why?

2) After that, I gave the same command without 'aes-xts-plain64':

[root@localhost ~]# cryptsetup luksFormat --verbose --hash=sha512 --verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

>> Is this the right way to do it?

3) Now I need to mount the /dev/sda2 filesystem but got the below error:


[root@localhost ~]# mount /dev/sda2
mount: can't find /dev/sda2 in /etc/fstab or /etc/mtab

[root@localhost ~]# mount -a
mount: special device LABEL=/disk1 does not exist

-----------------------------my fstab entry-------------

[root@localhost ~]# cat /etc/fstab
LABEL=/ / ext3 defaults 1 1
LABEL=/disk2 /disk2 ext3 defaults 1 2
LABEL=/disk1 /disk1 ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
LABEL=SWAP-sda5 swap swap defaults 0 0
-------------------------------------------------------------------------------

If my encryption was done the right way, then how can I mount this filesystem?
 
Old 10-22-2016, 09:47 AM   #7
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
Quote:
Originally Posted by shipon_97
[root@localhost ~]# cryptsetup luksFormat --verbose -v --cipher=aes-xts-plain64 --key-size 512 --hash=sha512 --verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-xts-plain64 cipher spec and verify that /dev/sda2 contains at least 508 sectors.
Failed to write to key storage.
Command failed.

>> But it shows an aes-xts-plain64 cipher error. Can you please tell me why?

Apparently, your kernel lacks support for aes-xts-plain64.

Quote:
2) After that, I gave the same command without 'aes-xts-plain64':

[root@localhost ~]# cryptsetup luksFormat --verbose --hash=sha512 --verify-passphrase /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

You successfully created a LUKS container, but destroyed the filesystem that was previously in that partition. You were warned about that repeatedly. Hope you have good backups.

Quote:
3) Now I need to mount the /dev/sda2 filesystem but got the below error:


[root@localhost ~]# mount /dev/sda2
mount: can't find /dev/sda2 in /etc/fstab or /etc/mtab

[root@localhost ~]# mount -a
mount: special device LABEL=/disk1 does not exist

-----------------------------my fstab entry-------------

[root@localhost ~]# cat /etc/fstab
LABEL=/ / ext3 defaults 1 1
LABEL=/disk2 /disk2 ext3 defaults 1 2
LABEL=/disk1 /disk1 ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
LABEL=SWAP-sda5 swap swap defaults 0 0
-------------------------------------------------------------------------------

If my encryption was done the right way, then how can I mount this filesystem?

You can't. There is no filesystem there any more. You should be able to recover part of it from the remains by running "fsck.ext3 /dev/sda2", but a lot will end up in the lost+found directory and some will be unrecoverable.

The proper sequence for doing this is:
  1. Save all of the files from the existing filesystem somewhere else.
  2. Run "cryptsetup luksFormat --verbose -v --cipher=aes-xts-plain64 --key-size 512 --hash=sha512 --verify-passphrase /dev/sda2".
  3. Open the LUKS container by running "cryptsetup luksOpen /dev/sda2 some_name".
  4. Create a new filesystem: "mkfs.ext3 -L /disk1 /dev/mapper/some_name".
  5. Mount the filesystem: "mount /disk1".
  6. Restore your data to the filesystem on /disk1.

Arranging for that LUKS container to be handled properly when the system boots can vary across different Linux distributions. You should probably modify the fstab entry to allow booting without that filesystem mounted:
Code:
LABEL=/disk1            /disk1                  ext3    nofail          1 2
 
Old 10-24-2016, 07:02 AM   #8
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Original Poster
Rep: Reputation: 31
Mount problem

Thx a lot, rknichols.

I successfully followed your steps but finally I got stuck while restarting the OS. Here is the output:

1) [root@localhost ~]# cryptsetup luksFormat --verbose -v --key-size 256 --hash=sha512 --verify-passphrase /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

2) [root@localhost ~]# cryptsetup luksOpen /dev/sda3 endisk
Enter LUKS passphrase for /dev/sda3:
key slot 0 unlocked.
Command successful.

3) [root@localhost ~]# mkfs.ext3 -L /disk2 /dev/mapper/endisk
mke2fs 1.39 (29-May-2006)
Filesystem label=/disk2
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
396800 inodes, 792952 blocks
39647 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=813694976
25 block groups
32768 blocks per group, 32768 fragments per group
15872 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

4) I also successfully mounted the filesystem and added the below line to the '/etc/fstab' file:

LABEL=/disk2 /disk2 ext3 nofail 1 2

Now, while restarting the OS, I got the below error:

-----------------------------------------------------------
Checking Filesystem
fsck.ext3: Unable to resolve 'LABEL=/disk2' ---[FAILED]
kernel alive
***an error occurred during the FS check
---------------------------------------------


At this stage, can you please help me?
 
Old 10-24-2016, 09:49 AM   #9
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
See the manpage for crypttab. In /etc/crypttab, you will need a line like
Code:
endisk UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none
where the UUID matches what is returned by "cryptsetup luksUUID /dev/sda3". Using "none" in the password field will cause a prompt for the password during boot.

Note that RHEL 5.4 is really old (latest version is 5.11), and even 5.11 goes EOL in just a few months and will then be completely unsupported.
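
The mounted-partition check from post #5 and the /etc/crypttab entry from post #9, as an added shell example that is not part of any post in this thread. The function names, the sample mounts table, the sample-file arguments and the "-" stdin convention are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. The last argument of each function
# defaults to the real system file and can be pointed at a sample instead.

# Constructed sample in /proc/mounts format, mirroring the df output in post #1.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /disk2 ext3 rw 0 0
/dev/sda3 /disk3 ext3 rw 0 0'

# Succeeds if device $1 is a mounted source in table $2 ("-" reads stdin).
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Pre-flight for luksFormat: refuse while the partition is still mounted.
preflight_format() {
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        echo "$1 is mounted: back up its files and umount it first" >&2
        return 1
    fi
}

# Prints the crypttab line for mapping $1 and LUKS UUID $2.
# "none" in the key field means the passphrase is prompted for at boot.
crypttab_line() {
    printf '%s\n' "$2" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
        { echo "not a UUID: $2" >&2; return 1; }
    printf '%s UUID=%s none\n' "$1" "$2"
}

# Appends that line to crypttab file $3 unless mapping $1 is already listed.
ensure_crypttab() {
    line=$(crypttab_line "$1" "$2") || return 1
    file=${3:-/etc/crypttab}
    if [ -f "$file" ] && awk -v n="$1" '$1 == n { f = 1 } END { exit !f }' "$file"
    then return 0; fi
    printf '%s\n' "$line" >> "$file"
}

# After luksFormat: read the container's UUID and register mapping $2 for $1.
register_container() {
    uuid=$(cryptsetup luksUUID "$1") || return 1
    ensure_crypttab "$2" "$uuid" "${3:-/etc/crypttab}"
}
```

is_mounted compares against the device path exactly as the mounts table records it, so a partition mounted under a different device name would not match.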
 
  

