Regarding File System Encryption !!!

shipon_97 · 12-26-2016, 07:33 AM

Dear Friends ,

I am using Redhat 6.5 and want to enable filesystem encryption. In this case , I enabled encryption one of a disk during OS installation . Now I have the following 2 question :

1) If I enable 'encrypt' for a Filesystem during OS installation which types of encryption is used ?

2) And How can I reset encryption password for this scenario ?

Waiting for kind reply ..

AwesomeMachine · 12-27-2016, 12:13 AM

The password is fixed. You can't change it. The encryption algorithm is whatever the distro uses. That should be documented.

rknichols · 12-27-2016, 09:56 AM

Of course you can change it. The encryption framework is LUKS, and the manpage for cryptsetup shows you how to add and delete passwords. (You can have up to 8 passwords or key files.)

shipon_97 · 12-28-2016, 04:02 AM

Thx Nichols.

See the below output :

------------------------------------------------------
[root@localhost ~]# df -H
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 8.7G 2.3G 6.0G 28% /
tmpfs 1.1G 0 1.1G 0% /dev/shm

/dev/dm-0 4.1G 8.2M 3.9G 1% /disk1
/dev/mapper/ncdisk 4.1G 8.2M 3.9G 1% /ncdisk
-------------------------------------------------------

Here ,

/disk1 (/dev/sda1) is encrypted during OS installation and /ncdisk is created by manually by the cryptsetup command with LUKS.
My question was ,

How I found Which encryption was used '/disk1' partition and how can I change encrypt password ?

>> When I use 'cryptsetup' command for '/disk1'---->(/dev/sda1),it shows, it's not a valid LUKS device .

[root@localhost ~]# cryptsetup luksDump /dev/sda1
Device /dev/sda1 is not a valid LUKS device.

IF 'AwesomeMachine' is right then How I can change the password for lost case .

rknichols · 12-28-2016, 12:55 PM

The output from "lsblk -f" (run as root) would be helpful here.

sundialsvcs · 12-28-2016, 04:41 PM

Now, if it were me, I would not bother to use software disk encryption. Purchase a disk drive (or controller) which has on-board (hardware) encryption capability. In my experience (and, "Your Mileage May Vary™"), software encryption exacts a serious performance penalty for a machine that actually has work to do.

Also, it is often the case that only a small amount of data needs to be encrypted, and there are "encrypted folder" technologies available for these purposes. (Basically, you "mount" the encrypted folder.) These are much more targeted such that the overhead of software encryption is much more manageable: you're only encrypting what you really need to. (And, these should not be, say, "MySQL databases" or anything that's going to get a lot of activity. "A folder of confidential documents," say ...)

shipon_97 · 12-29-2016, 01:05 AM

Thanx nichols . I can change the password .