CentOS Encryption

TurnToJPG -->

Disk Configuration

Specify the disk like following, notice we don’t activate the swap partition.

Select the disk and do the following configuration:


Boot partition, should be 400MiB:


Root partition, should contains all of the left space:



Refers to:


Generate the secret key file:

# dd if=/dev/sdb of=luks-secret.key bs=1 count=4096
# cryptsetup luksAddKey /dev/sda2 luks-secret.key --key-slot 1

Modify Dracut:

# ls  /dev/disk/by-id | grep usb
usb-SanDisk_Cruzer_Orbit_4C532000050606114400-0:0 -> ../../sda
usb-SanDisk_Cruzer_Orbit_4C532000050606114400-0:0-part1 -> ../../sda1

Remember the id of sda, later we will use it for updating cryptroot-ask.sh file:

# vim /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh
info "luksOpen $device $luksname $luksfile $luksoptions"

+++ # Unlock with USB key
+++ sleep 3
+++ udevsettle
+++ usbkey=/dev/disk/by-id/usb-SanDisk_Cruzer_Orbit_4C532000050606114400-0\:0
+++ if [ -e $usbkey ]; then
+++   ask_passphrase=0
+++   echo "USB Key detected - unlocking partition $device ..."
+++   dd if=$usbkey bs=1 count=4096 | cryptsetup luksOpen $device $luksname --key-file=-
+++ fi


Notice the prefixed +++ is the added lines to this file.

Also because the program dd is not loaded by default in CentOS, we need add following line into /usr/lib/dracut/modules.d/90crypt/module-setup.sh:

# vim /usr/lib/dracut/modules.d/90crypt/module-setup.sh
install() {
+++    inst /usr/bin/dd

We need to modify /etc/dracut.conf to stop systemd from running the decryption process:

# dracut modules to omit

# dracut modules to add to the default

Create the new initramfs via dracut -f, now insert the usb disk, the decryption will be automatically executed, enjoy your own usb disk encrypted system!


For automatically dracut after system upgrading:

# mkdir -p /root/archive
# mkdir -p /root/scripts
# cp /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh  /root/archive
# cp /usr/lib/dracut/modules.d/90crypt/module-setup.sh /root/archive
# vim /root/scripts/update-dracut
    cp /root/archive/cryptroot-ask.sh /usr/share/dracut/modules.d/90crypt/
    cp /root/archive/module-setup.sh /usr/share/dracut/modules.d/90crypt/
    dracut -f
    exit 0
# chmod 777 /root/scripts/update-dracut

Disable Kernel Update

For we make the updates to initramfs, we’d better disable kernel update for CentOS.

$ sudo vim /etc/yum.conf

Now via yum update you won’t get your kernel related packages update.

LVM Based Encryption

If you use lvm based, then do following things:

# cat /etc/crypttab 
luks-189e8c45-2c62-4c08-acb6-b3264c435fd1 UUID=189e8c45-2c62-4c08-acb6-b3264c435fd1 none 
# blkid
/dev/sda1: LABEL="XENSERVER-6" UUID="5CD6-02A1" TYPE="vfat" 
/dev/sdb1: UUID="d13618c7-b166-4135-8cae-1c5b8c5110fc" TYPE="xfs" 
/dev/sdb2: UUID="tZyuzH-wIpt-MtQv-gWsJ-Ld69-zjtQ-TfbL6z" TYPE="LVM2_member" 
/dev/mapper/cl-00: UUID="189e8c45-2c62-4c08-acb6-b3264c435fd1" TYPE="crypto_LUKS" 
/dev/mapper/luks-189e8c45-2c62-4c08-acb6-b3264c435fd1: UUID="f7a6d197-5afd-46e1-8a69-408de5278405" TYPE="xfs" 

Then your command should be like:

# cryptsetup luksAddKey /dev/mapper/cl-00 luks-secret.key --key-slot 1

Make sure the partition is the same as the one you looked as crypto_LUKS.