Encrypt-at-Rest on Storage VPS: LUKS with Automated Unlock Strategy
In this guide, you will learn to encrypt a storage VPS with LUKS and set up an automated unlock strategy. LUKS is the standard method for encrypting disk drives and storage volumes on Linux systems.
Using encryption-at-rest on a High Storage VPS keeps your stored data private, while still letting the server reboot and mount the disk automatically. You can follow this guide to encrypt a second drive with LUKS and set up a secure local keyfile so it can unlock itself during boot.
Prerequisites to Encrypt a Storage VPS with LUKS
To encrypt a storage VPS with LUKS, your server must be running a modern Linux operating system, such as Ubuntu, Debian, AlmaLinux, or Rocky Linux. We highly recommend using a Storage VPS from a reliable provider like PerLod Hosting for optimal performance.
Also, you will need:
- root privileges.
- The cryptsetup package installed on your system.
- An unformatted secondary block device attached to your VPS. In this guide, we use /dev/vdb.
Once you are done, proceed to the following steps to encrypt the storage VPS with LUKS.
Format the Storage Volume with LUKS
The first step is to format the secondary block device with a LUKS header. To do this, you can run the command below:
cryptsetup luksFormat /dev/vdb
You will be prompted to create an initial, manual recovery passphrase.
Once you have finished formatting, you must decrypt and map the volume to a virtual device. You can open the LUKS device and map it to secure_storage:
cryptsetup luksOpen /dev/vdb secure_storage
Create an EXT4 Filesystem and Mount the Encrypted Volume
At this point, you have unlocked and mapped the volume to /dev/mapper/secure_storage. Now you must create a filesystem on it before it can store data.
Create the EXT4 filesystem with the following command:
mkfs.ext4 /dev/mapper/secure_storage
Then, create a target directory, and mount the volume by running the commands below:
mkdir -p /mnt/data
mount /dev/mapper/secure_storage /mnt/data
Create and Secure the LUKS Keyfile
To let the server unlock the drive automatically, you must generate a random keyfile and register it with LUKS. This file must also be protected with strict permissions so that only the root user can read it.
Generate a 4 KB random keyfile from /dev/urandom with the command below:
dd if=/dev/urandom of=/root/luks-volume.key bs=1024 count=4
Restrict permissions to root only with the following command:
chmod 0400 /root/luks-volume.key
Link the Keyfile to the LUKS Encrypted Drive
You need to add the keyfile to the LUKS drive so it can unlock the volume. When you run this command, it will ask for the recovery passphrase you set when formatting the drive to confirm the change.
Add the keyfile to the LUKS authorized keys with the command below:
cryptsetup luksAddKey /dev/vdb /root/luks-volume.key
Configure crypttab for Automated Unlocking
During boot, the system reads /etc/crypttab to know which encrypted volumes to unlock and how to unlock them. You can use the drive’s unique ID (UUID) instead of /dev/vdb. This prevents boot errors if the device name ever changes.
Find the UUID of your storage volume:
blkid /dev/vdb
Open /etc/crypttab with your desired text editor:
nano /etc/crypttab
Add the following line to /etc/crypttab with your actual UUID:
secure_storage UUID=YOUR-UUID-HERE /root/luks-volume.key luks
Configure Automatic Volume Mounting
Once crypttab unlocks the volume, /etc/fstab handles mounting the decrypted filesystem to your desired directory. Open /etc/fstab with your desired text editor:
nano /etc/fstab
To ensure the unlocked mapper device mounts on boot, add the following line to the /etc/fstab file:
/dev/mapper/secure_storage /mnt/data ext4 defaults 0 2
Test the LUKS Configuration
Before you reboot your server, it is recommended to test your configuration to prevent potential lockouts. You can unmount the directory, close the LUKS device, and then attempt to reopen it using only the keyfile to ensure the automation works correctly.
Unmount and lock the volume with the commands below:
umount /mnt/data
cryptsetup luksClose secure_storage
Test unlocking with the keyfile:
cryptsetup luksOpen --key-file /root/luks-volume.key /dev/vdb secure_storage
Also, test automatic mounting from fstab:
mount -a
If the mount -a command succeeds without errors, your automated unlock strategy is fully operational.
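As an added pre-reboot check that is not part of the original guide, the script below cross-checks the pieces configured above: the crypttab entry for the mapper name, the UUID it references against the one blkid reports, the keyfile's existence and permissions, and the matching fstab line. It assumes POSIX sh with GNU stat and awk, and takes the crypttab and fstab paths, the mapper name and the device UUID as arguments so it can also be run against copies of the files without root or the device.

```shell
#!/bin/sh
# Pre-reboot consistency check for the LUKS keyfile auto-unlock set up above.
# Added example, not part of the original guide. Paths and the mapper name are
# parameters so the check can be run against copies of the files as well.

# Keyfile permissions: only root may read it, and nobody else gets any bit.
# Takes the numeric mode as printed by `stat -c %a`, e.g. "400" or "600".
keyfile_mode_ok() {
    case "$1" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the UUID and keyfile recorded in CRYPTTAB ($1) for mapper NAME ($2).
# Output: "<uuid> <keyfile>" on one line; returns 1 if NAME is absent.
crypttab_lookup() {
    awk -v name="$2" '$1 == name && $2 ~ /^UUID=/ {
        sub(/^UUID=/, "", $2); print $2, $3; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if FSTAB ($1) mounts /dev/mapper/NAME ($2) as ext4.
fstab_has_mapper() {
    awk -v dev="/dev/mapper/$2" '$1 == dev && $3 == "ext4" { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# verify_autounlock CRYPTTAB FSTAB NAME UUID
# UUID is what `blkid -s UUID -o value /dev/vdb` reports on the real server;
# it is passed in so the check stays runnable without root or the device.
verify_autounlock() {
    entry=$(crypttab_lookup "$1" "$3") || { echo "no crypttab entry for $3" >&2; return 1; }
    uuid=${entry%% *}
    keyfile=${entry#* }
    [ "$uuid" = "$4" ] || { echo "crypttab UUID $uuid != device UUID $4" >&2; return 1; }
    [ -f "$keyfile" ] || { echo "keyfile $keyfile missing" >&2; return 1; }
    keyfile_mode_ok "$(stat -c %a "$keyfile")" || { echo "keyfile $keyfile is readable by others" >&2; return 1; }
    fstab_has_mapper "$2" "$3" || { echo "no ext4 fstab entry for /dev/mapper/$3" >&2; return 1; }
    echo "ok: $3 unlocks with $keyfile and mounts from fstab"
}

# On the server itself (as root), the call would look like this:
# verify_autounlock /etc/crypttab /etc/fstab secure_storage "$(blkid -s UUID -o value /dev/vdb)"
```

Keep in mind that the keyfile sits in plaintext on the root filesystem, so this setup protects the data volume against someone who obtains that volume alone, not against someone who also has the root disk. The recovery passphrase remains the only independent way in if the keyfile is lost.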
FAQs
Does LUKS encryption slow down the Storage VPS?
Modern servers are built to handle encryption effortlessly. You won’t notice any performance drop, and your file transfers will stay fast.
Can I unlock the LUKS drive with the manual password?
Yes. LUKS supports multiple key slots, so the recovery passphrase and the keyfile can both unlock the same volume. If your keyfile ever gets deleted, you can still unlock the drive using the manual password.
Can I change the LUKS password or keyfile without formatting the drive?
Yes. You can add, remove, or change passwords and keyfiles at any time using cryptsetup commands without losing or moving your existing data.
Conclusion
By following these steps, you have successfully encrypted your storage VPS with LUKS. This keeps your data safe from physical theft of the storage volume while allowing your server to reboot and mount the drive automatically. This setup on your High Storage VPS gives you strong security without manual intervention at boot. Just be sure to save your manual password offline, so you can always access your data if the keyfile is lost.