Tutorial

How to Create an Encrypted File System on a DigitalOcean Block Storage Volume

How to Create an Encrypted File System on a DigitalOcean Block Storage Volume

Introduction

DigitalOcean Volumes are scalable, SSD-based block storage devices. Volumes allow you to create and expand your infrastructure’s storage capacity without needing to resize your Droplets.

Volumes are encrypted at rest, which means that the data on a Volume is not readable outside of its storage cluster. When you attach a Volume to a Droplet, the Droplet is presented with a decrypted block storage device and all data is transmitted over isolated networks.

For additional security, you can also create a file system in a LUKS encrypted disk on your Volume. This means that the disk will need to be decrypted by the operating system on your Droplet in order to read any data.

This tutorial covers how to:

  • Create a passphrase-protected encrypted disk on your Volume containing a file system.
  • Manually mount the encrypted file system for use, then unmount and relock it when you’re done.
  • Automatically mount the file system when the Droplet boots.

Prerequisites

To follow this tutorial, you will need:

Warning: This process is destructive to any data on the Volume. Be sure to either start with a new Volume or back up your data before reformatting an existing Volume.

Step 1 — Creating the Encrypted Disk

cryptsetup is a utility used to manage LUKS volumes in addition to other encrypted formats. To begin, use cryptsetup to initialize an encrypted disk on your Volume.

  1. sudo cryptsetup -y -v luksFormat /dev/disk/by-id/scsi-0DO_Volume_volume-lon1-01

Make sure to replace volume-lon1-01 with the name of your Volume. The -y flag will require you to enter your passphrase twice when you’re prompted to create it. The -v flag adds additional human-readable output to verify the success of the command.

The output will ask you to confirm overwriting the data on the Volume. Type YES in all caps, then press ENTER to continue.

Output
WARNING! ======== This will overwrite data on /dev/disk/by-id/scsi-0DO_Volume_volume-lon1-01 irrevocably. Are you sure? (Type uppercase yes): YES

Next, the output will prompt you to create a passphrase for the encrypted disk. Enter a unique, strong passphrase and verify it by entering it a second time. This passphrase is not recoverable, so keep it recorded in a safe place.

Output
. . . Enter passphrase: Verify passphrase: Command successful.

If you need to, you can change this passphrase in the future with the cryptsetup luksChangeKey command. You can also add up to 8 additional passphrases per device with cryptsetup luksAddKey.

At this point, your disk is created and encrypted. Next, decrypt it and map it to a label for easier referencing. Here, we’re labeling it secure-volume, but you can label it with anything you like.

  1. sudo cryptsetup luksOpen /dev/disk/by-id/scsi-0DO_Volume_volume-lon1-01 secure-volume

You’ll be prompted for the passphrase. Once you enter it, the Volume will now be mapped to /dev/mapper/secure-volume.

To make sure everything worked, verify the details of the encrypted disk.

  1. cryptsetup status secure-volume

You’ll see output like this indicating the Volume label and type.

Output
/dev/mapper/secure-volume is active. type: LUKS1 cipher: aes-xts-plain64 keysize: 256 bits device: /dev/sda offset: 4096 sectors size: 209711104 sectors mode: read/write

At this point, you have a passphrase-protected encrypted disk. The next step is to create a file system on that disk so the operating system can use it to store files.

Step 2 — Creating and Mounting the File System

Let’s first take a look at the current available disk space on the Droplet.

  1. df -h

You’ll see output similar to this, depending on your Droplet configuration:

Output
Filesystem Size Used Avail Use% Mounted on udev 2.0G 0 2.0G 0% /dev tmpfs 396M 5.6M 390M 2% /run /dev/vda1 78G 877M 77G 2% / tmpfs 2.0G 0 2.0G 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup /dev/vda15 105M 3.4M 101M 4% /boot/efi tmpfs 396M 0 396M 0% /run/user/1000

Right now, /dev/mapper/secure-volume doesn’t show up on this list because the Volume isn’t yet accessible to the Droplet. To make it accessible, we need to create and mount the file system.

Use the mkfs.xfs utility (make file system) to create an XFS file system on the volume.

  1. sudo mkfs.xfs /dev/mapper/secure-volume

Once the file system is created, you can mount it, which means making it available to the operating system on your Droplet.

Create a mount point, which is where the file system will be attached. A good recommendation for a mount point is an empty directory in the /mnt directory, so we’ll use /mnt/secure.

  1. sudo mkdir /mnt/secure

Then mount the file system.

  1. sudo mount /dev/mapper/secure-volume /mnt/secure

To make sure it worked, check the available disk space on your Droplet again.

  1. df -h

You’ll now see /dev/mapper/secure-volume listed.

Output
Filesystem Size Used Avail Use% Mounted on udev 2.0G 0 2.0G 0% /dev tmpfs 396M 5.6M 390M 2% /run /dev/vda1 78G 877M 77G 2% / tmpfs 2.0G 0 2.0G 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup /dev/vda15 105M 3.4M 101M 4% /boot/efi tmpfs 396M 0 396M 0% /run/user/1000 /dev/mapper/secure-volume 100G 33M 100G 1% /mnt/secure

This means your encrypted file system is attached and available for use.

When you no longer need to access the data on the Volume, you can unmount the file system and lock the encrypted disk.

  1. sudo umount /mnt/secure
  2. sudo cryptsetup luksClose secure-volume

You can verify with df -h that the file system is no longer available. In order to make the data on the Volume accessible again, you would run through the steps to open the disk (cryptsetup luksOpen ...), create a mount point, and mount the file system.

To avoid going through this manual process every time you want use the Volume, you can instead configure the file system to mount automatically when your Droplet boots.

Step 3 — Automatically Mounting the File System on Boot

The encrypted disk can have up to 8 passphrases. In this final step, we’ll create a key and add it as a passphrase, then use that key to configure the Volume to be decrypted and mounted as the Droplet is booting.

Create a key file at /root/.secure_key. This command will make a 4 KB file with random contents:

  1. sudo dd if=/dev/urandom of=/root/.secure-key bs=1024 count=4

Adjust the permissions of this key file so it’s only readable by the root user.

  1. sudo chmod 0400 /root/.secure-key

Then add the key as a passphrase for the encrypted disk.

  1. cryptsetup luksAddKey /dev/disk/by-id/scsi-0DO_Volume_volume-lon1-01 /root/.secure-key

You’ll be prompted for a passphrase. You can enter the one you set when you first created the encrypted disk.

/etc/crypttab is a configuration file that defines encrypted disks to set up when the system starts. Open this file with nano or your favorite text editor.

  1. sudo nano /etc/crypttab

Add the following line to the bottom of the file to map the Volume at boot.

/etc/crypttab
. . .
secure-volume /dev/disk/by-id/scsi-0DO_Volume_volume-lon1-01 /root/.secure-key  luks

The format of the lines in /etc/crypttab is device_name device_path key_path options. Here, the device name is secure-volume (or the name you chose instead), the path is /dev/disk/by-id/..., the key file is what we just created at /root/.secure_key, and the options specify luks encryption.

Save and close the file.

/etc/fstab is a configuration file to automate mounting. Open this file for editing.

  1. sudo nano /etc/fstab

Add the following line to the bottom of the file to automatically mount the disk at boot.

/etc/fstab
. . .
/dev/mapper/secure-volume /mnt/secure xfs  defaults,nofail 0 0

The first three arguments of the lines in /etc/fstab are always device_path mount_point file_system_type. Here, we have the same device path and mount point as in Step 2, and we specify the XFS file system. You can read about the other fields in fstab’s man page (man fstab).

Save and close the file. Your encrypted file system is now set to automatically mount when your Droplet boots. You can test this by rebooting your Droplet, but be cautious with any running services.

Conclusion

By default, DigitalOcean Volumes are encrypted when they are not attached to a Droplet. In this tutorial, you added an additional layer of security by putting a file system in an encrypted disk on a Volume. You can create an encrypted disk, add passphrases to it, and mount it manually or automatically for use within the Droplet.

You can learn more about DigitalOcean Block Storage Volumes in the Getting Started with DigitalOcean Block Storage series.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors

Default avatar

staff technical writer

hi! i write do.co/docs now, but i used to be the senior tech editor publishing tutorials here in the community.


Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
6 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

How is it better than just using the volume?

https://docs.digitalocean.com/products/volumes/

Encryption: Volumes are encrypted with LUKS (Linux Unified Key Setup). The entire storage cluster is encrypted, so snapshots of volumes are also encrypted at rest.

It seems like under the hood, the container already is using LUKS and mounts the decrypted volume. If you encrypt only to mount it automatically at boot with a key stored on the same vm, it’s almost the same as if you just used the regular volume and there’s unnecessary overhead.

Thank you so much, everything worked like a charm.

@jschwenn Do you have any info on how this impacts performance?

@BetterAutomations see @ahmedr comment this could help (droplet encryption).

@ahmedr +1

I don’t get the point of leaving the key on the hard drive in an unencrypted volume. Couldn’t that be sniffed and you’re back to square one?

This is great, but I want to encrypt the whole droplet, is there an easy way to do that?

This comment has been deleted

    Try DigitalOcean for free

    Click below to sign up and get $200 of credit to try our products over 60 days!

    Sign up

    Join the Tech Talk
    Success! Thank you! Please check your email for further details.

    Please complete your information!

    Featured on Community

    Get our biweekly newsletter

    Sign up for Infrastructure as a Newsletter.

    Hollie's Hub for Good

    Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

    Become a contributor

    Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

    Welcome to the developer cloud

    DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

    Learn more
    DigitalOcean Cloud Control Panel