Integration with CipherTrust Manager
Perform the following steps to integrate LUKS with the CipherTrust Manager:
Configuring ks_config and ks_user_config Files
Note
Before using ProtectApp-LUKS, complete all appropriate configuration in the /etc/ks_config and /etc/ks_user_config files.
The basic configuration parameters that are required to be changed are:
NAE_IP: IP address of the CipherTrust Manager
NAE_Port: 9000 (default value)
Protocol: tcp/ssl
CA_File: The CA_File parameter refers to the CA certificate that was used to sign the server certificate presented by the NAE Server to the client. (for ssl only)
Cert_File: The Cert_File parameter stores the path and filename of the client certificate. This is only used when your SSL configuration requires clients to provide a client certificate to authenticate to the CipherTrust Manager appliances. (for ssl only)
Key_File: The Key_File parameter refers to the private key associated with the client certificate specified in the Cert_File parameter. (for ssl only)
Log_Level: WARN (default value, can be set to DEBUG for troubleshooting).
Log_File: Full path and file name. The user must have write permissions on this path and file.
You can further configure the SafeNet ProtectApp LUKS Provider to meet the requirements of your environment. Refer to Configuring the Properties File for more details.
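As an added example (not part of the original documentation or the ProtectApp product), the following Python checker parses a ks_config-style file and flags the inconsistencies the parameter list above implies: missing required parameters, an invalid NAE_Port, Protocol=ssl without CA_File, a Cert_File without its Key_File, plain tcp transport, and DEBUG logging left on. The Key=Value line syntax, the sample values and the file paths are assumptions.

```python
# Constructed sample config (not a real file); the Key=Value layout is an assumption about ks_config syntax.
SAMPLE_KS_CONFIG = """# CipherTrust Manager connection settings
NAE_IP=192.0.2.10
NAE_Port=9000
Protocol=ssl
CA_File=/etc/pki/tls/certs/ctm-ca.pem
Cert_File=/etc/pki/tls/certs/luks-client.pem
Log_Level=WARN
Log_File=/var/log/protectapp-luks.log
"""
REQUIRED = ("NAE_IP", "NAE_Port", "Protocol", "Log_Level", "Log_File")

def parse_ks_config(text):
    """Parse Key=Value lines, ignoring blanks and '#' comments; the last value wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def check_ks_config(cfg):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"{key} is missing")
    port = cfg.get("NAE_Port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"NAE_Port {port!r} is not a valid port number")
    proto = cfg.get("Protocol", "").lower()
    if proto not in ("tcp", "ssl"):
        findings.append(f"Protocol must be tcp or ssl, got {cfg.get('Protocol')!r}")
    elif proto == "tcp":
        # Plain tcp means the NAE session, including retrieved key material, is not TLS-protected
        findings.append("Protocol=tcp: connection to CipherTrust Manager is not TLS-protected, prefer ssl")
    else:
        if not cfg.get("CA_File"):
            findings.append("Protocol=ssl requires CA_File to verify the server certificate")
        # A client certificate without its private key (or vice versa) cannot authenticate
        if bool(cfg.get("Cert_File")) != bool(cfg.get("Key_File")):
            findings.append("Cert_File and Key_File must be set together")
    if cfg.get("Log_Level", "").upper() == "DEBUG":
        findings.append("Log_Level=DEBUG is for troubleshooting; set back to WARN afterwards")
    return findings
```

Run against the sample, it reports only the Cert_File without Key_File mismatch; adding Key_File clears the findings.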
Create a user and a key on the CipherTrust Manager. For details on creating a user and key, refer to the following links:
Edit the /etc/ks_user_config file according to the authentication type:
User Based Authentication: Username and Password are used for authentication with the CipherTrust Manager. Refer to Configuring User Based Authentication.
Passwordless Certificate Based Authentication: The client certificate is used for authentication with the CipherTrust Manager. Refer to Configuring Passwordless Certificate Based Authentication.
SafeNet ProtectApp LUKS is now ready to be used by executing the standard LUKS commands.
Note
If LUKS is already installed on the system, the new installation keeps a backup of the old LUKS files as <filename>_bak.
The ks_config and ks_user_config files are accessed at boot time. These files must not be renamed.
Configuring LUKS Partition
A LUKS partition can be configured for either of the following authentication modes:
Note
The CipherTrust Manager supports both authentication modes. However, only one authentication mode can be used at a time.
Configuring LUKS Partition for User Based Authentication
To initialize the volume, execute the following command. It prompts for a passphrase (user based authentication only) and sets an initial key from the CipherTrust Manager.
Note
From LUKS 8.5.0 onwards, LUKS2 is the default type for disk encryption. However, legacy LUKS1 can still be used by passing the option --type luks1 to the cryptsetup command.
cryptsetup -y -v luksFormat /dev/<disk_name>
For legacy LUKS1, run the following command:
cryptsetup -y -v luksFormat /dev/<disk_name> --type luks1
The above commands return the following output:
Sample Output:
WARNING!
========
This will overwrite data on /dev/<disk_name> irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Configuring LUKS Partition for Passwordless Certificate Based Authentication
To initialize the volume, execute the following command.
cryptsetup -q -v luksFormat /dev/<disk_name>
For legacy LUKS1, run the following command:
cryptsetup -q -v luksFormat /dev/<disk_name> --type luks1
The above commands return the following output:
Sample Output:
WARNING!
========
This will overwrite data on /dev/<disk_name> irrevocably.
Are you sure? (Type uppercase yes): YES
Command successful.
Note
The -q option suppresses the above warning and confirmation message.
To specify the cipher explicitly, use the --cipher option. The default cipher is aes-xts-plain64.
Example:
cryptsetup -q -v luksFormat /dev/sdb --cipher aes-cbc-essiv:sha256
and
cryptsetup -v luksOpen /dev/sdb backup2 --cipher aes-cbc-essiv:sha256
Refer to the Sample for Boot Time Configuration.