Linux disk encryption
nixCraft Linux Tips, Hacks, Tutorials, And Ideas In Blog
Home Howtos & Tutorials Linux Shell Scripting Tutorial RSS Donations Search
How To Linux Hard Disk Encryption With LUKS [ cryptsetup encrypt command ] Author: Vivek Gite Last updated: August 21, 2020 47 comments
I carry my Linux powered laptop just about everywhere. How do I protect my private data stored on partition or removable storage media against bare-metal attacks where anyone can get their hands on my laptop or usb pen drive while traveling?
–Sincerely, Worried about my data.
Linux Hard Disk Encryption
That’s actually a great question. Many enterprises, small businesses, and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information, and much more. Linux supports the following cryptographic techniques to protect a hard disk, directory, and partition. All data that is written on any one of the following techniques will automatically encrypted and decrypted on the fly. Linux encryption methods
There are two methods to encrypt your data: Filesystem stacked level encryption
eCryptfs – It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu’s Encrypted Home Directory, natively within Google’s ChromeOS, and transparently embedded in several network attached storage (NAS) devices. EncFS -It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.
Block device level encryption
Loop-AES – Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels. VeraCrypt – It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux based on TrueCrypt codebase. dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.
In this tutorial, I will explain how to encrypt your partitions using Linux Unified Key Setup-on-disk-format (LUKS) on your Linux based computer or laptop. Step 1: Install cryptsetup utility on Linux
You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux user type the following apt-get command or apt command:
- apt-get install cryptsetup
OR $ sudo apt install cryptsetup
Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed:
console-setup console-setup-linux cryptsetup-bin kbd keyboard-configuration xkb-data
The following NEW packages will be installed:
console-setup console-setup-linux cryptsetup cryptsetup-bin kbd keyboard-configuration xkb-data
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded. Need to get 3,130 kB of archives. After this operation, 13.2 MB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 http://deb.debian.org/debian stretch/main amd64 kbd amd64 2.0.3-2+b1 [343 kB] Get:2 http://deb.debian.org/debian stretch/main amd64 keyboard-configuration all 1.164 [644 kB] Get:3 http://deb.debian.org/debian stretch/main amd64 console-setup-linux all 1.164 [983 kB] Get:4 http://deb.debian.org/debian stretch/main amd64 xkb-data all 2.19-1 [648 kB] Get:5 http://deb.debian.org/debian stretch/main amd64 console-setup all 1.164 [117 kB] Get:6 http://deb.debian.org/debian stretch/main amd64 cryptsetup-bin amd64 2:1.7.3-4 [221 kB] Get:7 http://deb.debian.org/debian stretch/main amd64 cryptsetup amd64 2:1.7.3-4 [174 kB] Fetched 3,130 kB in 0s (7,803 kB/s) Preconfiguring packages ... Selecting previously unselected package kbd. (Reading database ... 22194 files and directories currently installed.) Preparing to unpack .../0-kbd_2.0.3-2+b1_amd64.deb ... Unpacking kbd (2.0.3-2+b1) ... Selecting previously unselected package keyboard-configuration. Preparing to unpack .../1-keyboard-configuration_1.164_all.deb ... Unpacking keyboard-configuration (1.164) ... Selecting previously unselected package console-setup-linux. Preparing to unpack .../2-console-setup-linux_1.164_all.deb ... Unpacking console-setup-linux (1.164) ... Selecting previously unselected package xkb-data. Preparing to unpack .../3-xkb-data_2.19-1_all.deb ... Unpacking xkb-data (2.19-1) ... Selecting previously unselected package console-setup. Preparing to unpack .../4-console-setup_1.164_all.deb ... Unpacking console-setup (1.164) ... Selecting previously unselected package cryptsetup-bin. Preparing to unpack .../5-cryptsetup-bin_2%3a1.7.3-4_amd64.deb ... Unpacking cryptsetup-bin (2:1.7.3-4) ... Selecting previously unselected package cryptsetup. Preparing to unpack .../6-cryptsetup_2%3a1.7.3-4_amd64.deb ... Unpacking cryptsetup (2:1.7.3-4) ... Setting up keyboard-configuration (1.164) ... Setting up xkb-data (2.19-1) ... Setting up kbd (2.0.3-2+b1) ... Processing triggers for systemd (232-25+deb9u1) ... Setting up cryptsetup-bin (2:1.7.3-4) ... Processing triggers for man-db (18.104.22.168-2) ... Setting up console-setup-linux (1.164) ... Created symlink /etc/systemd/system/sysinit.target.wants/keyboard-setup.service → /lib/systemd/system/keyboard-setup.service. Created symlink /etc/systemd/system/multi-user.target.wants/console-setup.service → /lib/systemd/system/console-setup.service. Setting up console-setup (1.164) ... Setting up cryptsetup (2:1.7.3-4) ... update-initramfs: deferring update (trigger activated) Processing triggers for systemd (232-25+deb9u1) ... Processing triggers for initramfs-tools (0.130) ... update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
Tools needed to encrypt your Hard drive in RHEL/CentOS/Fedora Linux
RHEL / CentOS / Oracle / Scientific Linux user type the following yum command:
- yum install cryptsetup-luks
Fedora Linux user use the dnf command:
- dnf install cryptsetup-luks
Step 2: Configure LUKS partition [Warning examples may crash your computer and data] WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you backup your data to an external source such as NAS or hard disk before typing any one of the following command.
Open the terminal to list all Linux partitions/disks and then use the cryptsetup command:
- fdisk -l
The syntax is: cryptsetup luksFormat --type luks1 /dev/DEVICE cryptsetup luksFormat --type luks2 /dev/DEVICE
In this example, I’m going to encrypt /dev/xvdc. Type the following command:
- cryptsetup -y -v luksFormat /dev/xvdc
For example, set up cryptsetup on /dev/sdc with luks2 format, run: Sample outputs:
This will overwrite data on /dev/xvdc irrevocably.
Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
- cryptsetup -y -v --type luks2 luksFormat /dev/sdc
This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable so do not forget it.Type the following command create a mapping:
- cryptsetup luksOpen /dev/xvdc backup2
Enter passphrase for /dev/xvdc:
You can see a mapping name /dev/mapper/backup2 after successful verification of the supplied key material which was created with luksFormat command extension:
- ls -l /dev/mapper/backup2
lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0
You can use the following command to see the status for the mapping:
- cryptsetup -v status backup2
/dev/mapper/backup2 is active.
type: LUKS1 cipher: aes-cbc-essiv:sha256 keysize: 256 bits device: /dev/xvdc offset: 4096 sectors size: 419426304 sectors mode: read/write
You can dump LUKS headers using the following command:
- cryptsetup luksDump /dev/xvdc
LUKS header information for /dev/xvdc
Version: 1 Cipher name: aes Cipher mode: xts-plain64 Hash spec: sha256 Payload offset: 4096 MK bits: 256 MK digest: 21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f MK salt: 8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94
7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70
MK iterations: 222000 UUID: 4dd563a9-5bff-4fea-b51d-b4124f7185d1
Key Slot 0: ENABLED Iterations: 2245613 Salt: 05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53 3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32 Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
Step 3: Format Linux LUKS partition
First, you need to write zeros to /dev/mapper/backup2 encrypted device. This will allocate block data with zeros. This ensures that outside world will see this as random data i.e. it protect against disclosure of usage patterns:
- dd if=/dev/zero of=/dev/mapper/backup2
The dd command may take many hours to complete. I suggest that you use pv command to monitor the progress:
- pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
dd: error writing '/dev/mapper/backup2': No space left on device ]
200GiB 0:16:47 [ 203MiB/s] [ <=> ]
1600+1 records in 1599+1 records out 214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB/s
You can also pass the status=progress option to the dd command:
- dd if=/dev/zero of=/dev/mapper/backup2 status=progress
2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB/s
Next, create a filesystem i.e. format filesystem, enter:
- mkfs.ext4 /dev/mapper/backup2
mke2fs 1.42.13 (17-May-2015) Creating filesystem with 52428288 4k blocks and 13107200 inodes Filesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872
Allocating group tables: done Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done
To mount the new filesystem at /backup2, enter:
- mkdir /backup2
- mount /dev/mapper/backup2 /backup2
- df -H
- cd /backup2
- ls -l
Linux Hard Disk Encryption Demo
Encrypt your hard drive in Linux using LUKS2 How do I unmount and secure data?
Type the following commands:
- umount /backup2
- cryptsetup luksClose backup2
How do I mount or remount encrypted partition?
Type the following command:
- cryptsetup luksOpen /dev/xvdc backup2
- mount /dev/mapper/backup2 /backup2
- df -H
Sample outputs: Fig.01: Encrypted partition mounted on /backup2
Fig.01: Encrypted partition mounted on /backup2 See shell script wrapper that opens LUKS partition and sets up a mapping for nas devices.
Can I run fsck on LUKS based partition / LVM volume?
Yes, you can use the fsck command On LUKS based systems:
- umount /backup2
- fsck -vy /dev/mapper/backup2
- mount /dev/mapper/backup2 /backu2
See how to run fsck On LUKS (dm-crypt) based LVM physical volume for more details. How do I change LUKS passphrase (password) for encrypted partition?
Type the following command
- see key slots, max -8 i.e. max 8 passwords can be setup for each device ####
- cryptsetup luksDump /dev/xvdc
- cryptsetup luksAddKey /dev/xvdc
Enter any passphrase: Enter new passphrase for key slot: Verify passphrase:
Remove or delete the old password:
- cryptsetup luksRemoveKey /dev/xvdc
Please note that you need to enter the old password / passphrase. What next?
You can store files or store backups using following software:
Debian / Ubuntu Linux Install and Configure Remote Filesystem Snapshot with rsnapshot Incremental Backup Utility How To Set Red hat / CentOS Linux Remote Backup / Snapshot Server
Check out related media
This tutorial also available in video format:
(Video 01: cryptsetup command demo)
You now have an encrypted partition for all of your data. Pros:
LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media (usb pen) or laptop disk drives. You can also use with your nas server to protect backups. Intel and AMD cpus with AES-NI (Advanced Encryption Standard Instruction Set) can accelerate dm-crypt based encryption for Linux kernel v2.6.32+. This will speed up harddisk encryption. Works with swap partition too so that your laptop can use hibernation feature (suspend-to-disk) that writes out the contents of RAM to the swap partition before turning off the machine.
LUKS only support upto 8 passwords i.e. only 8 users can have distinct access keys to the same device. LUKS is also not recommend for applications requiring file-level encryption.
In this tutorial, we learned about hard disk encryption on Linux. For more information, see the cryptsetup man page and read RHEL 6.x documentation: man cryptsetup
This entry is 1 of 2 in the The Linux Unified Key Setup (LUKS) is a disk encryption Tutorial series. Keep reading the rest of the series:
Linux Hard Disk Encryption With LUKS Backup and restore LUKS header on Linux
2. Create the key file in the unencrypted /boot partition
# dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4 or # dd bs=256 count=1 if=/dev/random | base64 > keyfile
3. Set permissions
# chmod 0400 /boot/keyfile
Encrypt the disk using LUKS
We’re now ready to get to the fun part, and encrypt the disk or partition.
To start, check the name of the disk you want to use, using lsblk:
$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 30G 0 disk ├─sda1 8:1 0 29.9G 0 part / ├─sda14 8:14 0 4M 0 part └─sda15 8:15 0 106M 0 part /boot/efi sdb 8:16 0 4G 0 disk └─sdb1 8:17 0 4G 0 part /mnt sdc 8:32 0 32G 0 disk
In this example, I’m going to use the sdc disk. This is likely going to be different for you, so make sure you replace the disk name in all the commands below.
Watch out! The commands below will delete all files on the drive you select.
Before we start, install the cryptsetup utility:
# Debian, Ubuntu, Raspbian… apt install -y cryptsetup # CentOS, Fedora, RedHat yum install -y cryptsetup-luks
First, if your disk doesn’t have a partition yet (like mine), create a GPT partition table and a partition (without formatting it):
# Replace sdc with the drive you want to use parted /dev/sdc mklabel gpt parted -a opt /dev/sdc mkpart datadisk ext4 0% 100%
Encrypt the sda5 partition using LUKS, create an ext4 volume in that partition, and then close the encrypted volume. In all commands that require a keyfile.
# Encrypt the disk # Replace sda5 with the correct partition! cryptsetup -d - -v luksFormat /dev/sda5 # Open the encrypted volume, with the name "data" # Replace sdc1 with the correct partition! /etc/luks/key.sh | cryptsetup -d - -v luksOpen /dev/sda5 data # Create a filesystem on the encrypted volume mkfs.ext4 -F /dev/mapper/data # Close the encrypted volume cryptsetup -v luksClose data
4. Add the new file as unlock key to the encrypted volume
# cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile Enter any passphrase: Enter your old/existing passphrase here. Expected output: Key slot 0 unlocked. Command successful.
Note:The device names may vary depending on the hypervisor: XenServer would assign "xvda", Proxmox would assign "vda", while VMware would stick to "sda". 5. Find the UUID of /dev/sda1
# ls -l /dev/disk/by-uuid/
6. Edit /etc/crypttab
Edit the contents of file /etc/crypttab (use the UUID of /dev/sda1 from the previous step)
# vi /etc/crypttab
This contents should be:
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks
(The UUID may be different)
The changes we'll be making:
Replace the 3rd parameter ‐ none ‐ with /dev/disk/by-uuid/<uuid>:/keyfile with the UUID for sda1
Replace the 4th parameter ‐ luks‐ with luks,keyscript=/lib/cryptsetup/scripts/passdev
The final result:
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev
In this case the UUID for our /dev/sda1 UUID was 2a5e9b7f....
If you run into any issues with file permissions, run:
# chmod 0777 /etc/crypttab
After editing, run the following to reset the permissions:
# chmod 0440 /etc/crypttab
7. Generate a new initramfs disk
# mkinitramfs -o /boot/initrd.img-4.9.0-7-amd64 \ 4.9.0-7-amd64
(Make sure 4.9.0-7 is your version, as on step 1)
8. Cross your fingers and reboot
Congratulations: You have effectively short-circuited the security of the encrypted drive. Be careful now!