It is good practice to encrypt your data devices to protect the data stored on them. In this article, we will learn how to encrypt drives using LUKS in Linux.
How to Encrypt Drives Using LUKS in Linux
We will be using block device encryption, which secures the data on a block device by encrypting it. To decrypt the data, one must provide the required password or passphrase. The block device remains encrypted even when it is detached from the system.
LUKS (Linux Unified Key Setup) is the standard for block device encryption in Linux. It works by defining an on-disk format for the data and a password policy. It stores all necessary setup information in the partition header (called the LUKS header), making it easy to transport data.
It uses the device mapper subsystem to provide a low-level mapping that handles the encryption and decryption of data. Here are the steps to encrypt block devices using LUKS.
Preparing Block Device
We will be using the cryptsetup package for this purpose. Open a terminal and run the following command to install it.
# dnf install cryptsetup-luks
Next, we will fill the device with random data to increase the strength of encryption.
# dd if=/dev/urandom of=/dev/sdb1 [slow with high quality random data]
OR
# badblocks -c 10240 -s -w -t random -v /dev/sdb1 [fast with high quality random data]
Please note, either of the above commands will wipe out the existing data on your device.
Formatting Encrypted Device
Next, use cryptsetup to format the device as a LUKS-encrypted device.
# cryptsetup luksFormat /dev/sdb1
When you run the above command, you will be prompted to enter YES (in uppercase) to confirm device formatting. Next you will be prompted twice to enter the password used to format the device. Once you have formatted the device, you can verify it with the following command.
# cryptsetup isLuks /dev/sdb1 && echo Success
You can view the summary of encryption with the following command.
# cryptsetup luksDump /dev/sdb1
Create Mapping to Access Decrypted Content
Next we will create a kernel device-mapper mapping to access the encrypted device’s decrypted content. Choose a meaningful name for this mapping, such as luk-uuid (where uuid is replaced with the device’s UUID). You can get your device’s UUID with the following command.
# cryptsetup luksUUID /dev/sdb1
Once you have the UUID, you can create the mapping with the following command.
# cryptsetup luksOpen /dev/sdb1 luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c
If the above command is successful, it will create a device node called /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c
The block device that you have encrypted can now be read from and written to through this mapping, just like any other unencrypted block device. You can see detailed information about your mapped device using the following command.
# dmsetup info /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c
Creating FileSystem on Mapped Device
Next we will create a filesystem on the mapped device so that you can access it just like any other device.
# mkfs.ext4 /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c
To mount the above file system, we create a mount point called /mnt/encrypted-device and mount the mapped device on it using the following commands.
# mkdir -p /mnt/encrypted-device
# mount /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device/
Add Mapping Information
Next you need to add the mapping information to the /etc/crypttab and /etc/fstab files. First, add the following entry to the /etc/crypttab file.
luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c UUID=69f2b688-526d-45c7-8f0a-1ac4555d1d7c none
In the above entry,
- luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c – is the mapping name
- UUID=69f2b688-526d-45c7-8f0a-1ac4555d1d7c – is the device name
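Next, add the following entry to the /etc/fstab file. The fields are, in order: device, mount point, filesystem type, mount options, dump, and fsck pass.
/dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device ext4 defaults 0 0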
Save and close the file. Run the following command to update systemd units. Once you create the mount point you can easily access your block device just as you access any other disk on your system.
# systemctl daemon-reload
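A mismatch between the two files (a mapping name in /etc/fstab that /etc/crypttab does not define, or an fstab line with a column left out) only shows up at the next boot. The following check is an added example, not part of the original article: check_luks_mapping is a hypothetical helper name, the sample files are constructed, and treating a purely numeric options column as "missing" is a heuristic.

```shell
#!/bin/sh
# Added example: consistency check for the crypttab/fstab pair described above.
# check_luks_mapping is a hypothetical helper name, not part of cryptsetup.
# Usage: check_luks_mapping CRYPTTAB FSTAB   (exit status 0 = no problems found)
check_luks_mapping() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    FILENAME == ARGV[1] {                      # first file: crypttab
        if (NF < 2) { print "crypttab:" FNR ": expected <name> <device>"; bad++ }
        else names[$1] = 1
        next
    }
    index($1, "/dev/mapper/") == 1 {           # second file: fstab mapper entries
        name = substr($1, 13)                  # strip the "/dev/mapper/" prefix
        if (!(name in names)) { print "fstab:" FNR ": no crypttab mapping named " name; bad++ }
        # fstab(5) order: device, mount point, type, options, dump, pass.
        # Heuristic: a purely numeric 4th field means the options column was left out.
        if (NF < 4 || $4 ~ /^[0-9]+$/) { print "fstab:" FNR ": mount options field missing"; bad++ }
    }
    END { exit (bad > 0) }
    ' "$1" "$2"
}

# Constructed sample files using the mapping name from this article.
demo_dir=$(mktemp -d)
m=luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c
printf '%s UUID=%s none\n' "$m" "${m#luk-}" > "$demo_dir/crypttab"
printf '/dev/mapper/%s /mnt/encrypted-device ext4 defaults 0 0\n' "$m" > "$demo_dir/fstab.good"
printf '/dev/mapper/%s /mnt/encrypted-device ext4 0 0\n' "$m" > "$demo_dir/fstab.noopts"
printf '/dev/mapper/luk-typo /mnt/encrypted-device ext4 defaults 0 0\n' > "$demo_dir/fstab.badname"

for f in good noopts badname; do
    echo "== fstab.$f"
    if check_luks_mapping "$demo_dir/crypttab" "$demo_dir/fstab.$f"; then
        echo "ok"
    fi
done
rm -rf "$demo_dir"
```

On a real system, run it as check_luks_mapping /etc/crypttab /etc/fstab before rebooting.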
Backup LUKS Header
Finally, we will back up the LUKS header to ensure that we don’t lose all data in case of hardware failure or user error. The header is stored on the underlying LUKS device (/dev/sdb1), not on the decrypted mapping, so the backup is taken from /dev/sdb1.
# mkdir /root/backups
# cryptsetup luksHeaderBackup --header-backup-file /root/backups/luks-headers /dev/sdb1
Here is the command to restore the LUKS header. The header is written back to the underlying LUKS device (/dev/sdb1), not to the decrypted mapping.
# cryptsetup luksHeaderRestore --header-backup-file /root/backups/luks-headers /dev/sdb1
In this article, we have learnt how to encrypt drives using LUKS encryption.