
How to Encrypt Drives Using LUKS in Linux

It is good practice to encrypt your storage devices to protect the data stored on them. In this article, we will learn how to encrypt drives using LUKS in Linux.


How to Encrypt Drives Using LUKS in Linux

We will be using block device encryption, which secures the data on a block device by encrypting it. To decrypt the data, one must provide the required password or passphrase. The block device remains encrypted even when it is detached from the system.

LUKS (Linux Unified Key Setup) is the standard for block device encryption in Linux. It defines an on-disk format for the encrypted data and for passphrase management, and it stores all necessary setup information in a partition header (the LUKS header), which makes it easy to transport the data between systems.

It uses the device mapper subsystem to provide the low-level mapping that handles the encryption and decryption of data. Here are the steps to encrypt block devices using LUKS.


Preparing Block Device

We will be using the cryptsetup package for this purpose. Open a terminal and run the following command to install it.

# dnf install cryptsetup-luks

Next, we fill the device with random data. This destroys whatever was on the device before and ensures that unused space cannot be told apart from encrypted data.

# dd if=/dev/urandom of=/dev/sdb1                    [slow with high quality random data]
OR
# badblocks -c 10240 -s -w -t random -v /dev/sdb1     [fast with high quality random data]

Please note that either of the above commands wipes out all existing data on the device.


Formatting Encrypted Device

Next, use cryptsetup to format the device as a LUKS encrypted device.

# cryptsetup luksFormat /dev/sdb1

When you run the above command, you will be prompted to enter YES (in uppercase) to confirm that the device may be formatted. Next you will be prompted twice to enter the passphrase for the device. Once you have formatted the device, you can verify that it carries a LUKS header with the following command.

# cryptsetup isLuks /dev/sdb1 && echo Success

You can view a summary of the encryption setup (cipher, key slots, UUID) with the following command.

# cryptsetup luksDump /dev/sdb1


Create Mapping to Access Decrypted Content

Next we create a kernel device-mapper mapping through which the encrypted device's decrypted content can be accessed. Choose a meaningful name for this mapping, such as luk-uuid (where uuid is replaced with the device's UUID). You can get your device's UUID with the following command.

# cryptsetup luksUUID /dev/sdb1

Once you have the UUID, you can create the mapping with the following command.

# cryptsetup luksOpen /dev/sdb1 luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c

If the above command is successful, it creates a device node called /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c.

The encrypted block device can now be read from and written to through this node just like any other unencrypted block device. You can see detailed information about your mapped device using the following command.

# dmsetup info /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c


Creating FileSystem on Mapped Device

Next we create a filesystem on the mapped device so that you can use it just like any other device.

# mkfs.ext4 /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c

To mount the above file system, we create a mount point called /mnt/encrypted-device and mount the mapped device on it using the following commands.

# mkdir -p /mnt/encrypted-device
# mount /dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device/


Add Mapping Information

Next you need to add the mapping information to the /etc/crypttab and /etc/fstab files so that the device is opened and mounted at boot. Add the following entry to /etc/crypttab.

luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c  UUID=69f2b688-526d-45c7-8f0a-1ac4555d1d7c   none

In the above entry,

  • luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c – is the mapping name
  • UUID=69f2b688-526d-45c7-8f0a-1ac4555d1d7c – identifies the underlying encrypted device by its UUID
  • none – means no key file is used; you are prompted for the passphrase at boot

Next, add the following entry to /etc/fstab file.

/dev/mapper/luk-69f2b688-526d-45c7-8f0a-1ac4555d1d7c  /mnt/encrypted-device  ext4  defaults  0 0

Save and close the file. Run the following command so that systemd picks up the new crypttab and fstab entries. Once the device is mounted, you can access your block device just as you access any other disk on your system.

# systemctl daemon-reload


Backup LUKS Header

Finally, we back up the LUKS header so that a damaged header (through hardware failure or user error) does not make all data on the device unrecoverable. The backup is taken from the underlying device (/dev/sdb1), not from the /dev/mapper node, which exposes the decrypted content.

# mkdir /root/backups
# cryptsetup luksHeaderBackup --header-backup-file /root/backups/luks-headers /dev/sdb1

Here is the command to restore LUKS header.

# cryptsetup luksHeaderRestore --header-backup-file /root/backups/luks-headers /dev/sdb1
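The steps above can be wrapped into a small, re-runnable script. The following is an added example, not code from the original article: it assumes a root shell with cryptsetup, mkfs.ext4, blkid and systemctl available, takes the device path from the LUKS_DEVICE environment variable (an assumed convention), validates the UUID before writing it into /etc/crypttab and /etc/fstab, only appends entries that are not already present, and backs up the header from the underlying device with root-only permissions. With LUKS_DEVICE unset it only prints the entries it would add, using the article's example UUID.

```shell
#!/bin/sh
# Added example (not from the original article). Usage:
#   LUKS_DEVICE=/dev/sdb1 LUKS_MOUNT=/mnt/encrypted-device sh luks-register.sh
# Without LUKS_DEVICE set, the script performs a dry run and touches nothing.

# Accept only a well-formed lowercase UUID, so that nothing unexpected
# (spaces, slashes, shell metacharacters) is ever written into crypttab/fstab.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Mapping name convention used in the article: luk-<uuid>.
luks_map_name() {
    printf 'luk-%s\n' "$1"
}

# /etc/crypttab line: <name> <device> <keyfile> <options>; "none" = prompt for passphrase.
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$(luks_map_name "$1")" "$1"
}

# /etc/fstab line with all six fields: device, mount point, type, options, dump, pass.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 0 0\n' "$(luks_map_name "$1")" "$2"
}

# Append a line to a file only if that exact line is not already present.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Back up the LUKS header from the underlying device, keep the copy root-only,
# and confirm that the copy parses as a LUKS header. cryptsetup refuses to
# overwrite an existing backup file, so an existing copy is left untouched.
backup_header() {
    dir=/root/backups
    file="$dir/luks-header-$2.img"
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ -e "$file" ]; then
        echo "header backup already exists: $file" >&2
        return 0
    fi
    cryptsetup luksHeaderBackup --header-backup-file "$file" "$1"
    chmod 600 "$file"
    cryptsetup luksDump "$file" >/dev/null
}

# Full workflow for one already luksFormat-ed device: verify, open, create the
# filesystem if missing, mount, persist the mapping, back up the header.
luks_register() {
    dev=$1
    mnt=${2:-/mnt/encrypted-device}
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    uuid=$(cryptsetup luksUUID "$dev")
    valid_uuid "$uuid" || { echo "unexpected UUID from cryptsetup: $uuid" >&2; return 1; }
    name=$(luks_map_name "$uuid")
    # cryptsetup status exits 0 only when the mapping is already active.
    cryptsetup status "$name" >/dev/null 2>&1 || cryptsetup luksOpen "$dev" "$name"
    # blkid prints no TYPE for a device that carries no filesystem yet.
    [ -n "$(blkid -o value -s TYPE "/dev/mapper/$name" 2>/dev/null)" ] \
        || mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    mountpoint -q "$mnt" || mount "/dev/mapper/$name" "$mnt"
    append_once /etc/crypttab "$(crypttab_entry "$uuid")"
    append_once /etc/fstab "$(fstab_entry "$uuid" "$mnt")"
    systemctl daemon-reload
    backup_header "$dev" "$uuid"
}

if [ -n "${LUKS_DEVICE:-}" ]; then
    luks_register "$LUKS_DEVICE" "${LUKS_MOUNT:-/mnt/encrypted-device}"
else
    # Dry run with the article's example UUID: show the entries, change nothing.
    sample_uuid=69f2b688-526d-45c7-8f0a-1ac4555d1d7c
    crypttab_entry "$sample_uuid"
    fstab_entry "$sample_uuid" /mnt/encrypted-device
fi
```

The UUID check and the append-once behaviour are what make the script safe to run twice: a second run neither duplicates the crypttab/fstab lines nor reformats the mapped device, and the header backup is verified with luksDump before the script considers the job done.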

In this article, we have learnt how to encrypt drives using LUKS encryption.
