
How to Encrypt Partition in Linux

Sometimes you may need to encrypt an entire disk partition in Linux to keep your data secure and protect it from malicious attacks. In this article, we will learn how to encrypt a partition in Linux. You can use these steps on almost any Linux distribution such as Ubuntu, Debian, RHEL, Fedora and CentOS.


How to Encrypt Partition in Linux

Here are the steps to encrypt a partition in Linux.


1. Backup your partition

The first step is to ensure that you have taken a backup of your disk partition. This is because when you encrypt a partition, it is formatted and its existing data is completely erased.


2. Create New Partition

For our example, we will create a new disk partition in Linux.

$ sudo fdisk /dev/sdb

You will get a prompt asking what kind of partition you want to create. Enter ‘n’ first to add a new partition and then ‘p’ to select the primary partition type. Next, enter a number from 1 to 4 to set the partition number. We will enter 1 to create partition /dev/sdb1 on disk /dev/sdb.

It will also ask you for the size of the partition. For our example, you can create a partition of 5GB by entering +5GB. Next, enter ‘w’ to write the changes to disk.


3. Format Partition using LUKS

LUKS stands for Linux Unified Key Setup. It is the standard on-disk format for encrypted block devices in Linux. We will use the cryptsetup utility for this purpose. Here are the commands to install cryptsetup.

$ sudo apt-get install cryptsetup                     (for Debian distributions)

$ sudo yum install cryptsetup                         (for RHEL/CentOS distributions)

Next, run the following command to format the partition as a LUKS volume.

$ sudo cryptsetup luksFormat /dev/sdb1

You will see a prompt for confirmation. Enter YES (in uppercase) to proceed. Next, enter a passphrase to encrypt the partition. Once it is complete, you can verify it with the following command.

$ lsblk -f


4. Create Ext4 filesystem on partition

By default, the encrypted partition is closed. We will open it using the cryptsetup command.

$ sudo cryptsetup luksOpen /dev/sdb1 cryptpart

In the above command, you need to specify the partition /dev/sdb1 after the cryptsetup command and the luksOpen keyword. After the partition location, you need to specify the name by which you want to identify the opened partition. We will use the string cryptpart for this purpose.

Run the following command to create ext4 filesystem on your partition.

$ sudo mkfs.ext4 /dev/mapper/cryptpart

Now you can mount it and add new files to it. It is important to note that any file or data you add to an encrypted partition is automatically encrypted before it is written to disk.

$ mkdir -p /home/ubuntu/files 

$ sudo mount /dev/mapper/cryptpart /home/ubuntu/files

$ sudo chown ubuntu:ubuntu /home/ubuntu/files


5. Modify fstab and crypttab

The fstab and crypttab files are read during system boot. You can use them to unlock and mount the encrypted partition automatically. The entries in crypttab tell the system which encrypted partitions to unlock.

Open it with text editor.

$ sudo vi /etc/crypttab

# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    none    luks

If you don’t know the partition UUID, you can get it with the following command.

$ sudo blkid | grep -i luks

Next, modify the fstab file using a text editor. The first command gets the UUID of the ext4 filesystem on the decrypted (mapped) device, which you will need to add to the fstab file. Note that this is a different UUID from the one used in crypttab.

$ sudo blkid | grep -i ext4

$ sudo vi /etc/fstab

Add the following line to it.

UUID=<device_decrypt_UUID> /home/ubuntu/files ext4 defaults 0 0 

In the above line the second value is the mount point. The next value is the filesystem type. The remaining values are the mount options (defaults), followed by the dump and pass fields.


6. Verify encryption

Reboot the system to verify the encryption.

$ sudo reboot

On reboot, you will see a prompt for the passphrase. Enter the passphrase you chose when encrypting the partition. Your Linux system will then mount the partition for you automatically.

After login, you can check that the encrypted partition was correctly mounted with the following command.

$ lsblk -f | grep sdb1 -A 2 


7. Create Keys for Encrypted Partition (Optional)

We have seen the steps to encrypt a partition with a passphrase. You can also do the same thing with a key file. Run the following commands to create a key file. Replace secretpass with a strong password. Also keep this volume-key file in a location that others cannot easily find or read; note that /boot is normally not encrypted, so anyone who can read that partition can read the key file.

$ echo "secretpass" > volume-key
$ sudo mv volume-key /boot/

Run the following commands to change ownership and permissions of the file.

$ sudo chown root:root /boot/volume-key
$ sudo chmod 0400 /boot/volume-key

Add the key to LUKS volume with the following command.

# command syntax
$ sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>
# exact command
$ sudo cryptsetup luksAddKey /dev/sdb1 /boot/volume-key

You can check if the key was successfully added using the following command.

$ sudo cryptsetup luksDump /dev/sdb1

Modify the crypttab file to make it easy for your system to find the key file on boot.

$ sudo nano /etc/crypttab

# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    /boot/volume-key    luks

Now when you reboot, the partition will be unlocked with the key file and mounted automatically, without a passphrase prompt.
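The crypttab and fstab entries of step 5 and the key file of step 7, as an added shell example that is not from the original article: it derives both entries from blkid output so that the LUKS container UUID and the filesystem UUID cannot be mixed up, and checks the key file's permissions. The blkid output and its UUIDs are constructed samples; the mapper name cryptpart and the mount point /home/ubuntu/files are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: build the crypttab and fstab
# entries of step 5 from blkid output and check the key file of step 7.
# Assumptions: mapper name cryptpart, mount point /home/ubuntu/files, and
# the constructed blkid sample below (the UUIDs are made up).

SAMPLE_BLKID='/dev/sda1: UUID="5c3f5c6e-1111-4a2b-9c3d-0a0a0a0a0a0a" TYPE="ext4" PARTUUID="0a0a0a0a-01"
/dev/sdb1: UUID="1d0e9c5a-2222-4bd3-8f9e-1b1b1b1b1b1b" TYPE="crypto_LUKS" PARTUUID="0a0a0a0a-02"
/dev/mapper/cryptpart: UUID="7a8b9c0d-3333-4e5f-a6b7-2c2c2c2c2c2c" TYPE="ext4"'

# uuid_of <blkid-output> <device>: print the UUID="..." value of one device.
# The space required before UUID= keeps PARTUUID= from matching.
uuid_of() {
    printf '%s\n' "$1" | sed -n "s|^$2:.* UUID=\"\([0-9a-fA-F-]*\)\".*|\1|p"
}

# crypttab_line <blkid-output> <luks-device> <mapper-name> [key-file]
# crypttab needs the UUID of the LUKS container (TYPE="crypto_LUKS"),
# not of the filesystem inside it; "none" means prompt for a passphrase.
crypttab_line() {
    uuid=$(uuid_of "$1" "$2")
    [ -n "$uuid" ] || { echo "no UUID found for $2" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$3" "$uuid" "${4:-none}"
}

# fstab_line <blkid-output> <mapper-name> <mount-point>
# fstab needs the UUID of the ext4 filesystem on /dev/mapper/<mapper-name>.
fstab_line() {
    uuid=$(uuid_of "$1" "/dev/mapper/$2")
    [ -n "$uuid" ] || { echo "no UUID found for /dev/mapper/$2" >&2; return 1; }
    printf 'UUID=%s %s ext4 defaults 0 0\n' "$uuid" "$3"
}

# keyfile_ok <path>: the key file must be a regular file readable only by
# its owner (mode 0400, as set with chmod in step 7).
keyfile_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "400" ]
}

crypttab_line "$SAMPLE_BLKID" /dev/sdb1 cryptpart
crypttab_line "$SAMPLE_BLKID" /dev/sdb1 cryptpart /boot/volume-key
fstab_line "$SAMPLE_BLKID" cryptpart /home/ubuntu/files
```

On a real system, replace SAMPLE_BLKID with the output of `sudo blkid` and compare the printed lines with what is in /etc/crypttab and /etc/fstab before rebooting.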

In this article, we have learnt how to encrypt a partition in Linux.
