How to Encrypt Hard Disk (partition) using LUKS in Linux


Linux, Security

Earlier I had shared an article on how to encrypt, decrypt and sign a file using a GPG key in Linux. In this article I will show you the steps to create an encrypted block device using LUKS. By default, if somebody connects your hard disk to their computer it can be mounted automatically, without entering any user credentials, and that is why we should always encrypt the hard disk.

If your hard disk is encrypted, a passphrase must be entered before the device can be mounted; without the passphrase nobody can mount it. This protects the data on your hard disk, or on your server's hard disk, if the disk is lost or stolen, because otherwise the data could be accessed easily.

To create encrypted devices in Linux we use LUKS. LUKS is the Linux encryption layer.


dm-crypt and cryptsetup vs LUKS

dm-crypt and cryptsetup

  • Device-mapper is a part of the Linux kernel that provides a generic way to create virtual layers of block devices, most commonly LVM logical volumes. The device-mapper crypt target (dm-crypt) provides transparent encryption of block devices using the kernel crypto API.
  • In Red Hat Enterprise Linux, userspace interaction with dm-crypt is managed by a tool called cryptsetup, which uses the device-mapper infrastructure to set up and operate on encrypted block devices.

 

LUKS

  • With modern versions of cryptsetup (i.e., since ~2006), encrypted block devices can be created in two main formats, plain dm-crypt format or the extended LUKS (Linux Unified Key Setup-on-disk-format) format.
  • LUKS provides a standard on-disk-format for hard disk encryption, which facilitates compatibility among Linux distributions and provides secure management of multiple user passwords.
  • In contrast to previous Linux disk-encryption solutions, LUKS stores all necessary setup information in the partition header, enabling the user to more easily transport or migrate their data.
  • The advantages of LUKS over plain dm-crypt are its much higher usability: automatic configuration of non-default crypto parameters, and the ability to add, change and remove multiple passphrases.
  • Additionally, LUKS offers defenses against low-entropy passphrases, such as salting and iterated PBKDF2 passphrase hashing.
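To make the last two bullets concrete, here is a small Python parser for the LUKS1 header that luksFormat writes at the start of the partition. It is an added example, not code from the article: it reports the cipher, hash, PBKDF2 iteration counts and which of the eight key slots are active. The header bytes it parses are constructed inline; to inspect a real device you would read its first 592 bytes as root.

```python
# Added example (not from the article): parse the LUKS1 on-disk header that
# luksFormat writes at the start of the partition. Field layout follows the
# LUKS1 specification; the sample header below is constructed here, not dumped
# from a real device.
import struct

MAGIC = b"LUKS\xba\xbe"
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes, big-endian
SLOT = struct.Struct(">II32sII")                  # 48 bytes per key slot
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_luks1_header(blob):
    """Return a dict describing a LUKS1 header, or raise ValueError."""
    if len(blob) < HDR.size + 8 * SLOT.size:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid) = HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("not a LUKS device (magic mismatch)")
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(8):   # LUKS1 always carries eight key slots
        active, iters, _, _kmo, _stripes = SLOT.unpack_from(blob, HDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": active == SLOT_ACTIVE, "iterations": iters})
    return {
        "cipher": f"{cstr(cipher)}-{cstr(mode)}",
        "hash": cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,
        "mk_iterations": mk_iter,
        "uuid": cstr(uuid),
        "active_slots": [s["slot"] for s in slots if s["active"]],
        "slots": slots,
    }

def build_sample_header():
    """Constructed sample: aes-xts-plain64, sha256, 512-bit key, slot 0 in use."""
    head = HDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    b"\x00" * 20, b"\x11" * 32, 100000,
                    b"c0ffee00-0000-4000-8000-000000000001")
    slots = SLOT.pack(SLOT_ACTIVE, 250000, b"\x22" * 32, 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, b"\x00" * 32, 0, 4000) * 7
    return head + slots

if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

The same fields are what `cryptsetup luksDump /dev/sdb1` prints, which is the quick way to confirm a partition really is LUKS and to see how many passphrase slots are in use.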

 

Attach new hard disk (optional)

So to start with, you need an empty device. I have added a new virtual disk to my virtual machine as /dev/sdb.

[root@node1 ~]# cat /proc/partitions
major minor  #blocks  name

  11        0    1048575 sr0
   8        0   31457280 sda
   8        1     524288 sda1
   8        2   28844032 sda2
   8       16    5242880 sdb
 253        0   26738688 dm-0
 253        1    2097152 dm-1

 

Create new partition

We will create a new partition /dev/sdb1 on this disk.

[root@node1 ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xa12bdd47.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (2048-10485759, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759):
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p

Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xa12bdd47

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

The partition table has been written. Run partprobe so the kernel picks up the new partition:

[root@node1 ~]# partprobe

So our partition is successfully created.

[root@node1 ~]# cat /proc/partitions
major minor  #blocks  name

  11        0    1048575 sr0
   8        0   31457280 sda
   8        1     524288 sda1
   8        2   28844032 sda2
   8       16    5242880 sdb
   8       17    5241856 sdb1
 253        0   26738688 dm-0
 253        1    2097152 dm-1

 

Format the partition using luksFormat

Run luksFormat on the partition; this writes the LUKS header and creates the encryption layer. You will be prompted for a passphrase, and this is the passphrase anyone who wants to access the device must enter later. In real life you want something that is really secure, because encrypted devices are not mounted that often, so a long passphrase costs little in convenience.

[root@node1 ~]# cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:

 

Initialise LUKS device

Next, you need to run luksOpen, which brings you to a different level where you work with the encrypted device. This creates a new device managed by the device mapper; we will call it secret, so it appears as /dev/mapper/secret.

[root@node1 ~]# cryptsetup luksOpen /dev/sdb1 secret
Enter passphrase for /dev/sdb1:

As you can see, when you run the cryptsetup luksOpen command a new device is created with the name you provide. In this example the device is /dev/mapper/secret:

[root@node1 ~]# cd /dev/mapper/
[root@node1 mapper]# ls -l
total 0
lrwxrwxrwx. 1 root root       7 Feb 25 21:11 centos-root -> ../dm-0
lrwxrwxrwx. 1 root root       7 Feb 25 21:11 centos-swap -> ../dm-1
crw-------. 1 root root 10, 236 Feb 25 21:09 control
lrwxrwxrwx. 1 root root       7 Feb 25 21:14 secret -> ../dm-2

 

Create file system on LUKS device

Now the important step: you need to create a file system on the encrypted device, that is on /dev/mapper/secret, not on /dev/sdb1.

IMPORTANT NOTE:
Make sure you create the file system on the encrypted device and not on the physical partition. The file system must be created on the LUKS device.

[root@node1 mapper]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1309952 blocks
65497 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

 

Mount the LUKS partition

Once a file system has been created on the LUKS device, you can create a mount point and mount it.

[root@node1 mapper]# mkdir /secret
[root@node1 mapper]# cd
[root@node1 ~]# mount /dev/mapper/secret /secret/

When we verify using the mount command, you can see that from the mount command's perspective there is nothing indicating that the device is encrypted; it simply appears as an ordinary ext4 file system.

[root@node1 ~]# mount | grep secret
/dev/mapper/secret on /secret type ext4 (rw,relatime,seclabel,data=ordered)

So we can create files on top of it, and these files will be safely stored on the encrypted device.

 

Disconnect the encrypted partition

Let me also show you how to disconnect the encrypted device. Unmount the file system first, then close the LUKS mapping:

[root@node1 ~]# umount /secret
[root@node1 ~]# cryptsetup luksClose /dev/mapper/secret
[root@node1 ~]# mount | grep secret

 

Lastly, I hope the steps in this article to encrypt a hard disk (partition) using LUKS on Linux were helpful. Let me know your suggestions and feedback using the comment section.

In the next article I will share the steps to automatically decrypt and mount the encrypted partition at boot using a key file on Linux.

 

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


13 thoughts on “How to Encrypt Hard Disk (partition) using LUKS in Linux”

  1. Hello, thank you for this tutorial.
    I want to ask about changing the mount point.
    I want to move all my /home to a separate encrypted disk.
    So, according to this tutorial, I just need to change /secret to /home, isn't it? Or is there an additional workaround?

    Thank you.

  2. Hi there!
    I tried to do this procedure on a second backup device. The first device still works like a charm (also automounting) but the new device is not mounting.
    My fstab looks like this:

    /dev/mapper/secret      /media/Benjis_ZS                 ext4    nofail,users,defaults        0 2
    /dev/mapper/backup      /media/backup                    ext4    nofail,users,defaults        0 2 

    and my crypttab like this:

    secret  /dev/sdc1       /root/lukskey
    secret  /dev/sdb1       none

    When plugging in the new HDD, sdb changed to sdc. So the old HDD is /dev/sdc1 and still working. The new one is /dev/sdb1.
    I can only mount the new HDD after:

    sudo cryptsetup luksOpen /dev/sdb1 backup

    Before this I am not able to mount the new HDD. How can I perform encryption with two HDDs?

    • You will have to create a key slot for the second device as well to make it auto mount after reboot.

      secret /dev/sdb1 none
      • Thanks a lot! Works like a charm now. I think the mistake was with this:

        secret  /dev/sdc1       /root/lukskey
        secret  /dev/sdb1       none

        It should be:

        secret  /dev/sdc1       /root/lukskey
        backup  /dev/sdb1       none
        • Thanks for highlighting, I overlooked the LVM name 🙂
          I am glad you sorted it out and thanks for sharing the solution.
  3. Hello, thank you very much for the tuto!

    A question: what is the difference between encrypting a partition and simply assigning password protected privileges to a file system, like a user password or a root password? For instance, allowing only root access to a file, or simply use a user’s password to open a session? If the drive is stolen, people won’t have access to the content either, no?
  4. Really great Tutorial! I run through it in Kubuntu 18.04 and everything from the start worked out very nicely!!! Great job! Cheers