Encrypt Drives with LUKS in Linux


In this tutorial, you will learn how to encrypt drives with LUKS in Linux. LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that. The whole set is called a 'LUKS container'. The device that a LUKS container resides on is called a 'LUKS device'.

Encrypting Drives with LUKS in Linux

The DOs and DON’Ts of LUKS

According to the Fedora Docs, below are the DOs and DON'Ts of LUKS;

DOs;

  • LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
  • The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
  • LUKS uses the existing device mapper kernel subsystem.
  • LUKS provides passphrase strengthening which protects against dictionary attacks.
  • LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.

DON’Ts;

  • LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
  • LUKS is not well-suited for applications requiring file-level encryption.

Install cryptsetup Utility

cryptsetup is the utility used to manage LUKS encrypted volumes. Therefore, you need to install this package;

On Ubuntu/Debian systems, run the command below to install the cryptsetup utility.

apt install cryptsetup

On CentOS and similar derivatives, simply run the command below;

yum install cryptsetup

For any other distro, consult your distro's package manager documentation on how to install the cryptsetup utility.

Create a Block Device to Encrypt with LUKS

You can encrypt the entire root partition (easily done during the initial system install), a specific partition, a logical volume or a RAID device with LUKS.

In this guide, we have already created a partition, /dev/sdb1, and this is what we will use as an example.

To list the block devices on the system, simply run the lsblk command.

lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   15G  0 disk 
├─sda1   8:1    0   13G  0 part /
├─sda2   8:2    0    1K  0 part 
└─sda5   8:5    0    2G  0 part [SWAP]
sdb      8:16   0    4G  0 disk 
└─sdb1   8:17   0    4G  0 part

Format the Device with LUKS

Once you have created a device, you need to initialize it as a LUKS partition and set the initial passphrase (for key slot 0). To do this, use the luksFormat action of the cryptsetup command in the format below;

cryptsetup [OPTION] luksFormat <device>

So, for example, to encrypt the /dev/sdb1 partition above with LUKS, you would run the command below;

cryptsetup -y -v luksFormat /dev/sdb1

Note that this command irrevocably overwrites any data on the disk, so if it is an already used drive, ensure you back up your data first.

When the command runs, you are prompted to;

  • confirm the formatting,
  • enter and confirm the passphrase (for the first key slot (0), if the drive had no other passphrase already).

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1: 
Verify passphrase: 
Key slot 0 created.
Command successful.

NOTE: The passphrase is not recoverable if lost, so keep it safe and do not forget it.

If you do not want to be prompted for a passphrase, you can use a key file instead.

echo "mypassphrase" > ~/luks-key

Next, specify the path to the file containing your passphrase on the command line as shown below. Note that cryptsetup uses the whole content of the file as the passphrase, the trailing newline written by echo included, so the same file must be used for every later operation on the device, and it should be readable only by root.

cryptsetup -y -v luksFormat /dev/sdb1 ~/luks-key

Display LUKS Device Header Information

To view the details of the LUKS device, use the luksDump action;

cryptsetup luksDump /dev/sdb1
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	242c24d8-ac65-413d-b3a2-eb7f2f0993b0
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  4
	Memory:     1003317
	Threads:    2
	Salt:       b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12 
	            05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 133338
	Salt:       e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06 
	            42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96 
	Digest:     e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6 
	            d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec
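
As an added example that is not part of the original article, the script below parses luksDump output of the kind shown above (the names luks_audit, luks_audit_device and sample_dump are mine) and flags header settings worth reviewing: a LUKS1 header, key slots still using PBKDF2 rather than Argon2, keys shorter than 256 bits and non-XTS ciphers. It runs offline on the constructed sample or on saved dump text; luks_audit_device needs root and cryptsetup.

```shell
#!/bin/sh
# Added example, not from the original article: audit a LUKS header as printed by
# "cryptsetup luksDump". luks_audit reads dump text on stdin, prints one line per
# finding and returns 0 when nothing is flagged, 1 otherwise.
luks_audit() {
    awk '
        $1 == "Version:"  { ver = $2 }
        $1 == "Keyslots:" { sec = "ks"; next }
        /^(Tokens|Digests|Data segments):/ { sec = ""; next }
        # LUKS2: each keyslot starts with "  N: luks2"; collect its parameters
        sec == "ks" && $1 ~ /^[0-9]+:$/ { slot = substr($1, 1, length($1) - 1); n++ }
        sec == "ks" && $1 == "PBKDF:"   { pbkdf[slot]  = $2 }
        sec == "ks" && $1 == "Cipher:"  { cipher[slot] = $2 }
        sec == "ks" && $1 == "Key:"     { bits[slot]   = $2 }
        # LUKS1: "Key Slot N: ENABLED|DISABLED", every slot uses PBKDF2
        $1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { n++ }
        END {
            bad = 0
            if (ver != "2") { print "WARN: LUKS version " ver " (LUKS2 recommended)"; bad = 1 }
            printf "INFO: %d key slot(s) in use\n", n
            for (s in pbkdf) {
                if (pbkdf[s] !~ /^argon2/) { print "WARN: slot " s " PBKDF " pbkdf[s] " (prefer argon2id)"; bad = 1 }
                if (bits[s] + 0 < 256)     { print "WARN: slot " s " key only " bits[s] " bits"; bad = 1 }
                if (cipher[s] !~ /xts/)    { print "WARN: slot " s " cipher " cipher[s] " (prefer an XTS mode)"; bad = 1 }
            }
            if (!bad) print "OK: no weak settings found"
            exit bad
        }'
}
# Audit a real device (needs root and cryptsetup), e.g. luks_audit_device /dev/sdb1
luks_audit_device() { cryptsetup luksDump "$1" | luks_audit; }
# Constructed sample: the relevant lines of the LUKS2 dump shown in the article
sample_dump() {
    cat <<'EOF'
Version:        2
Data segments:
  0: crypt
Keyslots:
  0: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      argon2i
Digests:
  0: pbkdf2
EOF
}
sample_dump | luks_audit
```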

Obtain the UUID of LUKS Device

If you want to easily get the UUID of the LUKS device, use the luksUUID action;

cryptsetup luksUUID /dev/sdb1

This should print the UUID which matches the one from the luksDump output, 242c24d8-ac65-413d-b3a2-eb7f2f0993b0.

Mounting LUKS Encrypted Device in Linux

Now that you have encrypted your drive with LUKS, it has to be opened and mounted before you can access it and store content on it.

Create LUKS Drive Device Mapping

Device mapping is a generic way of providing virtual block devices. You create a filesystem on the mapped device and mount it to store data on your encrypted drive.

To create a device mapping for the LUKS encrypted drive, use a command of the form;

cryptsetup luksOpen <device> <name>

Where:

  • <device> is the device you just set LUKS encryption on, such as /dev/sdb1. You can also use the device UUID instead of the device path.
  • <name> is a unique name you assign to the mapped virtual block device. It will be listed as /dev/mapper/<name>. To create a unique name, you can use luks-UUID, where UUID is the one obtained above.

See example below;

cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

If you used a key file while formatting the device, specify the same key file as follows;

cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file ~/luks-key

If you want, you can use the device UUID instead. First, find it with blkid;

blkid | grep sdb1

Sample output;

/dev/sdb1: UUID="242c24d8-ac65-413d-b3a2-eb7f2f0993b0" TYPE="crypto_LUKS" PARTUUID="22d456fe-9bc7-2f45-9eee-cfa50653606b"

So, you can run;

cryptsetup luksOpen /dev/disk/by-uuid/242c24d8-ac65-413d-b3a2-eb7f2f0993b0 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

This creates a virtual block device at;

/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

You can list device mappers using the dmsetup command;

dmsetup ls
luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0	(254:0)

You can also check the status of the virtual block device using the command cryptsetup -v status <name>.

cryptsetup -v status luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    8353792 sectors
  mode:    read/write
Command successful.

Create Filesystem on LUKS Device

Now that you have a virtual block device for your LUKS encrypted drive, you need to create a filesystem on it to be able to mount and use the device.

The command below creates an ext4 filesystem on our LUKS device.

mkfs.ext4 /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 1044224 4k blocks and 261120 inodes
Filesystem UUID: e940b45b-dbc8-4c40-aaa5-9acf9fcb2119
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Mounting LUKS Device in Linux

You can now mount the device using the mount command, or add an entry to the /etc/fstab file to mount it automatically during system boot.

First, create a mount point; in our case, we want to mount it under /mnt.

mkdir /mnt/luks-242c24d8

To mount the device;

mount /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8/

Listing the mounted devices;

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  984M     0  984M   0% /dev
tmpfs          tmpfs     200M  3.1M  197M   2% /run
/dev/sda1      ext4       13G  3.6G  8.5G  30% /
tmpfs          tmpfs     998M  8.0K  998M   1% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs     998M     0  998M   0% /sys/fs/cgroup
tmpfs          tmpfs     200M     0  200M   0% /run/user/0
/dev/dm-0      ext4      3.9G   16M  3.7G   1% /mnt/luks-242c24d8

To configure the LUKS device to mount automatically on system boot, see;

Automount LUKS Encrypted Device in Linux

Close LUKS Device

To remove the existing device mapping and wipe the key from kernel memory, unmount the drive if it is mounted and close it;

umount /mnt/luks-242c24d8
cryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

If you need to mount the device again, open it with the luksOpen action and mount it as shown above.

And there you go.

You have created a device with LUKS encryption and can now use it to store your data.

gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.

1 thought on “Encrypt Drives with LUKS in Linux”

  1. First of all, excellent tutorial!!!
     A question about this, complicating the issue: if instead of a single disk it is an LVM disk, and the encryption is done on the previously created /dev/mapper/logicalvol, how would we add an additional disk to the volume group?
     Should we use some specific procedure when adding the new disk, or would it be done in the same way as usual?
