Encrypt Drives with LUKS in Linux

By
gen_too
-
0
937

In this tutorial, you will learn how to encrypt drives with LUKS in Linux. LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that. The whole set is called a ‘LUKS container‘. The device that a LUKS container resides on is called a ‘LUKS device‘.

According to Fedora Docs, below are the DOs and DON’Ts of LUKS;

DOs;

  • LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
  • The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
  • LUKS uses the existing device mapper kernel subsystem.
  • LUKS provides passphrase strengthening which protects against dictionary attacks.
  • LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.

DON’Ts;

  • LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
  • LUKS is not well-suited for applications requiring file-level encryption.

Encrypt Drives with LUKS in Linux

So, how do you encrypt drives with LUKS in Linux?

Install cryptsetup Utility

cryptsetup is a utility that is used to manage LUKS encrypted volumes. Therefore, to be able to encrypt drives with LUKS in Linux, you need to install this package;

On Ubuntu/Debian systems, run the command below to install cryptsetup utility.

apt install cryptsetup

On CentOS and similar derivatives, simply run the command below;

yum install cryptsetup

For any other distro, consult your specific distro package manager on how to install cryptsetup utility.

Create a Block Device to Encrypt with LUKS

You can encrypt the entire root partition (easily done during initial system install), specific partition, a logical volume or RAID device with LUKS.

In this guide, we already created a partition, /dev/sdb1 and this is what we will use as an example on how to encrypt drives with LUKS in Linux.

To list the block devices on the system, simply run lsblk command.

lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   15G  0 disk 
├─sda1   8:1    0   13G  0 part /
├─sda2   8:2    0    1K  0 part 
└─sda5   8:5    0    2G  0 part [SWAP]
sdb      8:16   0    4G  0 disk 
└─sdb1   8:17   0    4G  0 part

Format the Device with LUKS

Once you have created a device, you need to initialize the device as a LUKS partition and sets the initial passphrase (for key-slot 0). To do this, you can use the luksFormat option for the cryptsetup command in the format below;

cryptsetup [OPTION] luksFormat <device>

So for example, to encrypt the /dev/sdb1 partition above, with LUKS key, you would run the command below;

cryptsetup -y -v luksFormat /dev/sdb1

Note that this command overwrites any data on the disk, hence, if it an already used drive, ensure you back up your data.

When command runs you are prompted to

  • confirm that formatting,
  • enter and confirm the passphrase (for the first key slot (0), if the drive had no other passphrase already).

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1: 
Verify passphrase: 
Key slot 0 created.
Command successful.

NOTE: The passphrase is not recoverable if lost, so keep it safe and do not forget it.

If you do not want to be prompted for passphrase, then you can use key file instead.

echo "mypassphrase" > ~/luks-key

Next, you can specify a path to the file containing your phrase on command line as;

cryptsetup -y -v luksFormat /dev/sdb1 ~/luks-key

Display LUKS Device Header Information

To view the details of the LUKS device, you can use the luksDump LUKS action;

cryptsetup luksDump /dev/sdb1
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	242c24d8-ac65-413d-b3a2-eb7f2f0993b0
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  4
	Memory:     1003317
	Threads:    2
	Salt:       b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12 
	            05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 133338
	Salt:       e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06 
	            42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96 
	Digest:     e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6 
	            d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec

Obtain the UUID of LUKS Device

If you want to easily get the UUID of the LUKS device, use the luksUUID action;

cryptsetup luksUUID /dev/sdb1

This should print the UUID which matches the one from the luksDump output, 242c24d8-ac65-413d-b3a2-eb7f2f0993b0.

Mounting LUKS Encrypted Device in Linux

Now that you have encrypted your drive/device with LUKS, it has to be mounted in order for you to access and store content in it.

Create LUKS drive device mapping

Device mapping is a generic way to provide virtual block devices which you will then create a filesystem on it and mount it to access your encrypted drive to store data.

To create a device mapping for the LUKS encrypted drive, you can use such a command;

cryptsetup luksOpen <device> <name>

Where:

  • <device> is the device you just set LUKS encryption on, like /dev/sdb1.
  • <name> is a unique name you can assign to the mapped virtual block device. This will be listed as /dev/mapper/<name>. To cerate a unique name, you can you can use luks-UUID, where UUID is obtained above.

See example below;

cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

If you used a key file while formatting the device, then you can specify the use of the same key file as follows;

cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file ~/luks-key

This creates a virtual block device as;

/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

You can list device mappers using the dmsetup command;

dmsetup ls
luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0	(254:0)

You can also check the status of the virtual block device using the command cryptsetup -v status <name>.

cryptsetup -v status luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    8353792 sectors
  mode:    read/write
Command successful.

Create Filesystem on LUKS Device

So now that you have a virtual block device for your LUKS encrypted drive, you need to now create a filesystem on it to enable you mount and use the device.

The command below creates an EXT4 filesystem type on our LUKS device.

mkfs.ext4 /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 1044224 4k blocks and 261120 inodes
Filesystem UUID: e940b45b-dbc8-4c40-aaa5-9acf9fcb2119
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Mounting LUKS Device in Linux

You can now mount the device using mount command, or put an entry in /etc/fstab file for auto mounting during system boot.

You can create a path to mount location, for example, we want to mount it on /mnt in our case.

mkdir /mnt/luks-242c24d8

To mount the device;

mount /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8/

Listing the mounted devices;

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  984M     0  984M   0% /dev
tmpfs          tmpfs     200M  3.1M  197M   2% /run
/dev/sda1      ext4       13G  3.6G  8.5G  30% /
tmpfs          tmpfs     998M  8.0K  998M   1% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs     998M     0  998M   0% /sys/fs/cgroup
tmpfs          tmpfs     200M     0  200M   0% /run/user/0
/dev/dm-0      ext4      3.9G   16M  3.7G   1% /mnt/luks-242c24d8

Configure LUKS device auto mounting on system boot;

Automount LUKS Encrypted Device in Linux

Close LUKS Device

To remove existing device mapping and wipe the key from kernel memory, unmount the drive if it mounted and close it;

umount /mnt/luks-242c24d8
cryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0

If you need to mount the device again open it with luksOpen action and mount it as shown above.

And there you go.

You have created a device with LUKS encryption and can now use it to store your data.

That concludes our guide on how to encrypt drives with LUKS in Linux.

Other Tutorials

How to Use VeraCrypt on Command Line to Encrypt Drives on Ubuntu 18.04

How to Encrypt Files and Folders with eCryptFS on Ubuntu 18.04

Install and Setup VeraCrypt on Ubuntu 20.04

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here