Encrypting Partitions With LUKS: Guide To Encrypt Linux Partitions

Encrypting With LUKS

Let’s learn about encrypting partitions with LUKS. Disk encryption is a method of protecting confidential and sensitive data on any storage device by converting the data into unreadable text (encrypting) such that only authorized users can decrypt and read the original data.

This method of protecting data is much stronger than simply having a password on your laptop since it actually changes the data itself instead of just putting it behind a password.

What is LUKS?

Linux Unified Key Setup (LUKS) is a disk encryption specification released in 2004 for Linux.

Since LUKS is a standard and not a separate piece of software, its implementation is uniform across all distros, partitions, and even other block devices such as USB drives.

It uses multiple ciphers such as aes-cbc-essiv:sha256 and aes-xts-plain to encrypt the data. The specific cipher depends on the use case.

Step-By-Step Encrypting Partitions With LUKS

We will be implementing LUKS using the cryptsetup command. As an example, I will be encrypting my USB Drive. But this method can be used on any empty partition in Linux.

NOTE: Make sure you don’t have any data on the partition or USB drive you are going to encrypt, as all the data on it will be lost in the process.

Step 1: Identify the partition to be formatted.

You can list all filesystems using the following command.

df -hl

Since my USB drive shows up as /dev/sdb1, I will be formatting that partition. If you are formatting a primary hard drive partition, this is usually something like /dev/sdaX.

Step 2: Unmount the partition

sudo umount /dev/sdb1  

Replace /dev/sdb1 with the name of your partition which we identified in the last step.

Step 3: Format the partition

DO NOT RUN UNTIL YOU HAVE MADE SURE THAT THE PARTITION DOES NOT HAVE ANY IMPORTANT DATA

sudo wipefs -a /dev/sdb1

Step 4: Format the partition with LUKS

Now we will use cryptsetup on this formatted partition to make an encrypted LUKS partition. To do so, run the following:

sudo cryptsetup luksFormat /dev/sdb1

After running this, you will be asked for a passphrase. That passphrase is how you will access the device whenever you want, so make sure to remember it.

Step 5: Open the partition

Your partition now holds a LUKS volume protected by a passphrase; however, it isn’t visible just yet.

To access the encrypted LUKS drive, execute the following:

sudo cryptsetup luksOpen /dev/sdb1 map_point

Here, you can replace map_point with any name that you like; the opened partition will be mapped to /dev/mapper/ under that name.

Now lsblk shows the encrypted LUKS partition (map_point).

Step 6: Create a filesystem in the LUKS partition and mount it.

Now to store files in the encrypted partition, we need a filesystem.

I will be creating an exFAT filesystem in the partition using the following command.

sudo mkfs.exfat /dev/mapper/map_point -n volume_name

You can choose any other filesystem. For ext4, use mkfs.ext4 and for FAT32, use mkfs.vfat, and so on.

Now that we have a filesystem, we can mount it to a location to access the contents.

sudo mkdir -p /mnt/luks_mount
sudo mount /dev/mapper/map_point /mnt/luks_mount
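
Steps 3 and 4 are destructive, so it helps to confirm beforehand that the target is unmounted and does not already hold a LUKS header; the same header check confirms afterwards that Step 4 took effect. The script below is an added example, not part of the original guide: the function names are hypothetical, the sample mounts table and image files are constructed, and it only reads from the target. It assumes the device name appears in the mounts table exactly as you type it.

```shell
#!/bin/sh
# Added example: read-only pre-flight checks for Steps 3 and 4.
# Function names are hypothetical; nothing here writes to the target.

# Print where device $1 is mounted according to a mounts table ($2,
# default /proc/mounts). Exit status 0 means it is still mounted.
mount_points() {
    awk -v dev="$1" '$1 == dev { print $2; hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}"
}

# Print 1 or 2 if $1 starts with a LUKS header, otherwise "none".
# LUKS1 and LUKS2 both start with the magic "LUKS" 0xBA 0xBE followed
# by a big-endian 16-bit version number.
luks_version() {
    hdr=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# Return 0 when it is safe to continue, 1 when the target is still
# mounted, 2 when it already holds a LUKS header (running luksFormat
# again would replace that header and its keys).
preflight() {
    if mp=$(mount_points "$1" "${2:-/proc/mounts}"); then
        echo "refusing: $1 is mounted at $mp" >&2; return 1
    fi
    v=$(luks_version "$1")
    if [ "$v" != none ]; then
        echo "refusing: $1 already has a LUKS$v header" >&2; return 2
    fi
    echo "ok: $1 is unmounted and has no LUKS header"
}

# Constructed sample data, so the checks can be tried without a real disk.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '/dev/sdb1 /media/usb exfat rw 0 0\n' > "$demo/mounts"
printf 'LUKS\272\276\000\002' > "$demo/luks2.img"
printf 'plain data, no header' > "$demo/plain.img"
preflight "$demo/plain.img" "$demo/mounts"
preflight "$demo/luks2.img" "$demo/mounts" || true
preflight /dev/sdb1 "$demo/mounts" || true
```

Against a real device, run the checks as root: a device that cannot be read reports "none", the same as a device without a LUKS header.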

We are done with the implementation. Let’s see what you need to do every time you need to access the data.

How to use LUKS?

If the partition you encrypted was on a USB drive, every time you insert the USB drive, you will be prompted for the passphrase to access the partition. The partition will be automatically mounted if you enter the passphrase and can be accessed like a normal USB drive partition.

If you are not using a desktop environment, you will not get the GUI prompt and will have to open and mount the partition yourself using the commands below.

# Unlock the LUKS partition first (asks for the passphrase)
sudo cryptsetup luksOpen /dev/sdb1 map_point
sudo mount /dev/mapper/map_point /mnt/luks_mount
ls /mnt/luks_mount
# Now you can access the partition at /mnt/luks_mount
# After you are done, unmount and close the partition.
sudo umount /mnt/luks_mount
sudo cryptsetup luksClose map_point

Conclusion

We have learned how to encrypt your partition and protect your sensitive data from the hands of unwanted users using Linux Unified Key Setup.

As with everything, it’s important to have a strong passphrase that includes upper case characters, lower case characters, numbers, and special characters.

To read more about LUKS, head over to the Red Hat forums. Keep exploring!