Sometimes you may want to encrypt your hard disk so that anyone who connects the drive to another computer must supply the passphrase before they can unlock and mount it. In Linux, individual block devices can be encrypted. In this article, we will learn how to encrypt block devices in Linux using LUKS (Linux Unified Key Setup), the standard Linux disk-encryption layer, which can be used to encrypt the entire root partition, a logical volume, or a specific partition.
This tutorial covers the following Linux distributions:
- Debian
- Ubuntu
- RHEL
- CentOS
- Rocky Linux
- Almalinux
Install cryptsetup-luks package
The cryptsetup utility, which sets up block-device encryption on Linux, is provided by the cryptsetup package (on RHEL-family systems it can also be installed under its older name, cryptsetup-luks). Install it with the following command.
Ubuntu/Debian
$ apt-get install cryptsetup
RHEL/CentOS/Rocky Linux/Almalinux
$ dnf install cryptsetup-luks
Prepare a LUKS partition
Once the utility is installed, prepare a partition for encryption. To list all available partitions and block devices, run the following commands.
$ fdisk -l
$ blkid
Now use the cryptsetup luksFormat command to set up encryption on the device. In this example the block device /dev/sdb is used; substitute the device that fits your environment.
$ cryptsetup -y -v luksFormat /dev/sdb
The command above destroys all existing data on the device: it writes a new LUKS header and prompts for the passphrase that will protect the volume (-y asks for it twice so that a typo cannot lock you out).
Now we need to create a device-mapper device that maps to the LUKS-encrypted partition formatted in the step above. In this example, encrypted is the name given to the mapping of the opened LUKS volume.
The following command opens the volume, prompting for the passphrase (the initial key) that was set above. Remember that the passphrase cannot be recovered if it is lost.
$ cryptsetup luksOpen /dev/sdb encrypted
The mapping details of the partition can be found by using the following command.
$ ls -l /dev/mapper/encrypted
Use the following command to view the status of the mapping, replacing encrypted with your mapping name.
$ cryptsetup -v status encrypted
The cryptsetup luksDump command prints the LUKS header and can be used to confirm that the device has been formatted for encryption. In this example, sdb is the device being checked.
$ cryptsetup luksDump /dev/sdb
Format LUKS partition
Writing zeros through the mapped device fills the whole underlying partition with encrypted data, so unused space cannot be told apart from real data. Use the following command to write zeros to the encrypted block device.
$ dd if=/dev/zero of=/dev/mapper/encrypted
The dd command may take some time to complete. Pipe the input through pv to watch the progress.
$ pv -tpreb /dev/zero | dd of=/dev/mapper/encrypted bs=128M
Note: Replace encrypted with your device mapping name.
Now format the new partition with your desired file system. In this example, the ext4 file system is used.
$ mkfs.ext4 /dev/mapper/encrypted
Replace encrypted with your device-mapper name.
Mount the new file system. In this example, the new file system is mounted at /encrypted.
$ mkdir /encrypted
$ mount /dev/mapper/encrypted /encrypted
Replace the device-mapper name encrypted with your own mapper name.
$ df -h
$ cd /encrypted
$ ls -l
With that, we have successfully created an encrypted partition on Linux using LUKS.
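The steps above can be collected into a single script. The following is an added example and not code from the original article; it wraps the article's commands in functions, adds the pre-flight checks a practitioner would want before luksFormat (the device must be a block device, not mounted, and not already carrying a filesystem or LUKS signature), verifies the luksDump header for the expected cipher and key size, and also covers the unmount and luksClose step the article does not show. It assumes cryptsetup, blkid, lsblk and mkfs.ext4 are installed and that it runs as root; the function names, the DRY_RUN variable and the two sample header dumps are assumptions made for this example, and the UUID in the sample is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's LUKS
# procedure wrapped in a script with pre-flight checks and a header check.
# Assumes cryptsetup, blkid, lsblk and mkfs.ext4 are installed and that the
# script runs as root. With DRY_RUN=1 the privileged commands are printed
# instead of executed, which is how the checks below can be exercised safely.
set -eu

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to format a device that is mounted or already carries a filesystem
# or LUKS signature, so luksFormat cannot silently destroy live data.
preflight() {
    dev=$1
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if lsblk -no MOUNTPOINT "$dev" | grep -q .; then
        echo "$dev (or a partition on it) is mounted; refusing" >&2; return 1
    fi
    if blkid -p -o value -s TYPE "$dev" 2>/dev/null | grep -q .; then
        echo "$dev already carries a signature; wipe it first if intended" >&2
        return 1
    fi
}

# Parse `cryptsetup luksDump` output (read on stdin). Real dumps pad the
# columns with tabs; the field separator below accepts tabs or spaces.
luks_dump_cipher() {        # LUKS2 "cipher:" line, or LUKS1 name + mode
    awk -F':[ \t]*' '
        /^Version:/                    { ver = $2 + 0 }
        ver == 2 && /^[ \t]+cipher:/   { print $2; exit }
        ver == 1 && /^Cipher name:/    { name = $2 }
        ver == 1 && /^Cipher mode:/    { print name "-" $2; exit }'
}
luks_dump_key_bits() {      # LUKS1 "MK bits:", or LUKS2 keyslot "Key:" line
    awk -F':[ \t]*' '/^MK bits:/ || /^[ \t]+Key:/ { print $2 + 0; exit }'
}
luks_dump_keyslots() {      # number of usable keyslots in either format
    awk '/^Key Slot [0-9]+: ENABLED/ || /^[ \t]+[0-9]+: luks2$/ { n++ }
         END { print n + 0 }'
}
# Succeed only if the header shows AES-XTS with a key of at least 256 bits.
verify_luks_dump() {
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | luks_dump_cipher)
    bits=$(printf '%s\n' "$dump" | luks_dump_key_bits)
    [ "$cipher" = "aes-xts-plain64" ] && [ "${bits:-0}" -ge 256 ]
}

# The article's steps end to end: format, verify header, open, fill, mkfs, mount.
setup_encrypted_volume() {
    dev=$1; name=$2; mnt=$3
    [ "${DRY_RUN:-0}" = 1 ] || preflight "$dev"
    run cryptsetup -y -v luksFormat "$dev"      # prompts twice for the new passphrase
    if [ "${DRY_RUN:-0}" != 1 ]; then
        cryptsetup luksDump "$dev" | verify_luks_dump ||
            { echo "unexpected cipher or key size on $dev" >&2; return 1; }
    fi
    run cryptsetup luksOpen "$dev" "$name"      # prompts for the passphrase again
    # Filling with zeros ends with ENOSPC once the device is full; that is expected.
    run dd if=/dev/zero of="/dev/mapper/$name" bs=1M status=progress || true
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}
# Reverse of the above: unmount and close the mapping when the volume is not in use.
close_encrypted_volume() {
    name=$1; mnt=$2
    run umount "$mnt"
    run cryptsetup luksClose "$name"
}

# Constructed sample dumps in the layout luksDump prints (UUID is a placeholder).
SAMPLE_DUMP_V2='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
Digests:
  0: pbkdf2'
SAMPLE_DUMP_V1='LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
MK bits:        512
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

# Stand-alone usage:  DRY_RUN=1 sh luks-volume.sh /dev/sdb encrypted /encrypted
if [ $# -eq 3 ]; then
    setup_encrypted_volume "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to review the exact command sequence for your device and mapping name before running it for real; the header check after luksFormat is the scripted equivalent of reading the luksDump output by eye, and it stops before luksOpen if the cipher or key size is not what was expected.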