HowTo: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]

by on October 19, 2012 · 19 comments· LAST UPDATED October 21, 2012

in Hardware, Howto, Open Source, Security

Dear nixCraft,

I carry my Linux powered laptop just about everywhere. How do I protect my private data stored on partition or removable storage media against bare-metal attacks where anyone can get their hands on my laptop or usb pen drive while traveling?

Sincerely,
Worried about my data.

Dear Worried Linux user,

That's actually a great question. Many enterprise, small business, and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information and much more. Linux supports the following cryptographic techniques to protect a hard disk, directory, or partition. All data written through any one of these techniques is encrypted, and decrypted again, on the fly.

Linux encryption methods

There are two methods to encrypt your data. Stacked filesystems encrypt file contents (and optionally names) but leave the number of files, their sizes and the directory layout visible on the underlying storage; block device encryption hides all of that, since the raw device only ever holds ciphertext:

#1: Filesystem stacked level encryption

  1. eCryptfs - It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file is decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu's Encrypted Home Directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
  2. EncFS - It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and kernel module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.

#2: Block device level encryption

  1. Loop-AES - Fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
  2. TrueCrypt - It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.
  3. dm-crypt+LUKS - dm-crypt is a transparent disk encryption subsystem in the Linux kernel (2.6 and later) and in DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files. LUKS adds an on-disk header in front of the encrypted data that stores the cipher parameters and up to several passphrase-protected key slots.

In this post, I will explain how to encrypt your partitions using the Linux Unified Key Setup (LUKS) on-disk format on your Linux based computer or laptop.

Step #1: Install cryptsetup utility

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux users, type the following apt-get command:
# apt-get install cryptsetup
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  cryptsetup-bin libcryptsetup4
Suggested packages:
  busybox
The following NEW packages will be installed:
  cryptsetup cryptsetup-bin libcryptsetup4
0 upgraded, 3 newly installed, 0 to remove and 7 not upgraded.
Need to get 168 kB of archives.
After this operation, 669 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main libcryptsetup4 amd64 2:1.4.1-2ubuntu4 [55.8 kB]
Get:2 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main cryptsetup-bin amd64 2:1.4.1-2ubuntu4 [32.2 kB]
Get:3 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu/ precise/main cryptsetup amd64 2:1.4.1-2ubuntu4 [80.0 kB]
Fetched 168 kB in 0s (268 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libcryptsetup4.
(Reading database ... 25374 files and directories currently installed.)
Unpacking libcryptsetup4 (from .../libcryptsetup4_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Selecting previously unselected package cryptsetup-bin.
Unpacking cryptsetup-bin (from .../cryptsetup-bin_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Selecting previously unselected package cryptsetup.
Unpacking cryptsetup (from .../cryptsetup_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libcryptsetup4 (2:1.4.1-2ubuntu4) ...
Setting up cryptsetup-bin (2:1.4.1-2ubuntu4) ...
Setting up cryptsetup (2:1.4.1-2ubuntu4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-31-virtual

RHEL / CentOS / Fedora Linux users, type the following yum command:
# yum install cryptsetup-luks

Step #2: Configure LUKS partition

WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you back up your data to an external source such as a NAS or hard disk before typing any of the following commands, and double-check the device name: a typo here wipes the wrong disk.

In this example, I'm going to encrypt /dev/xvdc. The -y option asks for the passphrase twice and -v makes the output verbose. Type the following command:
# cryptsetup -y -v luksFormat /dev/xvdc
Sample outputs:

 
WARNING!
========
This will overwrite data on /dev/xvdc irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
 

This command writes the LUKS header to the start of the device, generates the volume's master key, and protects it with an initial passphrase. Please note that the passphrase is not recoverable, so do not forget it; a damaged header is just as fatal, so keep a copy off the device with cryptsetup luksHeaderBackup (see the man page). Type the following command to create a mapping:
# cryptsetup luksOpen /dev/xvdc backup2
Sample outputs:

Enter passphrase for /dev/xvdc:

After the supplied passphrase has been verified against the key material that luksFormat stored in the header, the decrypted view of the device appears as /dev/mapper/backup2:
# ls -l /dev/mapper/backup2
Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0

You can use the following command to see the status for the mapping:
# cryptsetup -v status backup2
Sample outputs:

/dev/mapper/backup2 is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/xvdc
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.

The type, cipher and key size shown above are the compiled-in defaults of cryptsetup 1.4 (LUKS1 header, AES in CBC mode with ESSIV, 256-bit key). Current cryptsetup releases default to a LUKS2 header and aes-xts-plain64; you can choose these explicitly with --type, --cipher and --key-size on luksFormat (XTS splits the key in two halves, so --key-size 512 gives AES-256). You can dump the LUKS header, including the key slots and cipher parameters, using the following command:
# cryptsetup luksDump /dev/xvdc

Step #3: Format LUKS partition

First, write zeros through the /dev/mapper/backup2 device. The zeros are encrypted on their way to /dev/xvdc, so the raw disk ends up holding ciphertext that looks random from end to end, and anyone who gets the bare disk cannot tell which blocks have ever been used (the alternative is to fill /dev/xvdc itself from /dev/urandom before running luksFormat, which is much slower). dd stops with a "No space left on device" error once the device is full; that is expected:
# dd if=/dev/zero of=/dev/mapper/backup2
The dd command may take many hours to complete. I suggest that you use the pv command to monitor the progress (dd from coreutils 8.24 or later can also report it itself with status=progress):
# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
To create a filesystem i.e. format filesystem, enter:
# mkfs.ext4 /dev/mapper/backup2
To mount the new filesystem at /backup2, enter:
# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l
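As an added example (not the original post's code and not part of cryptsetup), here are the luksFormat / luksOpen / wipe / mkfs / mount steps above combined into one script with the checks I would want in front of a destructive luksFormat: it refuses a device that is mounted or already carries a signature, passes explicit LUKS2/AES-256-XTS parameters instead of relying on compiled-in defaults, checks the opened mapping against a small cipher policy, wipes through the mapping, formats, mounts, and takes a header backup. The device path, mapping name, mount point under /mnt and backup path under /root are assumptions.

```shell
#!/bin/bash
# Added example for this post (not the original author's code and not part
# of cryptsetup): the luksFormat / luksOpen / wipe / mkfs / mount steps as
# one script with safety checks. Assumptions: $1 is the block device, $2 the
# mapping name, the mount point is /mnt/<name>, the header backup goes to /root.
set -eu

# Policy check on an opened mapping. Takes the text of `cryptsetup status
# <name>` and returns 0 only for a LUKS2 header with AES-256 in XTS mode.
luks_status_ok() {
    local status="$1" hdr cipher keysize
    hdr=$(printf '%s\n' "$status" | awk '$1 == "type:"    { print $2 }')
    cipher=$(printf '%s\n' "$status" | awk '$1 == "cipher:"  { print $2 }')
    keysize=$(printf '%s\n' "$status" | awk '$1 == "keysize:" { print $2 }')
    [ "$hdr" = "LUKS2" ] || { echo "legacy header type: ${hdr:-unknown}" >&2; return 1; }
    [ "$cipher" = "aes-xts-plain64" ] || { echo "cipher outside policy: ${cipher:-unknown}" >&2; return 1; }
    # XTS uses two keys, so 512 bits in total is AES-256; 256 would be AES-128.
    [ "${keysize:-0}" -ge 512 ] || { echo "XTS key too short: ${keysize:-0} bits" >&2; return 1; }
    return 0
}

# Refuse to luksFormat a device that is mounted or that already carries a
# filesystem, RAID or LUKS signature (blkid -p reports TYPE= for any of them).
refuse_if_in_use() {
    local dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if findmnt -n -S "$dev" >/dev/null 2>&1; then
        echo "$dev is mounted; umount it first" >&2; return 1
    fi
    if blkid -p -o value -s TYPE "$dev" 2>/dev/null | grep -q .; then
        echo "$dev already has a signature; run wipefs -a $dev if that is intended" >&2
        return 1
    fi
}

encrypt_device() {
    local dev="$1" name="$2" mnt="/mnt/$2" backup="/root/$2.luks-header"
    refuse_if_in_use "$dev"
    # Explicit parameters rather than compiled-in defaults: LUKS2 header,
    # AES-256-XTS, memory-hard argon2id for the passphrase, passphrase typed twice.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --verify-passphrase "$dev"
    cryptsetup luksOpen "$dev" "$name"
    luks_status_ok "$(cryptsetup status "$name")"
    # Zeros written through the mapping reach $dev as ciphertext, so the raw
    # disk carries no usage pattern. dd ends with ENOSPC when the device is
    # full; that is expected, hence "|| true".
    dd if=/dev/zero of="/dev/mapper/$name" bs=4M status=progress || true
    mkfs.ext4 -L "$name" "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    # A damaged header makes the data unrecoverable: keep a copy off the device.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    chmod 600 "$backup"
    echo "$dev opened as /dev/mapper/$name and mounted on $mnt; header backup in $backup"
}

# Touch hardware only when called with a device and a mapping name, e.g.
#   ./luks-setup.sh /dev/xvdc backup2
if [ $# -eq 2 ]; then
    encrypt_device "$1" "$2"
fi
```

luks_status_ok takes the status text as an argument rather than calling cryptsetup itself, so the same check can be run from an audit job over every active mapping (for m in /dev/mapper/*) to find volumes still on LUKS1 or CBC. The destructive part only runs when the script is given both arguments.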

How do I unmount and secure data?

Type the following commands:
# umount /backup2
# cryptsetup luksClose backup2

How do I mount or remount encrypted partition?

Type the following command:
# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount

See the shell script wrapper that opens a LUKS partition and sets up a mapping for NAS devices.

Can I run fsck on LUKS based partition / LVM volume?

Yes, you can use the fsck command on the opened mapping, never on the raw device:
# umount /backup2
# fsck -vy /dev/mapper/backup2
# mount /dev/mapper/backup2 /backup2

See how to run fsck On LUKS (dm-crypt) based LVM physical volume for more details.

How do I change LUKS passphrase (password) for encrypted partition?

Type the following commands:
### see key slots: a LUKS1 header has 8 slots, i.e. up to 8 different passphrases can unlock one device (LUKS2 has 32) ####
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc

Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Before removing the old passphrase, check that the new one actually opens the device (cryptsetup luksOpen, then luksClose), otherwise you can lock yourself out. Then remove the old passphrase:
# cryptsetup luksRemoveKey /dev/xvdc
Please note that you need to enter the old passphrase: luksRemoveKey wipes whichever key slot the typed passphrase unlocks. To wipe a slot by its number instead, use cryptsetup luksKillSlot /dev/xvdc <slot number>.
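As an added example (not the original post's code and not part of cryptsetup), the rotation above done defensively: it reads the key slots from luksDump, adds the new passphrase, checks with cryptsetup open --test-passphrase that the new passphrase really unlocks the device, refuses to wipe the last remaining slot, and only then wipes the old slot by number with luksKillSlot. The device path and slot number are arguments; the parser understands both the LUKS1 dump format ("Key Slot 0: ENABLED") and the LUKS2 one ("  0: luks2" under "Keyslots:").

```shell
#!/bin/bash
# Added example for this post (not the original author's code and not part
# of cryptsetup): key-slot inventory and a safe passphrase rotation.
# Assumptions: $1 is the LUKS device, $2 the number of the slot to retire.
set -eu

# Print the numbers of the enabled key slots, one per line. Takes the text of
# `cryptsetup luksDump <device>` and understands both header formats:
#   LUKS1:  "Key Slot 0: ENABLED"
#   LUKS2:  "  0: luks2" under the "Keyslots:" section (token and digest
#           entries look similar but never end in "luks2")
enabled_slots() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }
        /^ *[0-9]+: luks2$/         { sub(":", "", $1); print $1 }
    '
}

# Number of enabled slots (0 when the dump shows none).
slot_count() {
    enabled_slots "$1" | awk 'END { print NR }'
}

# Succeeds if slot number $2 is enabled in dump text $1.
slot_enabled() {
    enabled_slots "$1" | grep -qx "$2"
}

# Rotate a passphrase. luksRemoveKey (as used in the post) wipes whichever
# slot the typed passphrase unlocks; luksKillSlot wipes a slot by number and
# prompts for a passphrase from one of the remaining slots.
rotate_passphrase() {
    local dev="$1" old_slot="$2" dump
    dump=$(cryptsetup luksDump "$dev")
    slot_enabled "$dump" "$old_slot" || { echo "slot $old_slot is not enabled on $dev" >&2; return 1; }
    echo "Adding the new passphrase (you will be asked for an existing one first)"
    cryptsetup luksAddKey "$dev"
    echo "Type the NEW passphrase again to prove it unlocks $dev"
    cryptsetup open --test-passphrase "$dev" \
        || { echo "new passphrase does not unlock $dev; old slot left in place" >&2; return 1; }
    dump=$(cryptsetup luksDump "$dev")
    # Never wipe the last slot: that leaves the data unrecoverable.
    [ "$(slot_count "$dump")" -ge 2 ] || { echo "refusing to wipe the only slot" >&2; return 1; }
    cryptsetup luksKillSlot "$dev" "$old_slot"
    echo "slot $old_slot wiped; $(slot_count "$(cryptsetup luksDump "$dev")") slot(s) remain"
}

# Touch the device only when called with a device and a slot number, e.g.
#   ./luks-rotate.sh /dev/xvdc 0
if [ $# -eq 2 ]; then
    rotate_passphrase "$1" "$2"
fi
```

The --test-passphrase step is the important one: luksAddKey only proves that you typed the new passphrase the same way twice, not that it was what you intended, and the old slot is the only thing standing between a typo and a permanently locked volume.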

Check out related media

This tutorial is also available in video format:

(Video 01: cryptsetup command demo)

Conclusion

You now have an encrypted partition for all of your data.

Pros:

  1. LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media (usb pen) or laptop disk drives.
  2. You can also use it with your NAS server to protect backups.
  3. Intel and AMD CPUs with AES-NI (Advanced Encryption Standard Instruction Set) accelerate dm-crypt based encryption on Linux kernel 2.6.32 and later. This speeds up hard disk encryption considerably.
  4. Works with swap partitions too, so your laptop can use hibernation (suspend-to-disk), which writes the contents of RAM to the swap partition before powering off; an unencrypted swap partition would expose keys and data held in memory.

Cons:

  1. A LUKS1 header supports only up to 8 key slots, i.e. at most 8 users can have distinct passphrases for the same device (LUKS2 raises this to 32).
  2. LUKS is not a substitute for file-level encryption: once the device is open, every process on the system sees plaintext, subject only to normal filesystem permissions.

For more information see cryptsetup man page and read RHEL 6.x documentation.

Sincerely,
nixCraft


  • Cae

    Truecrypt – It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.

    You may want to check your statement about Truecrypt.

    If it’s not available in Debian, it cannot be opensource.

  • Unix Lover

    How do you do this on FreeBSD?

  • Nmonk
  • Rizky Ariestiyansyah

    Hello NixCraft, good tutorial using cryptsetup,

    just advice cryptsetup now had new release by 3 days ago,, :D

    http://code.google.com/p/cryptsetup/downloads/list

    *compile from source will help us to know more ;)

    Regards,

  • Neo

    usbs can be carried within a baggy or balloon within a user’s rectum once slid into the anus.

  • Isaac

    No, TrueCrypt is Open Source (at least that’s what their website says), though it has its own license (non-GPL), which might be why most distros don’t have it.
    You can download the source here:
    http://www.truecrypt.org/downloads2

    Besides, not even Debian could have absolutely every piece of Free and Open Source Software out there.

    And if you need it, here is a program based off of TrueCrypt:
    http://www.diskcryptor.net/wiki/Main_Page/en

    Another thing: Fedora stopped providing TrueCrypt as well. Here is their opinion on it.

  • agresor

    “RHEL / CentOS / Fedora Linux user type the following yum command:
    # apt-get install cryptsetup-luks”
    rather
    # yum install cryptsetup-luks

    greetings

  • http://www.cyberciti.biz/tips/about-us nixCraft

    Thanks for the heads up!

  • Ashish

    Hi,

    I have a RHEL 6.3 laptop with 500GB hard disk. The entire disk is encrypted via LUKS.

    I want to create a 250 GB partition on my disk to be able to install Windows7 on it. I wish to have RHEL/Windows dual boot on my laptop.

    But, I think without de-crypting the entire HDD, its not possible to create a new partition. Can you please help me on this? I would be greatly helpful to you.

    Thanks,
    Ashish

  • Ashish

    Oops… typo in last sentence…. I would be greatly thankful to you !!!

  • http://www.cyberciti.biz/tips/about-us nixCraft

    Read this thread. If I were you I will backup all data before resizing anything. Good luck!

  • Guest

    For pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M I have a 1TB drive. The bs=128 is that OK?

  • Arjun Ram

    My entire disk is encrypted using LUKS. Mistakenly I deleted one important *.nsf file. Using some software I could restore that deleted file but it says PGP/MIME encrypted header. Do we have any way to decrypt the single file?

  • Mayur Pipaliya

    # I strive on raring ringtail (gnome) backed by crypt-luks (entire 500GB) + encfs (over dropbox/google drive). m/

  • mtz

    There is a project that gives a GUI tool to manage cryptsetup LUKS and PLAIN volumes as well as truecrypt volumes.The project is hosted at: http://code.google.com/p/zulucrypt/

  • Kendall

    Regarding monitoring of the dd process, an easier to remember and more portable method is as such:

    # kill -USR1 $pid_of_dd

    This will cause dd to output the number of bytes copied, current run time and throughput to the terminal running the 'dd' command.

  • aprogrammer

    I found a cool Russian instruction for encryption. http://sysadmin.te.ua/tag/luks

  • safeuser

    I think there is a mistake. You should initially fill the device with random bytes, not zeros, i.e.

    pv -tpreb /dev/urandom | dd of=/dev/mapper/backup2 bs=128M
    or
    dd if=/dev/urandom of=/dev/mapper/backup2

  • Jacobo

    Only use the filesystem with root? If you're going step by step, the default use is for root.
