These are instructions for setting up LUKS (Linux Unified Key Setup) encryption in Debian. They should work with little or no change on other Linux distributions, since everything below uses cryptsetup, losetup and the kernel's dm-crypt rather than anything Debian-specific.
Before you begin using LUKS in Debian, install the following packages. cryptsetup is the one used throughout this guide; dmsetup is the low-level device-mapper tool it relies on, and cryptmount is an optional helper that lets unprivileged users mount encrypted volumes, which you can leave out if you only ever open volumes as root:
cryptsetup cryptmount dmsetup
There are two ways to use LUKS: 1) encrypting a container file stored within an existing filesystem, and 2) encrypting an entire partition or disk. Either way the passphrase you choose is the only thing standing between someone who has the disk and your data, so choose a long one.
Encrypting a container within an existing filesystem
The first thing we need to do is create the file that will hold the encrypted container. The following command creates a 2 GB file (bs=1024 count=2048000, i.e. 2,097,152,000 bytes) named container1 and fills it with random data. Starting from random data rather than zeros means that, once the container is encrypted, nobody examining the file can tell how much of it holds real data and how much is still unused:
dd if=/dev/urandom of=container1 bs=1024 count=2048000
Now we need to attach this file to a free loop device so that it appears as a block device. Older cryptsetup releases could not use a regular file directly; current releases attach a loop device automatically when given a file, but doing it explicitly with losetup (part of util-linux) works on every version and makes the teardown step obvious. Find a free loop device with:
losetup -f
For me it was /dev/loop0, so I attach container1 to /dev/loop0:
losetup /dev/loop0 /path/to/container1
Use an absolute path here. Note that losetup -f --show /path/to/container1 does both steps in one go and prints the device it picked, which is handier in scripts because the free device is not always /dev/loop0.
Once the loop device is attached, we can turn the container into a LUKS volume.
cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0
--verify-passphrase makes cryptsetup ask for the passphrase twice, which is a good idea when formatting so that a typo does not lock you out of a volume you can never open again. luksFormat writes a LUKS header to /dev/loop0 after you confirm by typing YES in capitals; it destroys whatever was on the device, so double-check the device name first. Recent cryptsetup releases create a LUKS2 header by default, and the luksOpen/luksClose spellings used below still work as aliases of open --type luks and close. Once the volume is formatted it is worth saving a copy of the header with cryptsetup's luksHeaderBackup action somewhere other than the container itself: if the header is damaged, the data is unrecoverable even with the correct passphrase.
Now that the container has been formatted, we need to open it and create an ext4 filesystem inside it.
cryptsetup luksOpen /dev/loop0 encr-container
mkfs.ext4 /dev/mapper/encr-container
luksOpen prompts for the passphrase and creates a device under /dev/mapper named encr-container through which we access the container; everything written to it is encrypted before it reaches /dev/loop0. Run mkfs.ext4 against the mapper device only, never against /dev/loop0 or the container file, or you will overwrite the LUKS header. To make mounting easy we can create the mount point directory and add an entry to fstab.
/dev/mapper/encr-container /mnt/encr-mount ext4 user,noauto 0 0
You can, of course, use any options that you desire in your fstab entry. Bear in mind that user implies noexec, nosuid and nodev unless you override them, and that only the mount step becomes available to unprivileged users: losetup and luksOpen still need root. In the future, to connect to the encrypted container, the following three commands must be run in this order.
losetup /dev/loop0 /path/to/container1
cryptsetup luksOpen /dev/loop0 encr-container
mount /dev/mapper/encr-container
luksOpen will prompt you for your passphrase before proceeding. To disconnect from the encrypted container, undo the commands in reverse.
umount /dev/mapper/encr-container
cryptsetup luksClose encr-container
losetup -d /dev/loop0
Do not skip luksClose: until it runs, the volume key stays in kernel memory and anyone with root on the machine can read the plaintext through /dev/mapper/encr-container, unmounted or not. These commands can be scripted to facilitate easy access.
Encrypting an entire partition
The first step is to optionally fill the device with random data. This does not make the encryption itself any harder to break; what it does is make unused space indistinguishable from encrypted data, so that someone who gets hold of the disk cannot tell how much of it is in use or where the data sits, and it also overwrites any plaintext left over from the disk's previous life. The downside is that it can take a long time if the device is large, because /dev/urandom is limited by CPU speed: for example, filling a 500 GB partition over a SATA II connection with a relatively fast CPU takes over 24 hours. If you don't have the time you can simply skip this step. Using dd's status=progress option (GNU coreutils) at least shows how far it has got instead of leaving you waiting with no indication.
dd if=/dev/urandom of=/dev/sdb bs=4M status=progress
Substitute /dev/sdb with the path to your device node. /dev/sdb is a whole disk; if you only want to encrypt one partition, use the partition node (for example /dev/sdb1) here and in every command that follows. Make sure nothing on the device is mounted and that you have the right device name: this overwrites it irrevocably.
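A faster way to get the same result, added here as an example and not part of the original instructions: instead of pulling every byte from /dev/urandom, open the device as a plain (non-LUKS) dm-crypt mapping keyed with a throw-away random key and write zeros through it. The kernel's AES, usually hardware-accelerated, turns the zeros into ciphertext that is indistinguishable from random data, and the key is discarded when the mapping is closed. The function name wipe_device and the mapping name to_be_wiped are this example's own choices; the commands are cryptsetup's plain mode, dd and lsblk.

```shell
#!/bin/sh
# Added example: fill a whole device with random-looking data by
# writing zeros through a plain dm-crypt mapping keyed from /dev/urandom.
# Function and mapping names (wipe_device, to_be_wiped) are this
# example's own choices.
set -eu

# wipe_device DEVICE
# Refuses to touch anything that is not a block device or that has a
# mounted filesystem on it (or on one of its partitions).
wipe_device() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "wipe_device: $dev is not a block device" >&2
        return 1
    fi
    if lsblk -n -o MOUNTPOINT "$dev" | grep -q .; then
        echo "wipe_device: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    # Plain (non-LUKS) mapping. The 256-bit key is read straight from
    # /dev/urandom and is gone when the mapping is closed, so the zeros
    # written through it can never be decrypted again.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$dev" to_be_wiped
    # Writing zeros through the mapping lands ciphertext on $dev.
    # dd exits non-zero with "No space left on device" when it reaches
    # the end, which is the expected way for this to finish.
    dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=4M status=progress || true
    sync
    cryptsetup close to_be_wiped
}

# Usage (as root): ./wipe.sh /dev/sdb
case "${1:-}" in
    /dev/*) wipe_device "$1" ;;
esac
```

The mounted-filesystem check is there because the most common way this step goes wrong is running it against the wrong disk; lsblk prints a mount point for the device and every partition on it, so anything in use is refused before cryptsetup is invoked.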
Now we can create the LUKS volume.
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb
As in the container case, --verify-passphrase makes cryptsetup ask for the passphrase twice to avoid typos, and luksFormat writes a LUKS header to /dev/sdb after you confirm with YES, destroying whatever was on the device. Back up the header with luksHeaderBackup once you are done.
Now that the device has been formatted, we need to open it and create an ext4 filesystem inside it.
cryptsetup luksOpen /dev/sdb encr-sdb
mkfs.ext4 /dev/mapper/encr-sdb
luksOpen prompts for the passphrase and creates a device under /dev/mapper named encr-sdb through which we access the encrypted partition; mkfs.ext4 must run against that mapper device, not against /dev/sdb itself. To facilitate easy mounting we can create the mount point directory and add an entry to fstab.
/dev/mapper/encr-sdb /mnt/encr-sdb ext4 user,noauto 0 0
You can, of course, use any options that you desire in your fstab entry. In the future, to connect to the encrypted partition, the following commands must be run.
cryptsetup luksOpen /dev/sdb encr-sdb
mount /dev/mapper/encr-sdb
luksOpen will prompt you for your passphrase before proceeding. To disconnect, undo the commands in reverse; as before, luksClose is what removes the key from kernel memory, so do not stop at umount.
umount /dev/mapper/encr-sdb
cryptsetup luksClose encr-sdb
These commands can be scripted to facilitate easy access.
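Both sections end by suggesting that the connect and disconnect sequences be scripted. The script below is an added example, not from the original page, that covers both cases: given a regular file it attaches a loop device first, given a block device it uses it directly, and on disconnect it unmounts, closes the mapping (which is what evicts the key from kernel memory) and detaches the loop device if there was one. A failed luksOpen (wrong passphrase) detaches the loop device again instead of leaving it dangling. The mapper name encr-container and mount point /mnt/encr-mount are taken from the page's fstab entry and are assumed defaults; override them with the MAPPER and MOUNTPOINT environment variables. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): one script for the
# "connect" and "disconnect" sequences of both sections above.
#   ./luks-volume.sh open  /path/to/container1   (file: attaches a loop device)
#   ./luks-volume.sh open  /dev/sdb              (block device: used as is)
#   ./luks-volume.sh close /path/to/container1
# Assumed defaults, taken from the page's fstab entry: mapper name
# encr-container and mount point /mnt/encr-mount.
set -eu

MAPPER="${MAPPER:-encr-container}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/encr-mount}"

# loop_device_for: read "losetup -j FILE" output on stdin and print the
# first loop device attached to that file (nothing if none), e.g.
#   /dev/loop0: [2049]:131 (/home/me/container1)   ->   /dev/loop0
loop_device_for() {
    sed -n 's/^\(\/dev\/loop[0-9][0-9]*\):.*/\1/p' | head -n 1
}

# backing_device TARGET: print the block device cryptsetup should open.
# A regular file is attached to a free loop device first (losetup -f
# --show prints the device it picked); a block device is used as it is.
backing_device() {
    target="$1"
    if [ -b "$target" ]; then
        printf '%s\n' "$target"
    elif [ -f "$target" ]; then
        losetup -f --show "$target"
    else
        echo "$target is neither a block device nor a regular file" >&2
        return 1
    fi
}

open_volume() {
    target="$1"
    if [ -e "/dev/mapper/$MAPPER" ]; then
        echo "$MAPPER is already open" >&2
        return 1
    fi
    dev=$(backing_device "$target") || return 1
    # luksOpen prompts for the passphrase. If it fails (wrong passphrase,
    # not a LUKS device), detach the loop device we just attached.
    if ! cryptsetup luksOpen "$dev" "$MAPPER"; then
        if [ -f "$target" ]; then losetup -d "$dev"; fi
        return 1
    fi
    mkdir -p "$MOUNTPOINT"
    # Prefer the fstab entry (so its options apply); otherwise mount explicitly.
    mount "$MOUNTPOINT" 2>/dev/null || mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

close_volume() {
    target="$1"
    # Reverse order: unmount, close the mapping (this wipes the volume key
    # from kernel memory), then detach the loop device if TARGET is a file.
    if mountpoint -q "$MOUNTPOINT"; then
        umount "$MOUNTPOINT"
    fi
    if [ -e "/dev/mapper/$MAPPER" ]; then
        cryptsetup luksClose "$MAPPER"
    fi
    if [ -f "$target" ]; then
        loopdev=$(losetup -j "$target" | loop_device_for)
        if [ -n "$loopdev" ]; then
            losetup -d "$loopdev"
        fi
    fi
}

case "${1:-}" in
    open)  open_volume "$2" ;;
    close) close_volume "$2" ;;
esac
```

Run it as root (losetup and cryptsetup require it regardless of the fstab user option). Looking the loop device up with losetup -j at close time, rather than remembering /dev/loop0, means the script still tears down correctly when another loop device was already in use and losetup -f picked a different one.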