Linux hard disk encryption – LUKS

What is LUKS

Data safety is a top concern everywhere, whether in a corporate environment, for confidential information, or in a regular home setup. LUKS is an encryption method that works at the block device level. The data can be decrypted by supplying the passphrase that was set when the device was set up.

Install LUKS (cryptsetup)

LUKS uses the cryptsetup package to encrypt block devices. To install it on Fedora or Red Hat, use the command below.

Syntax

dnf install cryptsetup

Setting up or configuring LUKS partition

The block device needs to be formatted with the cryptsetup command, which formats and encrypts it as a LUKS device.

Syntax

cryptsetup luksFormat /dev/xdaXX

Example

cryptsetup luksFormat /dev/sdb1

After you run this command, you will be asked to confirm by entering “YES” (in caps), because formatting overwrites the existing data on the device. The command initializes the volume and asks you to enter a LUKS passphrase. Do not forget the passphrase, as it is not recoverable. The next step creates a mapping for the device.

Initialize LUKS partition

In the next step the partition has to be opened; cryptsetup will ask for the passphrase. Provide the name under which you want the partition to be mapped.

Syntax

cryptsetup open /dev/xdaXX [name_of_partition]

Example

cryptsetup open /dev/sdb1 infojinx

Once the partition is mapped, it is available for use as a regular partition. Now format it with a filesystem.

Syntax

mkfs.ext4 /dev/mapper/[name_of_partition]

Example

mkfs.ext4 /dev/mapper/infojinx

Note: To access encrypted devices you will have to use the path to the mapped name rather than accessing it directly.

Mounting of LUKS partition

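The encrypted LUKS partition is accessed by mounting it by its mapped name. Until the partition has an entry in /etc/fstab, the mount point has to be given on the command line, and the mount point directory must already exist.

Syntax

mount /dev/mapper/[name_of_partition] /[mount_point]

Example

mount /dev/mapper/infojinx /infojinx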

Unmounting of LUKS partition

To unmount a LUKS partition, use the umount command.

Syntax

umount /dev/mapper/[name_of_partition]

Add entry for LUKS partition to fstab

Adding an entry for the LUKS partition to fstab enables mounting of the partition at boot time.

Add the line below to the /etc/fstab file:

/dev/mapper/[name_of_partition]      /[mount_point]                 ext4    defaults        0 0

Example

/dev/mapper/infojinx      /infojinx                 ext4    defaults        0 0

Next, add an entry to the /etc/crypttab file:

[name_of_luks_partition] [path_of_partition] none

Here none means that no key file is available as of now.

Example

infojinx  /dev/sdb1       none

Now at boot time, the system will pause and ask for the passphrase of the LUKS partition.
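
The fstab and crypttab entries above have to agree, or the boot-time mount fails because the mapping is never opened. The script below is an added example, not part of the original article: check_luks_mapping is a hypothetical helper name, and the sample files are constructed copies of the article's infojinx and /dev/sdb1 entries.

```shell
#!/bin/sh
# Added example: check that one LUKS mapping is configured consistently in
# fstab and crypttab. check_luks_mapping is a hypothetical helper name.
# Usage: check_luks_mapping NAME FSTAB_FILE CRYPTTAB_FILE
# Prints one finding per line; returns 0 if both files agree, 1 otherwise.
check_luks_mapping() {
    name=$1 fstab=$2 crypttab=$3 rc=0

    # crypttab fields: <name> <device> <key file> [options]
    entry=$(awk -v n="$name" '$1 == n { print $2, $3; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "ERROR: no crypttab entry for $name, mapping is not opened at boot"
        rc=1
    else
        device=${entry% *}
        keyfile=${entry#* }
        case $keyfile in
            none|-|'') echo "OK: $name ($device) prompts for the passphrase at boot" ;;
            *)         echo "NOTE: $name is unlocked with key file $keyfile" ;;
        esac
        # Kernel names such as /dev/sdb1 can change when disks are added or
        # reordered; crypttab also accepts UUID=<luks-uuid> as the device.
        case $device in
            /dev/sd*) echo "WARN: $device is a kernel device name, UUID= is stable" ;;
        esac
    fi

    # fstab must reference the mapped path, not the raw partition.
    if ! awk -v p="/dev/mapper/$name" '$1 == p { f = 1 } END { exit !f }' "$fstab"; then
        echo "ERROR: fstab has no entry for /dev/mapper/$name"
        rc=1
    fi
    return $rc
}

# Constructed sample files that mirror the article's example entries.
sample_dir=$(mktemp -d)
printf '%s\n' '/dev/mapper/infojinx /infojinx ext4 defaults 0 0' > "$sample_dir/fstab"
printf '%s\n' 'infojinx /dev/sdb1 none' > "$sample_dir/crypttab"

check_luks_mapping infojinx "$sample_dir/fstab" "$sample_dir/crypttab"
# A name that appears in neither file is reported and returns 1.
check_luks_mapping backup "$sample_dir/fstab" "$sample_dir/crypttab" || echo "backup: not configured"
```

Point the function at copies of the real /etc/fstab and /etc/crypttab to check a system before rebooting it.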