Guide to Encrypting a Partition with LUKS
Introduction
Encryption protects data at rest. With LUKS (Linux Unified Key Setup) the
contents of a specific partition stay confidential while the partition is
closed: without the passphrase they cannot be read. Once the partition is
opened and mounted its files are as readable as any other, so close it when
you are done. This guide walks through encrypting a partition with LUKS using
the cryptsetup tool.
Prerequisites
- A Linux-based operating system.
- Root or sudo access to your system.
- A partition that's already been created.
- A backup of all important data. Formatting a partition with LUKS destroys
whatever is currently stored on it, and naming the wrong partition by mistake
destroys that one instead.
Encryption Procedure
Identify Partition
- Open a terminal and run lsblk to list all the available drives and
partitions.
- Identify the partition you wish to encrypt (e.g., /dev/sda2) by its size or
its label. Double-check it: the steps below destroy the contents of whichever
partition you name.
Note: fdisk -l can be used for a more detailed listing.
Install cryptsetup
- If you don't have cryptsetup installed, you can get it using:
sudo apt install cryptsetup
Note: this step varies by distribution. If yours does not use apt, install the
cryptsetup package with your distribution's package manager instead.
Encrypt the Partition
- Use the cryptsetup tool to initialize LUKS encryption on the chosen
partition:
# Replace <partition> with the partition identified in the previous step.
sudo cryptsetup --verbose --verify-passphrase luksFormat <partition>
- cryptsetup warns that this overwrites the data on the partition irrevocably
and asks you to confirm by typing YES in capital letters. Check the device
path once more before you do.
- You'll then be prompted for a passphrase, twice because of
--verify-passphrase. Choose a strong one and don't forget it: there is no way
to recover the data without it. The LUKS header at the start of the partition
holds the key material, so if the header is damaged the data is lost as well;
cryptsetup luksHeaderBackup can write a copy of it to a file that you keep
somewhere safe.
Open the Encrypted Partition
- Before you can use the partition, it needs to be opened, i.e. mapped to a
device under /dev/mapper that presents the decrypted contents:
# <name> can be any name, but I like to use the same name as the partition.
# So, if my partition is /dev/sda2, I use "sda2" as <name>.
sudo cryptsetup luksOpen <partition> <name>
- You will be asked for the passphrase. Newer versions of cryptsetup spell
this command "cryptsetup open"; luksOpen still works as an alias.
Create a File System
- With the encrypted partition opened, create a file system (e.g. ext4) on the
mapped device, not on the raw partition:
sudo mkfs.<fs-type> /dev/mapper/<name>
Example:
sudo mkfs.ext4 /dev/mapper/sda2
- If this is a data partition, i.e. not used for / or /boot, you can also
reclaim the space ext4 reserves for root. By default ext4 sets aside 5% of the
blocks so that root can still log in and clean up when the file system fills;
that margin matters on / but is wasted on a data partition. tune2fs only
works on ext2/ext3/ext4; other file systems have their own tuning tools.
sudo tune2fs -m 0 /dev/mapper/<name>
The partition is now encrypted. It is still open and mapped under
/dev/mapper/<name>: either mount it as described under Usage below, or close
it with sudo cryptsetup luksClose <name>.
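The whole procedure above as one script, added here as a worked example; it is not part of the original guide or of cryptsetup. It assumes cryptsetup, mkfs.ext4, tune2fs and sudo are installed, uses the partition basename as <name> as this guide does, and adds the checks worth having in front of an irreversible luksFormat: the target must be a block device, must not be mounted, must not already carry a LUKS header, and the operator must type the device path back. It also saves a header backup to a file in the home directory (an assumed location; move it off the machine) before the first luksOpen. The is_mounted helper reads a mounts table from a file so it can be exercised against a constructed one, which selftest does.

```sh
#!/bin/sh
# luks-setup.sh: the "Encryption Procedure" above as one script with guard rails.
# Added example for this guide, not part of cryptsetup. Assumes cryptsetup,
# mkfs.ext4, tune2fs and sudo are installed and that the partition was chosen
# from lsblk as described above. Usage: sh luks-setup.sh /dev/sda2
set -eu

# /dev/sda2 -> sda2: the <name> convention used in this guide.
mapper_name() {
    printf '%s\n' "${1##*/}"
}

# Succeeds if device $1 is a mount source in the mounts table $2
# (defaults to /proc/mounts). Never format something that is in use.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Check the helpers against a constructed mounts table (not a real system).
selftest() {
    table=$(mktemp)
    cat > "$table" <<'EOF'
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/sda2 /mnt/sda2-mount ext4 rw,relatime 0 0
EOF
    if [ "$(mapper_name /dev/sda2)" = sda2 ] \
        && is_mounted /dev/sda1 "$table" \
        && is_mounted /dev/mapper/sda2 "$table" \
        && ! is_mounted /dev/sda2 "$table"; then rc=0; else rc=1; fi
    rm -f "$table"
    return "$rc"
}

# Everything on $1 is destroyed, so refuse the obvious mistakes and make the
# operator type the device path back before luksFormat runs.
luks_setup() {
    dev=$1
    name=$(mapper_name "$dev")
    backup="$HOME/luks-header-$name.img"   # assumed location; move it off-box

    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    if sudo cryptsetup isLuks "$dev"; then
        echo "$dev already holds a LUKS header; not re-formatting it" >&2; return 1
    fi
    printf 'This will DESTROY all data on %s. Type the device path to continue: ' "$dev"
    read -r answer
    [ "$answer" = "$dev" ] || { echo "aborted" >&2; return 1; }

    sudo cryptsetup --verbose --verify-passphrase luksFormat "$dev"
    # The header holds the key material: without it the passphrase is useless.
    sudo cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    sudo cryptsetup luksOpen "$dev" "$name"
    sudo mkfs.ext4 "/dev/mapper/$name"
    sudo tune2fs -m 0 "/dev/mapper/$name"   # data partition: drop the root reserve
    sudo cryptsetup luksClose "$name"
    echo "done. Header backup: $backup. Open with: sudo cryptsetup luksOpen $dev $name"
}

# Only act when given a device path; sourcing the file just defines the functions.
case "${1:-}" in
    /dev/*) luks_setup "$1" ;;
esac
```

Run it as sh luks-setup.sh /dev/sda2. luksHeaderBackup refuses to overwrite an existing backup file, so a second run against a different partition with the same name stops there rather than clobbering the earlier header.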
Usage
Open Partition
We can use the following command to "open" (decrypt) our partition:
sudo cryptsetup luksOpen <partition> <name>
Here <partition> is the partition to be decrypted, as identified by lsblk,
and <name> is an arbitrary name given to the decrypted mapping. You will be
prompted for the passphrase.
Example:
sudo cryptsetup luksOpen /dev/sda2 sda2
Mount Partition
We can mount this opened partition using the regular mount command:
sudo mount /dev/mapper/<name> <empty-directory>
Here, <empty-directory> is an existing directory onto which the partition
will be mounted. It should be empty: anything already inside it is hidden for
as long as the partition is mounted on top of it. Example: /mnt/sda2-mount
Unmount Partition
Once you're done with the encrypted partition, you can unmount it using:
sudo umount /dev/mapper/<name>
Close Partition
You can now "close" the partition, which removes the mapping under /dev/mapper
and makes the data unreadable again until the next luksOpen. The partition
must be unmounted first; luksClose fails while the mapping is still in use:
sudo cryptsetup luksClose <name>
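The Usage section as a script, again an added example rather than part of the guide or of cryptsetup: one command opens and mounts, the other unmounts and closes, in the order luksClose requires. It assumes the same <name> convention (basename of the partition) and sudo access, and adds the checks the text calls for: the mount directory must exist and be empty, an already active mapping is reused instead of re-opened (cryptsetup status exits 0 for an active mapping), and the mount point is looked up from a mounts table before umount, so close works whatever directory the partition was mounted on. The helpers read the mounts table from a file so they can be checked against a constructed one, which selftest does.

```sh
#!/bin/sh
# luks-mount.sh: the open/mount and unmount/close cycle from the Usage section.
# Added example for this guide, not part of cryptsetup. Assumes the <name>
# convention above (basename of the partition) and sudo access.
#   sh luks-mount.sh open  /dev/sda2 /mnt/sda2-mount
#   sh luks-mount.sh close /dev/sda2
set -eu

mapper_name() { printf '%s\n' "${1##*/}"; }

# Print where device $1 is mounted according to mounts table $2 (default
# /proc/mounts); print nothing and fail if it is not mounted anywhere.
mount_point_of() {
    awk -v d="$1" '$1 == d { print $2; found = 1; exit } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Succeeds only if $1 is an existing directory with no entries (dotfiles included).
is_empty_dir() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Check the helpers against a scratch directory and a constructed mounts table.
selftest() {
    scratch=$(mktemp -d)
    mkdir "$scratch/empty"
    printf '/dev/mapper/sda2 /mnt/sda2-mount ext4 rw,relatime 0 0\n' > "$scratch/mounts"
    if is_empty_dir "$scratch/empty" && ! is_empty_dir "$scratch" \
        && [ "$(mount_point_of /dev/mapper/sda2 "$scratch/mounts")" = /mnt/sda2-mount ] \
        && ! mount_point_of /dev/sda2 "$scratch/mounts"; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

luks_mount() {
    dev=$1 dir=$2
    name=$(mapper_name "$dev")
    mapped="/dev/mapper/$name"
    is_empty_dir "$dir" || { echo "$dir must be an existing, empty directory" >&2; return 1; }
    if mp=$(mount_point_of "$mapped"); then
        echo "$mapped is already mounted on $mp" >&2; return 1
    fi
    # cryptsetup status exits 0 when the mapping is already active: reuse it.
    if ! sudo cryptsetup status "$name" >/dev/null 2>&1; then
        sudo cryptsetup luksOpen "$dev" "$name"
    fi
    sudo mount "$mapped" "$dir"
}

luks_umount() {
    name=$(mapper_name "$1")
    mapped="/dev/mapper/$name"
    # Unmount first: luksClose refuses a mapping that is still in use.
    if mp=$(mount_point_of "$mapped"); then
        sudo umount "$mp"
    fi
    sudo cryptsetup luksClose "$name"
}

case "${1:-}" in
    open)  luks_mount "$2" "$3" ;;
    close) luks_umount "$2" ;;
    "")    ;;   # no arguments: only define the functions
    *)     echo "usage: $0 open <partition> <empty-directory> | close <partition>" >&2 ;;
esac
```

The close path deliberately runs luksClose even when nothing was mounted, so a mapping left open by an earlier failed mount is still torn down.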
Arguments
<partition>: The complete path of a partition, such as /dev/sda2.
<name>: The name given to the "mapped" device once the partition is decrypted.
<empty-directory>: The path to an empty, existing directory.