LUKS Encyrption

These are instruction for setting up LUKS (Linux Unified Key Setup) encryption in Debian. They will probably work relatively well in other Linux distributions.

Before you begin using LUKS in Debian, you should install the following packages:

cryptsetup
cryptmount
dmsetup

There are two types of LUKS encryption: 1) encrypting a container within an existing filesystem, and 2) encrypting an entire partition.

Encrypting a container within an existing filesystem

The first thing we need to do is create the encrypted container. The following command creates an 2GB file, named “container1”, which is full of random data:

dd if=/dev/urandom of=container1 bs=1024 count=2048000

Now we need to create a mapping between this file and a free loop device. This step is needed because at the moment cryptsetup cannot use a file as a block device directly.  We can use losetup (part of util-linux) to find out which loop device is free with the command:

losetup -f

For me it was /dev/loop0. So, I map the container1 file to /dev/loop0.

losetup /dev/loop0 /path/to/container1

Once the loop device is mapped, we can encrypt the container.

cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0

--verify-passphrase causes cryptsetup to ask for a passphrase twice, which is a good idea when formating to avoid typos. luksFormat formats /dev/loop0.

Now that the contaner has been encrypted, we need to open it up and create an ext4 partition inside it.

cryptsetup luksOpen /dev/loop0 encr-container

mkfs.ext4 /dev/mapper/encr-container

luksOpen will create a device under /dev/mapper named encr-container that we can use to access our container. To facilitate easy mounting of the container we can create an entry in fstab.

/dev/mapper/encr-container  /mnt/encr-mount  ext4  user,noauto  0  0

You can, of course, use any options that you desire in your fstab entry. In the future, to connect to the encrypted container, the following three commands must be run.

losetup /dev/loop0 /path/to/container

cryptsetup luksOpen /dev/loop0 encr-container

mount /dev/mapper/encr-container

luksOpen will prompt you for your password before proceeding. To disconnect from the encrypted container, undo the commands in reverse.

umount /dev/mapper/encr-container

cryptsetup luksClose encr-container

losetup -d /dev/loop0

These commands can be scripted to facilitate easy access.

Encrypting an entire partition

The first step is to optionally fill the disk with random data, which is a good practice if it is likely that someone knowledgable is actually going to crack your encrypted data. The downside is that it can take a long time if the partition is large. For example, filling a 500 GB partition over a SATA II connection with a relatively fast CPU takes over 24 hours. If you don’t have the time you can simply skip this step. The worst part of the process is that there is no progress indicator, so you just wait for it to finish.

dd if=/dev/urandom of=/dev/sdb

Substitute /dev/sdb with the path to your device node.

Now we can create the LUKS partition.

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb

--verify-passphrase causes cryptsetup to ask for a passphrase twice, which is a good idea when formating to avoid typos.  luksFormat encrypts the device /dev/sdb.

Now that the device has been encrypted, we need to open it up and create an ext4 partition inside it.

cryptsetup luksOpen /dev/sdb encr-sdb

mkfs.ext4 /dev/mapper/encr-sdb

luksOpen will create a device under /dev/mapper named encr-sdb that we can use to access our encrypted partition.  To facilitate easy mounting of the container we can create an entry in fstab.

/dev/mapper/encr-sdb  /mnt/encr-sdb  ext4  user,noauto  0  0

You can, of course, use any options that you desire in your fstab entry. In the future, to connect to the encrypted container, the following commands must be run.

cryptsetup luksOpen /dev/sdb encr-sdb

mount /dev/mapper/encr-sdb

luksOpen will prompt you for your password before proceeding. To disconnect from the encrypted container, undo the commands in reverse.

umount /dev/mapper/encr-sdb

cryptsetup luksClose encr-sdb

These commands can be scripted to facilitate easy access.