How to encrypt a partition in Linux using cryptsetup tool
Recent Linux distributions include cryptsetup-luks package installed by default. This package makes disk encryption pretty easy in Linux. You can either choose to encrypt a partition on the disk or create encrypted file system with in a file using loop-back device. This article outlines the basic usage of cryptsetup tool to set up encryption of a disk partition.
If you don’t have cryptsetup-luks package installed in Fedora Linux you can use “yum” to install it. For more details read this article and look for xinetd package installation.
Initializing Disk Partition for Encryption
This procedure is required only once to initialize a disk partition for the first time. The next section explains how to mount and unmount a partition for daily usage.
First chose a partition to encrypt. But ensure that you don’t have any useful data and take backup of any data present on it before you use it for encryption.
First the chosen partition should be formatted for luks encryption. Here I am using “/dev/sda6″ partition as example. Use a password that you must always remember when it prompts for passphrase. Be careful while choosing the password because forgetting the password means a permanent loss of files and data you will store in the encrypted partition forever.
[root@techpulp mark]# cryptsetup luksFormat /dev/sda6
WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: <-- input "yourpassword" here
Verify passphrase: <-- input "yourpassword" here
Command successful.
[root@techpulp mark]#
Once the partition is formatted you need to use luksOpen option to open the device and map it another device with a symbolic name using device mapper. Here I am using “enc-disk” as device mapper name. Whenever you attempt to open a luks encrypted partition, you will be requested to supply the password that you used while formatting the partition.
[root@techpulp mark]# cryptsetup luksOpen /dev/sda6 enc-disk Enter LUKS passphrase for /dev/sda6: <-- input "yourpassword" here key slot 0 unlocked. Command successful. [root@techpulp mark]#
If the above command is successful, you should see a new file created in “/dev/mapper” directory with the symbolic name you have given with luksOpen operation. In this case I used “enc-disk” so there will be a special block device created as /dev/mapper/enc-disk.
[root@techpulp mark]# ls -l /dev/mapper total 0 crw-rw---- 1 root root 10, 63 2009-01-07 16:02 control brw-rw---- 1 root disk 253, 1 2009-01-07 16:39 enc-disk [root@techpulp mark]#
Now format the partition as EXT3 file system. It is not mandatory that EXT3 file system must be used. You can choose any file system type.
[root@techpulp mark]# mkfs.ext3 /dev/mapper/enc-disk mke2fs 1.41.3 (12-Oct-2008) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 2101232 inodes, 8389809 blocks 419490 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=0 257 block groups 32768 blocks per group, 32768 fragments per group 8176 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624 Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 36 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. [root@techpulp mark]#
Now you can mount the partition and start using it.
[root@techpulp mark]# mkdir /enc-disk [root@techpulp mark]# mount /dev/mapper/enc-disk /enc-disk [root@techpulp mark]#
You can see the encrypted disk mounted using “df” command. Remember that “/dev/mapper/enc-disk” is a logical device that is actually mapped to /dev/sda6. So what ever is written in to this logical device is encrypted and written to physical partition /dev/sda6.
[root@techpulp mark]# df /enc-disk Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/enc-disk 33031680 180236 31173484 1% /enc-disk [root@techpulp mark]#
This procedure of formatting physical partition and formatting logical device are needed only once while setting it up. The following section tells you about daily usage.
Daily Usage
It is not advised to mount the encrypted partition by default. You can manully mount the partition when you need it and unmount it once you are done with it.
How to open and mount:
Open the partition using password and map it to a logical device.
[root@techpulp mark]# cryptsetup luksOpen /dev/sda6 enc-disk Enter LUKS passphrase for /dev/sda6: <-- input "yourpassword" here key slot 0 unlocked. Command successful. [root@techpulp mark]#
Now mount the partition
[root@techpulp mark]# mount /dev/mapper/enc-disk /enc-disk [root@techpulp mark]#
How to unmount and close:
[root@techpulp mark]# umount /enc-disk [root@techpulp mark]# cryptsetup luksClose enc-disk
about 2 years ago
Good post!
about 2 years ago
Very good explanation. Everything worked just fine. Much appreciated!