
Encrypt Hard Disks using LUKS Crypt on Debian/Ubuntu

Hard disks and removable drives on Linux are encrypted with the cryptsetup utility, which implements the LUKS (Linux Unified Key Setup) on-disk format. Its role is comparable to BitLocker on Windows: the whole partition is encrypted with a volume key, and that key is unlocked by one or more passphrases.

Note: commands that need root privileges are prefixed with 'sudo' rather than run from a root shell, so the regular (limited) user keeps their own session. The root directory of a freshly created ext4 filesystem is owned by root, so if you cannot write to the mounted volume after completing the process, give your user ownership with the 'chown' command shown at the end of this page.

1. Install cryptsetup utility

Enter following command in Linux terminal to install

`sudo apt update && sudo apt install cryptsetup -y`

2. Find device path

Enter the following command in a terminal to get the path of the device and of the partition that will be encrypted with LUKS.

The output should look similar to the one below, with the path in the second column (/dev/sdx for the whole device and /dev/sdxn for partition n on it). These paths identify the device and partition in the next set of commands. Double-check the size against the drive you intend to encrypt: every later step destroys whatever is on the target.

[screenshot: device path info]


3. Create Linux partitions

To work with disk-drives, enter command mode in fdisk

`sudo fdisk /dev/sdx`

To quit without saving, use the 'q' command. fdisk keeps all changes in memory until you write them with 'w', so 'q' discards everything done so far.

Under command mode, press 'm' and enter to view list of commands

To list the free (un-partitioned) space, use 'F'.

If there is no free space, list all partitions with the 'p' command and find the number of the partition to be deleted. Partitions are listed as /dev/sdxn, where n is the partition number.

Delete the partition with 'd', then enter the partition number. The data on that partition is lost once the table is written.

To create partitions, use command 'n'.

The 'n' command asks for three values (on an MBR disk it first asks whether the partition is primary or extended).

a. Partition number: this becomes n in /dev/sdxn.

b. First sector: the first sector of the new partition. When replacing a partition that sat between two others, note the end sector of the previous partition (from the 'p' output) and add one to get the start of the new partition; pressing Enter accepts the first free sector.

c. Last sector: to create the partition by size, enter for example +5G for a 5 GB partition (use K, M or G accordingly). To fill a gap between existing partitions, enter a sector number one less than the start sector of the next partition. Pressing Enter accepts the default, which fills the unallocated space.

Once complete, enter the 'w' command to write the table to disk. To undo the changes, use 'q' instead.

4. Create LUKS containers using cryptsetup utility

Find the partition path as in step 2. It should look similar to /dev/sdx1.

Unmount the partition if it is mounted

`sudo umount /dev/sdx1`

Create a LUKS container on the partition

`sudo cryptsetup -y -v luksFormat /dev/sdx1`

This overwrites the start of the partition and makes any existing data on it unreadable, so cryptsetup asks you to confirm by typing YES in capitals. Then enter a strong passphrase (twice, because of -y), which will be used to unlock the container later. On current Debian and Ubuntu releases this creates a LUKS2 header.

To check LUKS setup

`sudo cryptsetup luksDump /dev/sdx1`

Map the device using luksOpen (replace crypt1 with any name of your choice; it only names the mapping)

`sudo cryptsetup luksOpen /dev/sdx1 crypt1`

The device will be mapped to /dev/mapper/crypt1

Fill the container with zeros through the mapping (optional but recommended): the zeros reach the disk as ciphertext, so free space cannot be distinguished from data. dd ends with a "No space left on device" error when the container is full, which is expected. This is not a format step; the filesystem is created afterwards.

`sudo pv -tpreb /dev/zero | sudo dd of=/dev/mapper/crypt1 bs=16M`

If pv is not installed, install it using

`sudo apt install pv`

Create file system on the mapped container

`sudo mkfs.ext4 /dev/mapper/crypt1`

Once the process is complete, the container can be mounted.

If there is more than one partition, repeat this step for each partition.

5. Mounting and un-mounting disks.

Recent Ubuntu/Debian desktops detect the LUKS header and mount the volume through the desktop automounter: unplug and re-plug the drive and enter the passphrase when prompted.

To do it manually, or if auto-mount ever fails, follow the instructions below.

5.1. Create a mount point (only the first time), map the LUKS partition and mount the mapped container.

`sudo mkdir /mnt/crypt1`

`sudo cryptsetup luksOpen /dev/sdx1 crypt1`

`sudo mount /dev/mapper/crypt1 /mnt/crypt1`

Now the drive is ready to use.

5.2 To disconnect the device, unmount the filesystem and then close the mapping, which removes the volume key from the kernel.

`sudo umount /mnt/crypt1`

`sudo cryptsetup luksClose crypt1`

6. Changing LUKS passphrase

Each LUKS device has several key slots, each holding a copy of the volume key protected by one passphrase: 8 slots for LUKS1 and 32 for LUKS2, the default format on current Debian/Ubuntu.

To see the first key slot in use (drop the grep to read the whole Keyslots section when more than one slot is used), execute

`sudo cryptsetup luksDump /dev/sdx1 | grep -A 1 Keyslots:`

To add a new passphrase in an empty slot (cryptsetup asks for an existing passphrase first, then the new one twice), use

`sudo cryptsetup luksAddKey /dev/sdx1`

To change the passphrase in a used slot, enter the following command, replacing 'n' with the slot number; it asks for the current passphrase of that slot and then the new one

`sudo cryptsetup luksChangeKey /dev/sdx1 -S n`

To remove a passphrase, execute the following; it prompts for the passphrase to remove and wipes the slot that it unlocks (luksKillSlot removes a slot by number instead)

`sudo cryptsetup luksRemoveKey /dev/sdx1`

Never remove the last remaining slot: without any slot the volume key is lost and the data is unrecoverable. Before changing slots, back up the header with luksHeaderBackup and keep the copy somewhere other than the disk itself.
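The steps of sections 4 to 6 above, collected into one script as an added example (this is not code from the original article). It assumes the same placeholders as the text: /dev/sdx1 as the partition, crypt1 as the mapping name, /mnt/crypt1 as the mount point, and a root-readable key file for the new passphrase; the ciphertext fill uses dd's status=progress instead of pv. Setting DRYRUN=1 prints the commands instead of running them, which is how the script can be read through without a disk attached; the partition check and the order "add key, verify it, then kill the old slot" are the two things the article's one-liners do not enforce.

```shell
#!/bin/sh
# Added example; it is not code from the original article. It wraps the
# article's cryptsetup steps in shell functions so the order (format, open,
# fill, mkfs, mount; add key, verify, kill old slot; unmount, close) is
# explicit. DRYRUN=1 prints each command instead of executing it. Device
# names such as /dev/sdx1 and the key file path are placeholders.
set -eu

# Execute a command, or print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: list block devices with full paths in the NAME column.
list_block_devices() {
    lsblk -p -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT
}

# Accept only partition nodes (/dev/sdb1, /dev/vdb2, /dev/nvme0n1p3), never a
# whole disk such as /dev/sdb or /dev/nvme0n1, so a typo cannot luksFormat
# the wrong target.
is_partition() {
    case "$1" in
        /dev/sd[a-z]*[0-9]|/dev/vd[a-z]*[0-9]|/dev/nvme[0-9]*n[0-9]*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 4 and 5: LUKS container, ciphertext fill, ext4, mount.
# $1 = partition path, $2 = mapper name (device appears as /dev/mapper/$2).
luks_provision() {
    dev=$1; name=$2; mnt=/mnt/$name
    if ! is_partition "$dev"; then
        echo "refusing: $dev is not a partition node" >&2
        return 1
    fi
    run sudo cryptsetup -y -v luksFormat "$dev"
    run sudo cryptsetup luksOpen "$dev" "$name"
    # Zeros written through the mapping reach the disk as ciphertext, so unused
    # space cannot be told apart from data. dd stops with "No space left on
    # device" when the container is full, which is the expected end state.
    run sudo dd if=/dev/zero of="/dev/mapper/$name" bs=16M status=progress || true
    run sudo mkfs.ext4 "/dev/mapper/$name"
    run sudo mkdir -p "$mnt"
    run sudo mount "/dev/mapper/$name" "$mnt"
}

# Step 6: rotate a passphrase safely. $1 = partition, $2 = slot number to retire,
# $3 = root-readable file holding the new passphrase (create it with umask 077).
luks_rotate_key() {
    dev=$1; old_slot=$2; newkey=$3
    # Asks for an existing passphrase, then stores $newkey in the first free slot.
    run sudo cryptsetup luksAddKey "$dev" "$newkey"
    # --test-passphrase activates nothing; it only proves the new key unlocks a slot.
    run sudo cryptsetup open --test-passphrase --key-file "$newkey" "$dev"
    # Retire the old slot only after that check. Killing the last remaining slot
    # makes the data unrecoverable.
    run sudo cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Copy of the LUKS header; a damaged header without a backup means the data is gone.
luks_header_backup() {
    run sudo cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Step 5.2: unmount, then close the mapping so the volume key is dropped from the kernel.
luks_detach() {
    run sudo umount "/mnt/$1"
    run sudo cryptsetup luksClose "$1"
}

# Entry point for real use, e.g.: LUKS_DEV=/dev/sdb1 LUKS_NAME=crypt1 sh luks.sh
# Nothing runs when the file is loaded without LUKS_DEV set.
if [ -n "${LUKS_DEV:-}" ]; then
    luks_provision "$LUKS_DEV" "${LUKS_NAME:-crypt1}"
fi
```

Run it once with DRYRUN=1 and the real device path to see exactly what will be executed; luksFormat and luksKillSlot are the two commands that cannot be undone, and the partition check only catches the whole-disk mistake, not a wrong partition number.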


To give a limited user, say 'username', write access to the mounted volume, find its mount point under /media/username/ (the automounter names it after the filesystem label or UUID) and use the 'chown' command on it (replace username and unique-id-mount-point). The ownership is stored in the root directory of the ext4 filesystem, so it persists across re-mounts.

`sudo chown username:username /media/username/unique-id-mount-point`
