
Encrypt Hard Disks using LUKS Crypt on Debian/Ubuntu

Hard disks and removable devices can be encrypted on Linux with the cryptsetup command, which follows the LUKS (Linux Unified Key Setup) specification. It is similar to using BitLocker on Windows.

1. Install cryptsetup utility

Enter root mode

`sudo -i`

Enter the following command in the Linux terminal to install it

`apt update && apt install cryptsetup -y`

2. Find device path

Enter the following command in the Linux terminal to get the path of the device and partition to be encrypted using LUKS.


The output should be similar to the one below, with the path in the second column (/dev/sdx as the device path and /dev/sdxn as the partition path). These paths are used to identify the device and partition in the next set of commands.

(Screenshot: device path info)


3. Create Linux partitions

To work with disk drives, enter command mode in fdisk

`fdisk /dev/sdx`

To quit this command mode without saving, use the 'q' command or press Ctrl+Z.

In command mode, press 'm' and Enter to view the list of commands.

To list the available free (unpartitioned) space, use 'F'.

If there is no free space, list all partitions using the 'p' command and find the number of the partition to be deleted. Partitions are listed as /dev/sdxn, where n is the partition number.

Delete the partition using 'd', then enter the partition number.

To create partitions, use the 'n' command.

The 'n' command asks for three values.

a. Partition number: This will be the partition number n, as in /dev/sdxn.

b. First sector: This will be the first sector of the new partition. If a partition in the middle was deleted and is being replaced with a new one, note down the end sector of the previous partition (using the 'p' command) and add one to it to get the start of the new partition.

c. Last sector: To create a partition by size, enter for example +5G for a 5GB partition. Use K, M or G accordingly. Alternatively, enter a sector number if the partition is being created in the middle to fill a gap (in this case the sector number will be one less than the 'start' sector number of the next partition). Accept the default to fill the unallocated space.

Once complete, enter the 'w' command to write the changes to disk. To discard the changes, use the 'q' command instead.

4. Create LUKS containers using cryptsetup utility

Find the partition name using the second step. The partition name should be similar to /dev/sdx1.

Unmount the partition if it is mounted

`umount /dev/sdx1`

Create the LUKS container on the partition

`cryptsetup -y -v luksFormat /dev/sdx1`

Enter a strong passphrase, which will be used to unlock the container later.

To check the LUKS setup

`cryptsetup luksDump /dev/sdx1`

Map the device using luksOpen (replace crypt1 with any name of your choice)

`cryptsetup luksOpen /dev/sdx1 crypt1`

The device will be mapped to /dev/mapper/crypt1

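Overwrite the mapped container with zeros using the pv utility (secure). Because the writes go through the LUKS mapping, they are stored encrypted on the partition. dd stops with a "No space left on device" message once the container is full.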

`pv -tpreb /dev/zero | dd of=/dev/mapper/crypt1 bs=16M`

If pv is not installed, install it using

`apt install pv`

Create a file system on the mapped container

`mkfs.ext4 /dev/mapper/crypt1`

Once the process is complete, the partition can be mounted.

If there is more than one partition, repeat this step for each partition.

The LUKS setup is now complete. Exit root mode.


5. Mounting and unmounting disks

Most recent versions of Ubuntu/Debian distros have GUI-based auto-mount. Unplug and re-plug the drive and enter the password to access it.

To do it manually, if auto-mount ever fails, follow the instructions below.

5.1. Create a mount point (only the first time), map the LUKS partition and mount the mapped LUKS container.

`sudo mkdir /mnt/crypt1`

`sudo cryptsetup luksOpen /dev/sdx1 crypt1`

`sudo mount /dev/mapper/crypt1 /mnt/crypt1`

Now the drive is ready to use.

5.2. To disconnect the device, unmount it and then run luksClose.

`sudo umount /mnt/crypt1`

`sudo cryptsetup luksClose /dev/mapper/crypt1`

6. Changing LUKS passphrase

Each LUKS partition can use up to 8 passwords.

To get the list of empty password slots for a partition, execute

`sudo cryptsetup luksDump /dev/sdx1 | grep -i key`

If there are empty slots, add a new key using

`sudo cryptsetup luksAddKey /dev/sdx1`

To change the password in a slot, enter the following command, replacing 'n' with the slot number

`sudo cryptsetup luksChangeKey /dev/sdx1 -S n`

To remove a key, execute

`sudo cryptsetup luksRemoveKey /dev/sdx1`
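
As an added example (not from the original post), the functions below parse `cryptsetup luksDump` output to list the occupied key slots for both the LUKS1 and LUKS2 header layouts, and check that more than one slot is in use before a key is removed. The function names and the sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report occupied LUKS key slots.
# Both functions read `cryptsetup luksDump` output on stdin.

# Print the occupied slot numbers, space-separated.
luks_used_slots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1
    /^[A-Za-z]/ { in_ks = ($1 == "Keyslots:"); next }   # LUKS2 section header
    in_ks && /^  [0-9]+: / { sub(":", "", $1); print $1 }  # LUKS2 slot entry
  ' | paste -sd' ' -
}

# Succeed only if more than one slot is occupied, i.e. removing one
# passphrase still leaves another way to unlock the partition.
luks_can_remove_key() {
  set -- $(luks_used_slots)
  [ "$#" -gt 1 ]
}

# Constructed sample dumps, trimmed to the lines the parser looks at.
SAMPLE_LUKS1='Version:        1
Key Slot 0: ENABLED
        Iterations:     1000000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'

SAMPLE_LUKS2='Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

printf 'LUKS1 used slots: %s\n' "$(printf '%s\n' "$SAMPLE_LUKS1" | luks_used_slots)"
printf 'LUKS2 used slots: %s\n' "$(printf '%s\n' "$SAMPLE_LUKS2" | luks_used_slots)"
```

On a real partition, pipe the dump into the function, for example `sudo cryptsetup luksDump /dev/sdx1 | luks_used_slots`.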
