Disk encryption is used to encrypt the entire hard disk or a thumb drive in order to secure and protect the information contained within from prying eyes. For this exercise, we shall be using the program called cryptsetup to encrypt a thumb drive.
These instructions can also be extended to hard-disks for full-disk encryption.
Install cryptsetup
On Debian / Ubuntu, do:
$ sudo apt-get install cryptsetup
On RedHat / Fedora, do:
$ sudo yum install cryptsetup-luks
Linux Unified Key Setup (LUKS) is a platform-independent, standardised disk-encryption specification for Linux. We’ll be using programs that use LUKS for encryption. Read about it on Wikipedia!
Identify your device
Can’t stress this enough. If you don’t identify the device (your thumb drive) correctly, you’ll end up wiping a different storage device that you never intended to touch.
Plug in your device, and see if there are extra files under /dev. They usually start with sd. My thumb drive assumed /dev/sdb, with partitions like /dev/sdb1, /dev/sdb2 and so on. My memory cards usually assume /dev/mmcblk0 with partitions /dev/mmcblk0p1, /dev/mmcblk0p2 and so on.
Distinction: sdb, sdc, etc. represent devices; sdb1, sdb2, sdc1, sdc2 (those that end in numbers) are usually partitions on the corresponding device. Similarly, mmcblk0, mmcblk1 represent memory card devices and mmcblk0p1, mmcblk1p2 (those that end in p1, p2, etc.) are usually memory card partitions. p1, p2 presumably stand for partition 1, partition 2, etc.
Note the device. This device needs to be formatted in preparation for encrypting. We will create an encrypted layer on the device and then format it to any desired filesystem to be able to use the thumb drive. For the purposes of this exercise, let’s assume that our device is /dev/sde. We will refer to the device as /dev/sde for the rest of the article.
Format the device to LUKS
Warning: THIS WILL NUKE ALL DATA ON DEVICE
To encrypt the device, do:
$ sudo cryptsetup luksFormat /dev/sde
WARNING!
========
This will overwrite data on /dev/sde irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
This will create an encrypted layer on top of the device. You will need the passphrase you chose every time you open the device.
Do not forget the passphrase or you will lose access to your data.
And for the love of all things secure, use a really good passPHRASE (not a pass’WORD’) that’s at least 12 characters long and that has upper/lower case letters and numbers. And no dictionary words or personally identifiable names, please (duh).
Using the device
First, we need to initialize the encrypted device like so:
$ sudo cryptsetup luksOpen /dev/sde mydevice
Enter passphrase for /dev/sde:
The above command creates a virtual mapping of the encrypted device at /dev/mapper/mydevice. mydevice is an arbitrary name and you can specify any name there. Consequently, the mapping should be accessed at /dev/mapper/<nameSpecified>.
Formatting the device (first time only)
Now this device can be formatted with the desired filesystem. This is a one-time step and only needs to be done when the device is first set up.
$ sudo mkfs.ext4 /dev/mapper/mydevice
or for NTFS (assuming you have NTFS drivers):
$ sudo mkfs.ntfs /dev/mapper/mydevice
Mounting the filesystem
Now the filesystem can be mounted like any other filesystem:
$ sudo mount /dev/mapper/mydevice /media
You can verify the mount using the mount command or the df command. From now on, you can use the device by doing cryptsetup luksOpen and then mounting the mapper device.
Unmounting the device securely
The device can be unmounted securely like so:
$ sudo umount /dev/mapper/mydevice
$ sudo cryptsetup luksClose mydevice
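The "identify your device" warning above and the open/mount/umount/close steps can be wrapped in a few shell functions. This is an added example, not code from the original article; the function names, the mounts-table check and the device/partition classifier are my own, and the wrapper assumes cryptsetup, mount and umount are in PATH and that it is run as root for real use.

```shell
#!/bin/sh
# Added example (not from the article): small helpers around the article's steps.
# Assumption: POSIX sh; cryptsetup/mount/umount available; root for real use.

# Classify a bare /dev name per the article's rule: sdb/sdc and mmcblk0 are whole
# devices, sdb1/sdc2 and mmcblk0p1 are partitions. Prints device|partition|unknown.
classify_name() {
    case "$1" in
        mmcblk*p[0-9]*) echo partition ;;
        mmcblk*)        echo device ;;
        sd[a-z]*[0-9])  echo partition ;;
        sd[a-z]*)       echo device ;;
        *)              echo unknown ;;
    esac
}

# Succeeds (exit 0) if $1 (e.g. /dev/sde) or any partition of it appears as a
# mount source in the mounts table read from stdin (normally /proc/mounts).
dev_is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }'
}

# Refuse to touch anything that is not a block device or is currently mounted:
# a mounted target is the classic sign of having picked the wrong /dev name.
check_target() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if dev_is_mounted "$dev" < /proc/mounts; then
        echo "$dev or one of its partitions is mounted; wrong device?" >&2
        return 1
    fi
    return 0
}

# usage: luks_open_mount /dev/sde mydevice /media
luks_open_mount() {
    check_target "$1" || return 1
    cryptsetup luksOpen "$1" "$2" && mount "/dev/mapper/$2" "$3"
}

# usage: luks_umount_close mydevice
luks_umount_close() {
    umount "/dev/mapper/$1" && cryptsetup luksClose "$1"
}
```

Source the file and call luks_open_mount before use and luks_umount_close when done; mkfs on /dev/mapper/<name> is still a separate first-time step, as in the article.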
Adding additional pass-phrases
You can add up to 8 passphrases for each LUKS device (see the man page for more info). To add an extra key, use the following command; you first have to provide an existing passphrase, then the new one:
$ sudo cryptsetup luksAddKey /dev/sde
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
Removing a pass-phrase
To remove an existing passphrase, do:
$ sudo cryptsetup luksRemoveKey /dev/sde
Then enter the passphrase you want to remove from the device.
Getting LUKS status
If you are interested in the status of the LUKS mapping, use the following command:
$ sudo cryptsetup -v status mydevice
/dev/mapper/mydevice is active.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sde
offset: 4096 sectors
size: 419426304 sectors
mode: read/write
Command successful.
Note that this article is about block-level disk encryption, not stacked file-level encryption such as eCryptfs. With block-level encryption the whole disk is encrypted and the filesystem layer sits on top of the encryption layer, whereas a stacked scheme does its encryption on top of the filesystem layer, for specific subtrees of the Linux file hierarchy.