Disk encryption is used to encrypt the entire hard disk or a thumb drive in order to secure and protect the information contained within from prying eyes. For this exercise, we shall be using the program called cryptsetup to encrypt a thumb drive.
These instructions can also be extended to hard-disks for full-disk encryption.
Install cryptsetup
On Debian / Ubuntu, do:
$ sudo apt-get install cryptsetupOn RedHat / Fedora, do:
$ sudo yum install cryptsetup-luksLinux Unified Key Setup (LUKS) is a platform independent standardised disk-encryption specification for Linux. We’ll be using programs that use LUKS for encryption. Read about it on Wikipedia!
Identify your device
Can’t stress this enough. If you don’t identify the device (your thumb drive) correctly, you’ll end up screwing a different storage device that you didn’t originally intend to wipe.
Plug in your device, and see if there are extra files under /dev. They usually start with sd. My thumb drive assumed /dev/sdb. With partitions like /dev/sdb1, /dev/sdb2 and so on. My memory cards usually assume /dev/mmcblk0 with partitions /dev/mmcblk0p1, /dev/mmcblk0p2 and so on
Distinction:
sdb,sdc, etc represent devices;sdb1,sdb2,sdc1,sdc2(that which end in numbers) are usually partitions on the corresponding device. Similarly,mmcblk0,mmcblk1represent memory card devices andmmcblk0p1,mmcblk1p2, (that which end in p1, p2, etc.) are usually memory card partitions.p1, p2 presumably stand for partition 1, partition 2, etc.
Note the device. This device needs to be formatted in preparation for encrypting. We will create an encrypted layer on the device and then format it to any desired filesystem to be able to use the thumb drive. For the purposes of this exercise, let’s assume that our device is /dev/sde. We will refer to the device as /dev/sde for the rest of the article.
Format the device to LUKS
Warning: THIS WILL NUKE ALL DATA ON DEVICE
To encrypt the device, do:
$ sudo cryptsetup luksFormat /dev/sde
WARNING!
========
This will overwrite data on /dev/sde irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.This will create an encrypted layer on top of the device. You will use the passphrase you chose to use the device when you need to.
Do not forget the passphrase or you will lose access to your data.
And for the love of all things secure, use a really good passPHRASE (not a pass’WORD’) that’s at least 12 characters long and that has upper/lower case letters and numbers. And no dictionary words or personally identifiable names, please (duh).
Using the device
First, we need to initialize the encrypted device like so:
$ sudo cryptsetup luksOpen /dev/sde mydevice
Enter passphrase for /dev/sde:The above command creates a virtual mapping of the encrypted device at /dev/mapper/mydevice. mydevice is an arbitrary name and you can specify any name there. Consequently, the mapping should be accessed at /dev/mapper/<nameSpecified>
Formating the device ( first time only )
Now this device can be formatted in the desired filesystem. This is a one time step and needs to be done the first time.
$ sudo mkfs.ext4 /dev/mapper/mydeviceor for NTFS (assuming you have NTFS drivers):
$ sudo mkfs.ntfs /dev/mapper/mydeviceMounting the filesystem
Now the filesystem can be mounted like any other filesystem
$ sudo mount /dev/mapper/mydevice /mediaYou can verify the mount using the mount command or the df command. From now on, you can use the device by doing cryptsetup luksOpen and then mounting the mapper device.
Unmounting the device securely
The device can be unmounted securely like so:
$ sudo umount /dev/mapper/mydevice
$ sudo cryptsetup luksClose mydeviceAdding additional pass-phrases
You can add up to 8 passphrases for each LUKS device. See man page for more info. To add an extra key, use the following command: At first you have to provide an existing pass-phrase, later a new pass-phrase.
$ sudo cryptsetup luksAddKey /dev/sde
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:Removing a pass-phrase
To remove an existing passphrase, do:
$ sudo cryptsetup luksRemoveKey /dev/sdeThen enter the passphrase you want to remove from the device.
Getting LUKS status
If you are interested in the status of the LUKS mapping, use the following command:
$ sudo cryptsetup -v status mydevice
/dev/mapper/mydevice is active.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sde
offset: 4096 sectors
size: 419426304 sectors
mode: read/write
Command successful.Note that this article is about block level disk encryption and not file level encryption (stacked) like ecryptfs. This means the disk is encrypted completely and the filesystem layer is on top of the encryption layer. Whereas in a stacked encryption scheme, the encryption is done on top of the filesystem layer to specific trees in the Linux file hierarchy system.
Free and Open Source Software Knowledge Base 