Encryption is not only for someone who has something to hide. There are simple concerns like a lost or stolen laptop that justify a full disk encryption. There are only a few steps necessary to create a encrypted partition.
In the following a already created partition will be used to create an encrypted volume. To creating the partition layout on the disk tools like gparted (GUI) parted (command-line) fdisk (command-line) or others can be used.
The following partition layout is used in this example. It shows the device /dev/sdc1 with the partitions shown below.
$ sudo fdisk -l /dev/sdc Disk /dev/sdc: 2055 MB, 2055208960 bytes 221 heads, 35 sectors/track, 518 cylinders, total 4014080 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x01bed634 Device Boot Start End Blocks Id System /dev/sdc1 1 4014079 2007039+ 83 Linux
Create luks encrypted partition
To create the encrypted partition on /dev/sdc1, luks is used. The encryption of the partition will be managed using the cryptsetup command. The command below will format the partition sdb5 as luks encrypted partition.
The man page suggests to use the options “–cipher aes-xts-plain” with “–key-size 512” for kernel 2.6.24 or higher. The “luksFormat” action will create the encryption on the partition.
$ sudo cryptsetup --cipher aes-xts-plain --key-size 512 --hash sha512 -v luksFormat /dev/sdc1 WARNING! ======== This will overwrite data on /dev/sdc1 irrevocably. Are you sure? (Type uppercase yes):
YESEnter passphrase: SecurePassword! Verify passphrase: SecurePassword! Command successful.
sudo umount /dev/sdc1
With the successful execution of the above command, the partition is now encrypted. The encrypted partition now needs to be opened to access its content. With the “luksOpen” activity, the encrypted partition provided is opened and mapped to the name specified in the last option.
$ sudo cryptsetup -v luksOpen /dev/sdc1 sdc1crypt Enter passphrase for /dev/sdc1: SecurePassword! Key slot 0 unlocked. Command successful.
The Luks encryption created on the device supports the possibility to configure multiple keys. Those keys are stored in a so called “Key Slot”. To show the configured keys as well as other details of the encrypted partition cryptsetup provides the following “luksDump” action.
$ sudo cryptsetup luksDump /dev/sdc1 LUKS header information for /dev/sdc1 Version: 1 Cipher name: aes Cipher mode: xts-plain Hash spec: sha512 Payload offset: 4096 MK bits: 512 MK digest: a9 a7 02 02 69 9c 2a 66 fa a1 63 18 ce 42 24 40 53 94 af 8d MK salt: e2 48 15 da 0e 63 a9 92 c4 82 be 26 42 b7 c3 bd 70 02 9b e1 e6 9e c0 98 7a 47 b9 10 70 d0 a0 81 MK iterations: 22750 UUID: f30dd479-0ce5-4819-992f-eec11e1a17b8 Key Slot 0: ENABLED Iterations: 90908 Salt: 7c 78 14 18 1f 71 88 64 4e a7 15 32 d1 ba 9c 50 01 7d 96 aa 78 ce 6e 10 6a d6 df c0 b5 e7 c1 42 Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
The partition is now encrypted and opened, but does not jet have a filesystem that can be mounted and used. The lsblk(8) command allows to show the filesystem on a block device.
$ sudo lsblk -f /dev/mapper/sdc1crypt NAME FSTYPE LABEL MOUNTPOINT sdc1crypt (dm-4)
Executed with the mapping name, the command shows that no filesystem is on the encrypted partition.
Create a filesystem on the encrypted partition
Depending on the use of the encrypted partition, the filesystem can be chosen as needed. The following will generate a ext4 filesystem. With the command mkfs(8) a new filesystem will be created on the encrypted partition. The parameter “-t ext4” defines the filesystem while the “-L” option is a ext4 specific option to sets the user friendly label of the filesystem. This label will be used to show the filesystem in the GUI file manager.
$ sudo mkfs -t ext4 -L LuksPartition /dev/mapper/sdc1crypt mke2fs 1.42.9 (4-Feb-2014) Filesystem label=LuksPartition OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) Stride=0 blocks, Stripe width=0 blocks 125440 inodes, 501058 blocks 25052 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=515899392 16 block groups 32768 blocks per group, 32768 fragments per group 7840 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912 Allocating group tables: done Writing inode tables: done Creating journal (8192 blocks): done Writing superblocks and filesystem accounting information: done
The filesystem is now generated on the partition. The filesystem reserves “25052 blocks (5.00%) reserved for the super user” on the filesystem. To manage the reserved space see Utility df shows inconsistent calculation for ext filesystems for details.
Another check with “lsklb” shows already the newly created filesystem ext4.
$ sudo lsblk -f /dev/mapper/sdc1crypt NAME FSTYPE LABEL MOUNTPOINT sdc1crypt (dm-4) ext4 LuksPartition
Finally to use the partition, the filesystem just created needs to be mounted in the system. To manually mount the filesystem in the system a directory to mount the filesystem should be created before the filesystem can be mounted.
$ sudo mkdir /mnt/sdc1crypt/ $ sudo mount /dev/mapper/sdc1crypt /mnt/sdc1crypt/
Executing mount(8) will finaly mount the filesystem passed on as the mapped luks partition at the directory specified. When mount is executed without any parameters, the list of mounted filesystems should now list the mounted filesystem.
/dev/mapper/sdc1crypt on /mnt/sdc1crypt type ext4 (rw)
Remove luks encrypted partition from system
To removing the luks encrypted device properly from the system the following commands should be executed.
$ sudo umount /mnt/sdc1cryp $ sudo cryptsetup -v luksClose sdc1crypt Command successful.
With the first command, the filesystem is unmounted from the system. In the second command cryptsetup is called with the “luksClose” action to close the encrypted partition which will as well remove the mapping.
Backup and safety
The encrypted partition will keep your data safe even when the laptop is lost or stolen. In case of a problem with the luks header on the partition, a backup of the luks header is suggested. Even the man page indicates that a damaged luks header happens “surprising frequently”.
$ sudo cryptsetup -v luksHeaderBackup /dev/sdc1 --header-backup-file LuksHeaderBackup.bin
The above command creates a backup of the luks header which can be used in case of a damaged luks header. The command below is used to restore the luks header. For both operation it is not necessary to have the luks encrypted partition opened.
$ sudo cryptsetup -v luksHeaderRestore /dev/sdc1 --header-backup-file LuksHeaderBackup.bin
Read more of my posts on my blog at https://blog.tinned-software.net/.