Encrypt your data using LUKS (Linux)



Introduction

This is meant to be a quick rough-and-ready guide for setting up a new encrypted partition, or changing an existing one (e.g. your home directory) into an encrypted partition. To find out what partitions exist on your system and what size they are, use the command "df -h" as follows:

$ df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   14G  5.1G  7.5G  41% /
/dev/sda5                         99M   19M   76M  20% /boot
tmpfs                             442M     0  442M   0% /dev/shm
/dev/mapper/VolGroup00-LogVol02    79G   17G   63G  22% /home

In this example, you can see that I have a 79 Gigabyte /home partition which is managed by the LVM (logical volume manager), with device address /dev/mapper/VolGroup00-LogVol02. I want to turn this into an encrypted partition.

You will need to have the "cryptsetup" program installed. If you have SELinux running (which it is by default on Fedora) then you might also need "restorecon". On Fedora, I think these are already installed in a default installation; if you’ve removed them or just want to be sure, you can get them back with:

% yum install cryptsetup-luks policycoreutils

In this guide I will tell you how to change an existing partition into an encrypted one. If you do not have an existing partition (i.e. you are adding a new partition and do not yet have any data), then you can skip steps 1. and 3.


1. Copy data off your partition

You cannot change an existing partition into an encrypted one in one stage. You need to remove the data, create the encrypted partition, and then copy it back. Use whatever tools you like to copy the data (e.g. /bin/cp, or drag and drop from your desktop).

% cp -a /home /path/to/backup/directory/

2. Format your partition with LUKS

If you have a partition that is ready to use (i.e. it exists and it contains no data that you want to keep), then you can prepare it with "cryptsetup luksFormat" followed by the device name. The device name will either be a device for a hard disk partition (e.g. /dev/sdb1) or for a LVM logical volume. You will need to be the root user. You will be asked to set a password for use with the encryption.

% /sbin/cryptsetup luksFormat /dev/mapper/VolGroup00-LogVol02

3. Open your partition with LUKS

Now the partition needs to be made known to the encryption manager. You will be asked for the password that you created above. The name "home" here is arbitrary – you can use whatever name you like.

% cryptsetup luksOpen /dev/mapper/VolGroup00-LogVol02 home

4. Format the partition (filesystem format)

The partition is now available, but needs to be formatted with the normal filesystem tools in order to be usable. In this next command, the -L switch gives a filesystem label, which is again arbitrary, and the "home" in the final argument /dev/mapper/home corresponds to the name given in step 3, above.

% mke2fs -j -m 0 -L /home /dev/mapper/home



5. Make the partition available

If you want your partition to be available when the computer boots (i.e. so that you don’t have to open it manually every time), you need to add an entry to the file /etc/crypttab. Open this file in a text editor (you will still need to be the root user) and add a line like this. The first entry corresponds to the name from step 3, and the second entry to the device from the introduction.

home    /dev/mapper/VolGroup00-LogVol02

You will also want to make the partition known in the file /etc/fstab. Open this file and add a line like this (replacing any previous entry in the same file for the same partition if you are replacing an existing one):

/dev/mapper/home        /home                   ext3    defaults        1 2

In my example, the previous entry that needed replacing would be this:

/dev/mapper/VolGroup00-LogVol02   /home                   ext3    defaults        1 2
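The easy mistake in step 5 is leaving the old /etc/fstab entry in place, so that the system tries to mount the raw LVM device (which is now a LUKS container full of ciphertext) instead of /dev/mapper/home. The following script is an added example, not part of the original guide: it cross-checks a crypttab and an fstab and fails if any fstab entry mounts a device that crypttab lists as a LUKS backing device, and warns if a crypttab name has no fstab entry at all. The demo_case function builds constructed sample files mirroring the guide's example (the file names and the function names are my own; nothing here touches the real /etc files).

```shell
#!/bin/sh
# Added example: cross-check crypttab against fstab so a stale fstab entry
# that still points at the raw (now LUKS-formatted) device is caught before
# a reboot. Not part of the original guide.
#
# Usage: check_crypt_fstab /etc/crypttab /etc/fstab
# Exit status: 0 = consistent, 1 = at least one ERROR (printed on stderr).
check_crypt_fstab() {
    awk '
        BEGIN { bad = 0 }
        # First file (crypttab): NAME BACKING_DEVICE [...]
        # Remember which devices are LUKS containers and which mapper names
        # we therefore expect to see mounted.
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*(#|$)/) next
            backing[$2] = $1
            mapped["/dev/mapper/" $1] = 1
            next
        }
        # Second file (fstab): DEVICE MOUNTPOINT TYPE OPTIONS DUMP PASS
        /^[ \t]*(#|$)/ { next }
        {
            if ($1 in backing) {
                printf "ERROR: %s line %d mounts %s directly; it is the LUKS container for \"%s\" (use /dev/mapper/%s)\n",
                    FILENAME, FNR, $1, backing[$1], backing[$1] > "/dev/stderr"
                bad = 1
            }
            if ($1 in mapped) seen[$1] = 1
        }
        END {
            for (m in mapped)
                if (!(m in seen))
                    printf "WARNING: no fstab entry mounts %s\n", m > "/dev/stderr"
            exit bad
        }
    ' "$1" "$2"
}

# Constructed demo (hypothetical files in a temp dir, not the real /etc).
# The crypttab is the one from step 5; the single fstab line is supplied by
# the caller so both the stale and the corrected entry can be tried.
# Returns the status of check_crypt_fstab.
demo_case() {
    tmp=$(mktemp -d)
    printf 'home    /dev/mapper/VolGroup00-LogVol02\n' > "$tmp/crypttab"
    printf '%s\n' "$1" > "$tmp/fstab"
    check_crypt_fstab "$tmp/crypttab" "$tmp/fstab"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# When run directly with two arguments, check the given files.
if [ "$#" -eq 2 ]; then
    check_crypt_fstab "$1" "$2"
fi
```

Run it as `sh check.sh /etc/crypttab /etc/fstab` before rebooting; the pre-encryption entry from the example above produces an ERROR, while the corrected /dev/mapper/home entry passes cleanly. Note that /dev/mapper also holds plain LVM volumes, which is why the script only complains about devices that crypttab actually names as backing devices rather than about every mapper path it does not recognise.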

6. Mount the partition

Now you can either reboot your computer and have the partition automatically mounted (via the entry you made in step 5), or you can do it manually as follows.

% mount /home

or

% mount /dev/mapper/home

7. Copy your data on to the partition

Now, if applicable, get back the data that you copied in step 1. If you are using SELinux then you might also need to tell your computer to restore the security contexts of the files, depending on whether the place you copied the files to supported security contexts or not – if it was a USB stick or pen drive then it probably didn’t. There’s no harm in restoring them anyway:

% cp -a /path/to/backup/directory/home/* /home/
% restorecon -r /home

8. That’s it!

That’s all. You may find that your computer automatically offers to do various helpful things (such as automatically mount the partition), depending on what you’ve got installed.





Feedback / E-mail / Anything I forgot to mention?: Use the address on my homepage
(Of course, please try Google first).


2 Responses to Encrypt your data using LUKS (Linux)

  1. Hey, can you help me? I need to decrypt my disk, how can I do that?

    I need to do this because I bought an SSD drive to replace my old big & slow 7200tr …
    (I’m under Fedora)

    Thanks

    • Hi Ben,

      These days, if you’re running GNOME or KDE as your desktop, then whenever you insert an encrypted disk, it should handle it all for you.

      But if you want to use the CLI, then you would run a “cryptsetup luksOpen” command, to get a decrypted device in /dev/mapper/, and then mount that device with mount – basically steps 3 & 6 in this guide (which I wrote several years ago, so I don’t exactly have it at my fingertips – but I know that those are the only two steps).

      David
