How to Encrypt Disk with LUKS

Meher Askri
Aug 2, 2024

Hello and welcome again,

In this article, I’m going to share with you the steps to encrypt a filesystem using LUKS on a Linux system.

But what is LUKS?

LUKS stands for Linux Unified Key Setup. It is a disk encryption program and the standard disk encryption format on Red Hat family distributions.

LUKS provides strong encryption for data and allows us to encrypt entire storage devices, such as hard drives or partitions (commonly used to enhance the security of sensitive data on Linux).

LUKS offers several key features and advantages that make it a good choice for disk encryption (I’m not here to discuss LUKS advantages; if you’re interested in knowing more about it, check the documentation 😊).

Now that we know about LUKS, let’s jump into the command line so that I can show you how to do it.

The first thing I’m going to do is create a partition on my device.

As you can see, I have a disk “/dev/vdb” with 2G of space. I created a 1G partition using a little bash script (partition.sh) because I’m a little bit lazy 😊 (we could automate the whole procedure with a bash script, but I want to show the steps manually so we can understand every step).

OK, let’s move to the next step and encrypt the partition using the cryptsetup command (some people may get confused, but in reality we are creating an encryption layer on top of the partition layer).

All right, so the luksFormat command formats the partition with LUKS encryption, meaning it initializes a LUKS header and sets up the encryption parameters. Next, type YES in uppercase, and finally, when it prompts you for a password, make sure it’s a good password 😁.

If we want to verify that it is encrypted, we can use the file command like this:

Now that the partition is encrypted, let’s open it so we can use it. We also need to assign a name to the mapper device. In this example, I’m calling it “new”.

And that’s it! 😁 No, I’m joking. Now, let’s proceed to create a filesystem, just as we usually do.

And let’s mount it:

And let’s add it to /etc/fstab to make the mount persistent.

Finally, before we reboot, let’s add this line to /etc/crypttab so the system knows it’s an encrypted partition; otherwise, the system may not boot correctly.

Let’s reboot and see what happens.

And it’s prompting us for the passphrase. From here, we can enter the password and continue to boot normally. However, this solution is not the most flexible or convenient, especially in scenarios where automation or remote access is required.

So what do we do???

Well, there are a lot of solutions. We can use systemd to automate the unlocking process during boot, or we can use key files.

I want to keep things simple, so we’ll go with the easiest solution, which is key files.

Let’s create a key file, add it to the key slots in LUKS, and then modify /etc/crypttab again.

I’ve created a simple password, “goodpass1234@”. Of course, you can generate a stronger password (this is just a demo).

And let’s add it to the key slots in LUKS using the luksAddKey command:

Of course, you need to be aware that you should provide the full path to the key (in my case, it’s in the root directory). When prompted for the passphrase, use the first one you created earlier because it’s the only key we have right now.

Next, let’s verify that our key was added using the luksDump command:

Unfortunately, I had to reduce the font size of my terminal to show you that we now have 2 key slots (slots 0 and 1). LUKS supports up to 8 slots in total.

Finally, let’s modify /etc/crypttab: instead of none in the third field, we are going to specify the absolute path to the encryption key file.

And that’s it, let’s reboot:

And, as you can see, we have reached the login screen, which means there are no problems with LUKS. Let me SSH to this server to verify that the LUKS partition is mounted and opened automatically using the keyfile.

Et voilà, the partition is mounted and opened successfully.

Feel free to reach out or leave a comment if you have any questions. Please don’t forget to share and like if you find it helpful.

Thank you for reading and I’ll see you in the next one.
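A key file named in /etc/crypttab unlocks the volume for anyone who can read it, so its permissions matter as much as the passphrase did. The script below is an added example, not part of the original article: it reads a crypttab-format file and flags key files that are accessible to group or others, or not owned by the expected user. The function names, the sample entries and the device names /dev/vdb1 to /dev/vdb3 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit key files named in the third field of a crypttab-format file.
# Usage: audit_crypttab FILE [EXPECTED_OWNER_UID]  (owner defaults to 0, root)
# Narrow check: plain key file paths only, GNU/Linux stat(1) assumed.
audit_crypttab() {
    local crypttab="$1" owner="${2:-0}" status=0 name device key opts mode uid
    [ -r "$crypttab" ] || { echo "FAIL cannot read $crypttab"; return 2; }
    while read -r name device key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$key" in
            ''|none|-) echo "OK   $name: passphrase prompt at boot"; continue ;;
            /dev/*)    echo "SKIP $name: key read from device $key"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: key file $key not found"; status=1; continue
        fi
        mode=$(stat -c '%a' "$key"); uid=$(stat -c '%u' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            # Group/other bits let unprivileged users read or replace the key.
            echo "FAIL $name: $key has mode $mode, expected 400 or 600"; status=1
        elif [ "$uid" != "$owner" ]; then
            echo "FAIL $name: $key is owned by uid $uid, expected $owner"; status=1
        else
            echo "OK   $name: $key (mode $mode)"
        fi
    done < "$crypttab"
    return "$status"
}

# Constructed sample: scratch key files and made-up entries, no real volumes.
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf 'k' > "$d/good.key"; chmod 600 "$d/good.key"
    printf 'k' > "$d/open.key"; chmod 644 "$d/open.key"
    cat > "$d/crypttab" <<EOF
# name  device     key file  options
new     /dev/vdb1  none
data    /dev/vdb2  $d/good.key
backup  /dev/vdb3  $d/open.key  luks
EOF
    audit_crypttab "$d/crypttab" "$(id -u)" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true   # demo returns 1 because the "backup" key file is mode 644
```

On a real system, run `audit_crypttab /etc/crypttab` as root; a non-zero exit status means at least one key file needs `chmod 400` or `chown root`.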
