Encrypting a disk is one of the security measures that protects data against attacks requiring physical access to the hardware (bare-metal attacks). Nowadays, many organizations, businesses and governments around the world encrypt their disks to protect confidential information such as files, contacts and customer details from manipulation. Encryption transforms the stored data so that it is unreadable to anyone who does not hold the decryption key.
There are basically two encryption approaches:
- Filesystem-level (stacked) encryption, such as eCryptfs and EncFS, which is mounted on a directory on top of the main filesystem
- Block-device-level encryption, where the entire disk or partition holding the filesystem is encrypted. Tools in this category include VeraCrypt, CipherShed, dm-crypt with LUKS and Loop-AES
Cryptsetup is the Linux command-line tool for managing dm-crypt encrypted devices. It can be used to encrypt both internal hard disks and external media. Encryption is set up using the Linux Unified Key Setup (LUKS), a standard on-disk format for encrypted volumes that keeps them usable across distributions.
This guide gives a detailed walkthrough of how to encrypt a disk partition on Ubuntu / Debian using Cryptsetup.
Step 1: Install Cryptsetup on Ubuntu / Debian
The cryptsetup package is available in the default Ubuntu / Debian repositories and can be installed with APT as below.
sudo apt update
sudo apt install cryptsetup
Sample output:
Reading state information... Done
The following package was automatically installed and is no longer required:
linux-image-5.10.0-8-amd64
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
cryptsetup-bin cryptsetup-initramfs cryptsetup-run
Suggested packages:
keyutils
The following NEW packages will be installed:
cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 762 kB of archives.
After this operation, 2,846 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Step 2: Format Disk Partition as LUKS
First, identify the attached drives to your system.
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
sr0 11:0 1 3.7G 0 rom
vda 254:0 0 40G 0 disk
├─vda1 254:1 0 39G 0 part /
├─vda2 254:2 0 1K 0 part
└─vda5 254:5 0 975M 0 part [SWAP]
For this guide, we have the primary disk (vda) and a second disk (sda). We will be using the second disk (sda), which could equally be an external drive or removable media.
Back up any data on the disk first, because luksFormat overwrites it irrevocably, then format it as a LUKS device.
sudo cryptsetup luksFormat /dev/sda
The command above initializes /dev/sda as a LUKS device with the luksFormat action. Confirm as below.
WARNING!
========
This will overwrite data on /dev/sda irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda: <SET-PASSPHRASE>
Verify passphrase: <CONFIRM-PASSPHRASE>
Type YES and provide a passphrase to encrypt the disk. You can also use a key file for encryption, but here we will proceed with the passphrase just set. Once complete, the disk is formatted as a LUKS device and can be viewed as below.
$ lsblk -f
NAME   FSTYPE FSVER LABEL                 UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sda    crypto 2                           95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1
sr0    iso966 Jolie Debian 11.0.0 amd64 1 2021-08-14-11-23-46-00
vda
├─vda1 ext4   1.0                         88c8363f-6c60-4526-b6ac-e8f3609cf71c   31.2G    13% /
├─vda2
└─vda5 swap   1                           7b104eda-111a-4eb1-bd78-c2461193b074                [SWAP]
Step 3: Create a Partition for Encryption
Once the disk has been formatted as LUKS, the data on it cannot be accessed directly. To use it, open (unlock) it, which creates a mapped device, and then create a filesystem on that device as below.
sudo cryptsetup luksOpen /dev/sda cryptpart
Provide the passphrase set above to open the disk.
Run the command below to identify the unlocked device.
lsblk -f
The output now shows a new volume (cryptpart) of type crypt under sda. It is exposed by the Linux device mapper as /dev/mapper/cryptpart.
Now create a filesystem on the mapped device. Here, I will create an ext4 filesystem.
$ sudo mkfs.ext4 /dev/mapper/cryptpart
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 2617344 4k blocks and 655360 inodes
Filesystem UUID: 289493ba-f87b-41c9-803a-c59baf112fff
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Now create a mount point and mount the created partition temporarily.
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/cryptpart /mnt/encrypted
Verify that the filesystem has been mounted.
$ lsblk | grep cryptpart
└─cryptpart 253:0 0 10G 0 crypt /mnt/encrypted
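Steps 2 and 3 are a sequence of commands that destroy whatever is on the target device, so it is worth wrapping them in a small script that refuses to run against a device that is currently mounted (for example the disk holding /). The script below is an added example and is not part of the original guide; it takes the device, mapper name and mount point used in this guide as arguments, and DRY_RUN=1 and MOUNTS_FILE are its own variables (the latter defaults to /proc/mounts and exists only so the check can be exercised against a constructed mounts table).

```shell
#!/bin/sh
# Added example (not from the original guide): Steps 2-3 wrapped with safety checks.
# Assumptions: DRY_RUN=1 prints the commands instead of running them; MOUNTS_FILE
# defaults to /proc/mounts and is overridable only so the checks can be tried offline.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# device_in_use DEVICE - 0 if DEVICE, or any partition of it (e.g. /dev/vda1), is mounted
device_in_use() {
    grep -Eq "^$1[0-9p]* " "$MOUNTS_FILE"
}

# run CMD... - execute the command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# encrypt_device DEVICE MAPPER_NAME MOUNTPOINT
# luksFormat asks for YES and a passphrase interactively, exactly as in Step 2;
# luksOpen asks for that passphrase again before the filesystem is created.
encrypt_device() {
    dev="$1"; name="$2"; mnt="$3"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -b "$dev" ]; then
        echo "error: $dev is not a block device" >&2
        return 1
    fi
    if device_in_use "$dev"; then
        echo "error: $dev (or a partition on it) is mounted; refusing to luksFormat it" >&2
        return 2
    fi
    run sudo cryptsetup luksFormat "$dev" || return 3
    run sudo cryptsetup luksOpen "$dev" "$name" || return 3
    run sudo mkfs.ext4 "/dev/mapper/$name" || return 3
    run sudo mkdir -p "$mnt" || return 3
    run sudo mount "/dev/mapper/$name" "$mnt"
}

# Usage (preview first, then for real):
#   DRY_RUN=1 encrypt_device /dev/sda cryptpart /mnt/encrypted
#   encrypt_device /dev/sda cryptpart /mnt/encrypted
```

The mount-table check is deliberately prefix-based: asking about /dev/vda also catches /dev/vda1 mounted at /, which is the case that matters most when the wrong device name is typed.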
Step 4: Permanently Mount the Encrypted Disk
Many Linux users know that editing /etc/fstab makes mounts persistent. For encrypted devices there is a second file, /etc/crypttab, that must be set up as well.
Like /etc/fstab, /etc/crypttab is read at boot (by the initramfs and the init system). Based on its entries, the system either prompts for the passphrase or reads a key file automatically, and unlocks the device before the filesystems listed in /etc/fstab are mounted.
Each line of the crypttab file carries the following fields:
- Device name – the name assigned to the unlocked (mapped) device. For this guide, we chose cryptpart
- Encrypted device UUID – identifies the partition holding the encrypted data.
- Key file – none means the passphrase is requested at boot; otherwise, the path to a key file.
- Options – here, you can specify the device type (luks), the number of passphrase tries, the cipher and other parameters.
Identify the UUID for the LUKS partition using the command:
$ sudo blkid | grep -i luks
/dev/sda: UUID="95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1" TYPE="crypto_LUKS"
Now create the file as below.
$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart UUID=<partition_uuid> none luks
Save the file and proceed as below.
Identify the UUID for the ext4 partition.
$ sudo blkid | grep -i ext4
/dev/vda1: UUID="88c8363f-6c60-4526-b6ac-e8f3609cf71c" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="61f2181b-01"
/dev/mapper/cryptpart: UUID="289493ba-f87b-41c9-803a-c59baf112fff" BLOCK_SIZE="4096" TYPE="ext4"
Modify the fstab file as well.
sudo vim /etc/fstab
Add a mount entry for the decrypted (mapped) filesystem.
## Decrypted device will be mounted here ##
UUID=289493ba-f87b-41c9-803a-c59baf112fff /mnt/encrypted ext4 defaults 0 0
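The crypttab and fstab lines in this step, and the key-file variant of the crypttab line used later in Step 6, have a fixed shape, so both can be generated from the two UUIDs instead of being typed by hand, and the UUID can be checked before anything is written to the real files. The script below is an added example and is not part of the original guide; it uses the mapper name, UUIDs and mount point from this guide as inputs, and the luks_uuid_of helper relies on blkid's -s and -o value options.

```shell
#!/bin/sh
# Added example (not from the original guide): build /etc/crypttab and /etc/fstab
# entries from UUIDs, validating the UUID format before anything is written.

# is_uuid STRING - returns 0 if STRING looks like a UUID (8-4-4-4-12 hex groups)
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# luks_uuid_of DEVICE - the UUID blkid reports for the LUKS container (e.g. /dev/sda)
luks_uuid_of() {
    sudo blkid -s UUID -o value "$1"
}

# crypttab_entry NAME LUKS_UUID [KEYFILE]
# Fields: mapper name, UUID of the LUKS device, key file ("none" = ask for the
# passphrase at boot, as in Step 4; a path such as /boot/volume-key as in Step 6), options.
crypttab_entry() {
    name="$1"; uuid="$2"; key="${3:-none}"
    is_uuid "$uuid" || { echo "error: not a UUID: $uuid" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$key"
}

# fstab_entry FS_UUID MOUNTPOINT [FSTYPE] [OPTIONS]
# FS_UUID is the UUID of the filesystem inside the container (/dev/mapper/NAME),
# not the UUID of the LUKS device itself; mixing the two up is a common mistake.
fstab_entry() {
    uuid="$1"; mnt="$2"; fstype="${3:-ext4}"; opts="${4:-defaults}"
    is_uuid "$uuid" || { echo "error: not a UUID: $uuid" >&2; return 1; }
    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mnt" "$fstype" "$opts"
}

# Example run with the UUIDs from this guide; once checked, append the lines to the
# real files with something like: crypttab_entry ... | sudo tee -a /etc/crypttab
crypttab_entry cryptpart 95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1
fstab_entry 289493ba-f87b-41c9-803a-c59baf112fff /mnt/encrypted
```

Passing nofail as the fourth argument to fstab_entry keeps boot from stalling if the device cannot be unlocked, which is worth considering for a data disk that is not needed to bring the system up.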
Step 5: Verify Auto Mount
We will now verify if the device will be mounted automatically on boot. Reboot your system.
sudo reboot
When the system boots, you will be asked for the passphrase to unlock the device.
After providing the passphrase, log in and verify once more that the disk has been mounted.
lsblk -f | grep sda -A 2
Step 6: Create Keys For Automatic Authentication
Typing the passphrase at every boot can be tiring, so you can instead create a key file that authenticates automatically.
The key can be created as below:
echo "StrongPassw0rd" > volume-key
sudo mv volume-key /boot/
Set the required permissions.
sudo chown root:root /boot/volume-key
sudo chmod 0400 /boot/volume-key
Now add the key to the LUKS volume using the syntax:
sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>
For example:
sudo cryptsetup luksAddKey /dev/sda /boot/volume-key
Provide your existing passphrase for the key to be added to the volume. Verify that the key has been added; it appears as an additional key slot in the output.
sudo cryptsetup luksDump /dev/sda
Now modify the crypttab file to use the new authentication method by replacing none with the path to the key file.
$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart UUID=<partition_uuid> /boot/volume-key luks
Verify this by rebooting the system; it should now unlock and mount the device without asking for the passphrase.
sudo reboot
Verify if the device has been mounted.
lsblk -f
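Step 6 as a whole (key creation, permissions, luksAddKey, verification) can be scripted. The script below is an added example and is not code from the original guide. It differs from the guide in one respect: it fills the key file with random bytes from /dev/urandom rather than an echoed password, because cryptsetup uses the file's exact bytes (including the trailing newline that echo adds) as the key, so a random file is both stronger and less likely to be changed accidentally by an editor. It assumes GNU coreutils for stat -c, and DRY_RUN=1 is its own variable that prints the cryptsetup commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original guide): create a random LUKS key file with
# strict permissions, add it to the volume and list the key slots afterwards.
# Assumes GNU coreutils (stat -c); DRY_RUN=1 echoes the cryptsetup commands instead.

# make_keyfile PATH [BYTES] - writes BYTES random bytes (default 64), readable only by its owner
make_keyfile() {
    path="$1"; bytes="${2:-64}"
    [ -e "$path" ] && { echo "error: $path already exists, refusing to overwrite" >&2; return 1; }
    # umask 077 in a subshell so the file is never group/world-readable, even briefly
    ( umask 077; head -c "$bytes" /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
    # only root can hand the file to root; in the guide these steps run via sudo
    [ "$(id -u)" = "0" ] && chown root:root "$path"
    return 0
}

# keyfile_ok PATH [BYTES] - 0 if PATH is a regular file with mode 0400 (and BYTES bytes, if given)
keyfile_ok() {
    path="$1"
    [ -f "$path" ] || return 1
    [ "$(stat -c %a "$path")" = "400" ] || return 1
    [ -z "$2" ] || [ "$(wc -c < "$path")" -eq "$2" ]
}

# run CMD... - execute the command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# add_keyfile DEVICE KEYFILE - adds KEYFILE to a free key slot of DEVICE (luksAddKey
# prompts for an existing passphrase), then dumps the header so the new slot is visible
add_keyfile() {
    dev="$1"; key="$2"
    keyfile_ok "$key" || { echo "error: $key is missing or its permissions are too open" >&2; return 1; }
    run sudo cryptsetup luksAddKey "$dev" "$key" || return 1
    run sudo cryptsetup luksDump "$dev"
}

# Usage, matching the paths in this guide (the first line needs root to write to /boot):
#   make_keyfile /boot/volume-key && add_keyfile /dev/sda /boot/volume-key
```

A design note on placement: /boot is normally unencrypted, so a key file stored there unlocks the volume for anyone who can read that partition. The key file removes the passphrase prompt at boot; it does not remove the need to control physical access to the boot disk, which is the attack the guide set out to address.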
Step 7: Restore the Backup
Voila!
At this point, you can restore the backup made before formatting the disk and enjoy the awesomeness of this tool.
The end!
We have managed to encrypt an Ubuntu / Debian disk partition using Cryptsetup. Now you can keep the encrypted files out of reach of bare-metal attackers.