This guide will walk you through the creation of an encrypted filesystem using LUKS. LUKS, the Linux Unified Key Setup, is a standard format for Linux hard disk encryption. It has a lot of interesting features, such as using a key on a removable disk, keeping multiple keys, and more. This is the technology used by the Debian Installer (since etch beta3) and is quickly becoming a standard in the Linux world.
Who this guide is for:
This guide is for anyone who wants to secure their data using an encrypted partition. While it is tailored to users of Debian, it should apply elsewhere in the Linux world. This guide is intended to add an encrypted device to an existing install; if you are contemplating a fresh install, the Debian Installer will configure encrypted filesystems for you.
Ready? Then let’s begin.
Prepare the partition (or other block device) to be used
This can be a partition on disk, a logical volume in LVM or some other block device. For this example, I created a 40 GB volume in LVM.
- For a physical partition, you would need to have an entire partition available on disk. Instructions for this can be found from many other sources.
- For LVM, create a logical volume like this:
lvcreate -n crypto_test --size 40g asimov-vol
Install cryptsetup:
This utility provides an interface to the code in the Linux kernel that handles encrypted block devices. It’s packaged for Debian in both testing and unstable; stable has an older version and I don’t know whether or not it will work in the same manner.
apt-get install cryptsetup
Set up encryption on the partition:
This initializes the partition for encryption and sets the initial key. People not using LVM will want a path like /dev/hdxY where hdxY is the partition on their hard drive that will be used for encryption.
Important! This command will wipe out anything on that partition.
cryptsetup luksFormat /dev/mapper/asimov--vol-crypto_test
This will overwrite data on /dev/mapper/asimov--vol-crypto_test irrevocably. Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Congratulations! You now have an encrypted block device! However, it’s not quite ready to use.
Open and map the device:
This opens the device (prompting for a passphrase) and maps it to a block device in /dev/mapper. This can be used like any other block device, and the encryption/decryption is transparent. The first path (/dev/mapper/asimov--vol-crypto_test) is the encrypted partition you set up earlier. The name (crypto_test) is the name of the volume; the block device will be mapped as /dev/mapper/<name>.
cryptsetup luksOpen /dev/mapper/asimov--vol-crypto_test crypto_test
Enter LUKS passphrase:
key slot 0 unlocked.
Create the filesystem of your choice on the device:
This is just like setting up any other block device. I use ext3; others may prefer different formats.
Add the definition to /etc/crypttab:
/etc/crypttab is a list of encrypted devices that are mapped on boot. The format is <map name> <path to device> <key file> <options>. Since we’re using a passphrase, we don’t have a key file, so the key file field is "none".
crypto_test /dev/mapper/asimov--vol-crypto_test none luks
Create a mount point:
This is where the encrypted device will be mounted on your filesystem.
Add the device to /etc/fstab:
/etc/fstab tells the computer where to mount different devices on the filesystem. The format is:
<source path> <mount path> <type of filesystem> <mount options> <dump frequency> <fsck pass>
More information can be found by reading the manual page:
man 5 fstab
You will want to add a line like this somewhere in this file:
/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2
Update the initial ramdisk:
The initial ramdisk is used to jumpstart the boot process and load modules for the kernel that it can’t load itself (such as drivers for block devices that contain the modules it uses). I’m not sure if this is needed or not, but I wanted to be on the safe side.
update-initramfs -u -k all
Now your encrypted filesystem is completely set up! Reboot the system and you will see it prompt you for your passphrase during the boot cycle. Once the passphrase has been entered, the encryption is completely transparent. If you want to use your encrypted filesystem before rebooting, simply type
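Before rebooting, it is worth cross-checking the /etc/crypttab and /etc/fstab lines added above, since a mismatch between them shows up as a hung or failed boot. The script below is an added example, not part of the original guide; the file contents in demo are constructed, the UUID value is a placeholder, and the check_crypt_config and demo function names are mine.

```shell
#!/bin/sh
# Cross-check a crypttab against an fstab; prints each finding, returns the count (0 = clean).
check_crypt_config() {
    crypttab=$1
    fstab=$2
    errors=0
    while read -r name device keyfile options; do
        case "$name" in '' | '#'*) continue ;; esac   # skip blank lines and comments
        # 1. the guide's crypttab line carries the "luks" option; flag entries that omit it
        case ",$options," in
            *,luks,*) ;;
            *) echo "ERROR: $name: options '$options' do not include 'luks'"
               errors=$((errors + 1)) ;;
        esac
        # 2. kernel names like /dev/hda3 can change between boots; UUID=<luks uuid> is stable
        case "$device" in
            /dev/[hs]d*) echo "WARNING: $name: source '$device' may be renamed; prefer UUID="
                         errors=$((errors + 1)) ;;
        esac
        # 3. the mapped device should be mounted by fstab; otherwise you are prompted for nothing
        if ! grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "WARNING: $name: /dev/mapper/$name has no entry in $fstab"
            errors=$((errors + 1))
        fi
    done < "$crypttab"
    return "$errors"
}

# Constructed sample files (not from a real system): one clean entry, one on an
# unstable device name, one missing both the luks option and an fstab line.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# <map name> <path to device> <key file> <options>
crypto_test /dev/mapper/asimov--vol-crypto_test none luks
crypto_home /dev/hda3 none luks
crypto_tmp UUID=PLACEHOLDER-LUKS-UUID none cipher=aes-cbc-essiv:sha256
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/crypto_test /mnt/crypto_test ext3 defaults 0 2
/dev/mapper/crypto_home /home ext3 defaults 0 2
EOF
    check_crypt_config "$dir/crypttab" "$dir/fstab"
    rc=$?
    rm -rf "$dir"
    return "$rc"   # 3 findings for the sample above
}
demo || echo "sample run finished with $? finding(s); use check_crypt_config /etc/crypttab /etc/fstab on the real files"
```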