LUKS — Disk Encryption

Linux Unified Key Encryption — Disk Encryption

cryptsetupmanage plain dm-crypt and LUKS encrypted volumes

An encrypted blockdevice is protected by a key. A key is either:

  • a passphrase
  • a keyfile

What the..?

Ok.. If you are new to encryption world, then it’s time to get a bit familiar data encryption.

There are 2 methods to encrypt your data:

  • Filesystem stacked level encryption : Form of disk encryption where individual files or directories are encrypted by the file system itself. read more here
  • Block device level encryption : The entire partition or disk, in which the file system resides, is encrypted.

Before things go really technical and scary, let me show you how your data is stored in a harddisk.

Above diagram shows how your data is stored in a harddisk.

  • You create files (I am calling it data chunks) and insert your data in it.
  • These files are stored in a very systematic and managed system called File System.
  • Partitions are formatted to carry a file system on it.
  • Harddisks are divided into Partitions. (Wanna know why? — ask Leo!)

Now when you know how your data is exactly stored in a harddisk. Let’s see how a Block device level encryption works.

Here, a new layer is added in the usual thing.

  • We attach a harddisk to our system.
  • Create partitions on it.
  • Encrypt the complete partition (make it password protected) 🔐
  • Create filesystem (NTFS, EXT4, XFS, etc) on the encrypted partition.
  • Write/save your data chunks.

Just Do It now ✔️

Installing required tools

I am using a RHEL based OS which uses yum/dnf package managers.

yum install cryptsetup -y or dnf install -y cryptsetup

Creating the partition

- check the device name for the harddisk (sdb)

- partitioning tool

formating with luks

- encrypt the partition

- check the encrypted partition

- map the encrypted partition to 'myencrypt'.

- check it

creating a file system

- create a file system on top of the encrypted partition.

- Check the layering and filesystem associated.

creating a mountpoint

If you face such issues - SELinux lables blah blah blah

Type this on magic terminal — - This will restore the SELinux context back to defaults for the destination directory.

Checking luks dumps

Adding new key

Checking the dumps again

Now here are 2 slots available.

  • one with the initial key I entered at the time of setting it up.
  • another, just in the above step.

At this particular moment, there are few questions in my mind.

You should know them too.

  1. If you want to unmount and remove the harddisk. You’ll have to follow the steps:
umount /mountpoints/sdb cryptsetup luksClose myencrypt

2. If you want to open the luks partition with keyfile instead of the passphrase.

cryptsetup -v luksOpen /dev/sdb1 myencrypt --key-file=/etc/luks-keys/mybackup_key

3. What if someone changes the content of the keyfile?

Creating a new key

Add the key to the slots

Use key

So the content inside the keyfile do matter; You can’t change it and expect things to work just fine for you.

Time for some Automation

Get the UUID of the encrypted partition

And make the below entry in file. (Check the UUID for your device - Don't copy mine!!)

myencrypt UUID=48a20857-6f26-4352-89d5-e778f2d98950 /etc/luks-keys/mybackup_key luks

The above line is a combination of 4 fields:

  • name of the mapped device.
  • uuid of the encrypted partition
  • keyfile to unlock the partiotion
  • type of encryption used — luks

And then make below entry in file.

/dev/mapper/myencrypt /mountpoints/sdb xfs defaults 0 0

Want to learn more about crypttab and fstab

Last step to verify if the above steps worked fine or not.

  • Remount and verify (using mount command with 'a' and 'v' flags for clarity)
  • Reboot the system and check if everything works after reboot. (Trust me, things betray sometimes after reboot)

Want to read more about dm-crypt or device encryption?

Originally published at

Connecting the dots and rest is magic.