Linux Unified Key Setup (LUKS) is a utility for disk encryption based on the DMCrypt kernel module.
It is not recommended to encrypt a partition that already contains data due to the risk of data loss.
The safer approach is to attach a new volume to the system, encrypt it, and then copy the files over.
Edit the partition table of the new volume:
sudo fdisk -l sudo fdisk /dev/sdb
Press the following keys:
- p
- Prints the existing partitions (should have none yet).
- n
- Creates a new partition.
- p
- Primary
- 1
- Partition number.
- <Enter>
- <Enter>
- Partition number.
- 1
- Primary
- p
- Creates a new partition.
- p
- Prints the partition table with the newly created partition.
- w
- Writes the changes to the disk.
Install cryptsetup:
sudo apt-get install cryptsetup -y
Encrypt the partition:
sudo cryptsetup luksFormat /dev/sdb1
Type YES, set a passphrase, and save it securely in a key vault or password manager.
Open (unlock) the partition and give it a meaningful name:
sudo cryptsetup luksOpen /dev/sdb1 partitionName
Inspect the partition:
lsblk
Format the new partition:
sudo mkfs.ext4 /dev/mapper/partitionName
Create a mount point and mount the partition:
sudo mkdir -p /encryptedVolume sudo mount /dev/mapper/partitionName /encryptedVolume
MOUNTING ON BOOT
sudo nano /etc/crypttab
Find the UUID of the new partition:
sudo blkid
Add the following line:
# <target name> <source device> <key file> <options> partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e none luks
Note: For a passphrase, use none in the third column. If using a key file, add its path instead. luks is the mount option.
Now edit fstab:
sudo nano /etc/fstab
Append the following line:
UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e /encryptedVolume ext4 defaults 0 0
Note: During boot you will be prompted for the passphrase. Not all distributions handle this well and may not prompt for it correctly.
Alternatively, create a key file for the volume:
sudo cryptsetup luksAddKey /dev/sdb1 /boot/volume.key
Verify the key was added correctly:
sudo cryptsetup luksDump /dev/sdb1
Then, in /etc/crypttab, enter the path to the key file:
# <target name> <source device> <key file> <options> partitionName UUID=7769dc40-66f1-4028-9fc4-1ac0178a080e /boot/volume.key luks
BONUS
1 – If the drive header gets corrupted, the rest of the drive cannot be decrypted. Back it up with:
cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file LUKS-Header.bin
2 – To restore the header:
cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file LUKS-Header.bin
3 – Press TAB to see all available commands:
cryptsetup <TAB>
4 – Change the passphrase:
cryptsetup luksChangeKey /dev/sdb1
5 – Add multiple keys:
cryptsetup luksAddKey /dev/sdb1
BONUS
Encrypt drives, partitions, or create a container of encrypted files with VeraCrypt [Link]. This open-source app is compatible with Windows, Linux, and MacOS, and also runs on ARM devices such as Raspberry Pis.