One of the best ways to protect your files on a Linux system is to enable hard disk encryption. It’s possible to encrypt an entire hard drive or partition, which will keep every file that resides there safe. Without the correct decryption key, prying eyes will only be able to see cryptic gibberish when they try to read your files.
In this guide, we’ll go over the step by step instructions of using LUKS to encrypt a Linux partition. Regardless of what Linux distro you’re running, these steps should work the same. Follow along with us below to get partition encryption configured on your own system.
In this tutorial you will learn:
- How to install cryptsetup on major Linux distros
- How to create an encrypted partition
- How to mount or unmount encrypted partition
- How to setup disk encryption during Linux install
Category | Requirements, Conventions or Software Version Used
---|---
System | Any Linux distro
Software | LUKS, cryptsetup
Other | Privileged access to your Linux system as root or via the sudo command.
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux commands to be executed as a regular non-privileged user
Install cryptsetup on major Linux distros
To start things off, we’ll need to install the necessary packages on our system in order to configure partition encryption. Note that some of this software may already be installed by default, but there’s no harm in running the commands again. Use the appropriate command below to install the packages with your system’s package manager.
To install cryptsetup on Ubuntu, Debian, and Linux Mint:
$ sudo apt install cryptsetup
To install cryptsetup on CentOS, Fedora, AlmaLinux, and Red Hat:
$ sudo dnf install cryptsetup
To install cryptsetup on Arch Linux and Manjaro:
$ sudo pacman -S cryptsetup
Create encrypted partition
We will be setting up a 10 GB encrypted volume on a separate hard disk, using the whole disk as a single LUKS container. You can easily adapt the commands below if you need a bigger volume, if you want to encrypt a single partition rather than a whole disk, or if your device is named differently than ours.
The following commands will erase your partition completely. If you have important files on the disk, move them off to a safe location before following the steps below. Afterwards, you can move them back on to the (now encrypted) partition.
- You can identify the partition or hard disk that you want to encrypt by running the fdisk command. This shows how each drive is referenced by the system; make a note of the device name for the commands that follow.
# fdisk -l
- In our case the output shows that the hard drive we'll be working with is /dev/sdb. We encrypt the whole disk as one LUKS container; to encrypt a single partition instead, substitute its node (for example /dev/sdb1) in every command below. We can now use cryptsetup to create the LUKS container by running the following command. It asks you to confirm the destructive operation by typing YES in uppercase, then prompts twice for a passphrase. Choose a long passphrase that you can still remember: if you forget it the data is unrecoverable, and if it is easily guessed the encryption protects nothing.
# cryptsetup luksFormat /dev/sdb
The default options for this command should suffice (current cryptsetup releases, 2.1 and later, create a LUKS2 header with aes-xts-plain64 by default), but you can specify a different cipher, key size, hash, PBKDF and more if you want. Check out the cryptsetup man page for full details.
- Next, we will open the volume on to the device mapper. At this point, we will be prompted for the passphrase that we just configured in the previous step. We also have to specify the name that we want our volume mapped as; you can pick any name that you find convenient. We'll just call ours "encrypted", so the unlocked device appears as /dev/mapper/encrypted.
# cryptsetup open /dev/sdb encrypted
Enter passphrase for /dev/sdb:
- Now we will put a file system onto the disk. This is what will make it accessible and writable for normal user tasks. For this tutorial, we’ll just use the ext4 file system. You’ll probably want to use it too.
# mkfs.ext4 /dev/mapper/encrypted
After your file system is created, the disk is ready to be used. See the section below for instructions on how to mount the encrypted partition, which will make it accessible.
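The steps above, wrapped in a script with the checks a practitioner wants before a destructive luksFormat. This is an added example, not code from the original guide: it assumes the device and mapper name are passed as arguments (for example /dev/sdb encrypted), that it runs as root, and it adds two things the walkthrough does not mention, a LUKS header backup (the header holds the key slots, so a damaged header makes the data unrecoverable even with the correct passphrase) and a luksDump to confirm what was written.

```shell
#!/bin/sh
# Added example, not from the original guide: create a LUKS2 container on a
# block device with the checks you want before a destructive luksFormat.
# Assumed arguments: <device> <mapper name> [header backup file], run as root.
set -eu

# True if $1 is a block device node.
is_block_device() { [ -b "$1" ]; }

# True if $1 (or a partition on it, e.g. /dev/sdb1) is listed as a mounted source.
is_mounted() {
    grep -q "^$1[0-9p]* " /proc/mounts 2>/dev/null
}

# True if $1 already carries a LUKS header, so we never silently reformat one.
is_luks() { cryptsetup isLuks "$1" 2>/dev/null; }

# The mapper name becomes /dev/mapper/<name>; allow a conservative character set only.
valid_mapper_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

provision_luks() {
    dev=$1; name=$2; header_backup=${3:-/root/luks-header-$name.img}
    valid_mapper_name "$name" || { echo "bad mapper name: $name" >&2; return 1; }
    is_block_device "$dev"   || { echo "$dev is not a block device" >&2; return 1; }
    is_mounted "$dev"        && { echo "$dev is mounted; unmount it first" >&2; return 1; }
    is_luks "$dev"           && { echo "$dev already has a LUKS header; refusing to reformat" >&2; return 1; }

    # Interactive: luksFormat asks for an uppercase YES, then the passphrase twice.
    # LUKS2 and argon2id are the current defaults; naming them makes the choice explicit.
    cryptsetup luksFormat --type luks2 --pbkdf argon2id "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 -L "$name" "/dev/mapper/$name"

    # The header holds the key slots. If it is damaged the data is gone even with
    # the right passphrase, so keep a copy off the disk and guard it like the passphrase.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$header_backup"
    chmod 600 "$header_backup"

    # Confirm what was written: version, cipher, PBKDF, active key slots, UUID.
    cryptsetup luksDump "$dev"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then provision_luks "$@"; fi
```

Run it as root with the device and mapper name, for example `sh provision-luks.sh /dev/sdb encrypted`. The refusal to touch a mounted device or an existing LUKS header is deliberate: luksFormat does not care whether the target is in use, and a stray argument pointing at the wrong disk is the usual way data gets lost with this command.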
How to mount or unmount encrypted partition
To manually mount or unmount the encrypted partition, we need to use the usual mount and umount commands, but also the cryptsetup command to unlock and lock the LUKS container. Here's how we would mount our encrypted partition to the /mnt/encrypted folder.
# cryptsetup --type luks open /dev/sdb encrypted
# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted
To unmount the encrypted partition, we'd use the following two commands. The second one closes the mapped device; until it runs, the data stays readable in plaintext through /dev/mapper/encrypted even though nothing is mounted.
# umount /mnt/encrypted
# cryptsetup close encrypted
We can also set up automatic mounting, so the encrypted partition is unlocked and mounted when the system boots rather than when a user logs in; the boot process will stop and ask for the passphrase. To do that, we'll need to edit the /etc/fstab and /etc/crypttab files.
Add the following line to the /etc/fstab file. Here we are telling the system where to mount our encrypted partition, which we've specified as /mnt/encrypted.
/dev/mapper/encrypted /mnt/encrypted ext4 defaults 0 0
Then, edit the /etc/crypttab file and add the following line. The fields are the mapper name, the underlying device, and the key file; we write "none" because we don't want a key file and would rather be prompted for the passphrase. Note that /dev/sdb can be renumbered if disks are added or removed; the command cryptsetup luksUUID /dev/sdb prints the container's UUID, which you can put in the second field as UUID=<uuid> so the entry survives such changes.
encrypted /dev/sdb none
Now, when our system boots up, we will see a prompt that asks us for the passphrase to mount the encrypted partition.
After a reboot our encrypted partition is mounted and accessible under the directory we configured, /mnt/encrypted. Make sure this directory (or whichever one you're using) exists before you try to mount the partition there.
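The crypttab and fstab configuration above, generated by a script that keys the entries on the LUKS UUID instead of /dev/sdb and exercises the result before a reboot. This is an added example, not part of the original guide; it assumes the device, mapper name and mount point are passed as arguments (for example /dev/sdb encrypted /mnt/encrypted), that it runs as root, and that the udev-managed /dev/disk/by-uuid/ symlinks exist. The nofail mount option is a choice for a data disk that should not block boot when it is absent; drop it for a volume the system needs.

```shell
#!/bin/sh
# Added example, not from the original guide: register an existing LUKS device
# for unlocking at boot (/etc/crypttab) and mounting (/etc/fstab), keyed on the
# LUKS UUID because /dev/sdX names can change between boots.
# Assumed arguments: <device> <mapper name> <mount point>, run as root.
set -eu

# LUKS UUIDs are 8-4-4-4-12 lowercase hex; refuse anything else before touching config files.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab fields: <mapper name> <source> <key file> <options>.
# "none" means prompt for the passphrase at boot; "luks" states the container type.
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab line for the mapped device. nofail lets boot continue if the disk is
# absent (a data-disk choice); pass number 2 runs fsck after the root filesystem.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# Append a line only if that exact line is not already present, so re-running
# the script does not duplicate entries.
append_once() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

register_luks_mount() {
    dev=$1; name=$2; mnt=$3
    uuid=$(cryptsetup luksUUID "$dev")
    valid_uuid "$uuid" || { echo "unexpected UUID from $dev: $uuid" >&2; return 1; }
    mkdir -p "$mnt"
    append_once /etc/crypttab "$(crypttab_entry "$name" "$uuid")"
    append_once /etc/fstab "$(fstab_entry "$name" "$mnt")"

    # Exercise the new configuration now instead of discovering a typo at the
    # next boot: unlock through the same by-uuid path udev provides, mount from
    # fstab by mount point, and let systemd regenerate its crypttab-derived units.
    [ -e "/dev/mapper/$name" ] || cryptsetup open "/dev/disk/by-uuid/$uuid" "$name"
    mount "$mnt"
    systemctl daemon-reload
    findmnt "$mnt"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then register_luks_mount "$@"; fi
```

Run it as root, for example `sh register-luks-mount.sh /dev/sdb encrypted /mnt/encrypted`, and check that findmnt reports the mapped device before rebooting. Keying on the UUID matters more than it looks: if /dev/sdb becomes /dev/sdc after a disk is added, a crypttab entry naming /dev/sdb will prompt for a passphrase against the wrong device and fail every time.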
How to setup disk encryption during Linux install
Note that many Linux distros offer full disk encryption when you are first installing the operating system. You just need to make sure that you select this option when you are going through the installation prompts. It’s normally in the same menu as the partitioning and other hard disk configuration options.
For example, on an Ubuntu system, you would need to first select “advanced features” under the partitioning menu.
And then select “Encrypt the new Ubuntu installation for security” option in the next menu.
These settings use the same LUKS mechanism we have covered in this guide, although installers usually place LVM on top of the LUKS container so that the root and swap volumes are unlocked with a single passphrase.
Closing Thoughts
In this guide, we saw how to configure an encrypted LUKS partition to protect our files on Linux. We also saw how to manually and automatically mount the partition. You can follow this guide whether you are setting up a brand new Linux installation, or have an existing install that you want to add disk encryption to. This is one of the easiest and most secure ways to protect your files and keep them for your eyes only.