How to encrypt partition in Linux

One of the best ways to protect your files on a Linux system is to enable hard disk encryption. It’s possible to encrypt an entire hard drive or partition, which will keep every file that resides there safe. Without the correct decryption key, prying eyes will only be able to see cryptic gibberish when they try to read your files.

In this guide, we’ll go over the step by step instructions of using LUKS to encrypt a Linux partition. Regardless of what Linux distro you’re running, these steps should work the same. Follow along with us below to get partition encryption configured on your own system.

In this tutorial you will learn:

  • How to install cryptsetup on major Linux distros
  • How to create an encrypted partition
  • How to mount or unmount encrypted partition
  • How to setup disk encryption during Linux install
How to configure, mount, and access encrypted partition on Linux

How to configure, mount, and access encrypted partition on Linux

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software LUKS, cryptsetup
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Install cryptsetup on major Linux distros



To start things off, we’ll need to install the necessary packages on our system in order to configure partition encryption. Note that some of this software may already be installed by default, but there’s no harm in running the commands again. Use the appropriate command below to install the packages with your system’s package manager.

To install cryptsetup on Ubuntu, Debian, and Linux Mint:

$ sudo apt install cryptsetup

To install cryptsetup on CentOS, Fedora, AlmaLinux, and Red Hat:

$ sudo dnf install cryptsetup

To install cryptsetup on Arch Linux and Manjaro:

$ sudo pacman -S cryptsetup

Create encrypted partition



We will be setting up a 10 GB encrypted partition on a separate hard disk. You can easily adapt some of the commands below if you need to create a bigger partition, or if your partition is named differently than ours, etc.

WARNING
The following commands will erase your partition completely. If you have important files on the disk, move them off to a safe location before following the steps below. Afterwards, you can move them back on to the (now encrypted) partition.
  1. You can identify the partition or hard disk that you want to encrypt by running the fdisk command. This will allow you to see how your hard drive is referenced in the system, and make note of the name for future commands.
    # fdisk -l
    
  2. We can see the name of our hard drive that we wish to encrypt, take note of it for future commands

    We can see the name of our hard drive that we wish to encrypt, take note of it for future commands

  3. As you can see in the screenshot above, the hard drive we’ll be working with is /dev/sdb. We can now use cryptsetup to create the partition by running the following command. You’ll be asked for a passphrase when executing this command. Be sure to choose a very secure, yet memorable password. Your data will be lost if you forget this password, and your data is susceptible to theft if you choose a password that is easily cracked.
    # cryptsetup luksFormat /dev/sdb
    

    The default options for this command should suffice, but you can specify a different cypher, key size, hash, and more details if you want. Check out the cryptsetup man page for full details.



  4. Encrypting the device and entering a passphrase

    Encrypting the device and entering a passphrase

  5. Next, we will open the volume on to the device mapper. At this point, we will be prompted for the passphrase that we just configured in the previous step. We will also have to specify the name that we want our partition mapped as. You can pick any name that you find convenient. We’ll just call ours “encrypted”.
    # cryptsetup open /dev/sdb encrypted
    Enter passphrase for /dev/sdb:
    
  6. Now we will put a file system onto the disk. This is what will make it accessible and writable for normal user tasks. For this tutorial, we’ll just use the ext4 file system. You’ll probably want to use it too.
    # mkfs.ext4 /dev/mapper/encrypted
    
  7. Creating a file system on the hard drive

    Creating a file system on the hard drive

After your file system is created, the disk is ready to be used. See the section below for instructions on how to mount the encrypted partition, which will make it accessible.

How to mount or unmount encrypted partition



To manually mount or unmount the encrypted partition, we need to use the usual mount and umount commands, but also the cryptsetup command. Here’s how we would mount our encrypted partition to the /mnt/encrypted folder.

# cryptsetup --type luks open /dev/sdb encrypted
# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted

To unmount the encrypted partition, we’d use the following two commands which will also close the mapped device.

# umount /mnt/encrypted
# cryptsetup close encrypted

We can also setup automatic mounting, so the encrypted partition is mounted any time we login to the system, but it will require a passphrase to complete the mounting. To do that, we’ll need to edit the /etc/fstab and /etc/crypttab files.

Add the following line to the /etc/fstab file. Here we are telling the system where to mount our encrypted partition, which we’ve specified as /mnt/encrypted.

/dev/mapper/encrypted      /mnt/encrypted                 ext4    defaults        0 0
Adding the device mapper name and the directory to fstab file

Adding the device mapper name and the directory to fstab file

Then, edit the /etc/crypttab file and add the following line. Here we are specifying the name of our device mapper as well as the device name of the partition. We also write “none” because we don’t want to specify a key file.

encrypted  /dev/sdb       none
Add automatic mounting to the crypttab config file

Add automatic mounting to the crypttab config file



Now, when our system boots up, we will see a prompt that asks us for the passphrase to mount the encrypted partition.

We are prompted for a password during boot up in order to mount the encrypted partition

We are prompted for a password during boot up in order to mount the encrypted partition

As you can see below, after a reboot our encrypted partition has been mounted and is accessible under the directory we configured, /mnt/encrypted. Make sure this directory (or whichever one you’re using) exists before you try to mount the partition there.

Accessing our encrypted partition, which has already ben automatically mounted for us

Accessing our encrypted partition, which has already ben automatically mounted for us

How to setup disk encryption during Linux install



Note that many Linux distros offer full disk encryption when you are first installing the operating system. You just need to make sure that you select this option when you are going through the installation prompts. It’s normally in the same menu as the partitioning and other hard disk configuration options.

For example, on an Ubuntu system, you would need to first select “advanced features” under the partitioning menu.

Select the advanced features menu to configure encryption

Select the advanced features menu to configure encryption

And then select “Encrypt the new Ubuntu installation for security” option in the next menu.

Choose LVM for the new Linux installation and then you can enable hard disk encryption for security

Choose LVM for the new Linux installation and then you can enable hard disk encryption for security

These settings will configure an encrypted hard disk the same way that we have covered in this guide.

Closing Thoughts

In this guide, we saw how to configure an encrypted LUKS partition to protect our files on Linux. We also saw how to manually and automatically mount the partition. You can follow this guide whether you are setting up a brand new Linux installation, or have an existing install that you want to add disk encryption to. This is one of the easiest and most secure ways to protect your files and keep them for your eyes only.



Comments and Discussions
Linux Forum