IntroThere are plenty of reasons why people would need to encrypt a partition. Whether they're rooted it privacy, security, or confidentiality, setting up a basic encrypted partition on a Linux system is fairly easy. This is especially true when using LUKS, since its functionality is built directly into the kernel.
Debian/UbuntuOn both Debian and Ubuntu, the
cryptsetuputility is easily available in the repositories. The same should be true for Mint or any of their other derivatives.
$ sudo apt-get install cryptsetup
CentOS/FedoraAgain, the required tools are easily available in both CentOS and Fedora. These distributions break them down into multiple packages, but they can still be easily installed using
# yum install crypto-utils cryptsetup-luks cryptsetup-luks-devel cryptsetup-luks-libsFedora
# dnf install crypto-utils cryptsetup cryptsetup-luks
OpenSUSEOpenSUSE is more like the Debian based distributions, including everything that you need with
# zypper in cryptsetup
Arch LinuxArch stays true to its "keep it simple" philosophy here as well.
# pacman -S cryptsetup
GentooThe main concern that Gentoo users should have when installing the tools necessary for using LUKS is whether or not their kernel has support. This guide is not going to cover that part, but just be aware that kernel support is a factor. If your kernel does support LUKS, you can just
# emerge --ask cryptsetup
Setting Up The PartitionWARNING: The following will erase all data on the partition being used and will make it unrecoverable. Proceed with caution. From here on, none of this is distribution specific. It will all work well with any distribution.The defaults provided are actually quite good, but they can easily be customized. If you really aren't comfortable playing with them, don't worry. If you do know what you want to do, feel free.
The basic options are as follows:
--cypher: This determines the cryptographic cypher used on the partition. The default option is aes-xts-plain64 --key-size: The length of the key used. The default is 256 --hash: Chooses the hash algorithm used to derive the key. The default is sha256. --time: The time used for passphrase processing. The default is 2000 milliseconds. --use-random/--use-urandom: Determines the random number generator used. The default is --use-random.
So, a basic command with no options would look like the line below.
# cryptsetup luksFormat /dev/sdb1Obviously, you'd want to use the path to whichever partition that you're encrypting. If you do want to use options, it would look like the following.
# cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --time 5000 --use-urandom /dev/sdb1
Cryptsetupwill ask for a passphrase. Choose one that is both secure and memorable. If you forget it, your data will be lost. That will probably take a few seconds to complete, but when it's done, it will have successfully converted your partition into an encrypted LUKS volume.
Next, you have to open the volume onto the device mapper. This is the stage at which you will be prompted for your passphrase. You can choose the name that you want your partition mapped under. It doesn't really matter what it is, so just pick something that will be easy to remember and use.
# cryptsetup open /dev/sdb1 encryptedOnce the drive is mapped, you'll have to choose a filesystem type for you partition. Creating that filesystem is the same as it would be on a regular partition.
# mkfs.ext4 /dev/mapper/encryptedThe one difference between creating the filesystem on a regular partition and an encrypted one is that you will use the path to the mapped name instead of the actual partition location. Wait for the filesystem to be created. Then, the drive will be ready for use.
Mounting and UnmountingManually mounting and unmounting encrypted partitions is almost the same as doing so with normal partitions. There is one more step in each direction, though. First, to manually mount an encrypted partition, run the command below.
# cryptsetup --type luks open /dev/sdb1 encrypted # mount -t ext4 /dev/mapper/encrypted /place/to/mountUnmounting the partition is the same as a normal one, but you have to close the mapped device too.
# umount /place/to/mount # cryptsetup close encrypted