
Linux Unified Key Setup (LUKS) is the Best Disk Encryption in Linux

The purpose of this article is to explain why LUKS encryption matters on Linux and how to use it. We will set up LUKS encryption on a disk and then automate unlocking and mounting the encrypted partition.

Importance of LUKS Encryption

LUKS encryption is crucial for securing sensitive data on Linux systems. It adds a layer of protection against unauthorized access, data breaches and other threats to data at rest: even if the disk is stolen or the system is otherwise compromised while the volume is locked, an attacker who does not hold the decryption key or passphrase cannot read your sensitive information.

Key Concepts

  • LUKS (Linux Unified Key Setup): A disk encryption specification that provides a standard on-disk format for data encryption.
  • Encryption: The process of converting data into an unreadable format, which can only be accessed with a decryption key or passphrase.
  • cryptsetup: The command-line tool used to manage LUKS encrypted volumes.
  • Mapper Device: A virtual device created by LUKS that provides access to the decrypted volume (e.g., /dev/mapper/vault1).
  • Key File: A file containing the encryption key, used instead of a passphrase.
  • Passphrase: A secret password used to unlock the encrypted volume.
  • fstab: A system configuration file that defines how file systems are mounted at boot time.
  • crypttab: A system configuration file specifically for defining LUKS encrypted volumes to be unlocked at boot time (used together with fstab).
  • systemd: A system and service manager for Linux operating systems, used here to automate the unlocking and mounting of LUKS volumes.
  • UUID (Universally Unique Identifier): A unique identifier for a partition or disk, ensuring consistent mounting regardless of device name changes. This documentation uses /dev/disk/by-id/ instead.

Let’s Begin

Make sure you have a backup of your data before proceeding: a mistake during the encryption process can destroy everything on the disk permanently. Check that cryptsetup, the tool that manages LUKS, is installed, and install it if it is not:

# Check if cryptsetup is installed
command -v cryptsetup
# Install it if not installed (Debian/Ubuntu)
sudo apt-get install cryptsetup

1. Attach the Disk to your system.

2. Check your attached disk

lsblk

It will show you all the disks attached to your system. Let’s say your disk is /dev/sdb. We will go through the steps to set up LUKS encryption on it.

3. Create a LUKS partition

sudo cryptsetup luksFormat /dev/sdb

This will create a LUKS container on /dev/sdb, overwriting whatever is already there; cryptsetup asks you to confirm and then to enter the passphrase that will protect the volume.

4. (Optional) Create an encryption key file

If you would rather unlock the volume with the passphrase alone, skip this step. Otherwise generate a 4 KiB random key file:

sudo dd if=/dev/urandom of=/root/.mykey.img bs=1024 count=4

Add the key file to the LUKS partition and make sure only root can read it:

sudo cryptsetup luksAddKey /dev/sdb /root/.mykey.img
sudo chmod 600 /root/.mykey.img
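The commands above create the key file first and restrict its permissions afterwards, so under the default umask the file is briefly world-readable. The following added example (my own code, not from the original post) creates the key file under umask 077 so that it is mode 600 from the moment it exists, refuses to overwrite a file that may already be enrolled in a LUKS header, and verifies the result. The function names, the default size of 4096 bytes (the post's bs=1024 count=4) and the use of head -c instead of dd are this example's choices.

```sh
#!/bin/sh
# Added example, not from the original post: create a LUKS key file that is
# never readable by other users, even for an instant, and check it afterwards.

# make_keyfile PATH [BYTES]
# Writes BYTES (default 4096) of random data to PATH with mode 600 from the
# moment the file exists. Refuses to overwrite an existing file, because that
# key may already be enrolled in a LUKS header.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file $path" >&2
        return 1
    fi
    # Run in a subshell so the restrictive umask does not leak to the caller;
    # the redirection creates the file with permissions 600 under umask 077.
    (
        umask 077
        head -c "$bytes" /dev/urandom > "$path"
    ) || return 1
    keyfile_ok "$path" "$bytes"
}

# keyfile_ok PATH BYTES
# Returns 0 when PATH is a regular file of exactly BYTES bytes with no group
# or world permission bits; prints the reason and returns 1 otherwise.
keyfile_ok() {
    path=$1
    bytes=$2
    [ -f "$path" ] || { echo "$path is not a regular file"; return 1; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -eq "$bytes" ] || { echo "$path is $size bytes, expected $bytes"; return 1; }
    # First ten characters of "ls -ld" are the type and permission bits.
    mode=$(ls -ld "$path" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) return 0 ;;
        *) echo "$path has mode $mode, expected -rw-------"; return 1 ;;
    esac
}

# Usage: sh make-keyfile.sh /root/.mykey.img
if [ $# -gt 0 ]; then
    make_keyfile "$1" && echo "key file $1 ready; enroll it with: cryptsetup luksAddKey <device> $1"
fi
```

Run it as root with the desired path as the only argument, then enroll the file with luksAddKey exactly as in the step above; the chmod is no longer needed because the file was never readable by anyone else.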

5. Open the LUKS partition

vault1 is the name we give the mapper device. cryptsetup will create /dev/mapper/vault1, which is the device you mount.

# If you want to use a key file
sudo cryptsetup open --key-file /root/.mykey.img /dev/sdb vault1
# If you want to use a passphrase
sudo cryptsetup open /dev/sdb vault1

6. Format the LUKS partition

Perform this step only once. It creates an ext4 filesystem inside the unlocked container and erases anything already stored there.

# check available devices using
lsblk
# Format it using ext4 format
sudo mkfs.ext4 /dev/mapper/vault1

7. Mount partition

/mnt/vault1 is a mount point where you can mount your partition.

sudo mkdir /mnt/vault1
sudo mount /dev/mapper/vault1 /mnt/vault1

Once mounted, you can use it as a normal partition.

8. Unmount partition

sudo umount /mnt/vault1

9. Close the LUKS partition

This removes the mapper device /dev/mapper/vault1 and locks the partition again.

sudo cryptsetup close vault1

That completes the LUKS setup on /dev/sdb. For day-to-day use you only need steps 5, 7, 8 and 9; do not repeat step 6, as it would format the partition again and destroy your data.

Automate the process

Let’s talk about automating the process of unlocking, mounting and closing the LUKS partition for daily use.

  • Using fstab: if the drive is internal, you can automate unlocking with crypttab and fstab. The drawback is that a failure of the drive can stop the system from booting.
  • Using systemd: works for any drive, internal or external. A missing or failed drive only makes the service fail; the boot itself is not affected.
  • Both methods refer to the disk by its unique id rather than by the device name (/dev/sdb), which can change between boots. To get the unique id of the disk, use the following command:
    ls -l /dev/disk/by-id/ | grep "sdb"

    It should display output like this:

    lrwxrwxrwx 1 root root  9 Jul 30 18:51 ata-VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
    lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-0ATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
    lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-1ATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
    lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-SATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb

    The entry starting with ata- is the unique id of the disk. I used a virtual hard disk here; on real hardware the name contains the manufacturer, model and serial number. We will use ata-VBOX_HARDDISK_VB5e1011c9-a737040b in the following steps.

1. Using fstab

  • Edit /etc/crypttab and add the following line (if you did not create a key file, put none in the third field and you will be prompted for the passphrase at boot):
    vault1 /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b /root/.mykey.img luks
  • Edit /etc/fstab and add the following line (the mount point must be the directory you created in step 7):
    /dev/mapper/vault1 /mnt/vault1 ext4 defaults 0 0
  • Update the initramfs so the boot process picks up the new crypttab entry:
    sudo update-initramfs -u
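The by-id lookup above is easy to get wrong by hand, and the crypttab and fstab entries must agree on the mapper name. The following added example (my own code, not from the original post) resolves the stable by-id name for a device from the output of ls -l /dev/disk/by-id, renders both entries from one set of variables so they cannot drift apart, and lints a crypttab line for the three mistakes this setup invites: a wrong field count, a /dev/sdX device name instead of a by-id path, and a missing luks option. The first two lines of the sample listing are the post's own output; the third line and all function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: pick the stable by-id name of a
# disk and generate matching crypttab/fstab lines from shared variables.

# First two lines are the post's listing; the third is a constructed extra
# disk so the selection logic has something to ignore.
SAMPLE_LISTING='lrwxrwxrwx 1 root root  9 Jul 30 18:51 ata-VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-0ATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
lrwxrwxrwx 1 root root  9 Jul 30 18:51 ata-OTHER_DISK_SERIAL_0002 -> ../../sda'

# pick_disk_id LISTING DEVNAME
# Prints the by-id name whose symlink targets DEVNAME (e.g. sdb), preferring
# an ata-* name as the post does; returns 1 when nothing points at the device.
pick_disk_id() {
    listing=$1
    dev=$2
    # In "ls -l" output the link name is the third field from the end and the
    # target ("../../sdb") is the last one, whatever the date format is.
    matches=$(printf '%s\n' "$listing" |
        awk -v dev="$dev" 'BEGIN { t = "../../" dev } $NF == t { print $(NF-2) }')
    [ -n "$matches" ] || return 1
    ata=$(printf '%s\n' "$matches" | grep '^ata-' | head -n 1)
    if [ -n "$ata" ]; then
        printf '%s\n' "$ata"
    else
        printf '%s\n' "$matches" | head -n 1
    fi
}

# crypttab_line MAPPER DISK_ID KEYFILE
crypttab_line() {
    printf '%s /dev/disk/by-id/%s %s luks\n' "$1" "$2" "$3"
}

# fstab_line MAPPER MOUNT_POINT FSTYPE
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 0\n' "$1" "$2" "$3"
}

# crypttab_line_ok LINE
# Returns 0 when LINE has the four crypttab fields, names the device through
# /dev/disk/by-id/ (not a /dev/sdX name that can change between boots) and
# carries the "luks" option; prints the reason and returns 1 otherwise.
crypttab_line_ok() {
    set -- $1
    if [ $# -ne 4 ]; then
        echo "expected 4 fields, got $#"
        return 1
    fi
    case $2 in
        /dev/disk/by-id/*) ;;
        *) echo "device '$2' is not a /dev/disk/by-id/ path"; return 1 ;;
    esac
    case ",$4," in
        *,luks,*) ;;
        *) echo "options '$4' do not include luks"; return 1 ;;
    esac
    return 0
}

# Render both entries for the post's disk from the same variables.
MAPPER_NAME=vault1
MOUNT_POINT=/mnt/vault1
KEY_FILE=/root/.mykey.img
DISK_ID=$(pick_disk_id "$SAMPLE_LISTING" sdb)
crypttab_line "$MAPPER_NAME" "$DISK_ID" "$KEY_FILE"
fstab_line "$MAPPER_NAME" "$MOUNT_POINT" ext4
```

On a real system, replace SAMPLE_LISTING with the output of ls -l /dev/disk/by-id/ and append the two printed lines to /etc/crypttab and /etc/fstab respectively.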
    

2. Using systemd

  • Create a file /usr/local/bin/luks-mount.sh with the following content:
    #!/bin/sh
    # DRIVE_ID, MAPPER_NAME, MOUNT_POINT, PASSPHRASE and KEY_FILE_PATH are
    # supplied by systemd through EnvironmentFile
    # Derived variables
    DISK_PATH="/dev/disk/by-id/${DRIVE_ID}"
    # Operations
    if [ ! -e "$DISK_PATH" ]; then
      echo "❌ Drive ${DRIVE_ID} not present"
      exit 1
    fi
    # Check if already unlocked
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
      echo "🔓 Volume '$MAPPER_NAME' is already unlocked."
    else
      echo "🔐 Unlocking encrypted volume..."
      if [ -n "$KEY_FILE_PATH" ] && [ -f "$KEY_FILE_PATH" ]; then
          echo "🔑 Using key file to unlock..."
          sudo cryptsetup luksOpen "$DISK_PATH" "$MAPPER_NAME" --key-file "$KEY_FILE_PATH"
      else
          echo "📝 Using passphrase to unlock..."
          echo "$PASSPHRASE" | sudo cryptsetup luksOpen "$DISK_PATH" "$MAPPER_NAME"
      fi
      if [ $? -ne 0 ]; then
          echo "❌ Failed to unlock the volume."
          exit 2
      fi
      echo "✅ Volume unlocked as /dev/mapper/$MAPPER_NAME"
    fi
    # Mount the device
    if mountpoint -q "$MOUNT_POINT"; then
      echo "📁 Already mounted at $MOUNT_POINT"
    else
      sudo mkdir -p "$MOUNT_POINT"
      sudo mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
      echo "✅ Mounted at $MOUNT_POINT"
    fi

    The same script serves every disk; only the environment file differs.

  • Create a file /usr/local/bin/luks-umount.sh with the following content:
    #!/bin/sh
    # DRIVE_ID, MAPPER_NAME and MOUNT_POINT are supplied by systemd through
    # EnvironmentFile
    # Derived variables
    DISK_PATH="/dev/disk/by-id/${DRIVE_ID}"
    # Check if disk exists (only a warning: a removed disk still needs cleanup)
    if [ ! -e "$DISK_PATH" ]; then
      echo "⚠️  Drive ${DRIVE_ID} not present (may already be removed or unmounted)."
    fi
    # Unmount if mounted
    if mountpoint -q "$MOUNT_POINT"; then
      echo "📤 Unmounting $MOUNT_POINT..."
      sudo umount "$MOUNT_POINT"
      if [ $? -ne 0 ]; then
          echo "❌ Failed to unmount $MOUNT_POINT"
          exit 1
      fi
      echo "✅ Unmounted $MOUNT_POINT"
    else
      echo "ℹ️  $MOUNT_POINT is not mounted."
    fi
    # Close the encrypted volume if mapped
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
      echo "🔒 Closing encrypted volume $MAPPER_NAME..."
      sudo cryptsetup luksClose "$MAPPER_NAME"
      if [ $? -ne 0 ]; then
          echo "❌ Failed to close volume $MAPPER_NAME"
          exit 2
      fi
      echo "✅ Volume $MAPPER_NAME closed."
      echo "🧹 Deleting mount point $MOUNT_POINT..."
      sudo rmdir "$MOUNT_POINT"
      echo "🧹 Mount point $MOUNT_POINT deleted."
    else
      echo "ℹ️  Volume $MAPPER_NAME is not open."
    fi

    The same script serves every disk; only the environment file differs.

  • Give executable permission to the script:
    sudo chmod +x /usr/local/bin/luks-mount.sh
    sudo chmod +x /usr/local/bin/luks-umount.sh
  • Create an environment file /etc/vault1.env with the following content. If you created a key file in step 4, set KEY_FILE_PATH to it and leave PASSPHRASE empty; the mount script only falls back to PASSPHRASE when the key file does not exist:
    DRIVE_ID=ata-VBOX_HARDDISK_VB5e1011c9-a737040b
    MAPPER_NAME=vault1
    MOUNT_POINT=/mnt/vault1
    PASSPHRASE=your_passphrase_here
    KEY_FILE_PATH=/path/to/optional-keyfile
  • Restrict the env file to root, since it may contain the passphrase:
    sudo chmod 600 /etc/vault1.env
  • Create a systemd service file /etc/systemd/system/mount-vault1.service with the following content:
    [Unit]
    Description=Unlock and mount LUKS volume vault1
    After=cryptsetup-pre.target local-fs.target
    Requires=local-fs.target

    [Service]
    Type=oneshot
    EnvironmentFile=/etc/vault1.env
    ExecStart=/usr/local/bin/luks-mount.sh
    ExecStop=/usr/local/bin/luks-umount.sh
    RemainAfterExit=true

    [Install]
    WantedBy=multi-user.target
  • Enable the service:
    sudo systemctl daemon-reload
    sudo systemctl enable mount-vault1.service
  • Start the service:
    sudo systemctl start mount-vault1.service
  • On shutdown systemd runs ExecStop, so the volume is unmounted and closed automatically.

  • To take the disk out manually, stop the service (this unmounts and closes the volume) and, if you do not want it unlocked at the next boot, disable it:
    sudo systemctl stop mount-vault1.service
    sudo systemctl disable mount-vault1.service
    sudo systemctl daemon-reload
  • Congrats! You have successfully set up a LUKS encrypted disk in Linux.
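A mistake in /etc/vault1.env shows up only as a failed unit at boot, so it is worth checking the file before enabling the service. The following added example (my own code, not from the original post) validates an environment file the way luks-mount.sh will use it: the file must be mode 600 because it may hold the passphrase, DRIVE_ID, MAPPER_NAME and MOUNT_POINT must be set, MOUNT_POINT must be absolute, and there must be a usable unlock method, i.e. either KEY_FILE_PATH points at an existing file or PASSPHRASE is set to something other than the template placeholder. The function names are this example's own; the sample file contents are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check an EnvironmentFile
# such as /etc/vault1.env before enabling mount-vault1.service.
# check_env_file prints each problem and returns the number of problems found
# (0 means luks-mount.sh can use the file).

# read_var FILE NAME -> prints the value of NAME=... (last occurrence wins,
# as with systemd's EnvironmentFile), or nothing if NAME is absent.
read_var() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# file_mode FILE -> prints the type and permission bits, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_env_file FILE
check_env_file() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # The file may hold a passphrase, so nobody but root should read it.
    case $(file_mode "$f") in
        ?rw-------) ;;
        *) echo "permissions: $f is not mode 600"; problems=$((problems + 1)) ;;
    esac
    # luks-mount.sh cannot work without these three values.
    for name in DRIVE_ID MAPPER_NAME MOUNT_POINT; do
        if [ -z "$(read_var "$f" "$name")" ]; then
            echo "missing: $name"
            problems=$((problems + 1))
        fi
    done
    # The mount script falls back to PASSPHRASE when KEY_FILE_PATH is not an
    # existing file, so at least one of the two must be real.
    key=$(read_var "$f" KEY_FILE_PATH)
    pass=$(read_var "$f" PASSPHRASE)
    if [ ! -f "$key" ] && { [ -z "$pass" ] || [ "$pass" = "your_passphrase_here" ]; }; then
        echo "unlock: no usable KEY_FILE_PATH and PASSPHRASE is empty or the template placeholder"
        problems=$((problems + 1))
    fi
    # mountpoint(1) and mount(8) need an absolute path.
    case $(read_var "$f" MOUNT_POINT) in
        /*|"") ;;
        *) echo "mount: MOUNT_POINT must be an absolute path"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Usage: sh check-env.sh /etc/vault1.env
if [ $# -gt 0 ]; then
    check_env_file "$1" && echo "$1 looks usable"
fi
```

Run it as root against /etc/vault1.env after creating the file; a non-zero exit status is the number of problems printed, which makes it convenient to call from a wrapper before systemctl enable.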

Tips

  1. Always back up the LUKS header and keep the copy somewhere other than the encrypted disk; if the header is damaged, the data cannot be recovered without it:
    sudo cryptsetup luksHeaderBackup /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b --header-backup-file /path/to/ata-VBOX_HARDDISK_VB5e1011c9-a737040b_header_backup.img
  2. To add an additional passphrase to the LUKS volume:
    sudo cryptsetup luksAddKey /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b
  3. To remove a passphrase from the LUKS volume:
    sudo cryptsetup luksRemoveKey /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b
  4. Read the manual page for more information:
    man cryptsetup