Rob Oakes
Oct 27, 2022

How To Encrypt Linux Hard Disks Using LUKS

Securing data in Linux can be accomplished through LUKS, a transparent disk encryption system. In this article, we introduce LUKS and describe how it can be used with Logical Volume Manager (LVM).

Protecting data is essential, especially for businesses. Whether it's data from your customers, sensitive industry information, credit card or financial details, or employee records, enforcing proper access controls and preserving confidentiality is essential to your relationships, your reputation, and staying on the right side of the law.

A critical aspect of data security is ensuring that it can't be accessed if it were somehow to be stolen or accidentally lost. This might take the form of a laptop being misplaced during travel, or a computer being stolen from your offices. In both of these scenarios, the best way to protect the data is to encrypt it.

Encryption is a way of encoding information so that its true content is hidden. Once data is encrypted, it can't be read without first "decrypting" it. To decrypt data, you need a passphrase or token (often called a key) that turns it back into its plaintext form.

Generally, there are two levels at which information can be encrypted, the file level or the block-device level:

  • file-level encryption encrypts individual files that might hold sensitive data, such as a customer database
  • block-device-level encryption works on the whole hard drive (or other block device), so everything stored on it is encrypted

In Linux, multiple technologies can be used to apply encryption at either level. For files, the options include eCryptfs and EncFS. At the block level, it includes systems like LoopAES, VeraCrypt, and Linux Unified Key Setup-on-disk-format (LUKS). In this article, we'll look at how to use LUKS to encrypt entire disks. We'll cover:

  • a brief background on what LUKS is and how it works
  • installing the packages needed to use LUKS
  • the options for using LUKS with the Linux Logical Volume Manager (LVM)
  • configuring a LUKS-encrypted logical volume and provisioning it with a filesystem
  • unlocking and mounting the LUKS-encrypted volume manually
  • configuring the system to unlock the LUKS volumes automatically on startup using /etc/crypttab and /etc/fstab

What is LUKS?

LUKS is a standard on-disk format for hard disk encryption. It builds on device-mapper crypt (dm-crypt), a Linux kernel module that applies the encryption at the block-device level.

Configure Disks for Encryption (Ubuntu 20.04)

Install cryptsetup (the LUKS tooling) and the other packages needed to manage encrypted volumes:

apt-get install cryptsetup parted

cryptsetup is the utility used by Ubuntu for the management of encrypted volumes. It is how encrypted volumes are created and unlocked.

LUKS and LVM

LUKS can be used alongside LVM to create expandable, encrypted volumes. While there are multiple approaches to configuring the volumes, one of the more robust and expandable options is to create an encrypted volume inside a logical volume. To do this:

  • create a volume group from one or more disks
  • use the volume group to create logical volumes
  • apply LUKS encryption to each logical volume and create a filesystem on top of the encrypted volume

Using a logical volume allows the disks to be mounted at boot and provides a volume that can be expanded dynamically without sacrificing security.

LVM Utilities

LVM includes a set of utilities for managing physical volumes (pv), volume groups (vg), and logical volumes (lv). Each utility, whether it creates (create), displays information about (display), or extends (extend) a resource, is prefixed with the abbreviation of the resource type it works with. This convention makes it easy to work out which command to use for a particular operation.

The command for creating/tagging a physical volume is pvcreate, for example, while the command for creating a logical volume is lvcreate. Information about physical volumes can be retrieved using pvdisplay while similar details for logical volumes would be retrieved using lvdisplay.

Creating the Logical Volume

Creating a logical volume is a three step process:

  1. Tag the hard disk or storage device as a "physical volume"
  2. Associate the physical volume with a "volume group"
  3. Allocate a portion of the storage capacity of the group to a "logical volume"

Tag Storage Device As Physical Volume (pvcreate)

Storage devices can be tagged by using their device identifier (example: /dev/sda), partition (example: /dev/sda1), or by the UUID:

# Specify partition 2 of attached disk sdd as a physical volume
pvcreate /dev/sdd2

Add Physical Volume to Volume Group

Once a storage device is tagged as a physical volume, it can be added to a volume group using vgcreate or vgextend:

# Create a new volume group
vgcreate volume-groupname /dev/sdd2

# Extend an existing volume group with an additional storage device
vgextend volume-groupname /dev/sdc

Create Logical Volume

Logical volumes are allocated from the capacity of a volume group using lvcreate by specifying the size (using the -L option), the name (--name), and the volume group from which the volume should be created:

# Allocate a 6.2 terabyte volume called minio
lvcreate -L +6.2T --name minio volume-groupname

Extending Existing Logical Volumes

Additional capacity can be added to an existing logical volume using lvextend (the logical-volume counterpart of vgextend):

lvextend -L +1T /dev/volume-groupname/minio

Encrypting a Logical Volume With LUKS

To create an encrypted logical volume with LUKS:

  1. the volume needs to be set up with LUKS using cryptsetup
  2. after the encrypted volume has been set up, it needs to be opened so that a filesystem can be initialized on top of it
  3. initialize a filesystem so that the volume can be mounted

Once the filesystem has been initialized, the volume can be attached to a mount point.

Setting Up LUKS

The encryption for the logical volume is set up and opened using cryptsetup. For LVM volumes, use the device-mapper path of the logical volume, for example /dev/volume-groupname/lvolume:

# Setup encryption for a logical volume named lvolume 
# that belongs to volume group volume-groupname
cryptsetup luksFormat /dev/volume-groupname/lvolume

Open the Encrypted Volume

In addition to setting up the volume, cryptsetup is also used to open encrypted volumes for input/output via the open subcommand. cryptsetup open takes the device-mapper path of the logical volume (including the volume group) as its first argument, for example /dev/volume-groupname/lvolume.

cryptsetup open also requires a volume name as the second argument. This name becomes part of the unencrypted device-mapper path used by the filesystem-initialization and mount commands; for example, opening with the name open-lvolume produces /dev/mapper/open-lvolume.

# Open an encrypted logical volume under the name open-lvolume
cryptsetup open /dev/volume-groupname/lvolume open-lvolume

Initialize Filesystem

Creating a logical volume (encrypted or unencrypted) does not create the filesystem. That task must be performed separately using mkfs. When initializing a filesystem for the volume, it is best to use an "extended" filesystem such as ext3 or ext4.

mkfs requires the device-mapper path of the opened, unencrypted volume. For a logical volume opened with the name open-lvolume, that is /dev/mapper/open-lvolume.

# Initialize an ext4 file system for an open logical volume
mkfs.ext4 -m 1 /dev/mapper/open-lvolume

Unlocking and Mounting Existing LUKS Encrypted Volumes

Mounting an existing volume is a two-step process:

  1. Open the volume so that it can be read and written to using cryptsetup.
  2. Mount the volume filesystem to a point on the machine.

LVM

Use cryptsetup to open the volume for read/write. For LVM-managed volumes, use the device-mapper path as the first argument of the command, followed by the name to open the volume under. You will be prompted for the volume passphrase.

$ cryptsetup open /dev/mapper/vg-group-lvolume lvolume
Enter passphrase for /dev/mapper/vg-group-lvolume:

Once the volume has been opened, it can be mounted directly using a mount command or an entry can be added to /etc/fstab so that the volume will mount at startup or with mount -a.

Whole Disk

Use cryptsetup to open the volume for read/write. For whole disks, use the device entry (/dev/sdb, /dev/sdc, /dev/sdd, etc.) as the first argument of the command, followed by the LUKS volume name. You will be prompted for the volume passphrase. By convention, it is a good idea to use the same name for the LUKS volume and the logical volume.

$ cryptsetup open /dev/sdc luks-309cca3c-644c-412a-a6ec-a50ea1470e04
Enter passphrase for /dev/sdc:

When the volume is open, it can also be mounted using a mount command or entry in /etc/fstab.

Configure a LUKS Volume to Auto Mount

LUKS encryption can be configured to auto-mount in one of two ways:

  1. through the use of a secret key file stored on the system
  2. via a passphrase prompt that appears as part of the boot sequence

This section describes how to configure the second of these two options by adding entries for the encrypted volume in /etc/crypttab and /etc/fstab. When properly configured, the machine will prompt for the disk passphrase during boot and will mount the volume after it has been unlocked.

Configure the Machine to Prompt for the Volume Passphrase

Linux reads the /etc/crypttab file early in the boot process in order to unlock encrypted volumes. /etc/crypttab is a listing of volume names, their UUIDs, the key source, and their options. Example:

sda6_crypt UUID=7cb1b762-59c9-495d-b6b3-18e5b458ab70 none luks,discard

Working from left to right, the fields provide:

  • the name the unlocked (decrypted) device will be given under /dev/mapper
  • the UUID of the encrypted storage volume
  • the key file that should be used to unlock the volume, or none to prompt for a passphrase instead
  • the encryption options (luks, plus any extras such as discard)

The example above will attempt to unlock the storage volume associated with UUID 7cb1... using sda6_crypt as the label via a passphrase.

Each line of the file corresponds to a separate encrypted volume; additional volumes are added by extending the file.

Retrieving the UUID of Encrypted Volumes

Storage devices are added to the crypttab using their UUIDs. The UUIDs of LUKS encrypted storage volumes can be retrieved using the luksUUID option of the cryptsetup command.

The command takes the device path for the storage volume as its only input and works for drives, partitions, and logical volumes.

Example 1: Disks and Partitions

# Retrieve UUID for entire disk
$ cryptsetup luksUUID /dev/sdc
309cca3c-644c-412a-a6ec-a50ea1470e04

# Retrieve UUID for partition
$ cryptsetup luksUUID /dev/sdd1
309ffb3d-644d-412b-b6ec-a51ea1471e09

Example 2: Logical Volume

# Retrieve UUID for a logical volume named lvolume from
# the volume group "volume-groupname"
$ cryptsetup luksUUID /dev/volume-groupname/lvolume
5844554a-f835-4b07-8195-aace77dd4524

Configure Mount Points for Unlocked Volumes

Mount points in Linux are configured using the /etc/fstab file. Entries in /etc/fstab will be mounted upon boot or when invoking the mount -a command.

The file is a list of the volumes, their mount points, the filesystem types, and mount options. Example:

/dev/mapper/luks-309cca3c... /data/object-storage    ext4 defaults 0 0
/dev/mapper/k8s-object2 /data/object-storage2 ext4 errors=remount-ro 0 1
/dev/mapper/k8s-block /data/glusterfs ext4 errors=remount-ro 0 1

The first column is the device-mapper entry of the unlocked storage device, the second is the directory to be used as the mount point, and the third is the type of filesystem. The fourth column provides the mount options (defaults or errors=remount-ro in the example above), the fifth column is used by the dump utility to determine which filesystems need to be backed up (0 indicates "don't dump" the filesystem), and the sixth column is the order in which filesystem checks (fsck) are run at boot.
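The crypttab and fstab entries above only work together when the name in the first column of crypttab matches the /dev/mapper/<name> path in fstab. The following added example (my own shell script, not code from the article) generates both kinds of entry and cross-checks a constructed crypttab/fstab pair; the function names, the file names and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: build /etc/crypttab and
# /etc/fstab entries and cross-check them, because a crypttab name that does
# not match the /dev/mapper/<name> path in fstab leaves the volume unlocked
# but unmounted (or stalls boot waiting for it). Sample contents are constructed.

# crypttab_entry NAME UUID [KEYFILE|none] [OPTIONS]: one crypttab line.
# A LUKS UUID is 8-4-4-4-12 lowercase hex; anything else is rejected.
crypttab_entry() {
    name=$1; uuid=$2; key=${3:-none}; opts=${4:-luks,discard}
    echo "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$key" "$opts"
}

# fstab_entry NAME MOUNTPOINT [FSTYPE] [OPTIONS]: mount the unlocked mapper
# device; pass number 2 means fsck runs on it after the root filesystem.
fstab_entry() {
    printf '/dev/mapper/%s %s %s %s 0 2\n' "$1" "$2" "${3:-ext4}" "${4:-errors=remount-ro}"
}

# check_tabs CRYPTTAB FSTAB: print every crypttab mapper name that no fstab
# line mounts; return 0 when the files agree, 1 otherwise.
check_tabs() {
    status=0
    for name in $(awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"); do
        if ! awk -v dev="/dev/mapper/$name" \
                '$1 == dev { found = 1 } END { exit !found }' "$2"; then
            echo "crypttab unlocks '$name' but fstab never mounts /dev/mapper/$name"
            status=1
        fi
    done
    return $status
}

# demo: constructed crypttab/fstab pair in a temp dir, where backup_crypt is
# unlocked at boot but never mounted; returns check_tabs' verdict (1 here).
demo() {
    tmp=$(mktemp -d)
    { crypttab_entry data_crypt   5844554a-f835-4b07-8195-aace77dd4524
      crypttab_entry backup_crypt 309cca3c-644c-412a-a6ec-a50ea1470e04
    } > "$tmp/crypttab"
    { echo '# constructed fstab: only data_crypt gets a mount point'
      fstab_entry data_crypt /data/object-storage
    } > "$tmp/fstab"
    if check_tabs "$tmp/crypttab" "$tmp/fstab"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run check_tabs against the real /etc/crypttab and /etc/fstab after editing them; a non-zero exit names the volume whose mount point is missing.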
