How to Encrypt Storage Drives Using LUKS in Linux

This article covers using the “Linux Unified Key Setup” (LUKS) encryption standard to create encrypted, password-protected storage drives. During encryption, LUKS reserves space on the storage drive and stores the metadata required for encryption and decryption on the drive itself. This on-disk format gives near plug-and-play compatibility across Linux distributions and makes data drives easy to move between systems: as long as LUKS is installed on your Linux system and you know the password, you can decrypt any LUKS-encrypted data drive on any Linux distribution.

Installing LUKS

LUKS is part of the “cryptsetup” package. You can install it on Ubuntu by running the command below:

$ sudo apt install cryptsetup

You can install cryptsetup on Fedora by running the command below:

$ sudo dnf install cryptsetup-luks

Cryptsetup can be installed on Arch Linux using the following command:

$ sudo pacman -S cryptsetup

You can also compile it from its source code available here.

Finding Connected Storage Drives on a Linux System

To encrypt a drive using LUKS, you will first need to determine its correct device path. You can run the command below to list all storage drives connected to your Linux system.

$ lsblk -o NAME,PATH,MODEL,VENDOR,SIZE,FSUSED,FSUSE%,TYPE,MOUNTPOINT

You will see some output similar to this in a terminal:

If you look at the output and drive metadata, you can easily find the path of each connected drive (listed under the “PATH” column). For instance, I have connected an external thumb drive made by Transcend. Looking at the screenshot, it can be inferred that the path for this drive is “/dev/sdb”.

Alternatively, you can run the command below to find the correct path for any connected storage drive.

$ sudo lshw -short -C disk

You will get some output similar to this.

Whatever the drive path is in your case, make a note of it, as it will be used during LUKS encryption.

Encrypting a Drive Using LUKS

Before moving ahead, you should know that LUKS encryption will remove all existing data on the drive. If there are important files on the storage drive, make a backup beforehand.

Now that you have the drive path from the previous step, you can encrypt a drive using LUKS by running the command below. Make sure to replace “/dev/sdc” with the drive path you found in the previous step.

$ sudo cryptsetup --verbose luksFormat /dev/sdc

Follow on-screen instructions and enter a password.

In the end, you should get a “Command successful” message indicating that encryption has been successful.

You can also dump the encryption metadata and verify that the drive has been encrypted successfully by running the command below (replace “/dev/sdc” as needed):

$ sudo cryptsetup luksDump /dev/sdc

Decrypting and Mounting a LUKS Encrypted Drive

To decrypt a drive encrypted using LUKS, run the command below while specifying the path of the encrypted drive connected to your system. You can replace “drivedata” with any other name; it acts as an identifier for the decrypted device.

$ sudo cryptsetup --verbose luksOpen /dev/sdc drivedata

The “Command successful” message indicates that the drive has been decrypted and mapped as a new storage device called “drivedata” on your system. If you run the “lsblk” command, the mapped drive will appear as a new storage drive connected to your Linux system.

Up to this point, the LUKS-encrypted drive has been decrypted and mapped as a device, but not mounted. You can check information about the mapped drive by running the command below (replace “drivedata” as needed):

$ sudo cryptsetup --verbose status drivedata

The mapped drive acts like a real storage device connected to your system, but it doesn’t contain a file system yet. To read and write files on the mapped drive, you will need to create one. To create an EXT4 file system on it, run the following command while specifying the path of the mapped drive.

$ sudo mkfs.ext4 /dev/mapper/drivedata

Wait for the process to finish. This step needs to be done only once, or when you want to wipe the whole file system. Do not perform it every time you connect the encrypted drive, as it will wipe the existing data.

To manage files on the mapped drive formatted with EXT4, you will need to mount it. To do so, run the following two commands in succession.

$ sudo mkdir /media/mydrive
$ sudo mount /dev/mapper/drivedata /media/mydrive

The first command creates a new mount point for the mapped drive. You can supply any path to it. The next command mounts the mapped drive so that you can access it from the path specified in the previous command.

Once mounted, you will be able to access the mapped drive from a graphical file manager or from the command line like any other storage drive. To unmount, run the following command while specifying the full path of the mount point.

$ sudo umount /media/mydrive
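The complete sequence from the article, from luksFormat through mount and back again, as an added example that is not code from the original article: a small shell wrapper that refuses to format anything that is not a whole-disk path or that is currently mounted, checks a luksDump listing for the LUKS header banner (the verification step described earlier), and closes the mapping afterwards with cryptsetup luksClose, a standard cryptsetup subcommand the article does not show. The function names, the DRY_RUN and MOUNTS_FILE variables and the dry-run-by-default behaviour are this example's own choices, not part of cryptsetup.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Wraps the article's
# luksFormat -> luksOpen -> mkfs.ext4 -> mount sequence with the checks that
# protect against formatting the wrong disk. Function and variable names
# (luks_setup, luks_teardown, device_is_mounted, device_path_ok,
# luks_header_present, DRY_RUN, MOUNTS_FILE) are this example's own choices.
set -u

# DRY_RUN=1 (the default) prints each privileged command instead of running
# it, so the flow can be read and tested without a real drive. Set DRY_RUN=0
# to execute for real.
DRY_RUN="${DRY_RUN:-1}"
# Mount table consulted before formatting; overridable so a constructed
# table can be used in tests instead of the live /proc/mounts.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only whole-disk paths such as /dev/sdc or /dev/nvme0n1; a partition
# path (/dev/sdc1) or a typo should never reach luksFormat.
device_path_ok() {
  case "$1" in
    /dev/sd[a-z]|/dev/vd[a-z]|/dev/nvme[0-9]n[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds if the disk or any partition on it (/dev/sdc1, /dev/nvme0n1p2)
# appears as a mount source in MOUNTS_FILE. A mounted disk is in use and
# must be unmounted before it is wiped.
device_is_mounted() {
  grep -Eq "^$1(p?[0-9]+)? " "$MOUNTS_FILE"
}

# Reads `cryptsetup luksDump` output on stdin and succeeds if it carries the
# "LUKS header information" banner that both LUKS1 and LUKS2 dumps start with.
luks_header_present() {
  grep -q '^LUKS header information'
}

# Full flow from the article: format, open, create the EXT4 file system,
# mount. Every step is guarded, and the first two checks refuse to touch a
# disk that is not a whole-disk path or that is currently mounted.
luks_setup() {
  dev="$1"; name="$2"; mnt="$3"
  if ! device_path_ok "$dev"; then
    echo "refusing: $dev is not a whole-disk path" >&2; return 1
  fi
  if device_is_mounted "$dev"; then
    echo "refusing: $dev (or a partition on it) is mounted; unmount it first" >&2; return 1
  fi
  run sudo cryptsetup --verbose luksFormat "$dev" || return 1
  run sudo cryptsetup --verbose luksOpen "$dev" "$name" || return 1
  # mkfs only on first use: re-running it wipes the file system.
  run sudo mkfs.ext4 "/dev/mapper/$name" || return 1
  run sudo mkdir -p "$mnt" || return 1
  run sudo mount "/dev/mapper/$name" "$mnt"
}

# Reverse of the above: unmount, then close the mapping so the key leaves
# the kernel and the drive can be unplugged safely (luksClose is a standard
# cryptsetup subcommand the article does not show).
luks_teardown() {
  name="$1"; mnt="$2"
  run sudo umount "$mnt" || return 1
  run sudo cryptsetup luksClose "$name"
}

# Usage: DRY_RUN=0 ./luks-drive.sh /dev/sdc drivedata /media/mydrive
if [ "$#" -eq 3 ]; then
  luks_setup "$1" "$2" "$3"
fi
```

Run it once with the default DRY_RUN=1 to see exactly which commands would be executed against which device; only then run it with DRY_RUN=0. The mount check reads /proc/mounts, so it catches the common mistake of pointing luksFormat at the disk that holds the running system or an auto-mounted USB stick. After use, luks_teardown unmounts and closes the mapping, which is the counterpart of luksOpen that the article leaves out.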

Conclusion

LUKS provides a way to encrypt an entire storage drive so that it can only be accessed with the password created during encryption. Since it is an on-disk encryption system, with the encryption metadata stored on the encrypted device itself, you can plug the encrypted drive into any Linux system and decrypt it using LUKS to get immediate access to the encrypted data.

About the author

Nitesh Kumar

I am a freelancer software developer and content writer who loves Linux, open source software and the free software community.