Create and use Disk Encryption


Create an encrypted partition on an existing disk device or partition. This will overwrite any data previously on the device or partition.

cryptsetup luksFormat /dev/sdxY

Open the LUKS encrypted device:

cryptsetup luksOpen /dev/sdxY any-name

The device is now available like any other non-encrypted disk at /dev/mapper/any-name. The first time, you need to create a filesystem on it:

mkfs.ext4 /dev/mapper/any-name

Then you may mount the filesystem:

mount /dev/mapper/any-name /mnt

Any files written under the given mountpoint (/mnt) are now encrypted when they reach the disk. To properly close the filesystem, which makes the files inaccessible again until the passphrase is entered, run the following in order:

sync
umount /dev/mapper/any-name
cryptsetup luksClose any-name

You may also want to keep a backup of the LUKS header. The header holds metadata about the encrypted volume (the cipher and hash in use, the key slots) together with the master key, itself stored encrypted. The passphrase only decrypts that master key, which in turn is used to encrypt and decrypt the data. If the header becomes corrupt, damaged, or lost in any way, all other data must be considered lost. Likewise, if the passphrase is forgotten, the data is effectively lost.

cryptsetup luksHeaderBackup /dev/sdxY --header-backup-file /path/to/backup.luks.bin

In order to restore a header:

cryptsetup luksHeaderRestore /dev/sdxY --header-backup-file /path/to/backup.luks.bin

Keep the header safe, in the same way you would not hand your disk over to a hacker. If the passphrase is random and long enough, the header falling into a hacker's hands is less of a problem. The header contains the salt; by keeping it hidden, the salt effectively becomes a pepper.
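As an added check that is not part of the original page, the following Python inspector reads a file written by luksHeaderBackup above and confirms it really is a LUKS header, reports the cipher, key slots and whether the salt is present, and flags a truncated copy before you ever depend on luksHeaderRestore. Field offsets follow the LUKS1 and LUKS2 on-disk formats; the sample header is constructed for the demo rather than taken from a real device.

```python
"""Inspect a LUKS header backup file offline (no cryptsetup, no root).
Layouts follow the LUKS1/LUKS2 on-disk formats (big-endian); the sample
header built below is constructed for demonstration, not a real dump."""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")    # 208-byte phdr
LUKS1_SLOT = struct.Struct(">II32sII")                      # 48 bytes, 8 slots
LUKS1_SLOT_ACTIVE = 0x00AC71F3
LUKS2_BIN = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s")  # 512-byte header


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks_header(blob: bytes) -> dict:
    """Summarise a header backup; raise ValueError if it is not a LUKS header."""
    if len(blob) < LUKS1_PHDR.size or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic or too short")
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        f = LUKS1_PHDR.unpack_from(blob)
        slots = [LUKS1_SLOT.unpack_from(blob, 208 + 48 * i) for i in range(8)]
        return {"version": 1, "cipher": f"{_cstr(f[2])}-{_cstr(f[3])}",
                "hash": _cstr(f[4]), "key_bits": f[6] * 8, "uuid": _cstr(f[10]),
                "active_slots": [i for i, s in enumerate(slots)
                                 if s[0] == LUKS1_SLOT_ACTIVE],
                # mk-digest salt: the salt the text says turns into "pepper"
                "salt_present": any(f[8]),
                # header plus key material precede payload-offset (in sectors)
                "complete": len(blob) >= f[5] * 512}
    if version == 2:
        if len(blob) < LUKS2_BIN.size:
            raise ValueError("truncated LUKS2 binary header")
        f = LUKS2_BIN.unpack_from(blob)
        return {"version": 2, "label": _cstr(f[4]), "checksum_alg": _cstr(f[5]),
                "uuid": _cstr(f[7]), "salt_present": any(f[6]),
                # the JSON metadata area must fit inside hdr_size
                "primary_complete": len(blob) >= f[2]}
    raise ValueError(f"unsupported LUKS version {version}")


def build_sample_luks1_header() -> bytes:
    """Constructed 592-byte LUKS1 header (demo only): slot 0 active, 7 disabled."""
    phdr = LUKS1_PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                           4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
                           b"0f2d1a6c-0000-4000-8000-000000000001")
    slots = LUKS1_SLOT.pack(LUKS1_SLOT_ACTIVE, 250000, b"\x33" * 32, 8, 4000)
    slots += LUKS1_SLOT.pack(0x0000DEAD, 0, b"\0" * 32, 0, 0) * 7
    return phdr + slots
```

On a real backup, `inspect_luks_header(open("/path/to/backup.luks.bin", "rb").read())` should report `complete` as True; the constructed sample carries only the 592-byte header without its key material, so the check reports False there.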