Encrypting Linux partitions
It's important to encrypt your personal files. What if your computer is stolen? What if you take it somewhere to be repaired and someone with access to it looks at your personal photos, copies your passwords, or views your financial information? You don't want to be a victim of identity theft, or to have your personal life shared without your consent.
This blog post assumes you're using Linux. Open-source software is the best assurance we have that there aren't backdoors hidden in your encryption tool, easily unlocked by your OS vendor or really smart people who have learned how to access those backdoors or design flaws in the system.
These steps should work on most modern Linux systems, and were tested on various flavors or variants of Ubuntu, including Ubuntu Desktop, Ubuntu Server, Xubuntu, and Mint.
For the lazy
If you do a fresh installation of Ubuntu, you will be able to encrypt your home directory or the entire installation. Just do this if you don't need to encrypt external drives.
There are various steps here which, if done incorrectly, will cause you to lose data or be unable to boot up your computer. Only follow these steps if you are comfortable doing this sort of thing, have a backup of anything important, and are able to pay attention to what you're doing.
Find the partition
You can find the partition in a number of ways. If you have just plugged in an external
dmesg to see the device identifier. It will look something like
df -h to see all mounted partitions, if you're planning to encrypt an existing
This is vital. If you follow any of these steps on the wrong partition, you will likely lose data or make your computer unbootable.
Unmount the partition.
If the partition is mounted, you need to unmount (but not eject) it. Note that the
umount command doesn't contain the letter
sudo umount /dev/sdb1
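Before formatting, the target can be checked mechanically. The script below is an added example, not part of the original post: it refuses a device that is not a block device, is still mounted (itself or one of its partitions), or already carries a LUKS header. The function names mounted_at and preflight and the file name preflight.sh are hypothetical.

```sh
#!/bin/sh
# Added example: sanity checks to run before "cryptsetup luksFormat".
# Function names are hypothetical; sample usage: sudo sh preflight.sh /dev/sdb1

# mounted_at DEV [MOUNTS_FILE]
# Print the mount points of DEV or of any partition on it, reading a file in
# /proc/mounts format. Returns 0 if something is mounted, 1 otherwise.
mounted_at() {
    awk -v dev="$1" '
        # Kernel naming: sdb -> sdb1, but nvme0n1 -> nvme0n1p1.
        BEGIN { sfx = (dev ~ /[0-9]$/) ? "^p[0-9]+$" : "^[0-9]+$" }
        index($1, dev) == 1 {
            rest = substr($1, length(dev) + 1)
            if (rest == "" || rest ~ sfx) { print $2; found = 1 }
        }
        END { exit !found }' "${2:-/proc/mounts}"
}

# preflight DEV: return 0 only if DEV looks safe to format.
preflight() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "$dev: not a block device" >&2; return 1
    fi
    if mp=$(mounted_at "$dev"); then
        echo "$dev: still mounted at:" $mp >&2; return 1
    fi
    # isLuks exits 0 when a LUKS header is present (needs read access, so root).
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev: already a LUKS volume, refusing to overwrite" >&2; return 1
    fi
    # Show size, filesystem and label so a human can confirm the target.
    lsblk -o NAME,SIZE,FSTYPE,LABEL,MOUNTPOINT "$dev"
}

if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

The checks cannot tell you that the device holds nothing you care about; the lsblk listing at the end is there so you can confirm size and label yourself.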
make it an encrypted partition
Be sure to use the right volume here!
sudo cryptsetup -y luksFormat /dev/sdb1
Give it a name. Here we're using stuff as the label.
sudo cryptsetup luksOpen /dev/sdb1 stuff
make a filesystem
sudo mkfs.ext4 -j /dev/mapper/stuff
make a directory in your home folder
You will only have to do these steps once. The chgrp and chown commands are used to change the group and owner of the encrypted partition to your user, instead of root.
mkdir /home/milo/stuff
sudo mount /dev/mapper/stuff /home/milo/stuff
sudo chgrp -R milo /home/milo/stuff
sudo chown -R milo /home/milo/stuff
You can manually dismount the filesystems for additional safety.
sudo umount /home/milo/stuff
sudo cryptsetup luksClose stuff
mount an encrypted external drive
When you connect a drive encrypted using these instructions and click on it in your file manager in Ubuntu, you will be prompted for the password automatically.
make a keyfile
This is optional. If you would like your encrypted partition to mount automatically when you boot up, you can do so. However, ensure that you are using whole-disk encryption if you do this. Otherwise anyone with access to your hard drive can access your key file.
sudo dd if=/dev/urandom of=/root/stuff.key bs=1024 count=4
sudo chmod 0400 /root/stuff.key
sudo cryptsetup luksAddKey /dev/sdb1 /root/stuff.key
Add this line to /etc/crypttab:
stuff /dev/sdb1 /root/stuff.key luks
And this line to /etc/fstab:
/dev/mapper/stuff /home/milo/stuff ext4 defaults 0 2
In case you aren't using whole-drive encryption and don't want to store a keyfile anywhere:
sudo cryptsetup luksOpen /dev/sdb1 stuff
sudo mount /dev/mapper/stuff /home/milo/stuff