Linux partition encryption

Encrypting Linux partitions

It's important to encrypt your personal files. What if your computer is stolen? What if you take it somewhere to be repaired and someone with access to it looks at your personal photos, copies your passwords, or views your financial information? You don't want to be a victim of identity theft, or to have your personal life shared without your consent.

This blog post assumes you're using Linux. Open-source software is the best assurance we have that there is no backdoor hidden in your encryption tool: nothing that your OS vendor, or anyone clever enough to find such a backdoor or a design flaw, could use to unlock your data.

These steps should work on most modern Linux systems. They were tested on several Ubuntu-based distributions, including Ubuntu Desktop, Ubuntu Server, Xubuntu, and Mint.

For the lazy

If you do a fresh installation of Ubuntu, the installer can encrypt your home directory or the entire installation for you. If you don't need to encrypt an external drive, just do that and skip the rest of this post.

Warning!

There are various steps here which, if done incorrectly, will cause you to lose data or be unable to boot up your computer. Only follow these steps if you are comfortable doing this sort of thing, have a backup of anything important, and are able to pay attention to what you're doing.

Find the partition

You can find the partition in a number of ways. If you have just plugged in an external drive, run sudo dmesg (or lsblk) to see the device identifier the kernel assigned. It will look something like /dev/sdb1.

If you're planning to encrypt an existing partition, use df -h to see all mounted partitions; lsblk also lists partitions that are not mounted.

This step is vital. If you follow any of these steps on the wrong partition, you will lose the data on it or make your computer unbootable.

Unmount the partition.

If the partition is mounted, you need to unmount (but not eject) it. Note the spelling: the command is umount, not unmount.

sudo umount /dev/sdb1

make it an encrypted partition

Be sure to use the right volume here! luksFormat destroys everything currently on the partition. The -y flag makes cryptsetup ask for the passphrase twice, so a typo can't lock you out of the drive.

sudo cryptsetup -y luksFormat /dev/sdb1

unlock it

Give the unlocked device a name. Here we're using stuff, so the decrypted block device will appear as /dev/mapper/stuff.

sudo cryptsetup luksOpen /dev/sdb1 stuff

make a filesystem

The filesystem goes on the mapped device, not on /dev/sdb1 (the -j flag is harmless but redundant: ext4 is journaled by default).

sudo mkfs.ext4 -j /dev/mapper/stuff

make a directory in your home folder

This is the mount point. milo is the user name used throughout this post; substitute your own.

mkdir /home/milo/stuff

mount

You only have to run the chgrp and chown commands once: they change the group and owner of the new filesystem's root directory from root to your user, so you can write to it without sudo. The mount command itself must be repeated each time you unlock the drive.

sudo mount /dev/mapper/stuff /home/milo/stuff
sudo chgrp -R milo /home/milo/stuff
sudo chown -R milo /home/milo/stuff

dismount

You can manually dismount the filesystem and close the LUKS device for additional safety. Until luksClose runs, the decryption key stays in kernel memory and the decrypted filesystem remains accessible.

sudo umount /home/milo/stuff
sudo cryptsetup luksClose stuff

mount an encrypted external drive

When you connect a drive encrypted using these instructions and click on it in your file manager in Ubuntu, you will be prompted for the password automatically.

make a keyfile

This is optional. If you would like your encrypted partition to be unlocked and mounted automatically when you boot up, you can add a keyfile as a second key. However, only do this if your root filesystem is itself encrypted (whole-disk encryption). Otherwise anyone with physical access to your hard drive can read the keyfile and unlock the partition with it.

The keyfile lives under /root, so every step needs sudo; luksAddKey will prompt for an existing passphrase before it adds the key.

sudo dd if=/dev/urandom of=/root/stuff.key bs=1024 count=4
sudo chmod 0400 /root/stuff.key
sudo cryptsetup luksAddKey /dev/sdb1 /root/stuff.key

Add to /etc/crypttab (device names like /dev/sdb1 can change between boots; if that worries you, replace it with UUID= followed by the value printed by sudo cryptsetup luksUUID /dev/sdb1):

 stuff /dev/sdb1 /root/stuff.key luks

Add to /etc/fstab (for an external drive, consider adding nofail to the options so boot doesn't stall when the drive isn't plugged in):

/dev/mapper/stuff /home/milo/stuff ext4 defaults 0 2

mounting manually

If you aren't using whole-disk encryption and don't want to store a keyfile anywhere, repeat these two steps each time you want to use the drive:

sudo cryptsetup luksOpen /dev/sdb1 stuff
sudo mount /dev/mapper/stuff /home/milo/stuff
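The whole procedure above, wrapped in one script as an added example (this is not code from the original post). The script name luks-setup.sh, the function names, the nofail options, the UUID-keyed crypttab entry and the SAMPLE_MOUNTS table are this example's assumptions; the cryptsetup, mkfs.ext4, mount and chown calls are the post's own steps. The additions a practitioner would want are a refusal to format a device that is still mounted, a retype-the-path confirmation before luksFormat, and keyfile creation under a restrictive umask.

```shell
#!/bin/sh
# luks-setup.sh (assumed name; added example, not from the original post):
# the post's luksFormat/luksOpen/mkfs/mount steps and the keyfile auto-mount
# steps as functions, with the safety checks a practitioner wants. Function
# names, the nofail options and SAMPLE_MOUNTS are this example's assumptions.
set -eu

# Constructed sample of a /proc/mounts table, used to exercise is_mounted offline.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/milo/usb ext4 rw,relatime 0 0'

# is_mounted DEVICE [MOUNTS_FILE]: succeed if DEVICE is the source of any
# mount. Defaults to the live /proc/mounts; a file can be passed for testing.
is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# crypttab_line NAME UUID KEYFILE: /etc/crypttab entry keyed by LUKS UUID so it
# survives the kernel renaming /dev/sdb1 on the next boot. nofail stops an
# absent external drive from blocking boot.
crypttab_line() {
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT: matching /etc/fstab entry for the mapped device.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# setup_luks DEVICE NAME MOUNTPOINT USER: the post's one-time steps. Run as root.
setup_luks() {
    dev="$1"; name="$2"; mountpoint="$3"; user="$4"
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted; umount it first" >&2
        return 1
    fi
    # luksFormat wipes DEVICE: show it and make the operator retype the path.
    lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT "$dev"
    printf 'Retype the device path to confirm: '
    read -r confirm
    [ "$confirm" = "$dev" ] || { echo "aborted" >&2; return 1; }
    cryptsetup -y luksFormat "$dev"          # -y: passphrase is asked twice
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"            # ext4 is journaled by default
    mkdir -p "$mountpoint"
    mount "/dev/mapper/$name" "$mountpoint"
    chown -R "$user:$user" "$mountpoint"     # the post's chgrp + chown in one call
}

# add_keyfile_automount DEVICE NAME MOUNTPOINT: keyfile in /root plus the
# crypttab/fstab entries. Only safe when the root filesystem is itself encrypted.
add_keyfile_automount() {
    dev="$1"; name="$2"; mountpoint="$3"
    keyfile="/root/$name.key"
    # umask 077 so the key is never readable by others, even before the chmod.
    (umask 077; dd if=/dev/urandom of="$keyfile" bs=1024 count=4 2>/dev/null)
    chmod 0400 "$keyfile"
    cryptsetup luksAddKey "$dev" "$keyfile"  # prompts for an existing passphrase
    uuid=$(cryptsetup luksUUID "$dev")
    crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
    fstab_line "$name" "$mountpoint" >> /etc/fstab
}

# Run the procedure only when invoked as ./luks-setup.sh, so the file can be
# sourced (for testing, or to call add_keyfile_automount) without side effects:
#   sudo ./luks-setup.sh /dev/sdb1 stuff /home/milo/stuff milo
case "$0" in
    *luks-setup.sh)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        [ $# -eq 4 ] || { echo "usage: $0 DEVICE NAME MOUNTPOINT USER" >&2; exit 1; }
        setup_luks "$@"
        ;;
esac
```

To add the keyfile afterwards, source the file as root and call add_keyfile_automount /dev/sdb1 stuff /home/milo/stuff; the crypttab entry it writes uses the LUKS UUID rather than /dev/sdb1, which is the one deliberate departure from the post's entries.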
