
Encrypt Ubuntu / Debian Disk Partition using Cryptsetup

 2 years ago
source link: https://computingforgeeks.com/encrypt-ubuntu-debian-disk-partition-using-cryptsetup/

Encrypting a disk protects data at rest against anyone who gains physical access to the hardware: a stolen laptop, a drive pulled from a server, or a machine booted from a live USB. Organizations, businesses and government bodies around the world encrypt their disks to protect confidential information such as files, contacts and customer details. Encryption transforms the stored data so that it is unreadable to anyone who does not hold the decryption key. Note that it protects confidentiality: plain dm-crypt does not detect deliberate modification of the ciphertext unless it is combined with an integrity layer.

There are basically two encryption methods:

  • Filesystem stacked level encryption: tools such as eCryptfs and EncFS, which are mounted on a directory on top of the main filesystem and encrypt file by file
  • Block device level encryption: the entire disk or partition that holds the filesystem is encrypted, so the filesystem itself never touches the ciphertext. Tools include VeraCrypt, CipherShed, dm-crypt+LUKS and Loop-AES

Cryptsetup is the Linux userspace tool for managing dm-crypt, the kernel's block device encryption layer. It can encrypt internal disks as well as external media. This guide uses the Linux Unified Key Setup (LUKS) format, which stores the cipher parameters and several key slots in a header on the device itself, so a volume created on one distribution can be opened on another.

This guide offers a deep illustration of how you can encrypt Ubuntu / Debian Disk Partition using Cryptsetup.

Step 1: Install Cryptsetup on Ubuntu / Debian

The cryptsetup package is available in the default Ubuntu / Debian repositories and can be installed with APT.

sudo apt update
sudo apt install cryptsetup

Sample output:

Reading state information... Done
The following package was automatically installed and is no longer required:
  linux-image-5.10.0-8-amd64
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  cryptsetup-bin cryptsetup-initramfs cryptsetup-run
Suggested packages:
  keyutils
The following NEW packages will be installed:
  cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 762 kB of archives.
After this operation, 2,846 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Step 2: Format Disk Partition as LUKS

First, identify the attached drives to your system.

$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   10G  0 disk 
sr0     11:0    1  3.7G  0 rom  
vda    254:0    0   40G  0 disk 
├─vda1 254:1    0   39G  0 part /
├─vda2 254:2    0    1K  0 part 
└─vda5 254:5    0  975M  0 part [SWAP]

For this guide, we have the primary disk (vda), which holds the root filesystem, and a second disk (sda). We will encrypt the second disk, which could equally be an external drive or removable media. The commands below operate on the whole disk; to encrypt a single partition instead, substitute the partition device, for example /dev/sda1.

First, take a backup of any data on the disk, because luksFormat overwrites it irrevocably. Then format it as a LUKS volume.

sudo cryptsetup luksFormat /dev/sda

In the command above, we initialise a LUKS header on /dev/sda with luksFormat. Recent cryptsetup releases (2.1 and later) create a LUKS2 header by default, which is why lsblk reports FSVER 2 further down. Proceed as below.

WARNING!
========
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda: <SET-PASSPHRASE>
Verify passphrase: <CONFIRM-PASSPHRASE>

Type YES and provide a passphrase to encrypt the disk. A key file can be used instead of, or alongside, a passphrase; here we start with a passphrase and add a key file in Step 6. Once complete, the disk is formatted and shows up with the crypto_LUKS type.

$ lsblk -f
NAME FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sda  crypto 2           95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1                
sr0  iso966 Jolie Debian 11.0.0 amd64 1
                        2021-08-14-11-23-46-00                              
vda                                                                         
├─vda1
│    ext4   1.0         88c8363f-6c60-4526-b6ac-e8f3609cf71c   31.2G    13% /
├─vda2
│                                                                           
└─vda5
     swap   1           7b104eda-111a-4eb1-bd78-c2461193b074                [SWAP]

Step 3: Create a Filesystem on the Encrypted Device

Once the disk has been formatted as above, nothing on it can be read or written until the LUKS volume is unlocked. Unlocking (opening) it creates a device-mapper node that presents the decrypted view of the disk; the filesystem goes on that node, not on /dev/sda directly. Open the volume as below.

sudo cryptsetup luksOpen /dev/sda cryptpart

Provide the passphrase set above to open the disk.

Run lsblk -f again to see the unlocked volume.

lsblk -f

In the output, a new device named cryptpart appears nested under sda. This is the device-mapper node, /dev/mapper/cryptpart, that presents the decrypted view of the disk: data written to it is encrypted before it reaches /dev/sda. It has no filesystem yet.

Now create a filesystem on the mapped device. Here, I will create an ext4 filesystem.

$ sudo mkfs.ext4 /dev/mapper/cryptpart
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 2617344 4k blocks and 655360 inodes
Filesystem UUID: 289493ba-f87b-41c9-803a-c59baf112fff
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

Now create a mount point and mount the created partition temporarily.

sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/cryptpart /mnt/encrypted

Verify if the disk has been mounted.

$ lsblk | grep cryptpart
└─cryptpart 253:0    0   10G  0 crypt /mnt/encrypted

Step 4: Permanently Mount the Encrypted Disk

Many Linux users know about editing /etc/fstab to make mounts persistent. Encrypted volumes need one more file, /etc/crypttab, which describes how each LUKS volume is unlocked at boot.

Like /etc/fstab, /etc/crypttab is processed at boot (on Debian and Ubuntu by the initramfs cryptsetup scripts and by systemd's cryptsetup generator). For each entry the system either prompts for the passphrase or reads the key from the file named in the entry, then creates the /dev/mapper device so that the matching fstab entry can be mounted.

Each crypttab line has four fields:

  • Target name – the name of the mapped device under /dev/mapper. For this guide, we chose cryptpart
  • Source device – the encrypted device, best given as UUID=<uuid> of the LUKS header so the entry survives device renaming
  • Key – "none" to prompt for the passphrase at boot, or the path to a key file
  • Options – crypttab options such as luks, tries=<n> for the number of passphrase attempts, discard, or the cipher for plain (non-LUKS) devices

Identify the UUID for the LUKS partition using the command:

$ sudo blkid | grep -i luks
/dev/sda: UUID="95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1" TYPE="crypto_LUKS"

Now create the file as below.

$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    none    luks

Sample, with the UUID reported by blkid above:

cryptpart    UUID=95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1    none    luks

Save the file and proceed as below.

Identify the UUID of the ext4 filesystem that now lives on the mapped device. This is a different UUID from the LUKS header used in crypttab: crypttab refers to the encrypted container, fstab to the filesystem inside it.

$ sudo blkid | grep -i ext4
/dev/vda1: UUID="88c8363f-6c60-4526-b6ac-e8f3609cf71c" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="61f2181b-01"
/dev/mapper/cryptpart: UUID="289493ba-f87b-41c9-803a-c59baf112fff" BLOCK_SIZE="4096" TYPE="ext4"

Modify the fstab file as well.

sudo vim /etc/fstab

Add the mount point for the decrypted device, using the UUID reported for /dev/mapper/cryptpart.

##De-crypted device will be mounted here##
UUID=289493ba-f87b-41c9-803a-c59baf112fff  /mnt/encrypted ext4 defaults 0 0

If the disk is removable, use defaults,nofail instead of defaults: with plain defaults, systemd treats a missing device as a failed required mount and drops the system into emergency mode at boot.

Step 5: Verify auto Mount

We will now verify if the device will be mounted automatically on boot. Reboot your system.

sudo reboot

When the system starts, the crypttab entry makes the boot process ask for the passphrase of cryptpart before it continues.

With the passphrase provided, log in to the system and verify once again that the disk has been mounted.

lsblk -f | grep sda -A 2 

The mapped device should appear under sda with an ext4 filesystem and /mnt/encrypted as its mount point.

Step 6: Create Keys For Automatic Authentication

At times, typing the passphrase at every boot is impractical, for example on a server that must come back up unattended. A key file stored on the system can unlock the volume instead.

Generate the key from random bytes rather than from a typed password. 512 random bytes carry far more entropy than any passphrase, and nothing is left behind in the shell history. The umask ensures the file is never world-readable, even briefly.

sudo sh -c 'umask 077; head -c 512 /dev/urandom > /boot/volume-key'

Set the required permissions.

sudo chown root:root /boot/volume-key
sudo chmod 0400 /boot/volume-key

Understand what this trades away. The key file sits on a filesystem that is not itself encrypted (in this guide the root filesystem on vda1, of which /boot is a directory), so anyone who can read that filesystem, including the attacker with physical access that the encryption is meant to stop, can read the key and unlock the volume. A key file gives real protection only when the filesystem holding it is itself encrypted, or when it lives on removable media or a hardware token that stays with the administrator. Keep the passphrase in key slot 0 as a fallback in either case.

Now add the key to the LUKS volume using the syntax.

sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>

For example:

sudo cryptsetup luksAddKey /dev/sda /boot/volume-key

Provide your existing passphrase so the new key can be added to a free key slot. Verify that the key has been added.

sudo cryptsetup luksDump /dev/sda

The Keyslots section of the output should now list two slots: 0 holding the passphrase and 1 holding the key file.

Now modify the crypttab file to use the new authentication method by replacing none with the path to the key file.

$ sudo vim /etc/crypttab
# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    /boot/volume-key    luks

Verify this by rebooting the system; it should come up without prompting for the passphrase.

sudo reboot

After logging in, verify that the device has been mounted.

lsblk -f
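The following script is an added example and is not part of the original article. It wraps Steps 2 through 6 in shell functions so that the two pieces a practitioner most often gets wrong, the crypttab/fstab entries and the key file, can be checked before touching a real disk. The helpers parse blkid output (the sample embedded in the script is copied from the blkid lines shown above), build the crypttab and fstab lines, generate a random key file and audit its permissions and location; they run unprivileged. provision() runs the actual cryptsetup, mkfs and mount steps and only executes when the script is called with --provision as root. The function names, the --provision switch and the /root/volume-key default path are this example's own choices, not cryptsetup or Debian conventions. The audit can only flag a key under /boot or with loose permissions; it cannot know whether the filesystem holding the key is itself encrypted, so treat a clean result as necessary rather than sufficient.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps Steps 2-6 in reusable
# functions. The helpers (blkid parsing, crypttab/fstab lines, key-file
# generation and audit) run unprivileged; provision() runs the real
# cryptsetup commands, needs root, destroys the target device, and only runs
# when invoked as:  sh luks-setup.sh --provision /dev/sdX
# Function names, the --provision switch and /root/volume-key are this
# example's own choices, not cryptsetup or Debian conventions.
set -eu

# Constructed sample: the three blkid lines shown earlier in the article,
# so the parser can be exercised without root or a real disk.
SAMPLE_BLKID='/dev/sda: UUID="95f75ab5-6b1c-49b7-a4e3-088e6bd89fd1" TYPE="crypto_LUKS"
/dev/vda1: UUID="88c8363f-6c60-4526-b6ac-e8f3609cf71c" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="61f2181b-01"
/dev/mapper/cryptpart: UUID="289493ba-f87b-41c9-803a-c59baf112fff" BLOCK_SIZE="4096" TYPE="ext4"'

# uuid_for_device "<blkid output>" /dev/sda  ->  the UUID= value of that line.
# The leading space in the pattern keeps PARTUUID="..." from matching.
uuid_for_device() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev && match($0, / UUID="[^"]+"/) {
            print substr($0, RSTART + 7, RLENGTH - 8); exit
        }'
}

# crypttab_line <name> <luks-uuid> [keyfile]  ->  one /etc/crypttab entry.
# "none" in the key field makes the boot process prompt for the passphrase.
crypttab_line() {
    printf '%s\tUUID=%s\t%s\tluks\n' "$1" "$2" "${3:-none}"
}

# fstab_line <fs-uuid> <mountpoint> [fstype]  ->  one /etc/fstab entry.
# "nofail" keeps the boot going if the disk is unplugged; pass 2 lets fsck
# check the volume after the root filesystem.
fstab_line() {
    printf 'UUID=%s\t%s\t%s\tdefaults,nofail\t0 2\n' "$1" "$2" "${3:-ext4}"
}

# gen_keyfile <path>: 512 random bytes, created under umask 077 so the file
# is never readable by others even for an instant, then locked to 0400.
gen_keyfile() {
    ( umask 077; head -c 512 /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# audit_keyfile <path>: prints every problem found and returns 1 if any.
audit_keyfile() {
    local f="$1" rc=0 mode
    mode=$(stat -c %a "$f")
    if [ "$mode" != "400" ]; then
        echo "$f: mode $mode, expected 0400 (other users could read the key)"; rc=1
    fi
    case "$f" in
        /boot/*) echo "$f: /boot is not encrypted; anyone holding the disk can read this key"; rc=1 ;;
    esac
    return "$rc"
}

# provision <device> <name> <mountpoint> <keyfile>: Steps 2-6 on real hardware.
# Interactive: luksFormat asks for YES and a passphrase (key slot 0), and
# luksAddKey asks for that passphrase before storing the key file (slot 1).
provision() {
    local dev="$1" name="$2" mnt="$3" key="$4"
    gen_keyfile "$key"
    cryptsetup luksFormat "$dev"
    cryptsetup luksAddKey "$dev" "$key"
    cryptsetup open --key-file "$key" "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    crypttab_line "$name" "$(blkid -s UUID -o value "$dev")" "$key" >> /etc/crypttab
    fstab_line "$(blkid -s UUID -o value "/dev/mapper/$name")" "$mnt" >> /etc/fstab
    audit_keyfile "$key" || echo "warning: the key file does not protect against physical access" >&2
}

if [ "${1:-}" = "--provision" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "--provision must run as root" >&2; exit 1; }
    provision "${2:?device, e.g. /dev/sdb}" "${3:-cryptpart}" "${4:-/mnt/encrypted}" "${5:-/root/volume-key}"
fi
```

Run it as root with --provision /dev/sdb cryptpart /mnt/encrypted /root/volume-key to apply Steps 2 to 6 to a disk; it appends to /etc/crypttab and /etc/fstab, so review both files afterwards. With any other arguments the script only defines the functions, which is how the helpers can be exercised on captured blkid output or a scratch key file before a real run.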

Step 7: Restore the Backup

Voila!

At this point, you can restore the backup made before formatting the disk and start using the encrypted volume.

The end!

We have managed to encrypt an Ubuntu / Debian disk using Cryptsetup. The data on that disk is now out of reach of anyone who obtains the hardware, as long as the key is not also stored where they can read it.
