
How to encrypt block devices using LUKS on Linux

Sometimes you may want to encrypt your hard disk so that anyone who connects the drive to their own computer must provide the passphrase before it can be mounted. In Linux, it is possible to encrypt individual block devices. In this article, we will learn how to encrypt block devices in Linux using LUKS. LUKS (Linux Unified Key Setup) is the Linux disk-encryption layer that can be used to encrypt the entire root partition, a logical volume, or a specific partition.

This tutorial covers the following Linux distributions:

  • Debian
  • Ubuntu
  • RHEL
  • CentOS
  • Rocky Linux
  • AlmaLinux

Install cryptsetup-luks package

The cryptsetup utility comes with the cryptsetup-luks package and is used for setting up block device encryption on Linux systems. Install it with the following command. The commands in this tutorial must be run as root (or with sudo).

Ubuntu/Debian

$ apt-get install cryptsetup

RHEL/CentOS/Rocky Linux/AlmaLinux

$ dnf install cryptsetup-luks

Prepare a LUKS partition

Once the utility tool is installed, prepare a partition for encryption. To list all the available partitions and block devices, run the following command.

$ fdisk -l
$ blkid

Now use the cryptsetup luksFormat command to set up encryption on the partition. In this example, the device sdb is used for encryption. Substitute the device name that matches your environment.

$ cryptsetup -y -v luksFormat /dev/sdb

The command executed above will remove all the data on the partition.

Now we need to create a logical device-mapper device mapped to the LUKS-encrypted partition from the above step. In this example, encrypted is the mapping name given to the opened LUKS partition.

The following command will create the mapped volume and ask for the passphrase (the initial key set during luksFormat). Remember that the passphrase cannot be recovered.

$ cryptsetup luksOpen /dev/sdb encrypted

The mapping details of the partition can be found by using the following command.

$ ls -l /dev/mapper/encrypted

Use the following command to view the status of the mapping. Replace encrypted with your mapping name.

$ cryptsetup -v status encrypted

The cryptsetup luksDump command can be used to check that the device has been formatted successfully for encryption. In this example, the sdb device is checked.

$ cryptsetup luksDump /dev/sdb
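Because luksFormat erases its target, a pre-flight check is worth running before it. The following is an added example, not part of the original article: it refuses a target that is mounted or that already starts with the LUKS header magic. The function names and the optional mounts-file argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `cryptsetup luksFormat`.

# Print the LUKS on-disk format version (1 or 2) found at the start of a
# device or image file; return 1 if no LUKS header is present.
luks_header_version() {
    target=$1
    # Bytes 0-5 are the magic "LUKS" 0xBA 0xBE, bytes 6-7 the big-endian version.
    hex=$(dd if="$target" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $hex in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if formatting looks safe; 2 = mounted, 3 = already LUKS.
# The second argument (hypothetical, for testing) overrides /proc/mounts.
safe_to_format() {
    target=$1
    mounts=${2:-/proc/mounts}
    # Prefix match so a mounted /dev/sdb1 also blocks formatting /dev/sdb.
    # This can refuse more than strictly needed, which is the safe direction.
    if awk -v d="$target" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "$mounts" 2>/dev/null; then
        echo "refusing: $target (or a partition on it) is mounted" >&2
        return 2
    fi
    if version=$(luks_header_version "$target"); then
        echo "refusing: $target already has a LUKS$version header" >&2
        return 3
    fi
    return 0
}

# Stand-alone use: sh preflight.sh /dev/sdX
if [ "$#" -gt 0 ]; then
    safe_to_format "$1" && echo "no mount or LUKS header found on $1"
fi
```

An opened LUKS device shows up in the mount table under its /dev/mapper name, so the header check is what catches a device that is already encrypted and in use.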

Format LUKS partition

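Writing zeros to the opened LUKS device fills the whole encrypted partition: the zeros pass through the encryption layer, so the underlying disk ends up holding ciphertext instead of old data. Use the following command to write zeros to the encrypted block device.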

$ dd if=/dev/zero of=/dev/mapper/encrypted

The dd command may take some time to complete. To see the progress, run the write through the pv command instead.

$ pv -tpreb /dev/zero | dd of=/dev/mapper/encrypted bs=128M

Note: Replace encrypted with your device mapping name.

Now format the new partition with your desired file system. In this example, the ext4 file system is used.

$ mkfs.ext4 /dev/mapper/encrypted

Replace encrypted with your device-mapper name.

Mount the new file system. In this example, the new file system is mounted at /encrypted.

$ mkdir /encrypted
$ mount /dev/mapper/encrypted /encrypted

Replace the device-mapper name encrypted with your own mapper name.

$ df -h
$ cd /encrypted
$ ls -l

So we successfully created an encrypted partition on Linux using LUKS.

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn
