Creating Encrypted Volumes

The cryptsetup utility sets up Linux Unified Key Setup (LUKS) encryption on a device and manages the passphrases and keys used to unlock it.

LUKS is an encryption specification that implements a platform-independent, standard on-disk format. The standard ensures interoperability and compatibility among different distributions and programs. The implementation also includes tools that simplify the administration of encrypted disks. When a volume is encrypted with LUKS, a passphrase is required at boot time. The correct passphrase then unlocks the encryption key to enable volume decryption.

For more information about LUKS, see the https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md file.

To encrypt volumes with LUKS, follow these steps:

  1. Initialize a LUKS partition on the device and set up the initial key, for example:

    sudo cryptsetup luksFormat /dev/sdd

    The following warning is displayed:

    WARNING!
    ========
    This will overwrite data on /dev/sdd irrevocably.
    Are you sure? (Type 'yes' in capital letters): YES
    
    Enter LUKS passphrase: passphrase
    Verify passphrase: passphrase
  2. Open the device and create the device mapping, for example:

    sudo cryptsetup luksOpen /dev/sdd cryptfs

    You're prompted to enter the passphrase:

    Enter passphrase for /dev/sdd: passphrase

    The encrypted volume is accessible as /dev/mapper/cryptfs.

  3. Create an entry for the encrypted volume in /etc/crypttab, for example:

    # <target name>  <source device>  <key file>  <options>
    cryptfs          /dev/sdd         none        luks

    This entry causes the OS to prompt you for the passphrase at boot time.

You use an encrypted volume in the same way as you would a physical storage device, for example, as an LVM physical volume, file system, swap partition, Automatic Storage Management (ASM) disk, or raw device. For example, to mount the encrypted volume automatically, you would create an entry in /etc/fstab that mounts the mapped device (/dev/mapper/cryptfs), not the physical device (/dev/sdd).

To verify the status of an encrypted volume:

sudo cryptsetup status cryptfs

The following output is displayed:

/dev/mapper/cryptfs is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdd
  sector size:  4096
  offset:  32768 sectors
  size:    104824832 sectors
  mode:    read/write

To remove the device mapping:

  1. Unmount any existing file system in the encrypted volume.

  2. Remove the mapped device from /dev/mapper.

    For example, for the encrypted volume cryptfs, use the following command:

    sudo cryptsetup luksClose /dev/mapper/cryptfs
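The whole lifecycle described above (luksFormat, luksOpen, the crypttab and fstab entries, status, luksClose) can be exercised without touching a real disk by pointing cryptsetup at a loop device backed by an image file. The script below is an added example written for this page, not part of the original documentation or of the cryptsetup project; the image path, the mapper name cryptdemo, and the helper function names are its own assumptions. The helpers that build a crypttab line, check that an fstab entry refers to the mapped device rather than the raw one, and pull a field out of cryptsetup status output run on any system; luks_demo itself needs root, cryptsetup, and loop device support.

```shell
#!/bin/sh
# Added example: LUKS lifecycle on a loopback-backed image file, so no real
# disk is overwritten. IMG, MAPPER_NAME and the helper names are assumptions
# of this example, not names from the page.
set -eu

IMG="${IMG:-/tmp/luks-demo.img}"        # constructed backing file, not a real device
MAPPER_NAME="${MAPPER_NAME:-cryptdemo}" # volume appears as /dev/mapper/$MAPPER_NAME

# Build one /etc/crypttab line: <target> <source device> <key file> <options>.
# A key file of "none" means the OS prompts for the passphrase at boot, as in
# the page's example; a path unlocks the volume without a prompt.
crypttab_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-luks}"
}

# An /etc/fstab entry for an encrypted volume must mount the mapped device,
# never the raw LUKS device. Returns 0 when the device field is under
# /dev/mapper/, 1 otherwise.
fstab_device_ok() {
    dev=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$dev" in
        /dev/mapper/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Read `cryptsetup status` output on stdin and print the value of one field,
# e.g. "cipher" -> aes-xts-plain64, "type" -> LUKS2.
status_field() {
    awk -v f="$1:" '$1 == f {print $2}'
}

# Full lifecycle on a loop device. Needs root and cryptsetup. A random key
# file replaces the interactive passphrase so the run is unattended, and
# --batch-mode suppresses the "Type 'yes' in capital letters" confirmation.
luks_demo() {
    command -v cryptsetup >/dev/null || { echo "cryptsetup not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    KEYFILE=$(mktemp)
    head -c 64 /dev/urandom > "$KEYFILE"
    chmod 0400 "$KEYFILE"

    # 64 MiB leaves room for the LUKS2 header plus a small ext4 file system.
    truncate -s 64M "$IMG"
    LOOPDEV=$(losetup --find --show "$IMG")

    # Step 1: initialise the LUKS2 header and enrol the key file.
    cryptsetup luksFormat --batch-mode --type luks2 "$LOOPDEV" "$KEYFILE"
    # Step 2: open the device; the clear-text view is /dev/mapper/$MAPPER_NAME.
    cryptsetup luksOpen --key-file "$KEYFILE" "$LOOPDEV" "$MAPPER_NAME"
    # Step 3 would add this line to /etc/crypttab (printed only, not written).
    crypttab_line "$MAPPER_NAME" "$LOOPDEV" "$KEYFILE" luks

    # Verify the mapping, then use it like any block device.
    cryptsetup status "$MAPPER_NAME" | status_field cipher
    mkfs.ext4 -q "/dev/mapper/$MAPPER_NAME"
    MNT=$(mktemp -d)
    mount "/dev/mapper/$MAPPER_NAME" "$MNT"
    echo "hello" > "$MNT/test.txt"

    # Tear down in the order the page gives: unmount, then close the mapping.
    umount "$MNT"
    cryptsetup luksClose "$MAPPER_NAME"
    losetup -d "$LOOPDEV"
    rm -f "$IMG" "$KEYFILE"
    rmdir "$MNT"
}

# Run the lifecycle only when asked explicitly: sh luks-demo.sh run
case "${1:-}" in
    run) luks_demo ;;
esac
```

Because luksFormat destroys whatever is on its target, the demo refuses to run without an explicit argument and only ever formats the loop device it created; run it on a scratch machine or VM, and never substitute a real disk path for IMG.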

For more information, see the cryptsetup(8) and crypttab(5) manual pages.